communities and health and social workers, as well as conducting robust investigations of violations of the HIPAA Privacy and Security Rules.

Covered entities are defined as (1) health plans, (2) health care clearinghouses, and (3) health care providers who electronically transmit any health information in connection with transactions for which the Department of Health and Human Services has adopted such standards. Individuals, organizations, and agencies that meet the definition of a “covered entity” pursuant to HIPAA must comply with the Rules’ requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. Pharmacies are considered to be covered entities and, as such, are obligated to comply with the HIPAA Privacy and Security Rule regulations.

Contractors, subcontractors, and other outside persons and companies who are not employees of the pharmacy, but who need access to protected health information (PHI) to provide services for the pharmacy, or who will potentially have the ability to gain access to PHI during the course of providing services, are referred to as “business associates.” Examples of business associates include:

• Billing companies that process claims to private insurance and federal payor programs;
• Companies that store or destroy pharmacy records;
• Lawyers and accountants;
• IT companies; and
• Marketing companies.

To properly protect PHI, the pharmacy should have a Business Associate Agreement (BAA) with all of its business associates. Business associates, in turn, must follow the use and disclosure provisions of the BAA, as well as the HIPAA Privacy and Security Rules.
HIPAA AUDITS

This past March, OCR announced the next phase of audits of covered entities and business associates. OCR is identifying pools of covered entities and business associates that represent a wide range of health care providers, including pharmacies, physicians, hospitals, health plans, health care clearinghouses, and business associates. The audits are anticipated to be conducted primarily by desk audit, an electronic process with no on-site visit by OCR. If your pharmacy is chosen for a desk audit, the requested information must be submitted electronically within 10 business days of the request. OCR will provide draft findings, and auditees will have 10 days to review and return written comments.

Pharmacies chosen for on-site audits will likewise receive an email notification. OCR will schedule an entrance conference to provide more information about the process, and on-site audits will be conducted over a 3-5 day period, depending upon the size of the operations. You will have 10 business days to review draft findings and provide written comments to the auditor. OCR will complete and provide a final audit report within 30 business days.

ENFORCEMENT LANDSCAPE

We believe OCR is focusing its efforts on business associates, as evidenced by enforcement activity in 2016. Business associates have been covered by HIPAA only since 2013; therefore, compliance with the HIPAA Priva

PHARMACY EDGE
7