E-prescribing software is HIPAA compliant only when three conditions hold. First, the software and its supporting services protect electronic protected health information under the HIPAA Security Rule. Second, e-prescribing workflows limit uses and disclosures under the HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule. Third, the e-prescribing vendor and any connected service providers that create, receive, maintain, or transmit electronic protected health information on behalf of a HIPAA Covered Entity or Business Associate sign a HIPAA Business Associate agreement when they function as Business Associates.
HIPAA does not provide a certification label that makes e-prescribing products compliant by default. Compliance depends on the safeguards built into the software and on how the Covered Entity or Business Associate configures and uses the system. E-prescribing routinely involves protected health information through patient identifiers, medication histories, prescriber identifiers, pharmacy identifiers, drug names, dosages, directions, and clinical notes associated with prescribing decisions.
The HIPAA Security Rule requires safeguards that protect the confidentiality, integrity, and availability of electronic protected health information and that address reasonably anticipated threats and impermissible uses or disclosures. E-prescribing systems used for regulated operations need access controls that support unique user identification and role-based access, authentication controls for prescribing functions, audit controls that record access and prescribing activity, and transmission security for prescription transactions sent across networks. Encryption of data in transit and at rest protects electronic protected health information only when it is implemented and managed within the organization’s security program. Availability controls, backups, and contingency procedures support continuity when prescribing functions are disrupted.
The HIPAA Privacy Rule and the HIPAA Minimum Necessary Rule apply to prescribing-related access and disclosures. Access to medication histories and prescribing notes should be limited to workforce members whose assigned duties require that information. Messaging and notifications associated with e-prescribing, including refill requests and status alerts, should limit their content to what is needed to complete the transaction and should avoid unnecessary clinical detail.
Vendor contracting determines whether the service can be used with protected health information. When an e-prescribing vendor provides transaction routing, cloud hosting, medication history services, or integrated tools on behalf of the regulated entity, the vendor can function as a Business Associate and a HIPAA Business Associate agreement is required before electronic protected health information is transmitted or stored through the service. If the e-prescribing vendor or a connected service provider will not sign a HIPAA Business Associate agreement when its services involve electronic protected health information, the service is not appropriate for regulated use involving that information.