Despite your best efforts at compliance, your pharmacy might be violating the Health Insurance Portability & Accountability Act (HIPAA). And you might not even know it.
You’ve likely either partnered with a company that provides compliance support for pharmacies or spent hours carefully crafting policies to minimize your risk of a HIPAA violation. After that work, your biggest—and most costly—liability is violating the regulation in a way you didn’t even know was possible.
Here are some examples of HIPAA violations that others have unknowingly committed. Take a look and learn from their mistakes so that you can protect your pharmacy.
1. Employers can be liable for their employees’ violations, despite proper policies
Recently, Walgreens was fined $1.4 million after a pharmacist in Indiana violated HIPAA regulations by reviewing the prescription health records of a woman who previously dated her husband. Despite the company’s strict privacy policies, and the employee admitting she knowingly violated her employer’s rules, the company was still fined. While the decision is currently under appeal, the Indy Star reported that it is significant because it’s the first time a health care provider is being held liable for a HIPAA violation committed by an employee.
2. Your trash can get you into trouble
In 2009, CVS Pharmacy, now known as CVS Health, was fined $2.25 million after local media discovered that the pharmacy’s trash violated HIPAA regulations. A reporter revealed that the pharmacy’s employees were disposing of old prescription drug bottles with labels containing protected health information still intact. The bottles included patient and pharmacy order information, and they were found in unsecured dumpsters. The pharmacy agreed to pay the fine and also implemented a detailed Corrective Action Plan to ensure that it properly disposed of protected health information in the future.
3. Your digital data is compromised
In one New York hospital, a security breach made it possible for some patients’ health information to be found through a simple search on the Internet. The hospital’s firewall was deactivated, which allowed anyone to view the private health information of deceased patients. In a settlement with the Department of Health and Human Services (HHS), the hospital paid a $4.8 million fine. As cloud storage and digital data storage become more common, the opportunity for your data to be accidentally compromised by an uploading error or unsecured connection is greater than ever.
4. Design flaws can result in privacy concerns
A study conducted by Change to Win Retail Initiatives found that the layout of some Walgreens pharmacies was contributing to possible HIPAA violations. Walgreens implemented “Well Experience,” a new model that moved the pharmacist’s desk in front of the counter in hopes of making pharmacists more accessible. In 80 percent of locations that adopted this model, the study found patient information, like personal medical histories, easily visible to customers. And in nearly half of the stores visited, prescription medication was left unattended within reach of customers.
5. Mishandling files can lead to fines
One health care office was fined for a HIPAA violation due to its filing system. The office had placed large red stickers with the word “AIDS” on the outside of patients’ files. The labels were not only visible to the office staff, but also to all the other patients in the waiting room. Another company was fined after CBS News discovered copies of patients’ medical files in the memory of a copy machine. The company had leased the copier and returned it without erasing its memory. The company agreed to pay $1,215,780 in a settlement with HHS.