A Behind the Desk report published by a union advocacy group, Change to Win, alleges major HIPAA privacy and security violations against Walgreen’s new pharmacy model. The new model is called “Well Experience.” Walgreens has implemented the Well Experience model in 20 states. The goal of Well Experience is to “make pharmacists more accessible to patients and broaden the focus of the pharmacy by expanding services Walgreens can offer in its drug stores, such as vaccinations and acute and primary care.”
Sound like a good idea? Many retailers are trying innovative approaches to medicine. Kroger has the Little Clinic. CVS has the Minute Clinic. So, what it the issue? The Behind the Desk reports:
• In 80 percent of stores visited, patients’ protected health information was left unattended on or near the pharmacist’s desk, and
• In 46 percent of stores visited, prescription medication was left unattended.
• Pharmacists were observed leaving active computer screens unattended on 11 visits. In some cases, patient information was clearly visible on the screen.
• Pharmacists sometimes had sensitive conversations about patients at the desk, including telephone calls with doctors and third parties…
• On 10 percent of visits, iPads were left unattended on the pharmacist’s desk.
To see pictures of the Well Experience model and read the full Behind the Desk report click here.
HIPAA does not require that providers, health plans, and business associates preclude all incidental disclosures, but medical providers, health plans and business associates are required to implement reasonable safeguards to prevent incidental disclosure of protected health information.
The Department of Health and Human Services on its website, Understanding HIPAA for Covered Entities and Business Associates says it this way: A covered entity must have in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, as well as limiting incidental uses or disclosures. See 45 CFR 164.530(c). It is not expected that a covered entity’s safeguards guarantee the privacy of protected health information from any and all potential risks.
Listen to the video to learn some of the things you can do to safeguard against incidental disclosures of protected health information or PHI.
Share some of the HIPAA privacy and security challenges and solutions that you implemented in your office or workplace!