This month marks the two-year anniversary of a law that enhanced patients’ medical privacy rights while significantly expanding the obligations that pharmacies and other entities have for protecting sensitive patient information. The scope of these changes is worth revisiting today to make sure your pharmacy is in full compliance.
The HITECH Act, which is short for Health Information Technology for Economic and Clinical Health, was part of the American Recovery and Reinvestment Act, which was passed in February 2009. Health Information Technology, or “HIT,” has many applications in community pharmacy, and your adoption of HIT influences your professional practices as well as your business practices.
The HITECH Act is important for community pharmacists to understand because it updated and made stricter some of the rules you are familiar with in the Health Insurance Portability and Accountability Act, also known as “HIPAA.”
One rule that was made stricter is the penalty the Secretary of HHS is allowed to impose on a covered entity for violating HIPAA. Prior to HITECH, the maximum penalty was $100 for a single violation, or $25,000 for identical violations of the same provision. There is now a tiered penalty scheme with a maximum penalty of $1.5 million for identical violations of the same provision. It is also worth noting that a covered entity is responsible for a violation even if it claims it did not know of the violation, unless it corrects the violation within 30 days of discovery.
A new regulation that went into effect nearly one year ago is known as Breach Notification. The Breach Notification rule defines Protected Health Information, or “PHI,” and describes “Unsecured PHI.” Unsecured PHI is PHI that is unencrypted or otherwise unprotected: it can easily be reproduced on another computer, or retrieved from the trash whole or readily pieced together. A breach of Unsecured PHI requires you to notify the affected patient(s). If electronic PHI on a storage device or in email is not encrypted to the specified standard, or paper PHI is not cross-cut shredded or otherwise destroyed, access by an unauthorized individual is likely to constitute a breach.
When a breach occurs, you have up to 60 days (though you should act as soon as possible to comply with the regulation) to notify your patients according to the procedure detailed in HITECH. The procedure requires individual letters to affected patients and notice to the Secretary of HHS. Depending on the number of individuals affected, the requirements may also include notice on your website and notice in local media.
Note that over 200 companies have already had to report breaches to the Secretary as of today’s date, and that number will only increase. The most commonly reported location of Unsecured PHI was unencrypted records on a laptop or other electronic storage device. Be sure you do not transport patient records or billing information on unencrypted devices.
Here are two activities to avoid in order to prevent triggering breach notification requirements: 1) sending or storing emails containing PHI in a manner that does not comply with HITECH encryption requirements; and 2) creating an electronic backup of your patient records on a tape or disc that is not encrypted in compliance with HITECH requirements. If either of these activities resulted in someone other than your pharmacists, technicians or business associates (in other words, an “unauthorized user”) accessing patient PHI, you would be required to follow Breach Notification requirements.
If you have questions about HITECH or Breach Notification, contact NCPA’s Lisa Fowler.