| January
5, 2001© |
Paul J. Breaux completed
Pharmacy School in 1965. After practicing pharmacy
for several years, he entered L.S.U. Law School,
graduating in 1972, and he has practiced law since
then. His practice is located in Lafayette, Louisiana. |
Now that the health
care privacy standards mandated by the Administrative Simplification
provisions of HIPAA 1996 are promulgated as a final federal
rule, pharmacies should begin the process of assessing
their respective situations. The following are some areas for
Louisiana pharmacies that should be reviewed in preparation
for HIPAA Privacy Rule compliance.
- DETERMINE IF LOUISIANA HAS STATUTES OR
REGULATIONS RELATED TO PRIVACY OF PATIENT HEALTH INFORMATION.
As an example, do patients have a right to access, inspect,
and copy their medical records? What types of "uses
and disclosures" (in "HIPAAese") in your
practice require under Louisiana law a patient consent
or authorization (e.g., law enforcement, marketing, etc.)?
Do patients have the right to amend their medical/prescription
records? What are the medical record retention requirements
for patients of your pharmacy practice; and, if none for
a pharmacy, then all patient medical records generally?
This information is needed in order to determine if Louisiana's
statutes and rules will be preempted, or the need to comply
eliminated, by the new federal HIPAA Privacy Rule.
- DIAGRAM THE TYPICAL FLOW OF PATIENT INFORMATION WITHIN
YOUR PHARMACY.
The flow should start at the time of initiation of service
(first prescription, first consultation, etc.) and progress
through to the conclusion of the patient service process.
This flow diagram should be used in conjunction with the
inventories of systems and users discussed below.
- IDENTIFY ALL OF YOUR PHARMACY'S POLICIES AND PROCEDURES
RELATED TO USES, AND DISCLOSURES, OF INDIVIDUALLY IDENTIFIABLE
HEALTH INFORMATION.
This would enable a pharmacy to determine what may need
to be deleted, added or otherwise revised. Likewise, this
should raise the awareness within your pharmacy staff
that patient privacy, though not a new concept, is governed
under a different set of rules — new patient rights
and new provider duties.
- CREATE AN INVENTORY OF ALL SYSTEMS AND MEDICAL EQUIPMENT
THAT CONTAIN, TEMPORARILY OR PERMANENTLY, PATIENT HEALTH/MEDICAL
INFORMATION.
Along with each system or piece of equipment (computer
in the pharmacy, as one example.), list/show what patient
information is customarily stored in it, who has access
to the information, what, if any, access controls are
in place and what audit trails are available. This inventory
will assist in identifying systems that may require some
type of remediation, e.g., computer CRT's are to never
be left unattended, but if left unattended, then turned
off. You may also want to add this information to the
flow diagram to assist in identifying electronic versus
paper information.
- INVENTORY WHICH PERSONS ON YOUR STAFF HAVE ACCESS TO,
USE, OR DISCLOSE, INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION.
It is useful to list the 18 criteria (page 60054 of the
Federal Register from the proposed rule; §164.514
of the final rule) when asking this question, because
many individuals in your workforce may not realize that
they access, use, or disclose what the new federal rule
deems to be individually identifiable health information.
Once gathered, the individuals should then be added to
the flow diagram of patient information.
- INVENTORY CURRENT "BUSINESS ASSOCIATES."
Begin to document each contractor, auditor, etc., that
has access to, or receives from your pharmacy, patient
health information that exists in your pharmacy, including
what types of individually identifiable health information
they access, use, or disclose, and how frequently they
do so.
- INVENTORY ROUTINE AND AD HOC REPORT REQUESTS THAT CONTAIN
ANY OR ALL OF THE 18 CRITERIA IN THE RULE.
Be certain to include routine downloads (for example,
state reporting, patient satisfaction surveying, outcomes
reporting, etc.) in this inventory.
- INVENTORY WHAT, IF ANY, PATIENT PRIVACY AND CONFIDENTIALITY
TRAINING IS BEING OFFERED TO OR RECEIVED BY EMPLOYEES AND
CONTRACTORS (BUSINESS ASSOCIATES).
Is this routine training or only offered during the period
of new employee orientation, for example? Is there a tracking/documenting
of attendance?
- CREATE A NOTICE OF PRIVACY PRACTICES.
Using the information obtained in the foregoing steps,
begin the creation of a Notice of Privacy Practices,
and increase the awareness and sensitivity among all
staff members as to patient health information. There
must also be a signed patient consent in conjunction
with the Notice of Privacy Practices, and both documents
are required by the HIPAA Privacy Rule.
To obtain the above information, your pharmacy, depending on
its size, might be able to use an existing committee (e.g.,
a compliance committee), and if not, then might create such
a committee. As each of the above areas is discussed, detailed
documentation, minutes, should be maintained. This documentation
may then be used to compare against the standards in the federal
HIPAA Privacy Rule.
By starting the privacy assessment now, your pharmacy will
experience an added value of creating a heightened awareness
of the standards, and it will reinforce the significance of
the obligation to create and maintain private health information
of your patients in confidence, in its staff. |
|
