While walking through the hospital the other day, I overheard two employees talking about a “problem patient.” Even though no patient name or location was mentioned in the conversation, the employees did discuss some of the patient’s history. After gently but firmly reminding the employees that this type of conversation was not appropriate for hallway talk, it made me think of HIPAA, patient privacy, and protected health information.
Several years ago, the mere mention of the term HIPAA led to insomnia as pharmacists tried to determine how to comply with the law’s rules and regulations. Today, HIPAA is incorporated into how we practice pharmacy. But are we really doing what we should? Should there be insomnia about HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, was enacted in 1996. The first section of the act protected health insurance coverage for workers and their families when changing or losing a job. The second section required the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. Also part of the second section were provisions on the security and privacy of health data.
Many changes have occurred in pharmacy practice since 1996. Electronic health records are commonplace in hospitals or health systems. We have access to more information about our patients than ever before. In many hospitals, not only can we review the medical records of hospitalized patients, we can also review the medical records from their physician’s practice. This information is very beneficial to critical clinical decisions and will become increasingly useful for continuity of care. But are we adequately guarding that protected health information?
Hospitals typically provide training on HIPAA as part of new employee orientation and on an ongoing basis. From a pharmacist’s perspective, patient information is necessary to provide care—but what about the other people working in the pharmacy? Depending on their role, that information may be necessary as well. For example, if a pharmacy technician is involved in gathering medications as part of medication reconciliation, then it may be very important for that individual to have access to a patient’s outpatient record. However, if the pharmacy technician is responsible for preparing an inpatient’s I.V. medications, do they need access to outpatient records?
Access can be limited, but managers and department directors must keep close tabs on who has what access. Over time, people, jobs, and functions can change, and it is important to make sure that access changes as well. All employees must also remember that even if they need protected health information to do their job, it isn’t to be shared with those who do not. Hallway conversations are simply not allowed.
HIPAA is not new, but there are frequently new provisions or changes to the act, and its penalties and sanctions continue to evolve. No one wants to experience insomnia worrying about a potential HIPAA violation, and some simple steps can keep that from occurring. Conducting patient privacy checks may help you monitor what’s happening in the pharmacy and identify any potential issues. Review pharmacy staff members’ electronic access and ensure that it’s appropriate. Last, provide pharmacy-specific education for all staff, but especially for new employees, to reinforce the importance of patient privacy.