In January, the Department of Health and Human Services (HHS) published the updated Health Insurance Portability and Accountability Act (HIPAA) Rule, commonly known as the HIPAA Omnibus Final Rule. The update was needed to strengthen privacy and security protections, increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements.1 There are a number of changes that impact pharmacy operations, forms, policies and procedures. Covered entities and their business associates generally must comply with the new rules by September 23, 2013, unless otherwise specified.
Why This Is Important
It is important to be aware that HIPAA affects pharmacists and pharmacies in multiple ways, and that those ways can change over time. The new Final Rule significantly affects many areas of HIPAA-related activities, including the topics highlighted below:
Protected Health Information (PHI): The analysis of whether a reportable breach of PHI has occurred was amended. The updated rule now generally requires a risk assessment to be conducted to look at potential or actual PHI breaches. Additional changes that impact PHI include, but are not limited to, electronic PHI access, patient designees to receive their PHI, decedent PHI disclosures, new patient rights to “request restrictions on the uses and disclosures” of PHI, information for marketing purposes, and more clarity around situations that require “individual authorization” to use their PHI. Pharmacies should review and update their policies and procedures accordingly to be in compliance with the new rule, including, but not limited to, incorporating these changes in the pharmacy Notice of Privacy Practices (NPP) and Business Associate Agreements (BAAs) as appropriate.
Clarifies the Definition of Marketing: Other uses of PHI beyond treatment, payment or health care operations generally require a separate signed patient authorization. The Final Rule specifically addresses pharmacy communications that can be characterized as marketing and the extent to which those involve “financial remuneration,” not just direct payments. Pharmacies should review their operations and update them accordingly to be in compliance with the new rule, including, but not limited to, where there is some financial remuneration associated with using PHI in pharmacy communications.
Business Associate Agreements (BAAs): Any existing BAAs need to be evaluated, and then replaced if necessary to comply with the new rules. The definition and scope of a Business Associate were expanded, so new BAAs may also be necessary. For example, a “subcontractor that creates, receives, maintains, or transmits” PHI on behalf of the BA is also now considered a Business Associate.
Penalties and Enforcement: Penalties were significantly increased in the new rule and enforcement is being stepped up; audits were previously complaint driven but will now be proactive. HHS has made audit protocols available as a resource.
Suggested Next Steps
Carefully review the HIPAA Omnibus Final Rule and study additional resources. Ensure that you and your staff are familiar with the changes.
Work with your personal attorney or other consultant(s) as necessary to review and update your Notice of Privacy Practices, HIPAA-related policies and procedures, forms, Business Associate Agreements and other documents as needed to comply with the new Final Rule.
Consider updating your HIPAA training for all employees and contractors/subcontractors with access to PHI based on the new rule.
Additional Tools for Health Mart Customers
As you are aware, a version of this article appeared in the Health Mart Weekly with the following instructions:
Visit the Health Mart Regulatory Reference Manual and review the updated Health Information Privacy page, which includes a link to the complete HIPAA Omnibus Final Rule and additional resources.
Take a training course at Health Mart University – offered free of charge to Health Mart franchisees – that covers the changes required by September.
Go to McKesson Connect > Tools Box > Health Mart University > Catalog Tab > HIPAA, HITECH, the Omnibus Rule and the Pharmacy Practice (Specialized).
Regularly follow the articles published at SmartRetailingRx to receive updated information about the HIPAA changes.
Where to Go for Help
Questions? Contact your MPS&A Account Manager or email [email protected]. Health Mart customers can e-mail [email protected].
1. Department of Health and Human Services. 45 CFR Parts 160 and 164. “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules”. 78 Federal Register 17 (January 25, 2013). http://www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf. Accessed April 22, 2013.
The materials provided are for informational purposes only and do not constitute legal advice. You are solely responsible for investigating and complying with all applicable laws, rules and regulations that govern the operation of your business. If you need legal advice, contact your attorney.
New HIPAA rule has impact on pharmacies and their business associates