Management Consultation

Pharmacy implications of the HIPAA Breach Notification Rule

You are the director of pharmacy at a small, busy community hospital. You do not have a 24-hour pharmacy service and, to accommodate increased prescription volumes and the recent implementation of computerized prescriber order entry, you have engaged the services of a remote order-verification service (“the Service”) to cover the time that the department is closed. The Service has generally been performing well until today, when it informed you that it had inadvertently faxed an intervention note concerning a contraindicated medication order to an incorrect fax number. Your investigation determines that the fax was delivered to the wrong nursing unit at your hospital, was viewed by the staff, and was forwarded to the nursing supervisor, who ultimately phoned the correct unit and, after some delay, delivered the document as originally intended. During investigation of the matter, you are considering your next steps. What are the respective responsibilities of your hospital and the Service under the HIPAA Breach Notification Rule?

Background. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), intended to simplify administrative processes in health care and reform the insurance market, contained provisions securing the privacy rights of patients and gave legal structure to the ethical responsibility of health care professionals to maintain confidentiality.1 The law, administered by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS), established health information privacy standards that took effect in April 2003; rules for ensuring the security of health information were implemented in April 2005. Among other things, HIPAA requires health care providers to render annual training to employees, issue a notice of privacy practices to each patient, and address privacy responsibilities in agreements with business associates and contractors.

In 2009, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act.2 As is typical with congressional legislation, the provisions of the HITECH Act were not self-implementing and required OCR to formally create and publish regulations to implement the law. After much deliberation and issuance of a set of interim regulations, the final HITECH Act regulations were published by OCR in early 2013.3 The final regulations are encompassed in what has come to be called the Omnibus Rule (“the Rule”), which amends privacy, security, enforcement, and breach notification requirements promulgated under HIPAA. The Rule became effective on March 26, 2013; covered entities (such as hospitals and pharmacies) and business associates (such as remote order-verification services) were required to come into compliance with most of the Rule’s provisions before September 23, 2013.

The Rule made many important changes to HIPAA requirements, one of the most significant being that business associates and their subcontractors are now directly liable for HIPAA violations. In addition, covered entities may be held liable for violations resulting from the activities of business associates acting on their behalf. This is a significant change from the previous standards, which protected the covered entity from liability for breaches by business associates of which it was not aware. Under the Rule, a business associate may also be held liable for the violations of its subcontractors.

The Rule also revises the analysis that a covered entity must conduct after an instance of impermissible use or disclosure of protected health information (PHI). If the covered entity determines that a security breach has occurred, it must notify all affected individuals, HHS, and, where applicable, the media. A business associate or subcontractor must also notify the covered entity or business associate, as applicable, when it learns of a potential security breach. The Rule provides for a “rebuttable presumption” of breach; that is, entities must assume that notification is necessary unless an investigation proves otherwise. This new breach notification analysis replaces the former, more subjective analysis of whether the use or disclosure caused a “significant risk of financial, reputational, or other harm.” This means that any impermissible use or disclosure of PHI is considered a breach unless the covered entity determines that there is a low probability that PHI has been compromised after applying a four-factor test assessing

• The nature and extent of the PHI involved in the incident (e.g., whether the information is sensitive information like Social Security numbers or infectious-disease test results),
• The recipient of the PHI (e.g., whether another physician received the PHI),
• Whether the PHI was actually acquired or viewed, and
• The extent to which the risk has been mitigated after unauthorized disclosure (e.g., whether the PHI was immediately sequestered and destroyed).

Assessment. In a breach situation such as that described at the beginning of this article, you want to avoid having to provide notification to HHS and to the individual subjected to the wrongful disclosure, but you need to ensure that you are in compliance with HIPAA—in particular, the breach notification requirements. Applying the four-factor test introduced by the Omnibus Rule, you note that the inadvertently disclosed medication order form probably includes the individual’s name and other personally identifiable information, but it does not include sensitive information such as a Social Security number or infectious-disease test results. The document changed hands and was viewed several times before it made its way back to the appropriate nursing supervisor. However, the recipient(s) of the PHI were other hospital staff internal to the organization, and there was nothing to suggest that the document was viewed by individuals outside of the hospital. The potential exposure was minimized, particularly because the document was forwarded to the correct individual in an expedient manner. Therefore, PHI was not compromised, and the unauthorized disclosure was not a reportable breach. Under these circumstances, it is unnecessary to disclose to the patient, HHS, or the media this inadvertent disclosure of PHI because such disclosure is most likely not considered a breach.

Discussion. Slightly altering the facts of the scenario discussed above would lead to a different conclusion. If the intervention document was faxed to a location that could not be determined, you would not know who the recipients were and whether and to what extent the PHI was actually acquired or viewed, and you would have little or no opportunity to mitigate unauthorized disclosures. Likewise, it would be problematic if the intervention was faxed to another client hospital of the Service. Under the four-factor test, you would have the responsibility to disclose under either of those circumstances. Moreover, while the Service would not be required to provide notification of such breaches (though it would be required to notify you immediately on learning of the disclosures), the Service may have direct liability under the new Rule, in addition to the hospital’s liability. It would therefore be essential for both your hospital and the Service to adjust policies and practices, revise business associate agreements, and receive appropriate training with respect to the new requirements promulgated by the Rule.

References

1. Health Insurance Portability and Accountability Act of 1996. Pub. Law 104–191. www.cms.hhs.gov/HIPAAGenInfo/Downloads/HIPAALaw.pdf (accessed 2014 May 7).
2. Health Information Technology for Economic and Clinical Health Act. Title XIII of the American Recovery and Reinvestment Act of 2009. Pub. Law 111–5.
3. Office for Civil Rights, Department of Health and Human Services. Modifications to the HIPAA privacy, security, enforcement, and breach notification rules under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; other modifications to the HIPAA rules (January 25, 2013). www.gpo.gov/fdsys/pkg/FR-2013-01-25/pdf/2013-01073.pdf (accessed 2014 May 7).

The Management Consultation column gives readers an opportunity to obtain advice on common management problems from pharmacists practicing in health systems. The assistance of ASHP’s Section of Pharmacy Practice Managers and its Advisory Group on Manager Development in soliciting Management Consultation submissions is acknowledged. Unsolicited submissions are also welcome. Readers are invited to submit topics for this column to [email protected] or ASHP c/o David Chen, Director, Pharmacy Practice Sections, 7272 Wisconsin Avenue, Bethesda, MD 20814 ([email protected]).

Am J Health-Syst Pharm—Vol 71 Aug 15, 2014

Karl G. Williams, B.Pharm., LL.M., J.D., Associate Professor
Department of Pharmacy Practice and Administration
Wegmans School of Pharmacy
St. John Fisher College
Rochester, NY
[email protected]

Kimberly J. Gold, J.D., Attorney
Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.
New York, NY

The authors have declared no potential conflicts of interest.

DOI 10.2146/ajhp130598

Copyright of American Journal of Health-System Pharmacy is the property of American Society of Health System Pharmacists and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.
