
Health Insurance Portability and Accountability Act (HIPAA) Review • Auburn University Harrison School of Pharmacy
HIPAA Basics • HIPAA passed in 1996 • Protect and secure patient information • Guarantee patients’ right to access health information and control its use • Implemented April 14, 2003
Protected Health Information (PHI) • Spoken, written, or electronic • Prescription • Fax or email • Patient consultation • Created or received by a covered entity (e.g. health care providers, pharmacies, health insurance plans) • Info related to past, present, or future health
De-identified Data • Data that cannot identify an individual patient • De-identified data does not fall under HIPAA rules • Often used in research
Patient Rights • Limit how PHI is used • Determine when/how communicated with patient • Review and obtain copy of PHI • Request edits of PHI • Know how pharmacy uses PHI
Rx Obligations • Provide written notice to patients regarding Privacy Practices • Patient rights • How pharmacy uses and discloses PHI • Who to contact with complaints • Obtain written acknowledgement from patients of receipt of Privacy Practices
Rx Obligations • “Minimum Necessary” • Limit PHI provided by pharmacy • Provide only minimum necessary information to complete a task (e.g. fill prescription, counsel patient, file a claim)
Rx Obligations • Exceptions to “Minimum Necessary” • Health care provider request to aid treatment • Disclosure directly to patient • Disclosure according to patient’s written authorization • Must avoid incidental uses and disclosures of PHI!
Acknowledgement vs. Authorization • Acknowledgement • Patient written acknowledgement of receipt of written notice of privacy practices • Notice to include types of PHI disclosures for treatment, payment, operations (TPO) • Authorization • Signed authorization required for any disclosure other than that necessary for TPO
Authorization Exemptions • PHI relative to the following: • Public Health • Abuse, neglect, domestic violence • Health oversight • Law enforcement • Judicial and administrative proceedings • Decedents • Avert serious threat to health or safety • Specialized government • Comply with workers’ compensation laws • ADR reports to the FDA • DEA or state Board of Pharmacy inspections
Authorization Exemptions • Refer ALL authorization exemptions to Privacy Officer for review!
Rx Obligations • Prevent incidental disclosures of PHI! • Telephone (refills, call in Rx) • Faxed Rx • Info left via pharmacy voice mail • Drive-through pick-up window • Insurance requests for information • Patient consultations • Friend or family member requests info regarding patient’s Rx or condition
Penalties for HIPAA Violation • Civil • $100 per rule violation, up to $25,000 for identical violations in one calendar year • Only 2 Exceptions (do not apply) • Did not know violated HIPAA rule • Failure to comply with rule not due to willful negligence, and corrected within 30 days
Penalties for HIPAA Violation • Criminal • Knowingly and in violation of HIPAA rules uses or causes to be used unique health identifiers, and/or obtains or discloses PHI relating to an individual • $50,000 fine and/or up to 1 year imprisonment
Penalties for HIPAA Violation • Criminal • $10,000 fine and/or up to 5 years imprisonment if PHI is obtained under false pretenses • $250,000 fine and/or up to 10 years imprisonment if intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm • AUHSOP Honor Code Violation
Summary • You will have access to PHI every day • Access only PHI necessary to complete the task at hand • Make every effort to avoid incidental disclosure of PHI • If unsure about a request for PHI, do not disclose and contact Privacy Officer • Treat PHI as if it is your own