HIPAA Consult

February 3, 2006

E-prescribing and Part D drugs

Q. My partner and I are in the process of setting up an internal medicine practice, where we anticipate seeing a significant number of Medicare patients participating in the new Part D drug benefit. Will the government require us to prescribe Part D drugs electronically and, if so, how will that process be affected by HIPAA?

What does this mean in practice?

Among other things, the privacy rule requires that you obtain proper authorizations where required, permit patients to inspect and copy their protected health information, designate a privacy official for your practice, develop methods for disclosing the minimum amount of protected information to achieve a given purpose, and develop and use contracts that ensure that business associates will also protect the privacy of protected data. (If already compliant, simply expand your policies and practices to include e-prescribing.)

Second, if you prescribe Part D or any drugs electronically, you must comply with HIPAA's security standards, which took effect on April 21, 2003. They require that you assess the security of e-patient information-and take steps to protect it. Six areas have been designated, including administrative procedures, physical safeguards, and technical security services. For instance, you must use passwords and other procedures to control computer access, and to conduct security-awareness training.

One other related point needs to be made. Under HIPAA, if you conduct any of the standard transactions electronically, you're considered a covered entity and must comply with the law's electronic data interchange (EDI) standards. (These dictate the format in which transactions must take place.) But there are different standards for e-prescribing that the government adopted in November. If you use a PDA or PC to transmit your prescription to a local pharmacist, for example, you'll have to ensure that your electronic device can talk to the pharmacist's. But not to worry: If you use any of the e-prescribing vendors (Allscripts, ChartConnect, or MedPlus, for instance), they must be compliant with the new standards. (Double check just to be sure.)

Margaret M. Davino (mdavino@kbrny.com
) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com
, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.