Conducting a risk analysis? Don’t overlook automated dispensing cabinets

Automated dispensing cabinets (“ADCs”) are often integrated with electronic health record systems or medical information systems for the purpose of patient care and oversight of prescription drug utilization for both controlled and non-controlled substances. An ADC is “[a] cabinet or drug storage device or that electronically dispenses medications in a controlled fashion and tracks their use, replacing or supporting the traditional unit-dose drug delivery system.” The use of ADCs began in the 1980s and by the 1990s, the use was prevalent in hospitals and their safety and efficacy were studied. These studies highlighted the following issues: mislabeling of drugs; improperly filled dispensing cabinets; lack of safety record procedures; large numbers of doses dispensed; and the ability to override system access tracking. Ambulatory surgery centers and physician office-based surgery practices also utilize ADCs.

Since 2005, the Drug Enforcement Agency (“DEA”) has allowed pharmacies to install ADCs, such as Omnicell and Pyxis, at long-term care facilities. 70 Fed. Reg. 25462- 25466 (May 13, 2005). One issue that has come more to the forefront in light of the opioid crisis is the override features available on different machines when a drug is removed by the caregiver before the pharmacist receives, evaluates or enters a drug order. Some caregivers are not getting pharmacy approval and merely dispensing the drug. Additionally, many anesthesia departments have their own ADCs, which contain a vault of controlled substances, due to the nature of this area of medical practice. The lack of access control logs, overrides, and integration with electronic health records can be very problematic in terms of patient care, diversion of medication and misstated patient records. 

Trending: 9 Tips to Improve Patient Collections

So, what relevance does an ADC have to a Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191 (Aug. 1996) (“HIPAA”) risk analysis (often called a risk assessment) as required under the Security Rule? The requirement for conducting an annual risk analysis falls under the umbrella of the Security Rule at 45 CFR § 164.30(a)(1)(ii)(A). As the U.S. Department of Health and Human Services, Office for Civil Rights (“HHS-OCR”) articulates,           

Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful guidance that specifically addresses safeguards and technologies that will best protect electronic health information.

In essence, the Security Rule indicates that a risk analysis is the foundational element for evaluating a variety of technical, administrative, and physical safeguards to ensure that the confidentiality, integrity and availability of the information remains intact. In essence, requiring covered entities, business associates and subcontractors alike to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” 45 CFR §164.308(a)(1). The Security Rule and OCR cite to the National Institute for Standards and Technology (“NIST”) publications. NIST defines confidentiality, integrity, and availability as follows:

• Confidentiality – “[p]reserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information”;

• Integrity – “[p]rotection against unauthorized modification or destruction of information”; and

• Availability – “timely and reliable access to and use of information.

It follows that since patient information is entered into an ADC and transmitted to an EHR that the confidentiality, integrity, and availability of the protected health information (PHI) is assessed in accordance with the Security Rule. In the fall of 2016, the Joint Commission conducted a field review of all proposed revisions related to medication management. As a result, crucial final standards emerged, which include the following: record the date and time of any medication administered in the patient’s clinical record; implement comprehensive policies and procedures that articulate the categories of medication overrides that will be reviewed for appropriates and the frequency of the reviews when ADCs are used; and incorporate “wasting” of medications to the related policy and procedure that addresses the control of medications between when they are received by an individual health care provider and when they are administered, how they are documented in the patient chart and appropriate facility log, and the appropriate process for disposing of the waste, as well as accurate billing of the medication.

Read More: The New Normal for Physicians: Adapting your practice for success

In sum, it is imperative for those persons conducting an adequate Security Rule risk analysis to include any ADC in its evaluation of maintaining the confidentiality, availability, and integrity of the PHI in relation to technical, administrative, and physical safeguards. Failing to do so could result in a myriad of issues and violations.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.