Health Insurance Portability and Accountability Act

  

From Rx-wiki

Revision as of 02:02, 1 November 2011 by Sean

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the most significant piece of federal legislation to affect pharmacy practice since OBRA-90.

The Privacy Rule component of HIPAA took effect on April 14, 2003, and was the first comprehensive federal regulation designed to safeguard the privacy of protected health information (PHI). Pharmacies that maintain patient information in electronic format or conduct financial and administrative transactions electronically, such as billing and fund transfers, must comply with HIPAA.

While HIPAA places stringent requirements on pharmacies to adopt policies and procedures relating to the protection of patient PHI, the law also gives important rights to patients. These rights include the right to access their information, the right to seek details of the disclosure of information, and the right to view the pharmacy's policies and procedures regarding confidential information.

The Health Insurance Portability and Accountability Act (HIPAA) imposes 5 key provisions upon pharmacies.

  1. The first provision is the requirement that each pharmacy take reasonable steps to limit the use of, disclosure of, and the requests for PHI. PHI is defined as individually identifiable health information transmitted or maintained in any form and via any medium. To be in compliance, a pharmacy must implement reasonable policies and procedures that limit how PHI is used, disclosed, and requested for certain purposes. The pharmacy also is obligated to post its entire notice of privacy practices at the facility in a clear and prominent location and on its Web site (if one exists).
  2. The second component of HIPAA requires that individuals be informed of the privacy practices of the pharmacy and that the pharmacy develop and distribute a notice with a clear explanation of these rights and practices. This notice must be given to every individual no later than the date of the first service provided, which usually means the first prescription dispensed to the patient. The pharmacist also is obligated to make a good-faith effort to obtain the patient's written acknowledgment of the receipt of the notice.
  3. Under the third component, pharmacies are also required to select a compliance officer who will manage and ensure compliance with HIPAA.
  4. As part of the fourth component of HIPAA, all employees working in the pharmacy environment in which PHI is maintained must receive training on the regulations within a reasonable time after being hired. This training requirement necessarily covers pharmacists, technicians, and any other individuals who assist in the pharmacy.
  5. Finally, in some situations, it is necessary for the pharmacy to allow disclosure of PHI to a person or organization that is known under HIPAA as a "business associate." Typically, business associates perform a function that requires disclosure of PHI such as billing services, claims processing, utilization review, or data analysis. Under HIPAA, a pharmacy is allowed to disclose PHI to a business associate if the pharmacy obtains satisfactory assurances, usually in the form of a contract, that the business associate will use the information only for the purposes for which it was engaged by the pharmacy.

HIPAA also contains security provisions. These security provisions went into effect April 20, 2005, almost 2 years after the privacy provisions. The security standards are designed to protect the confidentiality of PHI that is threatened by the possibility of unauthorized access and interception during electronic transmission. As with the privacy provisions, any pharmacy that transmits any health information in electronic form is required to comply with the security rules.

In particular, the security standards define administrative, physical, and technical safeguards that the pharmacist must consider in order to protect the confidentiality, integrity, and availability of PHI.

A unique aspect of the security provisions is that they include both "required" and "addressable" implementation specifications. Required implementation specifications are those that must be met, whereas for addressable specifications the pharmacy must determine whether the suggested safeguards are reasonable and appropriate, given the size and capability of the organization as well as the risk.

A covered entity may consider cost as a factor in determining whether to implement a particular specification, but a clear requirement nonetheless exists that adequate security measures be implemented. Cost considerations are not meant to exempt covered entities from this responsibility.

See also

Federal pharmacy law
