Overview
HIPAA - Health Insurance Portability and Accountability Act. Enacted in 1996 by Congress. The regulations were created by the U.S. Dept of Health and Human Services (HHS) and will be enforced by the Office of Civil Rights (OCR) within the Dept. of Health and Human Services (HHS).

The primary purpose of the Act is to allow people to maintain insurance coverage when switching employers. The Act has 3 main components - Code Set, Privacy and Security. Code set is NCPDP 5.1 and is due to go into effect October 16, 2003. Privacy is the section that addresses the privacy of patient information between health care providers and their business associates and goes into effect on April 14 2003. Security addresses the accessibility of information on computer systems and is due to go into effect in April 2004.

HIPPA Security Requirements

NOTE #1: In order for each pharmacy to understand the HIPAA regulations in detail and prepare their responses, VIP recommends that stores contract to receive the $195 HIPAA book from NCPA at www.ncpanet.org/store or the $522 Security combo package from NCAP at www.ncpharmacist.com.

NOTE #2: All “Required” standards are to be directly addressed in the Pharmacy's HIPAA processes and procedures. Those standards that are “Addressable” are those that have been determined to be optional based on the individual covered entity. If a pharmacy chooses not to address one of these standards, you must document why it does not apply, why it is too much of a hardship, etc.

DISCLAIMER: This document is provided for informational purposes only and in abbreviated fashion. It should in no way be construed as complete or accurate. VIP makes no statement and accepts no responsibility to its completeness or accuracy. This is the sole responsibility of each pharmacy.

ADMINSTRATIVE

Standard - Security Management Process

• Risk Analysis (required) – assessment of potential risks and vulnerabilities of access to PHI
• Risk Management (required) – implement measures to eliminate or minimize the risks
• Sanctions (required) – sanctions for employees not in compliance
• Information Systems Reviews (required) – procedures to review systems activities such as audit logs, incident reports, access reports (not just for the computer system)

  VIP – First, there are Linux system files that we can help you review but you will need to call us for assistance. There is also a VIP audit file to track invalid login/password attempts that you will be able to view. This invalid login attempt audit log will be accessible through the system administration screens by the system administrator only.

• Assigned security responsibility – assign to someone.

Standard – Workforce Security

• Authorization and/or Supervision (addressable) – procedures to authorize and/or supervise people with access to PHI

  VIP – will provide a mechanism for the pharmacy system administrator to assign user id's and passwords as well as set security levels for each individual user.

• Clearance Procedure (addressable) – make sure procedures to access PHI by employees are appropriate
• Termination Procedures (addressable) – removing access to PHI when employment ends.

  VIP – the same mechanism used to assign user id's and passwords can be used to remove the user from the access list.

Standard – Information Access Management

• Isolate health care clearinghouse functions (required) – protect the PHI from the other parts of the (large) organization
• Access Authorization (addressable) – policies & procedures to provide access to PHI (i.e. Computer, programs, process, etc.)

  VIP – will provide a mechanism for the pharmacy system administrator to assign a user id and password for each individual user to gain access to the VIP system.

• Establish, modify & manage access (addressable) – for those Access Authorizations identified above, establish, document, modify and manage that access.

Standard – Security Awareness and Training

• Security reminders (addressable) – provide periodic updates
• Protection from malicious software (addressable) – procedures for protecting, identifying and reporting of malicious software.
  

  VIP – The VIP software runs on the Linux operating system which is more stable and more secure than the Microsoft Windows operating system. We have turned-off many optional services on the Linux server to minimize or prevent unauthorized access. In addition, we don't recommend pharmacy's use the VIP machine for anything other than pharmacy. There are operating system files that we can help you review to determine if your system has been compromised.

• Login monitoring (addressable) – procedures to monitor and report invalid login attempts or discrepancies.

  VIP – First, there are Linux system files that we can help you review but you will need to call us for assistance. There is also a VIP audit file to track invalid login/password attempts that you will be able to view. This invalid login attempt audit log will be accessible through the system administration screens by the system administrator only.

• Password Management (addressable) – procedures for creating, modifying and protecting passwords.

  VIP – will provide a mechanism for the pharmacy system administrator to assign a user id and password for each individual user to gain access to the VIP system.

Standard – Security Incident Reports

• Response (required) - procedures to document, report and mitigate suspected or known incidents

Standard – Contingency Plan

• Data backup plan (required) – implement steps to create & maintain retrievable and recoverable exact copies of PHI.

  VIP – VIP's backup and restore programs enable you to restore your system to its last stable state – typically at the time of your last daily backup. The pharmacy should document how to do a monthly/daily backups, and what is done with the monthly/daily backup media (where is it stored).

• Disaster recovery plan (required) – implement steps to restore loss of data.

  VIP – Similar as Data Backup Plan above, however this focuses on how to get your Pharmacy and pharmacy system up and running again after a disaster. The pharmacy needs to document how to perform a recovery. This should cover PHI stored in the computer as well as PHI stored other ways (file cabinets, etc.).
  In the event of a complete disaster, VIP can have a system to you within 1 working day. The pharmacy would then need to reload the last monthly, then the last daily and finally rebuild the files.

• Emergency operation plan (required) – implement steps to continue critical business operations & protection of PHI when operating during an emergency period.

  VIP- Pharmacy needs to document how staff should respond & perform to an emergency/disaster situation. This should also apply to non-disaster, but difficult, situations such as (1) all electrical power is lost and you still need to get access to and protect PHI (2) the computer is down and not working, etc.

• Testing and revision plan (addressable) – implement steps to periodically test and revise the contingency plans.
• Applications and data criticality analysis (addressable) – assess the criticality of applications and data to support the contingency plans.

  VIP – All of the pharmacy's data in the VIP system should be deemed most critical.

Standard – Business Associate Contracts and Other Arrangements

• Get Business Associate agreements in place (required)

PHYSICAL SAFEGUARDS

Standard – Facility Access Controls

• Contingency Operations (addressable) – implement steps to support your emergency operations and disaster recovery plans.
• Facility security plan (addressable) – implement steps to protect facility and equipment from unauthorized access
• Access control & validation procedures (addressable) – implement steps to validate a person's access to facilities and equipment based on their role or function – including visitors.
• Maintenance records (addressable) – implement steps to record repairs and modifications to physical components associated with security.

Standard – Workstation Use

• Implement steps that specify functions of use, manner in which they are to be performed, physical surroundings of those stations.

Standard – Workstation Security

• Implement steps that restrict access to electronic PHI

  VIP – will provide a mechanism for the pharmacy system administrator to assign a user id and password for each individual user to gain access to the VIP system.

Standard – Device & Media Controls

• Disposal (required) – implement steps to address the final disposal of hardware and media in regards to PHI.

  VIP – To dispose of computers, be sure to remove the hard drive and either dip it in acid or drill 4-5 holes in it. Same with the media – either dip in acid or break them into little parts.

• Re-use (required) – implement steps to remove PHI when re-using media or hardware.

  VIP – only use PHI media with PHI systems (e.g. Don't use a backup tape from pharmacy to do a backup on your home PC.)

• Accountability (addressable) – maintain records of the movement & responsibility of hardware & electronic media.
• Data backup & storage (addressable) – implement steps to retrieve an exact copy, if needed, of electronic PHI before movement of media or hardware

  VIP – For these steps, see the description under the Data Backup Plan and Disaster Recovery Plan.

TECHNICAL SAFEGUARDS

Standard – Access Control

• Unique user identification (required) - Assign a unique id & password for identifying & tracking.

  VIP – will require unique IDs and passwords to gain initial entry into the VIP Pharmacy Management System. Each ID will have a security level assigned in order to restrict access to system functionality.

• Emergency Access Procedure (required) – Establish (and implement) procedures for getting to necessary electronic PHI during an emergency.

  VIP – For these steps, see the description under the Data Backup Plan and Disaster Recovery Plan. VIP interprets this to mean steps staff should follow when an emergency (hospital, life and death, etc.) or a disaster (hurricane, no electricity, etc.) situation arises.

• Automatic Logoff (addressable/optional) – terminate an electronic session after a predetermined time of inactivity.

  VIP – will provide a pharmacy controlled (amount of time) time-out mechanism that will log-out a user after a pre-set amount of time.

• Encryption & Decryption (addressable) – to encrypt & decrypt electronic PHI

  VIP – much of the data stored in VIP is in a format that can not be read without tools to interpret the files. This includes PHI data. All claims data that is transmitted over the internet is encrypted.

Standard - Audit Controls

• Hardware/Software/Procedural (required) – mechanisms that record & examine activity in systems that contain or use PHI

  VIP – already provides tracking and viewing of activity performed on the system. This is done using transaction & prescription records. Reports are available to show when pricing and other certain information is changed. There are also Linux system files that we can help you review but you will need to call us for assistance.

Standard - Integrity

• Authenticate Electronic PHI (addressable) – mechanisms to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner

  VIP – Since the Linux Operating System (that VIP uses) is one of the most secure Operating Systems, there are operating system mechanisms that indicate when unauthorized access and activity has been attempted or gained on a computer. We can help you review these but you will need to call us for assistance.

Standard – Person or Entity Authentication

• Procedures to verify that a person or entity seeking access to electronic PHI is the one claimed (required)

  VIP – interprets this to mean that pharmacies should document procedures for their staff to follow to verify a person is who they claim to be. This includes what to do if any of the following are seeking access to PHI - the Police, IRS, SBI, officer of the courts, family member, etc. Part of the procedures should be to request a picture ID to verify the identity of the person.

Standard – Transmission Security

• Integrity Controls (addressable) – security measures to ensure that electronically transmitted electronic PHI is not improperly modified without detection until disposed of

  VIP – incorporates a piece of software that uses public and private key encryption that is certified and monitored by Verisign to encrypt all claims information that is transmitted over the Internet for third party adjudication. Basically, this is the highest form of encryption that can be used outside of the military. For dial-up users, the VIP system dials a dedicated phone number to connect you directly to the switching company so there is no need for encryption/decryption at that point. The switching company maintains responsibility for data that is passed on to the 3rd parties.

• Encryption (addressable) – mechanisms to encrypt electronic PHI whenever deemed appropriate.

  VIP – much of the data stored in VIP is in a format that can not be read without tools to interpret the files. This includes PHI data. All claims data that is transmitted over the internet is encrypted. We are still unclear as to what “whenever deemed appropriate” means.

ORGANIZATIONAL REQUIREMENTS

Standard – Business Associate Contracts

• Update BA's to reflect security protections and incidents as needed (required)

Standard – Group Health Plans

POLICIES AND PROCEDURES AND DOCUMENTATION REQUIREMENTS

Standard – Policies and Procedures

• Implement reasonable & appropriate mechanisms to comply with the HIPAA standards. These policies and procedures can be changed at any time as long as they are reflected in the documentation.

Standard – Documentation

• Maintain policies & procedures in written form (which may be electronic). If any action or activity is required, maintain a written (which may be electronic) copy.
• Time limit (required) – retain for 6 years from the date of creation of the information or the date when it was last in effect, whichever is later.
• Availability (required) – make the documentation available to those with corresponding responsibilities.
• Updates (required) – review and update as needed due to internal changes or changes required for the protection of PHI

Getting More Information on HIPAA
www.access.gpo.gov/su_docs/aces/aces140.html
aspe.hhs.gov/admnsimp
www.cms.hhs.gov/hipaa
www.aspe.os.dhhs.gove/admnsimp
www.hipaadvisory.com/alert
www.wedi.org
snip.wedi.org
www.wpc-edi.com/hipaa
www.hhs.gov/news
www.hipaa-dsmo.org
www.nchica.org
www.healthlawyer.com
www.ahima.org
www.aha.org
www.ncvhs.hhs.gov

Products to Help Pharmacies with HIPAA
www.hipaadocs.com
www.prsrx.com