Viewpoints: July/August 2014

Though it’s been nearly 20 years since the passage of the Health Insurance Portability and Accountability Act (HIPAA) and several years since the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH Act), all of us in the healthcare industry need to remind ourselves to abide by the privacy and security provisions from these important pieces of legislation.

Many aspects of pharmacy practice have been shaped by HIPAA and HITECH requirements, including the prescription drop-off and pickup process, disposing of waste that contains PHI, and the technology that pharmacies use to process prescriptions. Two areas that have recently emerged as potential threats to privacy and security are pharmacy apps and pharmacist-patient interactions outside of the pharmacy counter. 

In a recent ruling that resulted in an $800,000 fine and corrective-action plan, and that seems better suited to a “News of the Weird” story, the Office for Civil Rights (OCR) has determined that patients’ medical records, which contain protected health information (PHI), should not be left in a physician’s driveway. This ruling, as reported by Theresa C. Carnegie in Health Law & Policy Matters (reference at end of column), is an extreme example of what can happen when the rules are not followed.

Security in Pharmacy Apps

Want to track your daily calories, map your jogging route, or refill your prescription, all with the touch of a button? There’s an app for that! Apps have become so commonplace that we often forget to think about the security of this software. Users often mindlessly enter personal health information, with little thought to the privacy of their information. Usually, there are no problems — until all of a sudden, there are. HIPAA regulations are murky surrounding apps, according to Adam Greene, J.D., M.P.H., a former senior health information technology and privacy specialist at the HHS Office for Civil Rights. Writing in 2011 in MobiHealthNews (see Web reference in resource box), Greene says:

“[A]n application that is for use by patients is not going to fall under HIPAA. . . . Even if the application permitted the user to send information to her physician, the application would not be subject to HIPAA, although the information would become subject to HIPAA once the HIPAA-covered physician received it.”

While Greene did not mention pharmacy apps specifically, his comment brings up an important question: How do we know that any PHI contained in an app is protected by appropriate security measures?

One company, Appthority, acts as a “mobile app risk management” service that analyzes an app’s security and privacy characteristics. Using proprietary algorithms, Appthority analyzes the app’s source code to determine how the app functions. It also looks at a number of other factors, including whether the app accesses third-party networks, and whether that access is properly encrypted. Other factors that are evaluated include the app’s access to the user’s calendar, camera, address book, and location-tracking capabilities. Appthority compiles this data to determine what the company calls an app’s “Trust Score” on a scale of 1 to 100. This Trust Score is composed of three subscores: Risk Security Behavior Score, Privacy Behavior Score, and Likelihood of Malware Score. When Appthority evaluated the apps of two major pharmacy chains, it found Trust Scores of 19 and 23. As a comparison, when the iPharmacy Drug Guide & Pill Identifier app was rated, it received a higher Trust Score of 60. Even at 60, it was considered a “risky app,” and iPharmacy remedied the identified issues to increase its privacy score and its Trust Score. These findings indicate that large retail corporations have a long way to go in providing more-secure apps to their patients, and that app security should not be overlooked. Pharmacists deciding to use a pharmacy app should examine the security of the app before signing up for the service.

Privacy “Outside the Pharmacy”

Pharmacists looking to expand clinical services need to remember that while communication with customers in the pharmacy is important, it is critical to make sure that patients’ PHI is not inadvertently disclosed in the process. For example, if you use a laptop to record medications as part of a brown-bag medication review, be sure that no other patient’s data is visible, and return the device to the locked pharmacy, out of view, as soon as you are finished interacting with that patient. Just as you wouldn’t position your pharmacy computers in a way that they could be viewed by passersby, use mobile technology judiciously.

HIPAA is about more than shredding waste through a secure facility, handing out a pamphlet, or having patients sign an acknowledgment of your privacy policies. As you look to expand services in your pharmacy and to integrate new technologies, be mindful of potential privacy and security concerns. Ensure that your policies, procedures, and training address these potential risk areas.

All pharmacy employees should understand your pharmacy’s policies regarding use of their personal devices for work-related purposes. Having all of the pharmacy’s technological resources secure may not mean much if a pharmacist, intern, or technician decides to access your pharmacy’s app or other technology on their personal phone or tablet, potentially exposing patient information to the outside world. 

Although we are hopefully past the point of sharing PHI by leaving a medical record in someone’s driveway, without vigilance in our app usage and attention to our surroundings in the pharmacy, using technology to exchange PHI can be just as risky.

Lessons Learned

When considering apps, such as those used to promote medication adherence, talk with app developers and vendors about the processes in place to ensure compliance with the privacy and security rules. Check to see if they have been rated by Appthority, and if so, what score they’ve earned. It’s also important to remind patients to be cognizant of the information that they’re sharing via apps and other technologies. Finally, check with your insurance provider about insurance policies and coverage for security breaches and protection.

Melissa Sherer Krause, Pharm.D., and Ann Johnson, Pharm.D., are consultants at PHSI. Krause has worked in pharmacy since 2001. She has experience in retail and clinical hospital pharmacy, as well as pharmacy administration, academia, government affairs, and professional associations. Johnson began working for PHSI as an intern in 2010 and is now the newest pharmacist consultant on the team. Her current emphasis is in analytics and pricing reimbursement, financial models, and market research. The authors can be reached at mkrause@phsirx.com and

Web Site Resource

Theresa C. Carnegie in Health Law & Policy Matters /2014/06/25/ocr-confirms-that-medical-records-should-not-be-left-in-the-driveway/