15.5 Adhering to the Health Insurance Portability and Accountability Act

As discussed in Chapter 2, the Health Insurance Portability and Accountability Act (HIPAA) is a comprehensive federal law passed in 1996 to, among other goals, protect patients’ private health information. Obviously, though, a physician, a nurse, a pharmacist, and a pharmacy technician must have access to medical information to serve the needs of each patient. For this reason, all healthcare professionals are bound by law and ethics not to disclose information about consultations, diagnoses, tests, services, and medications, as well as any personal identifiers, outside the immediate pharmacy workplace. This is all considered protected health information (PHI).

All healthcare facilities (including pharmacies in all practice settings) that access, store, maintain, or transmit patient-identifiable medical information must comply with HIPAA regulations. Failure to do so can result in severe civil and criminal penalties.

Both state and federal laws govern patient confidentiality. Some states may have more stringent requirements than the federal law. As with controlled drugs, the more stringent policy generally takes precedence. Pharmacy technicians should know the laws in the state where they are practicing. If the technician moves to another state, it is important to learn the regulations and laws of the new state.

Notice of Privacy Practices and Permissions

Confidentiality is defined as keeping privileged information about customers from being disclosed without their consent. Therefore, each pharmacy is required to have a policy statement that defines patient privacy rights and protections and how patient information will be used by the pharmacy, which must be presented to the patient for signed consent. This policy statement is called a notice of privacy practices. It must be presented and explained the first time a person uses the pharmacy as a new customer. Patients may list others whom they allow to have access to their information. The signed notice is kept on file for six years.

Sharing with Family Members and Friends

Even for sharing healthcare information with other family members, permission is important. Parents or legal guardians of minor children are considered their dependents’ personal care representatives and can sign for their children up to an age determined by the state. For instance, in some states, adolescents at age 16 can receive mental health and/or reproductive counsel and pharmaceuticals, such as birth control or prescriptions for sexually transmitted infections, without their parents’ knowledge or approval. This occurs even if the parents are paying for their coverage via billing or insurance. These are not the only situations where teenage minors may be treated as adults with respect to access and disclosure of health information records.

Practice Tip

Each state determines the age at which a teenager can receive health care (in specific situations or in general) without parental knowledge or permission. So it is essential to know your state’s HIPAA guidelines.

Teens, however, may list their parents and others as able to access their health records. Elderly parents often list their sons and daughters as having permission to access their records and pick up their prescriptions. Spouses, too, often give permission in order to access each other’s care information. Patients may ask you to print their annual prescription records (for income tax preparation) as well as those of their spouses or of-age dependents, but you may not do this without written permission from the others involved.

Protecting Patient Identifiers

A community pharmacy depends upon protected health information to dispense medications and have them covered by insurance. To be in HIPAA compliance, pharmacy personnel must therefore remove or conceal from public view the PHI while they are working. Computer screens should be aimed away from the public and/or protected from over-the-shoulder scanning. One of the many reasons only authorized personnel are allowed entrance into the pharmacy area is to safeguard patients’ private health information stored in the computers and files.

Always stay up to date on the latest standards to be in HIPAA compliance.

Examples of patient identifiers that must be protected are listed in Table 15.3. In addition, pharmacy personnel must take measures to conceal the medication itself. To this end, an FDA-required Medication Guide should be stapled underneath the cover sheet and placed inside the patient’s bag for pickup, so that the medication cannot be seen by anyone other than the patient.

Work Wise

The medical information that a patient shares in a discussion with a pharmacy staff member is confidential and protected by law.

Table 15.3 Protected Health Information Patient Identifiers

  • Name

  • Address and ZIP code

  • Relatives

  • Employer

  • Date of birth

  • Telephone number or fax number

  • Email address

  • Social Security number

  • Medical record number

  • Health plan identification number

  • Account number

  • Vehicle identification

  • Certificate or license number

  • Uniform resource locator (URL) or internet protocol (IP) address

  • Fingerprint or voiceprint

  • Photo

Practice Tip

Patient confidentiality of electronic transmissions includes email correspondence that includes PHI. It must be secure, without a patient identifier in the subject line, and sent only to those allowed access to treat the patient and for this purpose.

Patient identifiers may be used legally for billing and credit card processing, and are occasionally used for sending out quality assurance surveys by the pharmacy or prescriber. They may also be provided by the pharmacy or prescriber in response to a lawsuit. In most legal cases, the lawyer obtains written approvals from the patient to release their prescription records, or the pharmacy gets the approval directly from the patient. PHI may be released without permission in the case of a court order or evidence of a crime or fraudulent activity. All requests for PHI other than by the patient should be directed to the pharmacist.

Permitted Protected Health Information Sharing

Medical necessity dictates professional PHI sharing regulations. Who must have access to what information inside or outside the pharmacy for the best medical service to the patient, and who does not have that access? How can unnecessary access to patient health information be limited, especially in large organizations such as hospitals, chain pharmacies, research sponsors, or insurance providers?

Sharing Among Healthcare Personnel

In the process of diagnosing or treating a patient, the physician and the pharmacist (or their agents, on their behalf) may exchange information without restriction, or without the express written permission of the patient. For example, if a patient is receiving controlled narcotic prescriptions from several physicians, the pharmacist may notify these physicians.

In addition, some insurance reimbursement requires diagnostic codes from the physician for select diabetic and respiratory drugs, and this information can be provided to the pharmacy without explicit patient permission. Also, a pharmacist may need to see a copy of a patient’s hospital discharge summary or recent laboratory results for insurance coverage of the follow-through drugs. These documents, however, cannot be viewed without the patient’s permission, so this permission must be asked for in written form.

PHI Sharing Between Insurance Providers and Employers

A patient’s insurance provider or pharmacy benefit manager is also bound to privacy and may not pass on an employee’s information to their employer. Nor can a technician discuss such information or pass it on to an employer. An insurance processor requires a great deal of personal medical and medication information, including which drug and dosage was dispensed, but they may not share this information. In the past, insurance companies occasionally shared medical information with an employer, resulting in illegal employment termination for the patient. This situation is outlawed by HIPAA.

PHI Sharing Among Investigational Drug Personnel

How much information does an investigational drug study (often by a pharmaceutical company) need to know about the patients? Some—but not all—health information is shared with investigational drug studies, according to the limits outlined for the study and agreed to by the patient before the study begins. Studies must be designed so that patients cannot be individually identified. A minimum amount of information that directly relates to the study is exchanged with the sponsor, according to protocols approved by the Institutional Review Board or the Human Use Committee.

Security and Electronic Transmission

The electronic transmission of PHI data is a necessity at the pharmacy and involves several parties, including healthcare practitioners, pharmacy personnel, and third-party insurance companies. All such transmissions are protected by state and federal laws and must have built-in software encryption and security systems that fit HIPAA standards to be legal. Other safeguards include limited access of certain healthcare professionals to fields of information and frequent password changes to limit access to patient information. Patient data privacy laws also extend to email correspondence. Never send any emails containing patient identifiers in the subject line. Some employers do not allow email transmission of PHI or require special precautions be taken (such as using a unique acronym in the message) before sending.

Sending medical or prescription information via fax has been a common pharmacy practice, especially for refill authorization from a physician’s office. Like other types of electronic submissions, a fax must be carefully monitored. Faxes to and from the pharmacy and medical offices are in an encrypted format. The receipt of faxed information is intended only for personnel of the medical office or pharmacy to which it was sent. This information should be filed or securely disposed of (shredded) after it has been reviewed. If an inadvertent fax was transmitted to the wrong number, the sender must be notified and the protected information returned or destroyed immediately.

Protecting Operational Records

Though individual patient information is considered the property of the patient, the prescriber’s medical records themselves are considered the property of the facility that generates them. Patients, however, are entitled to a copy of their personal records at any time through a written request. A patient and a provider have a right to review and add to the records as appropriate. Although medical records belong to the facility, they are still protected information and may not be sold or distributed without authorization.

Pharmacy medication dispensing records are similar. You must protect your employer’s proprietary information from competitors, including not only individual records but also operational records. This includes prescription volume, pricing issues, and pharmacy policies and procedures. If you are not sure, ask a senior pharmacy technician or pharmacist. You must also protect your customers’ private billing information to avoid any issues of identity theft.

Pharmacy Strategies for HIPAA Compliance

Each pharmacy develops its own mechanisms to implement, communicate, audit, and document compliance with HIPAA regulations. This may include the layout of the pharmacy customer area, its lines, pickup stations, and counseling areas. Each pharmacy has a set of policies and procedures in its manual to cover the HIPAA regulations. Depending on the size of the pharmacy, formal training programs with annual refresher courses may be used.

IN THE REAL WORLD

If you knowingly obtain or use protected health information in violation of the law, you can be fined up to $50,000 and sentenced to up to one year in prison. If you obtain information under “false pretenses,” it climbs to a fine of up to $100,000 and up to five years in prison. Someone who obtains health information with the intent to sell, transfer, or use it for commercial purposes or personal gain can be fined up to $250,000 and sentenced to up to 10 years in prison.

Pharmacies are held liable for any problems with privacy, and can be sued or face legal sanctions for any confidentiality leak. Casually mentioning or passing on any patient information in conversation in the pharmacy or outside of it or on social media is illegal in every sense, as well as a professional and ethical breach of judgment. You will face legal consequences and may lose your job immediately.

Work Wise

Remember that sharing any patient information on social media, whether on the job or off, is illegal, and sufficient reason for immediate termination of your job. If you have trouble keeping secrets or being discreet, being a pharmacy technician is not the job for you.

The information contained in both medical and pharmacy records is protected under HIPAA laws.

Since the PHI belongs to the patient and not to the pharmacy, it is best to always err on the side of caution when it comes to releasing or discussing patient information. Follow the golden rule of HIPAA: treat every person’s information with at least the same caution and respect you would want for your own information, if not more. That requires great discretion in pharmacy conversations.

Maintaining Privacy in Patient Discussions

When a patient requests a private consult with a pharmacist, both the technician and the pharmacist should conduct these discussions quietly and discreetly. When using the telephone, pharmacy personnel should not use speakerphone when talking with a patient, and should not leave a message for a patient that divulges any medical or drug information unless given express written permission to do so by the patient. Maintaining the security and privacy of a patient’s medical information must remain a high priority.

In addition, be careful about discussing sensitive medical issues while other customers are waiting in line. As you update customer records, make sure that you maintain privacy. If, for example, you are stationed at the pharmacy window and need patient profile information, use a written form for the patient to fill in or find space for the customer to answer your questions away from the customer line. Some pharmacies have a waiting area for the line that is a few paces from the counter to give the person being served some privacy.

Outside of the immediate pharmacy work area, such as in the lunch break room, at home, or with friends, avoid any discussion of patients and their medications. No PHI can leave the pharmacy premises.

Prescription Pickup

A patient’s illness can often be determined by their medication history. A patient receiving antiviral prescriptions for HIV, antibiotics for gonorrhea, antivirals for herpes, antidepressants, erectile dysfunction drugs, or chemotherapy requires the same amount of privacy as in a physician’s office or the hospital. Many states have specific laws protecting patients with HIV or acquired immune deficiency syndrome (AIDS).

Because of this, when a patient is picking up a prescription, speak in a low voice when confirming their identity and what medication is being picked up, so as not to broadcast to nearby customers what the patient is receiving. If someone else is picking up a medication, especially for a controlled substance, many pharmacies have a policy of requesting and recording a photo ID, such as a driver’s license. Many pharmacies now have a separate area for prescription pickup and counseling, where the patient can have a higher degree of privacy.

Customer Retail Sales Privacy

If a patient cannot trust the pharmacist or the pharmacy technician with personal health information, then a good customer will be lost. That is why, in addition to HIPAA regulations, the pharmacy technician needs to be sensitive and respectful of customer privacy regarding retail health purchases and information. Pharmacies sell many products related to private bodily functions and conditions (e.g., condoms and other contraceptives, feminine hygiene and menstrual products, suppositories, hemorrhoid remedies, enemas, adult diapers, catheters, bed pans, pediculicides). Customers often are embarrassed to ask about such products and have to work up the nerve to request assistance.

Practice Tip

As a part of the healthcare profession, you must adopt a helpful, no-nonsense, professional attitude toward the body and its functions.

Responding to an inquiry about such a product with efficiency, courtesy, respect, and a certain degree of nonchalance often relieves your customer’s embarrassment and demonstrates your professionalism. Speak in a clear voice but not so loudly that other customers or employees are privy to your private exchange with the customer. For patients who request specific product information that requires expertise or counseling, technicians should refer these patients to the pharmacist.

IN THE REAL WORLD

In 2015, a Denver pharmacy was fined $125,000 for a HIPAA violation for improperly disposing of protected health information on 1,600 patients in an unlocked container. The information was not shredded but was simply discarded in general trash. The pharmacy was also required to develop written policies and procedures and institute a staff training program.

Disposal of Patient Protected Information per HIPAA Guidelines

PHI must never be thrown in the general trash. If patient-identifying information is discarded in the trash by mistake and recovered, the pharmacy would be subject to a considerable fine from the federal government.

Practice Tip

Per HIPAA, personal information on the labels of medication containers (including IV bags and other compounded sterile preparations [CSPs]) must be removed or covered before disposal. Many are incinerated rather than being thrown in the trash.

In the pharmacy, shredding (or burning) of all printed patient-related information is common practice wherever it shows the patient name, address, date of birth, prescription number, or other personal identifiers. This encompasses the whole range of medication container labels, information sheets, insurance information, prescription vials, patient profiles, insurance or Drug Utilization Reviews, and so on. All must be discarded appropriately for privacy protection. If not shredded, this information must be discarded in a special designated container (not accessible to the public) that is incinerated or sealed and mailed for incineration. Electronic PHI must be regularly purged or destroyed per pharmacy policy to prevent misuse.

As a technician, you must be vigilant about following HIPAA regulations. If you see potential violations, bring them to the attention of your pharmacy supervisor. Maintaining the privacy and security of health information is an extremely important ethical and legal issue.