With Regulatory Enforcement of HIPAA on the Rise and Increased Penalties for Non-Compliance, Pharmacies Must Take Action

Article

The United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has stepped up enforcement of the compliance requirements contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and has begun sending out HIPAA Audit Letters to Covered Entities. So far, twenty HIPAA Audit Letters have been sent out to a variety of Covered Entities, including physicians, laboratories, and pharmacies. The OCR intends to send out similar HIPAA Audit Letters to 150 Covered Entities by year end.

Most health care providers are familiar with HIPAA’s rules, in particular the Privacy and Security Rules. The Privacy Rule was first issued in 2000 and the Security Rule was issued in 2003, with required compliance dates of 2003 and 2005 respectively. Although most Covered Entities, including pharmacies, have been required to comply with HIPAA for several years, the federal government has undertaken very little enforcement action against non-compliant Covered Entities. However, due to changes in federal law, it is likely that enforcement actions will dramatically increase, and the OCR’s recent actions forecast a shift.
 
Specifically, in 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed, which requires HHS to provide for periodic audits to ensure Covered Entities and Business Associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards. To implement HITECH’s mandate, the federal government, in late 2011, began conducting audits of Covered Entities to assess HIPAA compliance.
 
It is necessary for pharmacies to stay compliant with HIPAA’s requirements and to take proactive steps, in advance, to ensure and maintain compliance. Once OCR sends the HIPAA Audit Letter to the pharmacy, the pharmacy has only ten days to provide the requested information. Hence, pharmacies should take steps to ensure compliance with HIPAA’s privacy and security requirements before they receive a HIPAA Audit Letter, not after they’ve been told to disclose how they comply with HIPAA’s requirements.
 
Pharmacies can suffer substantial financial and administrative problems if they are found to be in violation of HIPAA. Potential harms for non-compliance were described in the recent case of an Arizona cardiac surgery group. The Covered Entity settled with the U.S. Department of Health and Human Services (HHS) for $100,000 in connection with its HIPAA non-compliance. Specifically, HHS asserted that the surgery group failed to (i) implement adequate policies and procedures to appropriately safeguard patient information; (ii) document that it trained any employees on its policies and procedures on the Privacy and Security Rules; (iii) identify a security official and conduct a risk analysis; and (iv) obtain business associate agreements with Internet-based email and calendar services where the provision of the service included storage of and access to its electronic protected health information (ePHI). These requirements apply equally to pharmacies, as they did in that case to the surgery group.
 
Compliance with HIPAA and HITECH has become an important consideration for pharmacies and other healthcare providers. Pharmacies must do a thorough analysis of HIPAA’s requirements in order to ensure compliance and have in place the requisite safeguards required by HIPAA and HITECH.
 
Two of the most important documents required by HIPAA are a “HIPAA Compliance Plan” and a “Business Associate Agreement.” The HIPAA Compliance Plan provides a comprehensive roadmap and a compendium of policies and practices related to a Covered Entity’s actions related to the creation, use, storage, and disclosure of PHI. The Business Associate Agreement creates a legally binding contract between the Covered Entity and individuals and entities that may access a Covered Entity’s PHI for a variety of purposes related to patient care, billing, and operations. Pharmacies must have in place a well-crafted and current HIPAA Compliance Plan, and enter into a Business Associate Agreement with any entity that will have access to its PHI.
 
Frier Levitt has particular expertise in HIPAA, HITECH, and health care privacy. Our attorneys are versed in all aspects of HIPAA and HITECH and monitor regulations and enforcement on an ongoing basis. We have drafted dozens of HIPAA Compliance Plans and Business Associate Agreements for our pharmacy and health care clients. Contact us today to speak to an attorney.