Start-up Checklist for Your Pharmacy's HIPAA Compliance
Paul J. Breaux completed
Pharmacy School in 1965. After practicing pharmacy
for several years, he entered L.S.U. Law School,
graduating in 1972, and he has practiced law since
then. His practice is located in Lafayette, Louisiana.
- Determine whether your pharmacy is covered by the new
regulation (i.e., do you transmit patient identifiable information
electronically). If in doubt, refer to the regulation.
- Within your operation, determine who currently has access
to protected medical information [sales/front-end clerks,
pharmacy department staff (pharmacists, technicians, etc.),
delivery staff, billing staff, others, etc.].
- Consider how you can maintain medical records so that
each employee has access to and use of only the minimum
necessary information for his/her job function. For example,
what medical information is needed by the front-end sales
staff, by the billing staff, etc.? Think about what policies
and procedures you will develop for your pharmacy to implement
HIPAA's "minimum necessary" requirement.
- Evaluate the physical plant and operations of your facility:
  - Are computer screens with protected information visible
    to casual onlookers?
  - Where do you keep the pick-up register when not needed during
  - How does your pharmacy handle trash and copies of excess
    records? Who handles it?
  - What protections do you currently take for original patient
    records that must leave the pharmacy, e.g., under subpoena?
- Keep track of all the entities to which you transfer
patient medical information, such as physician offices,
nursing homes, hospitals, third-party networks and/or PBMs,
billing submission/claims processing agents, accountants,
and independent contractors; determine the manner in which
you transfer it (e-mail, fax, US Mail, private mail service,
telephone/cable modem, messenger delivery services, etc.);
and evaluate the security of those transmissions. Are they
susceptible to loss or misdelivery?
- Determine who your pharmacy's "business associates"
are, and those to whom you are a business associate, with
whom you will seek contract revisions that assure
compliance with HIPAA privacy and security requirements.
[Business associates under the HIPAA rule are entities who
assist with activities that involve protected health information,
and may include claims processors, utilization reviewers,
quality assurance reviewers, billing agents, lawyers, and
- Review current Louisiana laws regarding medical privacy,
which laws are operable until/unless supplanted by the federal
- Determine the relationship between the new HIPAA privacy
and security regulation, the existing state licensure regulations,
and federal and state Medicare or Medicaid regulations.
Familiarize yourself with current licensure, conditions
of participation, and OIG compliance guidance requirements that
relate to privacy and security of patient records. Inspectors
and auditors are likely to begin to focus attention on these
This memorandum analysis is provided
as an informational service of Paul J. Breaux, Ltd.
It is not intended to
provide specific legal advice or opinion, which
may be based only on individual fact situations.
Mail: 600 Jefferson Street, Suite
503, Lafayette, LA 70501