Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most significant piece of federal legislation to affect pharmacy practice since OBRA-90.

The Privacy Rule component of HIPAA took effect on April 14, 2003, and was the first comprehensive federal regulation designed to safeguard the privacy of protected health information (PHI). Pharmacies that maintain patient information in electronic format or conduct financial and administrative transactions electronically, such as billing and fund transfers, must comply with HIPAA.

While HIPAA places stringent requirements on pharmacies to adopt policies and procedures relating to the protection of patient PHI, the law also gives important rights to patients. These rights include the right to access their information, the right to seek details of the disclosure of information, and the right to view the pharmacy's policies and procedures regarding confidential information.

The Health Insurance Portability and Accountability Act (HIPAA) imposes five key provisions upon pharmacies.
 * 1) The first provision is the requirement that each pharmacy take reasonable steps to limit the use of, disclosure of, and the requests for PHI. PHI is defined as individually identifiable health information transmitted or maintained in any form and via any medium. To be in compliance, a pharmacy must implement reasonable policies and procedures that limit how PHI is used, disclosed, and requested for certain purposes. The pharmacy also is obligated to post its entire notice of privacy practices at the facility in a clear and prominent location and on its Web site (if one exists).
 * 2) The second component of HIPAA requires that individuals be informed of the privacy practices of the pharmacy and that the pharmacy develop and distribute a notice with a clear explanation of these rights and practices. This notice must be given to every individual no later than the date of the first service provided, which usually means the first prescription dispensed to the patient. The pharmacist is also obligated to make a good-faith effort to obtain the patient's written acknowledgment of receipt of the notice.
 * 3) Under the third component, pharmacies are also required to designate a compliance officer who manages and ensures compliance with HIPAA.
 * 4) As part of the fourth component of HIPAA, all employees working in a pharmacy environment in which PHI is maintained must receive training on the regulations within a reasonable time after being hired. This includes pharmacists, technicians, and any other individuals who assist in the pharmacy.
 * 5) Finally, in some situations, it is necessary for the pharmacy to allow disclosure of PHI to a person or organization that is known under HIPAA as a "business associate." Typically, business associates perform a function that requires disclosure of PHI such as billing services, claims processing, utilization review, or data analysis. Under HIPAA, a pharmacy is allowed to disclose PHI to a business associate if the pharmacy obtains satisfactory assurances, usually in the form of a contract, that the business associate will use the information only for the purposes for which it was engaged by the pharmacy.

HIPAA also provides security provisions. These security provisions went into effect April 20, 2005, almost 2 years after the privacy provisions. The security standards are designed to protect the confidentiality of PHI against the threat of unauthorized access and interception during electronic transmission. As with the privacy provisions, any pharmacy that transmits any health information in electronic form is required to comply with the security rules.

In particular, the security standards define administrative, physical, and technical safeguards that the pharmacist must consider in order to protect the confidentiality, integrity, and availability of PHI.

A unique aspect of the security provisions is that they include both "required" and "addressable" implementation specifications. Required implementation specifications are those that must be met, whereas for addressable specifications the pharmacy must determine whether the suggested safeguard is reasonable and appropriate, given the size and capability of the organization as well as the risk. Addressable does not mean optional: if the pharmacy concludes that a suggested safeguard is not reasonable and appropriate, it must document that decision and implement an equivalent alternative measure where one is reasonable and appropriate.

Although a covered entity may consider cost when deciding whether to implement a particular specification, there is nonetheless a clear requirement that adequate security measures be implemented. Cost considerations do not exempt covered entities from this responsibility.

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) of 2009 added privacy provisions and penalties to HIPAA for electronic protected health information (ePHI). Electronic protected health information is individually identifiable health information that is created, stored, transmitted, or received electronically. The portions that affect the HIPAA regulation of pharmacy the most are the breach reporting requirements and the financial penalties for data breaches. If a breach of ePHI occurs, the affected individuals must be notified. If the unsecured ePHI of more than 500 individuals is reasonably believed to have been accessed, acquired, or disclosed during such a breach, the HITECH Act requires HIPAA covered entities to report the breach to the Department of Health and Human Services (HHS) and the media, in addition to notifying the affected individuals.

The penalties outlined in the HITECH Act for violating the privacy provisions range from $100 to $1,500,000, based on the type of disclosure, the root cause, and the number of individuals affected.