Privacy compliance

Indeed typically the strongest of a patient s concerns is vague and ill formed. As also discussed below, if the privacy of health-related information, such as the Protected Health Information (PHI) defined by the Health Insurance Portability and Accountability Act (HIPAA) enacted by the US Congress in 1996, is compromised, we could be talking about a bankruptcy of a financially healthy institution or a prosecution of senior executives of the institution. The biggest challenge with privacy compliance is limiting the use of personal information to the purposes stated at the time of collection. 

Pharmacies are affected by these rules in two ways. Pharmacies, by definition, deal with PHI (e.g., a prescription itself is PHI). If the pharmacy uses a computer, the information is then electronic and is known as ePHI (Barlas, 2004). HIPAA protects all individually identifiable health information held or transmitted by a covered entity or its business associate in any form or media, whether electronic, paper, or oral (DHHS, 2003). This covered information includes demographic data, including the individual s physical or mental health (past, present, or future) the health care provided to the individual and payment information and common identifiers (e.g., name, address, birth date, and Social Security Number) that can be used to identify the individual. Pharmacies must have numerous policies and procedures in place to be in compliance with the HIPPA mandates. These include conducting risk assessments, appointing security and privacy officers to ensure compliance, and implementing policies and procedures to detect and prevent security violations. 

See (1) HIPAA Privacy Standards A Compliance Manual for Pharmacists. National Association of Chain Drug Stores, Inc., and Mintz, Levin, Cohn, Ferris, Glovsky, and Popeo, P.C., 2003 and (2) Fitzgerald WJ. The NCPA HIPAA Compliance Handbook for Community Pharmacy. National Community Pharmacists Association, 2003. 

What must the covered entity do to protect information Every covered entity must have an individual designated as the facility s privacy officer —a person who is charged with the responsibility of keeping the site in compliance with HIPAA. Essentially, a covered entity may not release or disclose PHI except as allowed under the privacy rule. The following subsections summarize briefly what a pharmacy manager (a person who also may be the privacy officer) must be aware of. 

The Verified Internet Pharmacy Practice Site (VIPPS) program is a voluntary certification program for online pharmacies and is sponsored by the NABP This program, initiated in 1999, provides a means for online pharmacies to demonstrate compliance with VIPPS criteria including patient rights to privacy, authentication and security of prescription orders, adherence to a... 

If a generic subject information sheet and informed consent form are attached to the protocol, these documents should also be reviewed for compliance with any requirements for informed consent, such as GCP, SOPs and the Declaration of Helsinki, and for consistency with the trial protocol. The information sheet and informed consent forms must be written in a language understandable to the trial participant and should include information on data protection/privacy. Further information on protocol and informed consent audits is available in literature (Bohaychuk and Ball, 1999 DGGF, 2003). 

Two logistical aspects of the Privacy Rule authorization should be noted. First, grandfather clauses will be implemented for research studies that began prior to the Privacy Rule s compliance date (April 14, 2003). Second, it should be noted that an IRB may approve a waiver of authorization if the use or disclosure of PHI would involve no more than minimal risk to subjects and if the IRB judges it impractical to conduct the research without the waiver and without access to the PHI. 

Similarly, existing databases or repositories created prior to the April 14, 2003, compliance data can be disclosed for research either with individual authorizations or with a waiver from either the IRB or the Privacy Board. Approval from both the IRB and the Privacy Board is not required for the covered entity. 

COMPLEXITIES OF INFORMED CONSENT FOR COMPLIANCE TO PRIVACY LAWS... 

In any event, the problem of encoding key identification remains the same, whatever we do with them. The US statutory law for protection of personal privacy, namely HIPAA defines 17 specific personal information items as protected health information (PHI). Protected, by the federal law, has a catch-all other categories of information as protected health information (PHI 18) to prevent an individual from being re-identified based on other nonpersonal information that can be used as a link to a particular person. The 17 PHI must be de-identified to comply with the federal law, which came into effect on April 1,2003. HIPAA, in general, was not enforced until April 15,2005, and calls for compliance by all healthcare organizational entities in the United States. 

The main themes for development of a sound IT architecture include (1) usability for intuitive and personalized interfaces as natural as possible to human behavior, (2) accessibility through various communication channels and devices, (3) performance for peak volumes, (4) scalability to future growth, (5) availability for access at any time and at any place as per the business needs, (6) reliability, (7) manageability for business continuity with minimal human intervention, (8) flexibility and adaptability to future business and technology changes, (9) adherence to security policies, (10) compliance to the statutory requirements for protection of privacy, and (11) viability for development and deployment in a reasonable time and at a reasonable cost with minimal risks, among others. 

The traditional computing model where data are exchanged across the network becomes inefficient and inadequate when vast amounts of data are involved or when the data need to be protected for compliance to privacy laws. The traditional computing model where software is kept stationary on a designated system becomes not only inefficient but inadequate for pervasive computing environment. 

Clinical intelligence access and collaboration. Acting on knowledge via feedback or moving humans to action by real-time on-demand access to consolidated patient, research, or other healthcare data, and including the topics of portals, shareware, identity protection, and privacy security and consent compliance ethical practice and smarter solicitation and provision of services. 

Compliance to the statutory requirements for protection of privacy as the data can be captured once and stay at the source. 

Federal Register. (2001). 34 CFR Part 99, Part V, Family Education Rights and Privacy, Final Rule. Office of Family Policy Compliance, Family Education Rights and Privacy Act. Washington, D.C. 

Directory information is the student s educational record. Directory information is information that is generally not considered harmful or an invasion of privacy if released. Under FERPA, the organization may disclose this type of information without the written consent of the student. However, the student (or guardian until a student is eighteen years of age or attends a postsecondary institution) can restrict the release of directory information by submitting a formal request to the school. Directory information includes the following (Office of Family Policy Compliance, 2008) ... 

Understanding Compliance to Privacy Guidelines Using Text-and Video-Based Scenarios... 

As has been explained, the experiment aimed to investigate the variance in interpretation between video- and text-based scenarios. First of all, both type of scenarios showed poor understanding of the compliance with privacy guidelines. On average the text-based scenario resulted in 79.4% correct interpretation, while for the... 

---