HIPAA COMPLIANCE POLICIES AND PROCEDURES MANUAL Botica Del Sol 2331 Cesar E. Chavez Ave. Los Angeles, CA 90033 Phone: 323- 260-7531 Fax: 323-261-6782 Privacy Officer: Cyndie Lee Important Disclaimer This manual is not intended as legal advice. This information provided is to serve as sample ?Policies and Procedures Manual? for pharmacies to help in their compliance with HIPAA privacy rules. You may modify and or all of the included policies as they may relate to your unique pharmacy. The HIPAA privacy rules are complicated, subject to change and can be affected or superceded by state law. If you have any questions regarding HIPAA, contact an experienced privacy attorney to discuss legal advice regarding implementation of HIPAA requirements. NOTICE OF PRIVACY PRACTICES POLICY: It is the Pharmacy?s policy to provide patients with a HIPAA Notice of Privacy of Practices (?Notice?) upon their first receipt of items or services through the Pharmacy. In addition, the Pharmacy will post the Notice in a conspicuous location and will make the Notice available to all patients upon request. PURPOSE: The purpose of this policy is to explain: (I) the patient?s right to a Notice, (2) the relevant procedures the Pharmacy must follow when providing its Notice to patients and (3) the requirements for documentation of and revisions to the Pharmacy?s Notice. I. RIGHT TO A NOTICE OF PRIVACY PRACTICES A. Patient?s right to notice. Patients have the right to adequate notice of: 1. The uses and disclosures of PHI that the Pharmacy may make; 2. The patient?s rights with respect to PHI; and 3. The Pharmacy?s legal obligations regarding PHI. B. Basic notice requirements. This Notice must be written in plain language and contain specified elements. If a use or disclosure is prohibited by state law, the Notice?s description of such use or disclosure must reflect the more stringent state law. II. PROVISIONS OF THIS NOTICE TO PATIENTS A. General rules. The Pharmacy must follow these rules for providing a paper copy of the Notice to patients and the public in general. 1. The Pharmacy must make the Notice available upon request to any person, even if they are not current Pharmacy patients. 2. The Pharmacy must provide the Notice to the patient no later than the date that the Pharmacy first provides service to that patient, including service delivered electronically. In emergency treatment situations, the Notice will be provided as soon after the emergency as is reasonably practicable. The Pharmacy may send the Notice to all of its patients at once, give the notice to each patient as he or she comes into the Pharmacy or contracts the Pharmacy electronically, or by any combination of these approaches. 3. The Pharmacy must have the Notice available at the store for individuals to request to take with them. 4. The Pharmacy must post the Notice in a clear and prominent location in the store where patients will be able to read it. B. Electronic notice. The Pharmacy may be required to provide its Notice electronically under certain circumstances. 1. If the Pharmacy maintains a web site that provides information about the Pharmacy?s services or benefits, it must prominently post its Notice on the web site and make the Notice available electronically through the web site. 2. The Pharmacy may provide the Notice to an individual by e-mail, if the individual agrees to receive materials from the Pharmacy electronically and the individual had not withdrawn his or her agreement. If the Pharmacy knows that the e-mail transmission failed, the Pharmacy must provide a paper copy of the Notice to the individual. 3. If the first delivery of service to an individual is delivered electronically, the Pharmacy must provide electronic notice automatically and contemporaneously with the individual?s first request for service. For example, the first time a patient requests a prescription refill via the Internet, the Pharmacy must automatically and contemporaneously provide the patient with the Pharmacy?s Notice. 4. If an individual receives an electronic notice from the Pharmacy, he or she still has the right to obtain a paper copy of the Notice from the Pharmacy upon request. III. REVISIONS TO THE NOTICE A. The right to change this Notice. If the Pharmacy wishes to reserve the right to change its privacy practices and apply the revisions to PHI previously created or retained, it must make a statement to that effect in the Notice. If the Pharmacy does not make this statement, it may still change its privacy practices, but it can apply those revised practices only to PHI that it creates or obtains in the future, after the effective date of the change. B. Making material changes to the Notice. The Pharmacy must promptly revise and distribute its Notice whenever there is a material change to the uses or disclosures of PHI, the individuals? rights, the Pharmacy?s legal obligations, or other privacy practices state in the Notice. 1. Whenever the Notice is revised, the Pharmacy must make the Notice available upon request on or after the effective date of the revision, promptly make the Notice available at the store location, and post the revised Notice in a clear and prominent location in the store. 2. After giving a patient a copy of the Notice upon his or her first visit or delivery of service, the Pharmacy is not required to further distribute the Notice to the patient. Even if the Pharmacy revises the Notice, it is not required to distribute the Notice to all current and former patients. The Pharmacy only has to make the Notice available upon request and post the information in the store. C. Implementation of revised privacy practices. In general, the Pharmacy may not implement a material change to any term of the Notice before the effective date of this Notice that reflect material change to any term of the Notice before the effective date of the Notice that reflects the material change. This means that the Pharmacy must revise its Notice accordingly and make it available to patients before it may implement any new or different privacy practices. IV. DOCUMENT RETENTION REQUIREMENTS The Pharmacy must retain a copy of each Notice it issues for a period of six years from the date that the Notice was last in effect. AUTHORIZATION FOR USE OR DISCLOSURE OF PHI POLICY: The Pharmacy will obtain a valid, signed authorization from a patient prior to using or disclosing the patient?s PHI for purposes not otherwise permitted by a verbal agreement or the rules that allow uses or disclosures without the patient?s permission. PURPOSE: The purpose of this policy is to explain: (1) when a written patient authorization is required, and (2) the relevant procedures the Pharmacy must follow when using or disclosing PHI pursuant to a valid authorization. I. WHEN AN AUTHORIZATION IS REQUESTED A. An authorization is required before the Pharmacy uses or discloses PHI for ?non-routine? purposes beyond treatment, payment and health care operations, such as sales of PHI and certain marketing activities. B. Among the uses and disclosures for which an authorization is not required are uses and disclosures 1. For treatment, payment, and health care operations 2. For involvement in the patient?s care and notification purposes 3. Required by law 4. For public health activities 5. About victims of abuse, neglect, or domestic violence 6. For health oversight activities 7. For judicial and administrative proceedings 8. For law enforcement purposes 9. About decedents 10. For research purposes where a waiver has been obtained 11. To avert a serious threat to health or safety 12. For specialized government functions 13. For workers? compensation 14. To the patient 15. To the Department of Health and Human Services for enforcement of the privacy rules 16. For marketing communications that are made face-to-face or that involve promotional products of nominal value. II. CONTENT REQUIREMENTS A. Plain language. All authorizations must be written in ?plain language?. This means that the Pharmacy must make a reasonable effort to: 1. Organize material to serve the needs of the reader. 2. Write short sentences in the active voice using ?you? and other pronouns 3. Use common, everyday words in sentences 4. Divide material into short sections B. Core elements. All authorizations must contain the following core elements: 1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. 2. The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure. 3. The name of other specific identification of the person(s) or class of persons to whom the Pharmacy will disclose the information. 4. A description of each purpose of the requested use or disclosure with enough information to allow patients to make informed decisions about whether to release the information. Broad or blanket authorizations requesting the use or disclosure of PHI for a wide range of unspecified purposes are prohibited, but if the patient is initiating the authorization the purpose may be described as ?at the request of the individual?. 5. An expiration date or an expiration event that relates to the patient or the purpose of the use or disclosure. The authorization may expire on a specific date, a specific time period (e.g., 3 years from the date of the signature), or an event directly relevant to the patient or the purpose of the use or disclosure (e.g., for the duration of the patient?s participation in a drug study). Authorizations may not have an indeterminate expiration date. 6. Signature or the patient and the date. 7. If the authorization is signed by a personal representative of the patient, a description of the representative?s authority to act for the patient. C. Required notifications. In addition to the core, authorizations must contain all of the following notifications: 1. A statement that the patient has the right to revoke the authorization in writing and either a discussion of the exceptions to the right to revoke, together with a description of how the patient make revoke the authorization, or, to the extent that this information is included in the Notice of Privacy Practices, a reference to the Notice 2. For most authorizations, a statement that the Pharmacy will not condition treatment, payment, enrollment, or eligibility on the patient?s providing authorization for the requested uses or disclosures. 3. A statement that information used or disclosed pursuant to the authorization may be subject to re-disclosure by the recipient and no longer be protected by the Privacy Regulations. D. Authorization for marketing. If the authorization is for marketing purpose, and the marketing involves any direct or indirect remuneration to the Pharmacy from a third party, the authorization must state this fact. E. Copy to the patient. The pharmacy must give the patient a copy of the signed authorization. F. Non-required elements. Valid authorizations may also contain non-required elements, so long as those additional elements are not inconsistent with the required elements. G. Defective authorizations. An authorization is not valid if it has any of the following defects 1. The expiration date has passed or the expiration event is known by the Pharmacy to have occurred. 2. The required elements of the authorization has not been filled out completely. 3. The authorization is known by the Pharmacy to have been revoked. 4. The authorization lacks a required element. 5. The authorization violates the rule on compound authorizations (see Section II. H. below) 6. Any material information in the authorization is known by the Pharmacy to be false. H. Combining Documents. An authorization for use or disclosure of PHI may not be combined with any other types of documents (e.g., The notice of privacy practices) to create a compound authorization. However, multiple authorizations for the use or disclosure of PHI may be combined, so long as the Pharmacy has not conditioned the provision of treatment or payment on obtaining the authorization. III. REVOCATION OF AUTHORIZATIONS A. A patient may revoke an authorization at any time by means of written revocation, except to the extent that the Pharmacy has taken action in reliance upon authorization. B. When a patient revokes an authorization, the Pharmacy must stop making uses and disclosures pursuant to the authorization to the greatest extent practical. IV. RECORD RETENTION REQUIREMENTS The Pharmacy must document and retain signed authorizations for six years after the date they were last in effect. GENERAL USE AND DISCLOSURE POLICY: The Pharmacy will use and disclose PHI only as specifically permitted or required by the privacy rules in accordance with the Pharmacy?s privacy policies and procedures. PURPOSE: The purpose of this policy is to explain the basic standards that must be met when using and disclosing PHI. I. INTRODUCTION A. Basic rule for use and disclosure of PHI. The Pharmacy may not use or disclose PHI unless permitted or required by the privacy rules. B. Permitted uses and disclosures. Some of the permitted uses and disclosures of PHI are: 1. To the patient; 2. To carry out treatment, payment, or health care operations; 3. In compliance with a valid authorization; 4. Pursuant to a verbal agreement from a patient that permits disclosure to a caregiver; and 5. For certain ?national priority? purposes such as disclosures required by law. C. Incidental uses and disclosures. Incidental uses and disclosures that occur as a byproduct of a use or disclosure otherwise permitted under the privacy rules are explicitly permitted, so long as the Pharmacy has applied reasonable safeguards and implemented the minimum necessary standard, where applicable D. Required disclosures. The privacy rules require the Pharmacy to disclose PHI in only two instances: 1. When the patient requests access to information about himself or herself; and 2. When HHS requests information to investigate or determine the Pharmacy?s compliance with the rules II. MINIMUM NECESSARY A. When using or disclosing PHI, and when requesting PHI from another entity, the Pharmacy must make reasonable efforts to use, disclose, or request the minimum amount of PHI reasonable necessary to accomplish the intended purpose of the use, disclosure, or request. B. Exceptions. Among the uses, disclosures, and requests to which the minimum necessary standard does not apply are: 1. Uses and disclosures for treatment purposes; 2. Disclosures to the patient who is the subject of the information; 3. Most uses or disclosures made pursuant to an authorization; 4. Uses or disclosures made in mandatory or situational fields of a HIPAA transactions standard; 5. Disclosures to HHS when required by HHS for compliance and enforcement purposes; and 6. Uses or disclosures that are required by other law. C. Required policies and procedures for uses of PHI. The Pharmacy must develop and implement policies that limit the use of PHI to the minimum PHI reasonable necessary to accomplish the intended purpose of the use or disclosure. 1. The policies and procedures for use of PHI must identify: a. The persons or classes of persons in the Pharmacy who need access to PHI to carry out their duties; b. The categories of PHI that each person or class of persons needs; and c. Any conditions necessary for such access. 2. The Pharmacy must have policies and procedures that limit access to only the identified persons and to only the identifiable PHI. These policies and procedures should be based on reasonable determinations about the persons or classes of persons who require PHI, and the nature of the PHI they require, for their particular job responsibilities. D. Required policies and procedures for disclosures of PHI. The Pharmacy also is required to develop certain policies and procedures of PHI. The regulatory requirements differ depending on whether the disclosure is a routine or non-routine disclosure. 1. For any type of disclosure that is made on a routine, recurring basis, the Pharmacy must develop and implement policies and procedures (which may be standard protocols) that permit only the disclosure on the minimum amount of PHI that is reasonably necessary to achieve the purpose of the disclosure. The policies and procedures identify the: a. Types of PHI to be disclosed; b. Types of persons who may receive the PHI; and c. Conditions necessary for such access. 2. For non-routine disclosures, the Pharmacy must develop reasonable criteria for determining and limiting disclosure to only the minimum amount of PHI necessary to accomplish the purpose of the disclosure. a. Among the factors that may be considered in making such a determination are: i. How much PHI will be disclosed? ii. To what extent would the disclosure increase the number of persons with access to the PHI? iii. What is the likelihood of further disclosures? iv. How important is the disclosure? v. Can substantially the same purpose be achieved using de-identified information? vi. Is there technology available to limit the amount of PHI disclosed? vii. What is the cost, financial or otherwise, or limiting the disclosure? b. The Pharmacy must also develop and implement procedures for reviewing non-routine requests for disclosures on an individual basis on accordance with established criteria. E. Requests for PHI. The minimum necessary standard applies to situations where the Pharmacy is requesting an individual?s PHI from another entity 1. For requests to other entities made on a routine and recurring basis, the Pharmacy must establish standard protocols describing what information is reasonably necessary for the purposes for which it is requested, and limit its requests to only that information. 2. For non-routine requests, the Pharmacy must develop policies and procedures that provide for review of the requests on an individualized basis. F. Reasonable reliance on requested disclosures. The pharmacy must rely, if reasonable under the circumstances, on statements by public officials of other covered entities or their business associates that they are requesting the minimum PHI necessary to achieve the stated purpose of the request. The Pharmacy may also reasonably rely on the statements of its own business associates or professionals within its workforce (such as pharmacists, attorneys, or accountants) that the information requested to provide professional services to the Pharmacy is the minimum necessary for such purposes. III. DE-IDENTIFICATION A. Basic Standard. Health Information is considered de-identified (i.e. not individually identifiable) under the rules if it does not identify a patient and the Pharmacy has no reasonable basis to believe it can be used to identify a patient. De-identified information is not PHI and therefore the requirements of the rules do not apply to such information. B. De-Identifying information. The Pharmacy may de-identify information in two ways: 1. If a person with appropriate knowledge and experience applying generally accepted statistical and scientific principles and methods for rendering information not individually identifiable makes a determination, and documents the analysis, that the risk is very small that the information could be used, either by itself or in combination with other available information, by anticipated recipients to identify a subject of the information; or 2. If the pharmacy removes a list of specified identifying information about the individual or his or her relatives, employers, or household members, and the Pharmacy has no actual knowledge that the information could be used alone or in combination to identify a subject of the information. C. Use of PHI to create-de-identified information. The Pharmacy may use PHI to create de-identified information, or may disclose PHI to a business associate for such purpose, whether or not the de-identified information will be used by the Pharmacy. D. Re-identification. If de-identified information is re-identified as some point by the Pharmacy, it becomes subject to the rules again and may only be used or disclosed in compliance with the regulations and the Pharmacy?s privacy policies. IV. DISCLOSURES TO FRIENDS AND RELATIVES A. Basic rule. The Pharmacy may disclose to a person involved in the current health care of the patient (such as a relative, close personal friend, or any other person identified by the patient) PHI directly related to the person?s involvement in the current health care of the patient or payment for the patient?s health care. Examples of persons who might be involved in the patient?s care include, but are not limited to: 1. Blood relatives; 2. Spouses; 3. Roommates; 4. Girlfriends and boyfriends; 5. Domestic partners; and 6. Neighbors. B. Disclosures of PHI when the patient is present. When the patient is present and has the capacity to make his or her own decisions, the Pharmacy may disclose PHI to the third party only if the Pharmacy: 1. Obtains the patient?s agreement to disclose to the third party involved in his or her care; 2. Provides the patient with an opportunity to object to such disclosure and the patient does not express an objections; or 3. Reasonably infers from the circumstances, based on the exercise of professional judgment, that the patient does not object to the disclosure C. Disclosures of PHI when the patient is not present. When a patient is not present (e.g. when a friend of the patient seeks to pick up the patient?s prescription at the Pharmacy) or when the Pharmacy cannot practically give the patient an opportunity to agree or object to the use or disclosure (e.g. because of the patient?s incapacity or an emergency circumstance), the pharmacist may, in the exercise of professional judgment, determine whether the disclosure is in the patient?s best interests and if so, disclose only the PHI that is directly relevant to the person?s involvement with the patient?s health care. For instance, this allows the pharmacist to disclose instructions for taking a particular prescription to an elderly patient?s caregiver. The pharmacist must follow these guidelines when deciding whether to disclose PHI when the patient is not present: 1. Only disclosure PHI that is directly related to the patient?s current condition. 2. Consider the patient?s best interests and construe this opportunity narrowly, allowing disclosures only to those persons with close relationships with the patient, such as family members. 3. Take into account whether the disclosure is likely to put the patient at risk of serious harm. 4. Pharmacy employees are not required to verify the identity of relatives or other persons involved in the patient?s care. When a patient brings a person to the Pharmacy counter with him or her to pick up a prescription, this is sufficient verification of the person?s identity. 5. A patient?s agreement to disclosure of PHI in one situation or on one occasion does not mean that the patient is agreeing to disclosures of PHI indefinitely in the future. Use professional judgment to determine the scope of the person?s involvement in the patient?s care and the time period during which the patient agrees to the other person?s involvement. V. ORAL COMMUNICATIONS A. Applicability of privacy standards. The rules apply to PHI in all forms- electronic, written, oral, and any other form. B. Use of PHI in oral communications. Employees may orally coordinate Pharmacy services. Employees may discuss a patient?s PHI over the telephone with the patient, a physician, or a family member. C. Documentation of oral communications. The Pharmacy is not required to document any information, including oral information, that is used or disclosed for treatment, payment, or health care operations. However, where the rules or the Pharmacy?s privacy policies require documentation of other types of disclosures, oral communications are included in this requirement. For example, oral disclosures of PHI for purposes other than treatment, payment, or health care operations must be documented in order to provide the patient with a complete accounting of disclosures. D. The Pharmacy?s duty to safeguard PHI. The Pharmacy must reasonably safeguard PHI, including oral information, from any intentional or unintentional use or disclosures that are in violation of the rules of the Pharmacy?s privacy policies. This means that the Pharmacy A. must make reasonable effort to prevent improper use and disclosures of PHI. Measures that the Pharmacy may implement to protect patients? privacy include: 1. Creating a private area, such as a small separate room, cubicle, or screened off or divided area, where the Pharmacist can counsel patients regarding treatment of their medical conditions. 2. Speaking quietly or asking that waiting patients stand a few feet back from the counter when Pharmacy employees are consulting with patients from behind the Pharmacy counter.
Welcome to Botica Del Sol. As your local Good Neighbor Pharmacy, we offer quality products at affordable prices, while providing the personalized attention and customer service you expect from a local business. As your neighbors, we live, work and play in the same community as you and your family. We’re the local business owners you see in the neighborhood, at the school play, and volunteering at the local charity. We believe it is our responsibility to take care of our community and our neighbors, and it’s one we take very seriously. We thrive on the opportunity to serve you and your family to the best of our abilities because your business and your health are very important to us. Get to know your neighbor – we’re here to help.