What You Need to Know About Compounding Pharmacy HIPAA Compliance
Back in the day, patients who visited pharmacies to fill prescriptions wrote their names in a logbook that sat out on the pharmacy counter. Anyone could casually peruse the ink-filled lines to see that their Aunt Millie had come in or that Joseph Smith down the road had left with pseudoephedrine cough syrup.
The thought is absurd today, of course. As more and more Americans rely on pharmacies and compounding pharmacies to help them with health and wellness, disease treatment and pain relief, the medical field has entered an unprecedented era of technological advances and focus on patient data privacy. Patients want to know their information is secure, and the Health Insurance Portability and Accountability Act (HIPAA) is the law of the land requiring providers to make that a reality.[1]
Enacted in 1996 by the Office of Civil Rights, the creation of HIPAA was primarily aimed to make keeping health insurance easier. It also included provisions to protect the security and confidentiality of patient health information and sought to make administrative costs more manageable via the administrative simplification rules.
In recent years, the federal government has made enforcement of HIPAA violations a growing priority, which means HIPAA compliance is a major operational pillar for most healthcare organizations.[2]
For compounding pharmacies, HIPAA may not loom as large depending on whether or not you are a “covered entity,” but the privacy of protected health information (PHI) still rules. Pharmacists should still ensure they know HIPAA’s requirements backward and forward, and that their compounding pharmacy is set up for compliance success.
What is a Covered Entity and Why Does it Matter for Compounding Pharmacy HIPAA Compliance?
HIPAA divides healthcare organizations into three categories — covered entities, business associates and subcontractors. As of 2013 and the passage of the HIPAA Omnibus Rule, all three have the same organizational and compliance requirements under HIPAA.[3]
Generally speaking, compounding pharmacies only need to concern themselves with assessing whether they are a covered entity or not (the other categories would rarely apply). As healthcare providers, traditional pharmacies almost always qualify as covered entities, meaning HIPAA regulations apply to them.
For a compounding pharmacy, potential exceptions that would make you an uncovered entity include:
- You never transmit any information in electronic format, or
- The electronic information you do transmit falls under a transaction category for which the Department of Health and Human Services has no legal standard. This means it is not covered in healthcare codes as a standard transaction, which can be true of compounded medication.
If you are a covered entity, know the federal regulations and your state’s laws, since they can differ. For instance, a patient cannot sue under HIPAA itself for a breach, but under many state laws, HIPAA violations resulting from professional malpractice or negligence can be the basis of a lawsuit. Even if you aren’t a covered entity under HIPAA’s Omnibus Rule, it’s a good idea to know the laws, since ignorance of the rules is not considered a viable defense.[4]
Five Keys to Navigating HIPAA for Compounding Pharmacies
Whether or not you are a covered entity under HIPAA, patient data safety should still be a top priority and your compounding pharmacy’s operations should reflect that.
Pharmacies can be especially prone to lapses in patient data privacy. Your staff and pharmacists handle a lot of patient information between lab results, prescription records, prescription labels, medical documentation and more. Exposing even the smallest piece of identifying information can constitute a breach.[5]
Regardless of your status under HIPAA, here are five key ways to ensure you’re treating your patients’ information in accordance with the latest laws:
- Stay up to date. HIPAA regulations change frequently. To date, there have been four major updates to the law, not including numerous smaller changes to individual rules: the Privacy Rule in 2000, the Security Rule in 2003, the Enforcement Rule in 2009 and the Omnibus Rule in 2013.[6]
Even if you are not a covered entity and not liable under HIPAA right now, you need to stay informed. One day, you might become a covered and liable entity under a rule change, and if you aren’t paying attention, you might not be prepared.
- Train your staff. Your security is only as good as the most poorly trained staff member. If your systems are ironclad but your staff compromises patient data through shoddy operations, you need better quality control and enforcement. Make sure everyone who ever comes into contact with patient health information understands the importance of patient privacy and knows how to maintain it.
- Keep your technology updated. Even the best rules and the most careful staff cannot function without the right tools. If you’re having to do a lot of manual work to keep patient data secure, or your systems just aren’t up to date, you need to invest in keeping your technology current.
At the current pace of innovation, it’s a good idea to at least review your technology every two to three years, even if you’re not able to update it that often. If you’re a covered entity, you are required by certain elements of the Health Information Technology for Economic and Clinical Health (HITECH) Act to maintain a certain level of functionality in your technology.[7]
- Communicate with your patients. Even if you’re not a covered entity, you should still communicate what that means to patients and what they can expect from you in terms of data safety standards. Especially if you’re an uncovered entity that is not required by law to maintain certain standards, you’ll want to assure your patients that you still practice a high level of patient data security.
- Ensure compliance throughout your supply chain and partnerships. If you have supply partners or business associates, know whether or not they are required to be HIPAA compliant and research any violations they may have committed. Poor compliance practices at any stage of your supply chain could put you in jeopardy. If your partners are not covered entities, ensure they still have a high commitment to patient data privacy. If you are all covered entities, make sure you’re using an approved business associate agreement (BAA) that outlines all of these policies.[8]
As members of the compounding community, we know that compounding pharmacists are committed to ensuring patients get effective, customized care in ways that work for their specific needs.
Part of that commitment to patient health means taking responsibility for the health of patient data, whether or not HIPAA or other federal regulations require it. It’s important to know the law and understand your requirements under your entity categorization, but it’s equally important to prioritize health information safety regardless of your legal liability.
Pharmaceutica North America is a premier provider of high-quality pharmaceutical ingredients and custom compounding kits for compounding pharmacies with the highest commitment to standards and compliance. Contact us to find out more about how our active pharmaceutical ingredients or compounding kits can be part of your compounding pharmacy’s services and products.
1. “HIPAA Compliance in the Pharmacy,” Jan. 10, 2014, http://www.pharmacompliancemonitor.com/hipaa-compliance-in-the-pharmacy/6111/
2. “OCR Kicks Off HIPAA Audits After Issuing Two Major Settlements,” March 22, 2016, http://www.natlawreview.com/article/ocr-kicks-hipaa-audits-after-issuing-two-major-settlements
3. “Covered Entities and Business Associates,” accessed March 22, 2016, http://www.hhs.gov/hipaa/for-professionals/covered-entities/index.html
4. “Can a Patient Sue a Pharmacist for Violating HIPAA?” Sept. 9, 2015, http://www.pharmacytimes.com/contributor/erica-lindsay-pharmd-mba-jd/2015/09/can-a-patient-sue-a-pharmacist-for-violating-hipaa
5. “Is a Pharmacy a Covered Entity Under HIPAA?” Aug. 15, 2013, http://www.physicianspractice.com/blog/pharmacy-covered-entity-under-hipaa
6. “HIPAA for Professionals,” accessed March 22, 2016, http://www.hhs.gov/hipaa/for-professionals/
7. “HITECH Act Enforcement Interim Final Rule,” accessed March 22, 2016, http://www.hhs.gov/hipaa/for-professionals/special-topics/HITECH-act-enforcement-interim-final-rule/index.html
8. “Is a Pharmacy a Covered Entity Under HIPAA?” ibid.