The Health Insurance Portability and Accountability ACT (HIPAA) sets a framework for privacy and security of medical information. While typically associated with hospitals and other direct health organizations, HIPAA encompasses many stakeholders and applies to covered entities (CE), business associates (BA) and subcontractors (SC). Since pharmacies fall under CE, HIPAA regulations apply to them, as well.
Under HIPAA, hospitals and health agencies have been hit with fines in the upwards of millions, sometimes as high as $5 million. For pharmacies, too, violating HIPAA can have a significant financial impact—with fines up to $1.5 million. In 2009, CVS Pharmacy faced an investigation from the Federal Trade Commission after the media reported that patient information was being thrown into trash dumpsters accessible by anyone. CVS ended up paying a $2.25 million resolution agreement.
So what does that mean for pharmacies and what steps can they take to protect themselves from HIPAA violations and possible fines? Here are a few tips:
• Prioritize encryption: Pharmacies risk data when they transmit it over an open network. Make sure to activate the encryption function of wireless networks, encrypt PHI Data stored on any hard drives, and communicate via encrypted channels.
• Develop proper protocol: It’s typically acknowledged that using the “minimum necessary” of private information in medical records decrease the risk of exposure and violation. Pharmacies should develop a protocol that defines the “minimum necessary” (information that must be included) and controls Personal Health Information (PHI)
• Provide training to pharmacist employees on the proper protocol: staff should understand what information they can discuss during live consultations, know to handle communications about prescriptions over phone or secure text confidentially, and to collect the correct authorizations of the contact when collecting information.
• Introduce security best practices: Too often, employees’ security practices end up being the weakest link in an organization’s security. Make sure staff use secure passwords with a mix of alpha and numeric passwords that they do not share or post near a computer. Organizations may also want to consider adopting two-factor identification.
It’s worth noting that HIPAA does not apply to de-identified health information which includes addresses, birth, and death dates of patients that can be used for research and public health records. Pharmacies need to know what information that can be used before they release research materials and that all staff with access to the information must sign a data use agreement. Pharmacists are also protected under HIPAA in the event that they accidentally disclose information if they’re overheard during a store consultation or if health instructions are seen by another patient. However, it’s still best practice for pharmacies to adopt the “minimum necessary” rule.
With the rise of people’s reliance on their smartphones, it has become more common for pharmacies to use text messaging to communicate with patients. While this holds several advantages because of convenience for both staff and patients, eliminating phone tag and the robotic voice messages in voicemail that patients often miss, it can also pose privacy risks. Native SMS text messaging is not encrypted, and even if pharmacies only includes non-specific information, such as letting patients know that an unspecified prescription is ready for pick up, an unintentional disclosure could result in a privacy violation. It’s to the pharmacies’ advantage to use secure messaging solutions like Vaporstream that mimic the look and feel of SMS to communicate with patients. This provides them with flexibility in terms of the information they can communicate (for example, specifying the prescription available for pick up to avoid confusion) while ensuring information is protected at all times. It also allows for great collaboration with other healthcare professionals such as clinics, long term care facilities and home health and rehabilitation centers. To learn how Vaporstream can help contact us here or schedule a demo.
Contributor: Vaporstream Team