HIPAA Breaches & Desk Audits
What is a breach?
- In simple words, the loss of patient protected health information, either printed or electronic.
How common are breaches within pharmacies?
- There are two types of pharmacies and pharmacy owners:
- The first are the ones who know they have had a breach
- The latter are the ones who have had a breach and don’t know about it
How can I have a breach and not know about it?
- Simple: has your pharmacy clerk ever given a patient another patient’s medication?
Can you give me examples of breaches?
- Pharmacy is robbed and the will-call bin is stolen
- Pharmacy is robbed and the server is stolen
- Staff pharmacist has a laptop stolen
- Delivery driver has their vehicle stolen which is full of prescriptions to be delivered
- Billing manager has a jump drive with patient files for billing to work at home and loses it on the bus
What do I do when a breach occurs?
- First, don’t panic
- Get the facts
- Complete a Potential Breach Evaluation and a Risk Assessment
- Determine whether the breach is reportable or non-reportable to HHS/OCR
- Document everything
What are OCR Desk Audits?
- Tested in 2016
- Launched on January 1, 2017
- Notification via U.S. Mail and Email
- Also conducting no-notice on-site inspections
What is the OCR asking for?
- Notice of Privacy Practices (date must be after 07/01/2013)
- Risk Analysis
- Risk Management Plan
- Disaster Recovery Plan/Contingency Plan
- Annual Privacy and Security Assessments
- Random Policies and Procedures
On-Site Inspections
- Same as above, but in person
- The first question goes to the person at your counter, normally your clerk:
- “Can I have a copy of your Notice of Privacy Practices?”
- They have to know the answer and provide the NOPP
Penalties for Non-compliance
- Fines up to 1.5 Million Dollars
Is there help available to pharmacies?
- Yes, but you get what you pay for
- You can buy a set of policies and procedures, but if you have a breach, especially a reportable breach:
- Will the consultant stay with you when you need them the most?
- Will they charge you extra?
- Will they provide the correct advice?
How do you know how to pick a consultant?
- Ask your peers
- Ask hard questions about how they have handled client breaches and inspections
- Do you get detailed answers from the consultant?
- Do you get referrals from multiple people?
CONTACT: Office: 724-357-8380
Website: www.rjhedges.com