The Privacy and Security Aspects of e-Prescribing

The Privacy and Security Aspects of e-Prescribing
Christine Egan, J.D.
10/7/2008

Slide: 1
Hi there, good afternoon. I am Tina Egan. I am an attorney. I worked in house at CVS CareMark. I have been on the retail side of our business for 15 years as an embedded attorney working on privacy, security, and all things relating to running the pharmacy. So, my perspective is very different from the other panelists and I think it is a great opportunity to have the different perspectives on the issues of privacy and security as we tried to move e-Prescribing forward and I think the word of the day is accelerated. So, I am thrilled to be here and have this opportunity to tell you a little bit about CVS and our approach to e-Prescribing. I am going to first tell you a little bit about the state of the opportunity today. I am going to talk a little bit about pharmacy and the history of electronic prescription filling and dispensing. I am going to talk about some of my pet issues, the hanging chads that are out there, and are going away anytime soon unless we all put our thinking caps and work them out amongst several state, private, public entities that are involved in our stake holders. And I am going to wrap up with just a security initiative that my company has been involved with many other folks in the industry, and it is one that just as an example of how we might go forward.

Slide: 2
So, this is just really how we stand today. We look at e-Prescribing as an opportunity to help patient’s safety, to help payor and patient cost of course. You have heard all of this many of the speakers today. Decision cost can be curtailed through e-Prescribing of course. Patient convenience is something that as a community pharmacy we really want to focus on the excitement of the patient understanding what e-Prescribing brings to them in terms of that aspect and of course the emergency preparedness which has been an element that I have worked on with Paul Eurek because I was on this for years now. Something exciting that has a brought a real, you know, measurable results to people in need.

Slide: 3
Graphic indicating that there are 100,000 users of e-prescribing.

Obviously, you have seen charts like this. We all know that this opportunity is accelerating.

Slide: 4
Electronic systems for dispensing prescriptions and processing claims have been in the community for obviously for a very long time. Our systems have not changed all that much. They have been able to accommodate e-Prescribing. I think the important take away here is that our personnel knows how to handle electronic data. We do digital medicine or digital pharmacy record keeping in the pharmacy and have for a long time. It is not something radical to us. It simply evolved. So, pharmacists are trained and they understand how to use systems and call data up, retrieve data, and work up electronic information. We are of course a covered entity as a pharmacy and we use protected health information for various purposes, but the key one is treatment. And for that purpose we do not need to get the patient’s consent. The patient has chosen us and thus their pharmacy as well and there is no minimum necessary rule with regard to that treatment use. So, we can speak directly or communicate directly with the prescriber in a undecided manner.

Slide: 5
Privacy issues for e-Prescribing transactions are not that different than they are for paper prescriptions. The same rules about permitted disclosures of PHI between the doctor and the pharmacy, between the payors and the pharmacy, and the rule of minimum necessary.

Slide: 6
Jodi just mentioned the same anomaly that exist if you are a doctor that is not conducting HIPAA standard transactions. So, I will skip over this one quickly but it is something to consider in the realm of a details of HIPAA standard transactions and e-Prescribing.

Slide: 7
Here are some of hot topics or things that I think we still have to work out in terms of being a community pharmacy and embracing the opportunity of e-Prescribing in a big way and to bring adoption to a new level and that is the one that is really my pet peeve is that still in the pharmacy board regulation to the state rules about running your pharmacy, you still need paper to put in a box and store away to document that prescription. So, we are literary getting an electronic prescription transmitted to us and then having to print it out and stick it in a box which raises all the same paper related privacy problems that we are trying to avoid through e-Prescribing. Payors still obviously sometimes have issues with purely digital or electronic records. They want to see papers as well. But I think as we raise the volume of e-Prescribing and the opportunity becomes more well adopted, and people are more familiar with it. Hopefully, it becomes the solution. We get the critical mass of prescriptions, and we start to be able to accommodate the concerns of state boards, payors, and the like and no longer have the issues of handling on paper. We all know that there is a very big safety aspect to e-Prescribing to which is of course enormous for all of us.

Slide: 8
The key a sort of salt to the earth for me in terms of being sure, we have the privacy and security that we want as a community pharmacy and just a pause of a moment. I mean, what this is all about is the trust of the patient. It is all about the patients trusting us to handle and dispense their medications and hold their private information in accordance with Federal and State Laws in a way that they can trust us. It is really the business is associated agreement becomes key to that. It is a complex, I think Dawn mentioned it, a lawyer’s dream in a sense because it is all about contracting, and in my case, I am the pharmacy, I am contracting with service providers and SureScripts. I am also wanting, there are business associates that the prescriber has, so business associate ends up being complex and that in e-Prescribing network could have a business associate that is the business associate of more than one covered entity and we have to make sure they are never across purposes. We also have to make sure we keep track of whose PHI it is? And where it is going? And that is where the essence of the chain of trust that is established to business associate relationships. So, this is really where lawyers earned their pay.

Slide: 9
HIPPA security previsions, there is definitely a lot of privacy laws that we are focus on but the security rule cannot be underestimated. The HIPAA security rule is the backbone of what we need to do to make sure we have the program establish in fashion that will allow this opportunity to really grow. The requirements are broad; I have set them forth generally here. We need to make sure that our electronic transmissions meet the standards that have been established and we are getting into this area where we want to make sure that if we that community pharmacy are set to have certain security standards where the people be passing to the business associates and their business associates and providers in the other end of that chain are likewise trustworthy and have the same type of security that we expect of our own operations.

Slide: 10
Chart indicating major risk points in the chain of trust

This is just a graphic depiction of some of the major risk points in that chain of trust.Obviously, the payors, the doctors, the way SureScripts is set up for with the network. Nothing is on the internet; it is all dedicated lines encrypted information. But we want to make sure that all the players and stake holders here are setting for the same kind of security standards.

Slide: 11
So, we have tried to consistently look at a framework again, the favorite word framework of how to handle it. From our standpoint at CVS and we have started working with this affiliation of this non-profit organization called HITrust. And they are basically trying to come up with appropriate levels of security base on the type of entity that is in this chain of trust. So, we know, it is going to be tuneable, it is going to be adjusted based on the technological sophistication of the party in the chain of trust and it is going to be scaleable. Safeguards need to scaleable. They need to be able to be applied in different context.

Slide: 12
So, we are excited about HITrust and again this is just an illustration of the kinds of things that are going on. I guess the appropriate word is alliance, and again, it is really understanding the challenges and trying to be a leader in the space.

Slide: 13
Some of the elements of the design of HITrust are basically to make is prescripted to ensure clarity. We are trying to make as I said scaleable. Make it so that it fits different organizations that are working in e-Prescribing and mitigating the risk because it is all about making sure we manage the risk in a way that we can be accountable to the patient and the patient will have trust in us.

Slide: 14
I think that is really pretty much it. We want to make sure that you understand the risk that are associated with the technology you are using when you are part of HITrust, you have the appropriate safeguards that everyone in your organization is aware of the policies and procedures you have relating to both privacy and security. And then I think the last bullet point in this slide is important, things are going to be changing. They change so much so rapidly and they are going to continue to do so.

Slide: 15
HITrust is something that we are excited about, we know it is not the end result; it is just something that is going to help us get to the next phase. Thank you.