It is important to understand what HIPAA is and how to avoid HIPAA complaints from patients during your work shifts in the Pharmacy. Violating patient confidentiality in any way can lead to substantial fines for your Pharmacy and can even cause you to lose your job. Studying what the HIPAA rules preclude can help you avoid a costly HIPAA violation. Read on to learn more about HIPAA and how to prevent a HIPAA complaint in the Pharmacy.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed by the United States Congress and signed into law by President Clinton in 1996.
HIPAA has 5 separate titles or sections:
- Title 1 of HIPAA deals with the reform of Health Insurance laws
- Title 1 of HIPAA protects individuals who either lose their jobs or who change jobs from being dropped from their health insurance plans.
- Title 1 of HIPAA also prevents insurance companies who run group health plans from denying health coverage for those who have pre-existing health conditions
- Title 1 of HIPAA also stops insurance companies from instituting what are known as “lifetime coverage limits” whereby a cap is placed on the total amount of coverage possible over a patient’s lifetime
- Title 2 of HIPAA gives direction to HHS (United States Department of Health and Human Services) to establish national standards for electronic health records and to require healthcare organizations to follow strict privacy regulations established by the United States Department of Health and Human Services
- Title 2 of HIPAA provides for the establishment of a National Provider Identifier Standard in which any person or healthcare entity is given a 10-digit NPI (National Provider Identifier Number)
- Title 2 of HIPAA provides for standardized electronic data exchange in order to submit insurance claims electronically
- Title 2 of HIPAA also provides for individual privacy rules and gives national standards to protect patients’ critical health information
- Title 2 of HIPAA also provides guidelines for the investigation of HIPAA compliance violations
- Title 3 of HIPAA deals with tax-related issues involving medical care
- Title 4 of HIPAA deals with ensuring that those patients with pre-existing conditions and those patients who are seeking continued coverage are treated fairly
- Title 5 of HIPAA deals with revenue offsets for those who lose their US citizenship and with company-owned life insurance policies for purposes of income taxes
HIPAA Fines and Penalties
HIPAA penalties can include:
- 100 dollars per violation if HIPAA is unknowingly violated with an annual maximum of 25,000 dollars
- 1,000 dollars per violation if there is reasonable cause to assume a violation with an annual maximum of 100,000 dollars for repeat violations
- 10,000 dollars per violation for willful violation with an annual maximum of 250,000 dollars for repeat violations
- 50,000 dollars per violation if the willful violation remains uncorrected with an annual maximum penalty of 1.5 million dollars for repeat violations
A Case Example of a Successful HIPAA Suit Filed Against Walgreens In Indiana with a Verdict of $1.4 million for the Plaintiff
It is useful to examine an actual court case brought against a Pharmacist to understand the seriousness and potential liabilities of HIPAA violations and how to avoid them. This is a case in which a jury in Indiana awarded $1.4 million to a plaintiff whose HIPAA rights were violated by a Pharmacist working at Walgreens.
At a Walgreens Pharmacy in Indianapolis, Indiana, a female Pharmacist researched the prescription profile of a female patient from another Walgreens Pharmacy in the city of Crown Point, Indiana, 150 miles away from Indianapolis.
The patient being researched turned out to be the ex-girlfriend of the Pharmacist’s husband, whom the Pharmacist suspected of having transmitted a sexually transmitted disease (STD) to him.
After discovering what medications the patient had been treated with, the Pharmacist then revealed the patient’s past medical history and prescribed medications to her husband.
Upon receiving this information, the Pharmacist’s husband immediately texted his former girlfriend demanding to know the details of the alleged sexually transmitted disease.
The husband’s ex-girlfriend then called Walgreens to complain about this violation of her HIPAA rights but Walgreens did nothing.
The same Pharmacist then went into the same patient’s medical record again with no consent from the patient and without any acceptable reason to further research her medical conditions and prescribed treatments.
After this second HIPAA abuse, the female patient involved hired an attorney and filed suit for damages against Walgreens alleging HIPAA violations and asking for monetary damages.
After a jury trial, the patient prevailed and was awarded $1.4 million in damages against Walgreens for violation of HIPAA requirements (https://www.pharmacytimes.com/contributor/erica-lindsay-pharmd-mba-jd/2015/09/can-a-patient-sue-a-pharmacist-for-violating-hipaa).
Case Example of a Successful HIPAA Violation Filed by HHS (The US Department of Health and Human Services) and FTC (Federal Trade Commission) Against CVS Caremark Resulting in a Fine of $2.25 Million
In this case, CVS Caremark was found to be discarding bottles of medication and receipts with Protected Health Information (PHI) into unsecured dumpsters in areas behind its stores (https://www.ftc.gov/news-events/press-releases/2009/02/cvs-caremark-settles-ftc-chargesfailed-protect-medical-financial).
The discarded material included such sensitive information as personal identifying information, confidential medical information, physicians’ names and addresses, and sensitive insurance information.
As part of the settlement agreement, CVS Caremark was required to change their techniques of disposing of medication bottles and also required to provide employee training on the proper method for bottle disposal.
CVS Caremark was also required to implement internal monitoring procedures and to undergo evaluation by an independent compliance evaluator for a period of 3 years.
Case Example of Rite Aid Paying a $1 Million Fine to HHS and the FTC for Violating the HIPAA Privacy Act
After multiple TV stations across the country filmed Rite Aid personnel disposing of prescription pill bottles, with patients’ personal information easily identifiable, in industrial garbage containers easily seen by the public, Rite Aid (https://properphidisposal.com/2010/07/27/rite-aid-to-pay-1-million-for-improper-disposal/) and its 4800 pharmacies were fined $1 million and forced to implement numerous changes in its policies, including:
- Changing its policies concerning the disposal of prescription medication bottles
- Training their workers on these new procedures and policies
- Instituting new internal monitoring procedures
- Hiring an external monitor to assess compliance reviews and submit reports to HHS
- Having the HHS corrective plan in effect for 3 years and the FTC order in place for 20 years
The HIPAA Privacy Rule
The HIPAA Privacy Rule, which is also known as the Standards for Privacy of Individually Identifiable Health Information, establishes standards for properly using and disclosing sensitive protected health information (PHI).
This rule protects the patient’s privacy by requiring doctors to provide the patient with documentation requiring their consent every time their personal protected health information is used for either billing or other purposes.
This rule also allows the patient’s protected medical information to be disclosed as necessary to other medical personnel for medical purposes while being kept strictly confidential.
The HIPAA Privacy Rule also guarantees that all patients, upon their written request, are entitled to a copy of their protected health information from all healthcare providers who are covered under HIPAA regulations.
Who Must Adhere to HIPAA?
HIPAA applies to any HIPAA-covered organization, which includes healthcare plans and healthcare personnel, including Pharmacy staff.
What Information is Protected?
The HIPAA Privacy Rule applies to all identifiable health information, whether on paper or held electronically, including the following:
- The patient’s name, address, birth date or social security number
- The patient’s mental health history
- The patient’s physical health conditions
- The patient’s prescription records
- The patient’s billing records
- The patient’s health profile
Special HIPAA Precautions for Pharmacists and Pharmacy Technicians
- Be sure all data transmitted via the internet is encrypted
- Be sure that any wireless network used is encrypted
- Be sure all hard drives on laptops are encrypted
- Be sure all user names and passwords are sufficiently strong to protect the network
As a member of the pharmacy team, pharmacy technicians must be keenly aware of HIPAA guidelines at all times. Protecting a patient’s protected health information including name, address, personal health conditions, and billing records is essential to avoid penalties and sanctions by the Federal Government.