So what do the new regulations mean?
In essence, you need strict controls to protect patients' privacy. Patients themselves now can control who sees their PHI, and they must be given access to their own files. Health professionals will still be given access to PHI in regard to specific patients for particular allowable reasons. Privacy requirements remain unchanged for anything allowed under the privacy rule.
Under the old rules you only had to report a breach if it represented a significant threat to those affected. Now, however, the Department of Health and Human Services has to be notified if any breach happens. Again, disclosures that are allowed under the privacy rule are still acceptable. Business associates and subcontractors will need to have privacy agreements in place – updated on a regular basis – and they must also agree to abide by the HIPAA security rules as established in September 2013.
In essence, you will need to redesign your pharmacy with your patients' privacy in mind. Because you must report every security breach, your reputation may suffer if you don't put the proper safeguards in place.
Physical safeguards specific to pharmacy construction and remodeling include:
When patients' PHI is accessed on portable devices like tablets and laptops, those devices must be securely locked away when not in use. Any new pharmacy construction or design should include fixtures or shelving that secure. Locking cabinets placed behind the counter, for example, will protect PHI from unauthorized access.
Any new pharmacy construction or design should place workstations centrally so that they can be carefully monitored at all times, thus discouraging protocol missteps that could cause a personal health information breach.
Part of this monitoring will include new protocols that specify how workstations can be used. The workstations should be set up so that it is impossible to remove PHI electronic media, hardware, storage devices, or any other devices used for access. If such devices are to be moved, implement policies that specify how these devices can be moved, reused again, or replaced/eliminated. Establish an audit trail for any equipment that is recycled, used, or moved to another building or facility. All of this is to make sure that patients health information is protected and not accessed by anyone without authorization.
If your pharmacy doesn't already have one, any remodeling or new pharmacy construction should include a privacy wall that separates prescription filling and other work areas from the pharmacy floor and customer areas. A wall helps prevent prescription errors because it eliminates unnecessary distractions, but it's also essential to prevent the accidental "sharing" of PHI. Patients and customers will not be able to overhear any sensitive information not meant for them, and you can conduct business secure in the knowledge that you are not violating HIPAA regulations.
September 2013's new HIPAA regulations seek to protect your patients' privacy by requiring you to stringently protect patients' privacy, particularly their PHI. Any pharmacy construction or remodel must be done with these regulations in mind.