Articles by Paul Breaux
Practice Home Page
A Start-up Checklist for Your Pharmacy's HIPAA Compliance
August 1, 2002© Paul J. Breaux completed Pharmacy School in 1965. After practicing pharmacy for several years, he entered L.S.U. Law School, graduating in 1972, and he has practiced law since then. His practice is located in Lafayette, Louisiana.
  1. Determine whether your pharmacy is covered by the new regulation (i.e., do you transmit patient identifiable information electronically). If in doubt, refer to the regulation.
  2. Within your operation, determine who currently has access to protected medical information [sales/front-end clerks, pharmacy department staff (pharmacists, technicians, etc.), delivery staff, billing staff, others, etc.].
  3. Consider how you can maintain medical records so that each employee has access to and use of only the minimum necessary information for his/her job function. For example, what medical information is needed by the front-end sales staff, by the billing staff, etc.? Think about what policies and procedures you will develop for your pharmacy to implement HIPAA's "minimum necessary" requirement.
  4. Evaluate the physical plant and operations of your facility:

    Are computer screens with protected information visible to casual onlookers?
    Where do you keep the pick-up register when not needed during open hours?
    How does your pharmacy handle trash and copies of excess records? Who handles it?
    What protections do you currently take for original patient records thatmust leave the pharmacy, e.g., under subpoena?
  5. Keep track of all the entities to which you transfer patient medical information, such as physician offices, nursing homes, hospitals, third-party networks and/or PBM's, billing submission/claims processing agents, accountants, and independent contractors; determine the manner in which you transfer it (e-mail, fax, US Mail, private mail service, telephone/cable modem, messenger delivery services, etc.); and, evaluate the security of those transmissions. Are they susceptible to loss, or misdelivery?
  6. Determine who your pharmacy's "business associates" are, and those to whom you are a business associate, concerning which you will seek contract revisions that will assure compliance with HIPAA privacy and security requirements. [Business associates under the HIPAA rule are entities who assist with activities that involve protected health information, and may include claims processors, utilization reviewers, quality assurance reviewers, billing agents, lawyers, and accountants.]
  7. Review current Louisiana laws regarding medical privacy, which laws are operable until/unless supplanted by the federal privacy requirement.
  8. Determine the relationship between the new HIPAA privacy and security regulation, the existing state licensure regulations, and federal and state Medicare or Medicaid regulations. Familiarize yourself with current licensure, conditions of participation, OIG compliance guidance requirements that relate to privacy and security of patient records. Inspectors and auditors are likely to begin to focus attention on these requirements.
HIPAA Privacy
Overview of HIPAA
Disclosure Authorization
Subpoena of Health Information
Complaints Under the HIPAA Medical Privacy Rule
Notices of Privacy Practices
Incidental Disclosures
HIPAA Requires Pharmacies to have a "Privacy Officer"

Legal Documents,
Policies and Procedures, and Patient Forms

A Start-up Checklist for Your Pharmacy's HIPAA Compliance
What should you be doing now . . . ? Assessing
Privacy, Confidentiality, and Security: of Health Information.
HIPAA Security
Corporations
Pharmacy Law
Personal Planning
Controlled Substances
Business Law
Corporate Compliance
Health Care Fraud

This memorandum analysis is provided as an informational service of Paul J. Breaux, Ltd. It is not intended to
provide specific legal advice or opinion, which may be based only on individual fact situations.
 

phone: 337.266.2270 | Mail: 600 Jefferson Street, Suite 503, Lafayette, LA 70501 |

Articles | Profile | Disclaimer | © 2013 Paul J. Breaux, Ltd.