About HIPAA

This document is not a complete treatment of the HIPAA Security Rule; you may need to consult references beyond this site.

Additional documentation: NCPA:
If you are a member of NCPA, they have an excellent book that can help your pharmacy with the HIPAA security rule. www.ncpanet.org

How does this new rule affect your pharmacy?


One of the main ideas of the security rule focuses on pharmacy operations, which now must ensure the security of electronic transmissions and data.

The security rule specifically mandates that the pharmacy control the "availability, confidentiality and integrity of protected health information" in its possession. GENERAL RULE PROVISIONS: Section 164.306(a), the statement of the general rule, requires pharmacies (as covered entities) to:

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the pharmacy creates, receives, maintains, or transmits;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and
  • Ensure compliance by its workforce.

It may take time to implement the security rule, so start now.
As your pharmacy system provider, PK Software can assist with the technical safeguards subset of the Final Security Rule.
The administrative and physical safeguards should be addressed by you or your designated security officer. The privacy officer and the security officer may be one and the same, which in most cases is the pharmacist owner/manager.
The security officer needs to start by identifying the pharmacy's computer hardware, electronic media, software and network connections that electronically store or transmit protected health information. The security officer must analyze each of these for threats and vulnerabilities, and have a backup emergency plan prepared and ready for implementation on April 20, 2005.

Is my pharmacy software HIPAA compliant?


All versions of The Compounder 3 and above are HIPAA compliant. However, the security rule requires that security be addressed across the whole business, meaning that every point of the hardware, network, etc. must be HIPAA compliant. You should follow this document to make sure that all entry points to your network are protected, i.e. software, hardware, firewalls, routers, etc.

Risk Analysis:


Special Publication 800-30, Risk Management Guide for IT Systems
The National Institute of Standards and Technology (NIST) Special Publication 800-30, Risk Management Guide for IT Systems, is a guide with more details on the security issue.

This guide has a nine-step process that leads health care professionals through conducting a risk analysis to identify all threats and vulnerabilities to the pharmacy, including natural, man-made and environmental ones.

Using the NIST Special Publication 800-30 you will:

  • Identify and gather information on your computer systems. Analyze for any and all potential threats to the pharmacy.
  • Determine the vulnerabilities that could arise from these threats.
  • Determine whether the control measures currently in place are adequate or if additional ones might be needed.
  • Determine the likelihood of the vulnerability occurring and what actions should take place if it does.
  • Implement policies and procedures or technology to reduce the risks from any vulnerability.

All you need to do is compile all of this data in one document, which then becomes the risk management plan. The best way to begin preparing for the security rule is to start early; inventories of hardware and software can be done at any time.

In developing the risk analysis, how do you determine what the threats are and which vulnerabilities really could be issues for your pharmacy?
A threat is any potential action, whether environmental, human or natural, triggered accidentally or intentionally, that exploits a vulnerability to harm the physical or electronic operation of the pharmacy. In simple terms, earthquakes, fires, floods, robberies, thefts, malicious code (viruses, worms, Trojan horses and other uninvited computer code that could destroy or alter system resources, including ePHI) and any other disasters fit the definition. Once you determine who and what can harm your pharmacy, you can prepare a threat statement on which you will build the information required to complete the risk analysis. The goal is to identify any potential problems or risks and either eliminate them or mitigate them to an acceptable level.
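The scoring step of the risk analysis, as an added example (not PK Software's code or NIST's own tooling): the threat statement is modelled as constructed threat/vulnerability pairs for a small pharmacy, each rated High/Medium/Low for likelihood and impact, and scored with the likelihood-times-impact matrix from SP 800-30 (likelihood weights 1.0/0.5/0.1, impact weights 100/50/10, risk levels Low 1-10, Medium over 10 to 50, High over 50). The sample risks, the `Risk` class and the function names are this example's own.

```python
"""Risk register scored with the likelihood/impact matrix from NIST SP 800-30.

Added example, not PK Software's code. The threat statement is modelled as
constructed threat/vulnerability pairs for a small pharmacy.
"""
from dataclasses import dataclass

# Weights from the SP 800-30 risk-level matrix: risk = likelihood x impact.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Risk:
    threat: str         # who or what can harm the pharmacy
    vulnerability: str  # the weakness the threat would exploit
    control: str        # control currently in place
    likelihood: str     # High / Medium / Low
    impact: str         # High / Medium / Low


def risk_score(likelihood: str, impact: str) -> float:
    """Product of the SP 800-30 weights, from 1 (Low/Low) to 100 (High/High)."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """SP 800-30 risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_register(risks):
    """Score every risk and order the register highest risk first."""
    rows = []
    for r in risks:
        score = risk_score(r.likelihood, r.impact)
        rows.append({
            "threat": r.threat,
            "vulnerability": r.vulnerability,
            "control": r.control,
            "score": score,
            "level": risk_level(score),
        })
    rows.sort(key=lambda row: row["score"], reverse=True)
    return rows


def needs_action(register):
    """High and Medium risks need a corrective action; Low risks may be accepted."""
    return [row for row in register if row["level"] in ("High", "Medium")]


# Constructed sample threat statement for a single-location pharmacy.
SAMPLE_RISKS = [
    Risk("Malicious code (virus, worm, Trojan horse)",
         "Workstations without antivirus or automatic updates",
         "none", "High", "High"),
    Risk("Fire or theft at the pharmacy",
         "Backup media stored next to the server",
         "daily backup only", "Medium", "High"),
    Risk("Former employee using a shared login",
         "User security not activated; no unique user IDs",
         "none", "Medium", "Medium"),
    Risk("Flood",
         "Server placed on the floor of the back room",
         "none", "Low", "High"),
]


def render(register) -> str:
    """Plain-text register for pasting into the risk management plan."""
    lines = []
    for row in register:
        lines.append(f"{row['level']:<6} {row['score']:>5.1f}  {row['threat']}"
                     f" / {row['vulnerability']} (control: {row['control']})")
    return "\n".join(lines)


if __name__ == "__main__":
    register = build_register(SAMPLE_RISKS)
    print(render(register))
    print(f"{len(needs_action(register))} risks need a corrective action")
```

Each row of the register records the control currently in place, so the same document answers the guide's "are current controls adequate" question; re-running it after a control is added (antivirus installed, media moved off site) shows the residual risk.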

Contingency Plan:


After the risk analysis is completed, the next document that must be prepared is the contingency plan. The contingency plan is like an insurance plan for your information. The basic requirement is to ensure that the pharmacy's protected health information and operational information are secure and available after a disaster strikes.

The process starts with the pharmacy's computer backup system. Many pharmacies keep their backup data near the pharmacy computer. If there were a theft or fire, they would lose both the computer and the data. The data backup standard requires that you establish a procedure to complete a successful backup daily and to secure that backup in a safe location. We have always recommended that you have at least one backup medium for each day of the week you are open, plus two more always kept off site.

PK Software offers a Remote (FTP) Backup Service that will compress and encrypt your data and then transfer it to our storage servers. Please call for details on this service.

The disaster recovery portion of the contingency plan requires the pharmacy to:

  1. Identify all business contacts related to the electronic and physical control of, and access to, the pharmacy. This plan should be written as if the pharmacy owner or manager is not present after the disaster. It should be viewed as the pharmacy owner's written instructions to the employees on how to conduct and/or recover business operations if the unthinkable occurs.
  2. The security rule requires the pharmacy to practice this plan annually. The exercise should involve all key pharmacy employees in order to seek their ideas and input. After conducting an exercise, determine whether the plans are viable. As with all plans, they are only as good as the information in them. Training is the final and most important step of the security rule. All employees and business associates, when applicable, must be trained to the level of exposure they have to the protected health information. The training validates and completes the effectiveness of employees’ ability to comply with the pharmacy’s operational policies and procedures.

At a minimum, being in compliance will require:

  • the designation of a security officer;
  • additional security policies and procedures to be established;
  • the establishment and completion of a risk analysis and the development of a contingency plan; and
  • the training of all employees to ensure that everyone involved with protected health information understands what to do, when to do it and where to go when a question is asked.

We recommend that you install:

  • Firewalls (in the routers)
  • Firewalls on all computers
  • Antivirus on all computers
  • Activate the Windows Automatic Update feature (many of the security suites offer a risk analysis testing method)
  • Hire a professional installer to install these programs and conduct a risk analysis of your computer networks. PK Software can do this for a fee.
  • Install RAID 1, RAID 5 or RAID 10 in your server computer and use the GBAK-SCHEDULER (see manual for details) to automate backups.

Safeguards Checklist To Be Addressed By The Pharmacy:

Technical information

Standard: Access Control:

  • Unique user identification: Users must activate the User Security system in The Compounder, and the administrator must grant rights to each user. This allows access only to those persons who have been granted access rights through unique user identification.
  • Emergency access procedure: This may be done through our office.
  • Automatic logoff: Users may turn on this feature in Options and set the number of minutes of inactivity.
  • Encryption and decryption: This part of the standard is not implemented, because encrypting the database is not reasonable or appropriate for the following reasons:
      - It would severely impact the performance of the program.
      - The data is stored in many different relational tables. It is virtually impossible to extract any meaningful PHI from these tables without the database schema, which we treat as highly confidential.
      - All data transfers are done with data encryption mechanisms.

Standard: Audit Controls:

  • One or more of the following processes are required: hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI. The Compounder offers data tracking and auditing in the software. For full and complete control over data auditing you can purchase an optional module that can log every change to the database. This log is kept in a separate location.

Standard: Integrity:

  • A mechanism to authenticate electronic PHI is inappropriate or unreasonable (not implemented) for the following reasons:
      - All the electronic PHI data is user modifiable.
      - The system logs all changes made to electronic PHI, including the date and timestamp and the person who made the change.
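The change log described under Audit Controls and again under Integrity (every change to electronic PHI recorded with timestamp and user, the log kept in another location), as an added example that is not The Compounder's auditing module: each entry records who changed which field of which record, when, and the before/after values, and is chained to the previous entry with a SHA-256 hash so that a copy kept elsewhere can show whether the log itself was edited or had entries removed. The patient record, user names, timestamps and the `ChangeLog` class are constructed for the example.

```python
"""Tamper-evident change log for electronic PHI.

Added example, not The Compounder's code. Entries are hash-chained so a copy
kept in another location can reveal edits to or deletions from the log.
"""
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(body: dict) -> str:
    """Canonical SHA-256 over an entry (keys sorted so the encoding is stable)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


class ChangeLog:
    def __init__(self):
        self.entries = []

    def record(self, when: str, user: str, record_id: str, field: str, old, new) -> dict:
        """Append one change. `when` is an ISO-8601 timestamp supplied by the caller."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "when": when,
            "user": user,
            "record": record_id,
            "field": field,
            "old": old,
            "new": new,
            "prev": prev,  # links this entry to the one before it
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return 0 if the chain is intact, else the seq number of the first bad entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries, start=1):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e.get("seq") != i or e.get("prev") != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return 0

    def history(self, record_id: str):
        """Who changed what on one record, in order: (when, user, field, old, new)."""
        return [(e["when"], e["user"], e["field"], e["old"], e["new"])
                for e in self.entries if e["record"] == record_id]


def apply_change(record: dict, log: ChangeLog, when: str, user: str, field: str, new):
    """Update a PHI record and log the change in the same step."""
    log.record(when, user, record["id"], field, record.get(field), new)
    record[field] = new


def build_sample_log() -> ChangeLog:
    """Constructed patient record and three changes made by two users."""
    patient = {"id": "RX-0001", "allergies": "none", "phone": "555-0100"}
    log = ChangeLog()
    apply_change(patient, log, "2005-04-20T09:00:00Z", "jdoe", "allergies", "penicillin")
    apply_change(patient, log, "2005-04-20T09:05:00Z", "jdoe", "phone", "555-0199")
    apply_change(patient, log, "2005-04-21T14:30:00Z", "asmith", "allergies", "penicillin, sulfa")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact" if log.verify() == 0 else "chain broken")
    for item in log.history("RX-0001"):
        print(item)
    # An after-the-fact edit of a stored entry: verification pinpoints it.
    log.entries[1]["new"] = "555-0100"
    print("first bad entry:", log.verify())
```

The chain catches edited or removed entries in the middle of the log; removal of the most recent entries can only be detected by comparing the entry count or last hash against the copy kept in the other location, which is the reason that copy exists.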

Standard: Person or entity authentication:

  • The Compounder's user security feature supports authentication via encrypted user name and password.

Standard: Transmission Security:

  • The Compounder's security feature provides integrity control using a checksum when transmitting electronic claims, which assures that the message was not altered during transmission over a broadband connection. Dial-up is considered secure under the final rule.
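The transmission integrity check, as an added example that is not The Compounder's code: the page says a checksum detects alteration in transit, and CRC-32 stands in for that checksum here (an assumption; the page does not name one). A keyed HMAC-SHA256 tag is shown beside it because a checksum detects accidental corruption only: whoever can change the bytes can recompute the checksum, but not a tag made with a key held only by the pharmacy and the claims processor. The claim record, the shared key and all function names are constructed for the example.

```python
"""Integrity check on a transmitted claim: checksum versus keyed MAC.

Added example, not The Compounder's transmission code. CRC-32 is assumed as
the checksum; HMAC-SHA256 is added to show what a checksum alone cannot do.
"""
import hashlib
import hmac
import zlib

# Constructed claim record; a real claim follows the processor's format.
SAMPLE_CLAIM = b"CLAIM|RX-0001|2005-04-20|NDC 00000-0000-00|QTY 30|DAYS 30"
SHARED_KEY = b"example-shared-key-not-for-production"  # constructed


def crc32_checksum(payload: bytes) -> int:
    """Unkeyed checksum: catches line noise, not deliberate change."""
    return zlib.crc32(payload) & 0xFFFFFFFF


def hmac_tag(key: bytes, payload: bytes) -> bytes:
    """Keyed tag: cannot be recomputed without the shared key."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def protect(key: bytes, payload: bytes) -> dict:
    """Sender side: attach both the checksum and the keyed tag."""
    return {"payload": payload,
            "crc": crc32_checksum(payload),
            "tag": hmac_tag(key, payload)}


def accept(key: bytes, frame: dict) -> tuple:
    """Receiver side: returns (accepted, reason). Checksum first, then the tag."""
    if crc32_checksum(frame["payload"]) != frame["crc"]:
        return False, "checksum mismatch: corrupted in transit"
    if not hmac.compare_digest(hmac_tag(key, frame["payload"]), frame["tag"]):
        return False, "tag mismatch: changed by a party without the key"
    return True, "ok"


def flip_bit(payload: bytes, byte_index: int, bit: int) -> bytes:
    """Simulate line noise by flipping one bit of the payload."""
    data = bytearray(payload)
    data[byte_index] ^= 1 << bit
    return bytes(data)


def line_noise_case() -> tuple:
    """Accidental corruption on the wire: the checksum catches it."""
    frame = protect(SHARED_KEY, SAMPLE_CLAIM)
    frame["payload"] = flip_bit(frame["payload"], 20, 3)
    return accept(SHARED_KEY, frame)


def changed_with_fresh_checksum_case() -> tuple:
    """Payload changed and checksum recomputed to match: only the keyed tag catches it."""
    frame = protect(SHARED_KEY, SAMPLE_CLAIM)
    frame["payload"] = frame["payload"].replace(b"QTY 30", b"QTY 90")
    frame["crc"] = crc32_checksum(frame["payload"])  # checksum is consistent again
    return accept(SHARED_KEY, frame)


if __name__ == "__main__":
    print(accept(SHARED_KEY, protect(SHARED_KEY, SAMPLE_CLAIM)))
    print(line_noise_case())
    print(changed_with_fresh_checksum_case())
```

`hmac.compare_digest` is used for the tag comparison so that the check takes the same time whether the tag matches or not; the checksum comparison does not need that, since the checksum protects against noise rather than against a party probing the receiver.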