This document is not meant to be the full information on the HIPAA Security Rule.
You may need to seek more references than this site.
Additional documentation: NPCA:
If you are a member of NPCA, they have an excellent book that can help your pharmacy
on the HIPAA security rule.
How does this new rule affect your pharmacy?
One of the main ideas of the security rule focuses on pharmacy operations, which
now must ensure the security of electronic transmissions and data.
The security rule specifically mandates that the pharmacy control the “availability,
confidentiality and integrity of protected health information” in its possession.
GENERAL RULE PROVISIONS: Section 164.306(a), the statement of the general rule,
requires pharmacies (as covered entities) to:
- Ensure the confidentiality, integrity, and availability of all electronic protected
health information (ePHI) the pharmacy creates, receives, maintains, or transmits;
- Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information;
- Protect against any reasonably anticipated uses or disclosures of such information
that are not permitted or required by the Privacy Rule; and
- Ensure compliance by its workforce.
It may take time to implement the security rule so start now.
As your pharmacy system provider, PK Software can assist in the technical safeguards
subset of the Final Security Rule.
The administrative and physical safeguards should be addressed by you or your designated
security officer. The privacy officer and the security officer may be one and the
same person, which in most cases is the pharmacist owner/manager.
The security officer needs to start by identifying the pharmacy's computer hardware,
electronic media, software and network connections that electronically store or
transmit protected health information. The security officer must analyze each portion
for threats and vulnerabilities, and have a backup emergency plan prepared and ready
for implementation on April 20, 2005.
Is my pharmacy software HIPAA compliant?
All versions of The Compounder 3 and above are HIPAA compliant. However, the security
rule requires that security be business-based, meaning that all points of the
hardware, network, etc. must be HIPAA compliant. You should follow this document to make
sure that all entry points to your network are protected, i.e. software, hardware,
firewalls, routers, etc.
Special Publication 800-30, Risk Management Guide for IT Systems
The National Institute of Standards and Technology, or NIST, Special Publication
800-30, Risk Management Guide for IT Systems is a guide that has more details on
the security issue.
Link to SP800-30.
This guide has a nine-step process to lead health care professionals through the
process of conducting a risk analysis in order to identify all threats and vulnerabilities
to the pharmacy, including natural, man-made and environmental ones.
Using the NIST Special Publication 800-30 you will:
- Identify and gather information on your computer systems. Analyze for any and all
potential threats to the pharmacy.
- Determine the vulnerabilities that could arise from these threats.
- Determine whether the control measures currently in place are adequate or if additional
ones might be needed.
- Determine the likelihood of the vulnerability occurring and what actions should
take place if it does.
- Implement policies and procedures or technology to reduce the risks from any vulnerability.
All you need to do is compile all of this data in one document, which then becomes
the risk management plan. The best way to begin preparing for the security rule
is to start early.
Inventories of hardware and software can be done at any time.
In developing the risk analysis, how do you determine what the threats are and which
vulnerabilities really could be issues for your pharmacy?
A threat would be any potential action, whether environmental, human or natural,
triggered accidentally or intentionally, which exploits a vulnerability to harm
the physical or electronic operation of the pharmacy. In simple terms, earthquakes,
fires, floods, robberies, thefts, malicious code (viruses, worms, Trojan horses
and other uninvited computer code that could destroy or alter system resources, including
ePHI) and any other disasters fit the definition. Once you determine who and what
can harm your pharmacy, you can prepare a threat statement upon which you will be
able to build the information required to complete the risk analysis. The goal is
to identify any potential problems or risks and either eliminate them or mitigate
them to an acceptable level.
After the risk analysis is completed, the next document that must be prepared is
the contingency plan. The contingency plan is like an insurance plan for your information.
The basic requirement is to ensure the pharmacy's protected health information and
operational information is secure and available after a disaster strikes.
The process starts with the pharmacy's computer backup system. Many pharmacies keep
their backup data near the pharmacy computer. If there were a theft or fire, they
would lose the computer and the data. The data backup requires that you establish
a procedure to complete a successful backup daily and to secure that backup in a
safe location. We have always recommended that you have at least one backup media
for each day of the week you are open and two more always kept off site.
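The backup procedure just described (a successful backup every day, one media set for each day the pharmacy is open, and a copy you can actually restore from) as an added Python example. This is not PK Software's GBAK-SCHEDULER or Remote Backup Service; it assumes the database export is a single file (a constructed sample here), that the pharmacy is open Monday to Saturday, and that encryption of the archive before it goes off site is done by a separate tool, which is not shown.

```python
# Added example (not PK Software's GBAK-SCHEDULER or Remote Backup Service):
# daily backup into one media set per weekday, a SHA-256 manifest, and a
# restore test. Encryption of the archive before it leaves the pharmacy is
# assumed to be handled by a separate tool and is not shown here.
import datetime
import gzip
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

OPEN_DAYS = (0, 1, 2, 3, 4, 5)  # Monday..Saturday (assumed opening days)
WEEKDAY_SLOTS = ("mon", "tue", "wed", "thu", "fri", "sat", "sun")


def backup_slot(day: datetime.date) -> str:
    """Media set to use on `day`: one set for each day of the week the pharmacy is open."""
    if day.weekday() not in OPEN_DAYS:
        raise ValueError(f"pharmacy is closed on {day.isoformat()}")
    return WEEKDAY_SLOTS[day.weekday()]


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 so a large database file does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_backup(source: Path, media_dir: Path, day: datetime.date) -> Path:
    """Compress `source` into the weekday's media set and record hashes in a manifest."""
    slot_dir = media_dir / backup_slot(day)
    slot_dir.mkdir(parents=True, exist_ok=True)
    archive = slot_dir / (source.name + ".gz")
    with open(source, "rb") as src, gzip.open(archive, "wb") as dst:
        shutil.copyfileobj(src, dst)
    manifest = {
        "source": source.name,
        "date": day.isoformat(),
        "sha256_plain": sha256_of(source),     # hash of the data that must come back on restore
        "sha256_archive": sha256_of(archive),  # hash of the media contents as written
    }
    (slot_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return archive


def verify_backup(slot_dir: Path) -> bool:
    """Restore test: the archive must match the manifest and decompress to the recorded data hash."""
    manifest = json.loads((slot_dir / "manifest.json").read_text())
    archive = slot_dir / (manifest["source"] + ".gz")
    if not archive.exists() or sha256_of(archive) != manifest["sha256_archive"]:
        return False
    digest = hashlib.sha256()
    try:
        with gzip.open(archive, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                digest.update(chunk)
    except (OSError, EOFError):  # truncated or corrupt archive
        return False
    return digest.hexdigest() == manifest["sha256_plain"]


def demo() -> dict:
    """One backup cycle on constructed sample data, then a simulated damaged media set."""
    work = Path(tempfile.mkdtemp(prefix="hipaa-backup-"))
    source = work / "pharmacy.db"                   # constructed sample file, not a real database
    source.write_bytes(b"constructed sample record\n" * 2000)
    media = work / "media"
    day = datetime.date(2005, 4, 20)                # the compliance date in the text (a Wednesday)

    archive = make_backup(source, media, day)
    ok_fresh = verify_backup(archive.parent)

    damaged = bytearray(archive.read_bytes())       # flip one byte to imitate a bad tape or disk
    damaged[len(damaged) // 2] ^= 0xFF
    archive.write_bytes(bytes(damaged))
    ok_damaged = verify_backup(archive.parent)

    try:
        backup_slot(datetime.date(2005, 4, 17))     # a Sunday: no media set is scheduled
        closed_rejected = False
    except ValueError:
        closed_rejected = True

    shutil.rmtree(work)
    return {"slot": backup_slot(day), "ok_fresh": ok_fresh,
            "ok_damaged": ok_damaged, "closed_rejected": closed_rejected}


if __name__ == "__main__":
    print(demo())
```

The restore test in `verify_backup` is the part most pharmacies skip: a media set that is written every day but never read back can fail silently, which is exactly the situation the contingency plan is meant to prevent. The two extra off-site sets the text recommends would be copies of the same slot directories, verified the same way.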
PK Software offers a Remote (FTP) Backup Service that will compress and encrypt
your data and then transfer it to our storage servers. Please call for details on
The disaster recovery portion of the contingency plan requires the pharmacy to:
- Identify all business contacts related to the electronic and physical control and
access to the pharmacy. This plan should be written as if the pharmacy owner or
manager is not present after the disaster. It should be viewed as the pharmacy owner’s
written instructions to the employees on how to conduct and/or recover business
operations if the unthinkable occurs.
- The security rule requires the pharmacy to practice this plan annually. The exercise
should involve all key pharmacy employees in order to seek their ideas and input.
After conducting an exercise, determine whether the plans are viable. As with all
plans, they are only as good as the information in them. Training is the final and
most important step of the security rule. All employees and business associates,
when applicable, must be trained to the level of exposure they have to the protected
health information. The training validates and completes the effectiveness of employees’
ability to comply with the pharmacy’s operational policies and procedures.
At a minimum, being in compliance will require:
- the designation of a security officer;
- additional security policies and procedures to be established;
- the establishment and completion of a risk analysis and the development of a contingency
- the training of all employees to ensure that everyone involved with protected health
information understands what to do, when to do it and where to go when a question
We recommend that you install:
- Firewalls (in the routers)
- Firewalls on all computers
- Antivirus on all computers
- Activate the Windows Automatic Update feature (many of the security suites
offer a risk analysis testing method)
- Hire a professional installer to install these programs and conduct a risk analysis
of your computer networks. PK Software can do this for a fee.
- Install RAID 1, RAID 5 or RAID 10 on your server computer and use the GBAK-SCHEDULER
(see manual for details) to automate backups.
Safeguards Checklist To Be Addressed By The Pharmacy:
Standard: Access Control:
- Unique User identification: Users must activate the User Security system in The
Compounder and the administrator must grant rights to each user. This allows access
only to those persons that have been granted access rights through unique user identification.
- Emergency access procedure: This may be done through our office.
- Automatic Logoff: Users may turn on this feature in Options. Set the number of
- Encryption and decryption: This part of the standard is (not implemented)
because the process of encrypting the database is not reasonable or appropriate
for the following reasons:
- It will severely impact the performance of the program
- The data is stored in many different relational tables. It is virtually impossible
to extract any meaningful PHI from these tables without the availability of the
database schema. Our database schema is treated as highly confidential.
- All data transfers are done with data encryption mechanisms.
Standard: Audit Controls:
- One or more of the following processes are required: hardware, software, and/or
procedural mechanisms that record and examine activity in information systems that
contain or use electronic PHI. The Compounder offers data tracking and auditing
in the software. For full and complete control over data auditing you can purchase
an optional module that can log every change to the database. This log is kept
in another location.
- A mechanism to authenticate electronic PHI is inappropriate or unreasonable (not
implemented) for the following reasons:
- All the electronic PHI data is user modifiable.
- The system logs all the changes made to electronic PHI including date and timestamp
and the person who made the change.
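What the Audit Controls standard asks for, as an added Python example that is not The Compounder's auditing module: every read of and change to a simplified ePHI table is recorded with a time stamp, the user who did it and the before/after values, in a database that is separate from the one holding the data. The `patient` table, its two fields and the user names are constructed for the example; an SQLite in-memory database stands in for both the pharmacy database and the separately kept log.

```python
# Added example (not The Compounder's auditing module): reads and changes to a
# simplified ePHI table are recorded, with time stamp and user, in a separate
# audit database. Table layout and user names are constructed.
import datetime
import json
import sqlite3

PATIENT_FIELDS = ("name", "allergies")


def open_databases():
    """Two connections: the ePHI store and a physically separate audit store."""
    ephi = sqlite3.connect(":memory:")   # stands in for the pharmacy database
    audit = sqlite3.connect(":memory:")  # stands in for a log kept in another location
    ephi.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, name TEXT, allergies TEXT)")
    ephi.execute("INSERT INTO patient VALUES (1, 'Constructed Sample', 'penicillin')")
    audit.execute(
        "CREATE TABLE audit_log (seq INTEGER PRIMARY KEY, ts TEXT, user TEXT, "
        "action TEXT, tbl TEXT, row_id INTEGER, before TEXT, after TEXT)"
    )
    return ephi, audit


def _record(audit, user, action, row_id, before, after):
    """Append one entry: who, when (UTC), what was done, and the images of the row."""
    audit.execute(
        "INSERT INTO audit_log (ts, user, action, tbl, row_id, before, after) "
        "VALUES (?, ?, ?, ?, ?, ?, ?)",
        (datetime.datetime.now(datetime.timezone.utc).isoformat(), user, action,
         "patient", row_id, json.dumps(before), json.dumps(after)),
    )
    audit.commit()


def read_patient(ephi, audit, user, patient_id):
    """Reads are audited too: the standard asks to examine activity, not only changes."""
    row = ephi.execute("SELECT name, allergies FROM patient WHERE id = ?", (patient_id,)).fetchone()
    if row is None:
        raise KeyError(patient_id)
    _record(audit, user, "READ", patient_id, None, None)
    return dict(zip(PATIENT_FIELDS, row))


def update_patient(ephi, audit, user, patient_id, **changes):
    """Apply a change only after its before/after images have been logged."""
    unknown = set(changes) - set(PATIENT_FIELDS)
    if unknown:
        raise ValueError(f"unknown fields: {sorted(unknown)}")
    row = ephi.execute("SELECT name, allergies FROM patient WHERE id = ?", (patient_id,)).fetchone()
    if row is None:
        raise KeyError(patient_id)
    before = dict(zip(PATIENT_FIELDS, row))
    after = {**before, **changes}
    _record(audit, user, "UPDATE", patient_id, before, after)  # log first, then change
    ephi.execute("UPDATE patient SET name = ?, allergies = ? WHERE id = ?",
                 (after["name"], after["allergies"], patient_id))
    ephi.commit()
    return after


def activity_for(audit, user):
    """Examine the trail for one user, oldest entry first."""
    rows = audit.execute(
        "SELECT ts, action, row_id, before, after FROM audit_log WHERE user = ? ORDER BY seq",
        (user,),
    ).fetchall()
    return [{"ts": ts, "action": action, "row_id": row_id,
             "before": json.loads(before), "after": json.loads(after)}
            for ts, action, row_id, before, after in rows]


def demo():
    """Constructed activity: a technician looks, a pharmacist changes and re-reads."""
    ephi, audit = open_databases()
    read_patient(ephi, audit, "tech01", 1)
    update_patient(ephi, audit, "rph01", 1, allergies="penicillin, sulfa")
    read_patient(ephi, audit, "rph01", 1)
    return {"tech01": activity_for(audit, "tech01"), "rph01": activity_for(audit, "rph01")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The ordering in `update_patient` (write the audit entry, then apply the change) means a change can never exist without its log entry; the reverse order would leave a gap if the audit store were unreachable. Keeping the log in a separate store, as the text describes, is what stops a user who can edit ePHI from also editing the record of having done so.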
Standard: Person or entity authentication:
- The Compounder's user security feature supports authentication via encrypted user
name and password.
Standard: Transmission Security:
- The Compounder's security feature provides for integrity control using a checksum
when transmitting electronic claims, which assures that the message was not altered
during transmission over a broadband connection. Dial-up is considered secure under
the final rule.
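Integrity control on a transmitted claim, as an added Python example; The Compounder's own checksum mechanism is not published here, so the claim line, the CRC-32 checksum and the shared key are constructed for the example. It shows what a checksum does and does not cover: an unkeyed checksum detects the kind of accidental alteration (line noise) the text is concerned with, while a keyed HMAC, agreed with the receiving party out of band, is what a receiver needs to also notice a message that arrives with a checksum recomputed to match changed contents.

```python
# Added example (The Compounder's own checksum mechanism is not published here):
# how an unkeyed checksum and a keyed HMAC behave when a transmitted claim
# is altered. The claim line and the shared key are constructed.
import hashlib
import hmac
import zlib

SHARED_KEY = b"constructed-key-agreed-with-claims-processor"


def checksum(message: bytes) -> int:
    """Unkeyed CRC-32: detects accidental corruption on the wire."""
    return zlib.crc32(message)


def checksum_ok(message: bytes, received_crc: int) -> bool:
    return zlib.crc32(message) == received_crc


def mac(message: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Keyed HMAC-SHA256: only a holder of the same key can produce a matching tag."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_ok(message: bytes, received_tag: bytes, key: bytes = SHARED_KEY) -> bool:
    # constant-time comparison so the check itself leaks nothing about the tag
    return hmac.compare_digest(mac(message, key), received_tag)


def demo() -> dict:
    claim = b"RX=000001;NDC=00000-0000-00;QTY=30;DAYS=30"  # constructed sample claim line
    sent_crc = checksum(claim)
    sent_tag = mac(claim)

    # 1. Line noise: one bit flips in transit and nothing else is touched.
    noisy = bytearray(claim)
    noisy[10] ^= 0x01
    noisy = bytes(noisy)

    # 2. Changed contents that arrive with a checksum recomputed to match them.
    modified = claim.replace(b"QTY=30", b"QTY=90")
    modified_crc = checksum(modified)

    return {
        "noise_caught_by_checksum": not checksum_ok(noisy, sent_crc),
        "noise_caught_by_mac": not mac_ok(noisy, sent_tag),
        "modified_caught_by_checksum": not checksum_ok(modified, modified_crc),
        "modified_caught_by_mac": not mac_ok(modified, sent_tag),
    }


if __name__ == "__main__":
    for check, caught in demo().items():
        print(f"{check}: {caught}")
```

In the second case the checksum check passes because a checksum carries no secret, so it can be recomputed by anyone who can change the message; the HMAC fails because the original tag no longer matches and a new one cannot be made without the key. This is why the checksum the page describes is an integrity control against transmission errors, and why a keyed tag (or a transport such as TLS that provides one) is the control to add where the link itself cannot be trusted.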