HIPAA, the government regulation that brought us the privacy rule last year, is back with a sequel--the security rule. Last April, the privacy rule caused much hoopla and paperwork for health care professionals everywhere, all in an effort to secure patients' personally identifiable health information. Did it really do anything other than cost us a lot of time in developing policies, procedures and forms? Does it really help control protected information better than health care providers have always done? In most cases, the regulation seems to enforce practices already in place but not formally written out by pharmacists throughout the country. We were already following the spirit of the law, so to speak. Perhaps all the HIPAA (Health Insurance Portability and Accountability Act) privacy rule did was create another 'paper giant' that the pharmacy industry will be dealing with for the foreseeable future.
[ILLUSTRATION OMITTED]
Now, here we go again as we must prepare for the HIPAA security rule that takes effect on April 20. So, what does this mean for your pharmacy? A primary focus of the security rule falls on pharmacy operations, which now must insure the security of electronic transmissions and data. The security rule specifically mandates that the pharmacy control the 'availability, confidentiality and integrity of protected health information' in its possession. This may sound simple, but it isn't if retailers don't first understand how their computer systems work, where electronic files are stored and what information is being electronically sent off the pharmacy's premises and to whom. Determining this information can be a daunting task.
Even though April 20 seems like a long way off, the amount of time it will take to implement the security rule means the sooner you start, the better. Implementation of the security rule is potentially more complex and time-consuming than the privacy rule, and a lot will depend on how your pharmacy's information technology structure is set up.
Although your pharmacy systems provider can certainly assist, depending solely upon the provider would be a huge mistake because there are many facets of the rule that the provider will have no reason to address, thus leaving you vulnerable to fines and liability.
Retailers operating pharmacies need to start by identifying the pharmacy's computer hardware, electronic media, software and network connections that electronically store or transmit protected health information. Although fairly easy to accomplish, it can be time-consuming since each has to be identified and then inventoried. Then the security officer must analyze each portion for threats and vulnerabilities, and have a backup emergency plan prepared and ready for implementation on April 20.
The preamble to the security rule references the National Institute of Standards and Technology, or NIST, Special Publication 800-30, Risk Management Guide for IT Systems. This guide, although not mandatory, offers a nine-step process to lead health care professionals through the process of conducting a risk analysis in order to identify all threats and vulnerabilities to the pharmacy, including natural, man-made and environmental. Using the NIST Special Publication 800-30 you will:
* IDENTIFY AND GATHER INFORMATION ON YOUR COMPUTER SYSTEMS.
* ANALYZE FOR ANY AND ALL POTENTIAL THREATS TO THE PHARMACY.
* DETERMINE THE VULNERABILITIES THAT COULD ARISE FROM THESE THREATS.
* DETERMINE WHETHER THE CONTROL MEASURES CURRENTLY IN PLACE ARE ADEQUATE OR IF ADDITIONAL ONES MIGHT BE NEEDED.
* DETERMINE THE LIKELIHOOD OF THE VULNERABILITY OCCURRING AND WHAT ACTIONS SHOULD TAKE PLACE IF IT DOES.
* IMPLEMENT POLICIES AND PROCEDURES OR TECHNOLOGY TO REDUCE THE RISKS FROM ANY VULNERABILITY.
Then all you need to do is compile all of this data in one document, which then becomes the risk management plan. Sounds simple, right? It can be, maybe. But that depends on the level of knowledge you possess about how your computer system actually works.
The best way to begin preparing for the security rule is to start early. Inventories of hardware and software can be done at any time. Your IT staff, which most likely is just you, your pharmacy computer company, switching company and/or Internet provider, can assist you in mapping out how the electronic process flows through your computer system. Once compiled, this information is presented to the security officer so he or she can incorporate it into the risk analysis. Not as complicated as it sounds, but nonetheless very time-consuming.
In developing the risk analysis, how do you determine what the threats are and which vulnerabilities really could be issues for your pharmacy? A threat would be any potential action that can be environmental, human or natural, triggered accidentally or intentionally, which exploits a vulnerability to harm the physical or electronic operation of the pharmacy. In simple terms, earthquakes, fires, floods, robberies, thefts and any other disasters fit the definition. Once you determine who and what can harm your pharmacy, you can prepare a threat statement upon which you will be able to build the information required to complete the risk analysis. The goal is to identify any potential problems or risks and either eliminate them or mitigate them to an acceptable level.
After the risk analysis is completed, the next document that must be
prepared is the contingency plan. This actually contains three separate plans: the data backup plan, the disaster recovery plan and the emergency mode operation plan. The contingency plan is quite simply your information insurance plan. The basic requirement is to ensure the pharmacy's protected health information and operational information are secure and available after a disaster strikes.
The process starts with the pharmacy's computer backup system. You would be surprised how many pharmacies keep their backup tapes beside or near the pharmacy computer. If there were a fire, you would literally lose your pharmacy, your pharmacy computer and all your records. The data backup plan requires that you establish a procedure to complete a successful backup daily and to secure that backup in a safe location.
The disaster recovery portion of the contingency plan requires the pharmacy to identify all business contacts related to the electronic and physical control and access to the pharmacy. This plan should be written as if the pharmacy owner or manager is not present after the disaster. It should be viewed as the pharmacy owner's written instructions to the employees on how to conduct and/or recover business operations if the unthinkable occurs.
The security rule requires the pharmacy to practice this plan annually. The exercise should involve all key pharmacy employees in order to seek their ideas and input. After conducting an exercise, determine whether the plans are viable. As with all plans, they are only as good as the information in them.
Training is the final and most important step of the security rule. All employees and business associates, when applicable, must be trained to the level of exposure they have to the protected health information. The training validates and completes the effectiveness of employees' ability to comply with the pharmacy's operational policies and procedures.
Retailers must remember that April 20 is fast approaching, and their pharmacy team will need to start working on meeting this deadline very soon. At a minimum, being in compliance will require the designation of a security officer, additional security policies and procedures to be established, the establishment and completion of a risk analysis and the development of a contingency plan. Training of all employees will be the last piece necessary to ensure everyone involved with protected health information understands what to do, when to do it and where to go when a question is asked.
RELATED ARTICLE: PHARMACISTS RATE SCRIPTPRO TOPS
ScriptPro has received the top ranking in the industry for pharmacy automation, according to the WilsonRx Pharmacist Satisfaction Survey. The Mission, Kan.-based company, which has developed advanced robotic prescription dispensing and workflow systems, was voted tops in 23 categories on a survey that ranks satisfaction with pharmacy automation systems by pharmacy owners, managers and chains.
According to Jim Wilson, president of Wilson Health Information, a pharmacy satisfaction research firm, 'ScriptPro customers are most likely to report that their expectations were met for a number of key areas, including freeing up time for pharmacy staff, being able to provide more cognitive services and counseling, spending more time servicing customers, increasing customer satisfaction, improving the quality of life of the pharmacy owner or manager, handling increased volume without adding staff, inventory management and overall value. ScriptPro customers most often intend to repurchase and recommend the system to others.'
'We are extremely honored to be recognized by the pharmacy industry as the No. 1 pharmacy automation company,' says Mike Coughlin, president and CEO of ScriptPro. 'It affirms our dedication to producing technology that advances the pharmacy industry.'
ScriptPro installed its first robotic dispensing system, the SP 200, in 1997 and is the only company to develop, produce and support a full-line automation and management system for retail pharmacy.
[ILLUSTRATION OMITTED]
The survey was fielded among 1, 112 pharmacy owners, managers and chain executives. The 456 respondents represent independent and mail/online pharmacies, as well as those run by government; large, medium and small chains; hospitals; clinics; military treatment facilities; mass merchants and food stores. About 78% of the respondents make recommendations or final decisions in the purchase of pharmacy automation systems.
RELATED ARTICLE: AUTOMED PACKAGE STRESSES SAFETY, EFFICIENCY
AutoMed, the pharmacy automation division of AmerisourceBergen, has combined three of its systems into a single configuration aimed at helping pharmacies operate more safely and efficiently, especially in smaller stores.
The Efficiency Pharmacy 3005 brings together AutoMed's Efficiency Pharmacy R400W prescription fulfillment system, the Efficiency WorkPath complete dispensing workflow management software, and the FastFind Universal storage and retrieval system. It automates 100% of a pharmacy's orders, fits into an operational space of 300 square feet and can be staffed by one pharmacist and two technicians per shift.
The R400, which takes less than 10 feet of counter space, automates the top-moving 100 oral solids in the pharmacy, speeds the prescription fulfillment process and improves accuracy. The system automatically counts, sorts and fills, reducing the risk of errors and freeing time to spend with patients.
AutoMed has placed the Efficiency Pharmacy 300S configuration in Edina, Minn.-based PrairieStone pharmacy. The small pharmacies situated inside Byerly's and Lund's grocery stores are capable of volumes of more than 400 scripts per day without adding staff or increasing wait times.
'Over the years, AutoMed has designed configurations to meet the needs of pharmacies handling volumes as small as 50 prescriptions a day to pharmacies filling thousands through central fill or mail order,' says Mike Luttrell, director of retail marketing. 'Pharmacies don't always need an expensive, huge robotic dispensing system. That's not always the answer. What's needed is a range of solutions that gives individual pharmacy operators a menu of choices that they can put together to fit their particular situation. This way they can create a system that is cost-effective, one that not only meets current needs but also can be adapted as the pharmacy matures and its volume grows.'
[ILLUSTRATION OMITTED]
Company officials say the most important facet of the 300S is its ability to protect the customer, because it prevents errors when filling a prescription. 'This is a significant accomplishment, especially since the national average for making a medication error during the filling process is 3%,' says Luttrell. 'Eliminating errors is what every pharmacy strives for, so when pharmacists turn to technology, they're thinking beyond just counting. They're thinking about safety and efficiency.'
Harry A. Lattanzio, R.Ph., is president of PRS Pharmacy Services, based in Latrobe, Pa. He can be reached at (800) 338-3688.
