HIPAA Has New Rule Changes Effective September 23, 2013
Is your pharmacy ready?
Several changes to the HIPAA Rules take effect on September 23rd. Pharmacies need to act now to avoid the repercussions of non-compliance. Every pharmacy should review, revise and/or replace its existing HIPAA Compliance Program.
Who do the Changes Affect?
The changes affect HIPAA business associates, including a wide range of vendors who contract with pharmacies and access protected health information (PHI). So if you do business with an organization that comes into contact with protected health information from your pharmacy, make sure you have a business associate agreement on file!
What Action is Required?
If your pharmacy cannot locate its HIPAA Manual or Procedures, or if those procedures have never been reviewed or revised, they need to be updated now to be compliant.
At a Minimum:
- Revise Business Associate Agreements and have them on file with any entity your pharmacy does business with that may handle PHI;
- Revise HIPAA Policies and Procedures, including modifications to address response to potential breaches involving unsecured PHI;
- Update and redistribute Notices of Privacy Practices;
- Train employees on updated obligations.
Key Changes impacting Pharmacies:
- The Omnibus Rule expands the definition of business associate to include: any downstream subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate, even if they have an indirect relationship with a covered entity; health information organizations, e-prescribing gateways, or other persons that provide data transmission services to a covered entity that require routine access to PHI; and any person that offers a personal health record to individuals on behalf of a covered entity.
- The Rule expands the liability and obligations of business associates and their subcontractors, making them directly liable for compliance with the HIPAA Privacy and Security Rules.
- The Rule eliminates the "significant risk of harm" standard as the threshold for breach notification. Under the previous rule, breaches did not have to be reported unless they posed a "significant risk of reputational, financial or other harm" to individuals. The new standard reverses that presumption: a reportable breach is presumed to have occurred unless the covered entity or business associate, through a multi-factor risk assessment, determines that there is a low probability that the PHI has been compromised by the unauthorized use or disclosure.
- Pharmacies need to ensure that business partners do not sell or market any PHI.
How will this be Enforced?
Enforcement will now be proactive, no longer only in response to complaints. The Office for Civil Rights (OCR) is hiring enforcement officers to visit facilities and conduct compliance audits. The HIPAA Police will be out there! Ignorance will not work as an excuse. HHS may impose civil monetary penalties of up to $1.5 million for all violations of an identical HIPAA requirement in a calendar year. The exception under the previous rule that shielded pharmacies and other covered entities from civil penalties stemming from the conduct of their business associates has been eliminated. Pharmacies and business associates are therefore liable for the acts of their respective business associate agents.