The deadline for implementing the privacy regulations for the Health Insurance Portability and Accountability Act (HIPAA) is less than 10 months away (April of 2003), and one of the HIPAA provisions requires health care entities/providers, including pharmacies, to have someone on its staff that is a Privacy Officer (called "Privacy Official" by some).

Your pharmacy's having a person who is its Privacy Officer is not an option, it is a HIPAA mandate. The regulations under HIPAA state that entities covered by it are to "designate a privacy official who is responsible for the development and implementation [of the covered entity's] privacy policies and procedures." That person will also be in charge of training staff on privacy procedures.

While large pharmacy operations such as chains will surely be required to hire someone to be a full-time privacy official, for small independent pharmacies, however, hiring and training a privacy official may not be as complicated as it sounds. Most pharmacies will be able to assign the duties of implementing privacy policies procedures to an existing employee.

Having in mind that the target/mandate of HIPAA is the use and disclosure of a person's health information, the Privacy Officer is in charge of the following tasks, among others:

• Developing a Privacy Policy. Making sure the objective of your pharmacy's privacy policy is tailored to what your pharmacy wants and needs to do to service your patients and that it meets the spirit and terms of the law.
  
• Taking Reasonable Steps to Protect Patients' Health Information. Those steps include limiting who has access to records and making sure that the records are physically and electronically secure by, for example, password-protecting electronic records and locking cabinets where paper records are kept.
  
• Training Employees About Privacy Procedures. For independent community/retail pharmacies, this requirement can be fulfilled by giving employees training materials and copies of privacy Policies and Procedures, and documenting that the employees have reviewed the materials.
  
• Implementing Patient Consent Procedures. Under the current privacy regulation, patients will have to give Consent for their medical information to be used for treatment (for example, filling their prescriptions), for payment and for the pharmacy's health care operations. If a pharmacy needs or wants to use patient information for any other reasons, it must see if the reasons qualify for exceptions, or it must get specific Authorization from its patients.
  
• Evaluating Contracts with Business Associates. Basically, this task means that the pharmacy's Privacy Officer has to make sure that physicians, possibly DME suppliers, or other organizations with whom it exchanges health information also safeguard the privacy of patient medical records to comply with the HIPAA regulations.

The practice of pharmacy has a longstanding history of treating with confidentiality patient health information. Even if a pharmacy is not yet decided on who will be its Privacy Officer, it can still begin training employees about the regulations. Either with or without a Privacy Officer yet, the time to begin training employees and preparation for compliance is definitely now.