Do you really need online prescriptions on your pharmacy website or app?
Why will investing in technology such as a pharmacy website or app with online prescription submission produce a remarkable return on investment (ROI) in patient experience and loyalty? Quite simply, it addresses the two most important problems community pharmacy faces today: patient engagement and convenience.
Mobile pharmacy apps like this have already been launched by the major banners, and in some communities even small pharmacies have their own app. Patients genuinely like the convenience of taking a picture of a prescription and sending it to the pharmacy of their choice to be filled.
But not every pharmacy affiliated with a banner has actually used the app or marketed it to its patients. That will not last: as customers become more familiar with technology, they will expect their pharmacy to offer this kind of service. We strongly urge those pharmacy owners to consider accepting online prescriptions through a pharmacy app or website. The good news is that you do not have to invest anything; just contact your banner's technology people and they will set it up for your store.
Now what about pharmacy businesses not associated with any name or banner, that is, completely independent businesses?
Years of hard work and patient care can suffer from missing a single opportunity like this. This guide therefore explains how to get your pharmacy website ready for online prescriptions and, if engagement increases, how to build more services on top of it.
The obvious questions for pharmacists are the security and infrastructure of the website. Building such a service is challenging but entirely doable with help from a technology expert. We explain, step by step, the information required to determine whether online prescriptions are a good choice for you.
This article introduces the privacy laws and regulations, the responsibilities of a pharmacy that owns a website, the steps to take to comply with privacy regulations, and how to convert an existing website into a secure platform.
What is the Canadian version of an information privacy law like HIPAA in the United States?
Unlike the United States (U.S.), which has a dedicated law for protected health information, HIPAA, Canada has one general private-sector privacy law, PIPEDA, which applies to private-sector organizations including healthcare providers. Some provinces (British Columbia, Alberta and Quebec) have their own private-sector privacy laws that have been declared substantially similar to PIPEDA and apply in place of it for activities within the province. Depending on their province of practice, all healthcare providers need to follow the rules set out for handling personal information.
What regulations apply to pharmacists and pharmacy businesses in British Columbia?
This article describes the privacy law of the province of British Columbia. Since we are discussing pharmacy businesses, it is worth mentioning that pharmacies, as healthcare providers, are subject to the Personal Information Protection Act (PIPA) in British Columbia.
The act does not single out healthcare providers as a separate category; it covers every organization that collects personal information. Pharmacies, clinics, physiotherapists, chiropractors, dentists and so on are all "organizations" that handle personal information under PIPA. In addition, the College of Pharmacists of British Columbia has published guidelines on protecting personal health information.
Other privacy laws in British Columbia are:
- The Freedom of Information and Protection of Privacy Act – applies to health authorities and hospitals
- The E-Health Act – applies to certain designated databases
- The Ministry of Health Act, which gives the Minister of Health the power to use personal health information for a wide range of purposes
- The Public Health Act
- The Health Authorities Act
Summary of the principles of the Personal Information Protection Act (PIPA):
Healthcare providers such as pharmacies must obtain patients' consent to collect personal health information and must collect only the information needed to provide the service the patient has requested.
Pharmacies should use the data only for pharmacy-related services, prevent unauthorized access, and not disclose information without the individual's consent.
Patients have the right to access their information and request corrections, and the pharmacy must take reasonable steps to protect the information it collects. Licensed pharmacists already know these rules from pharmacy school and from the jurisprudence exam administered by the College of Pharmacists of British Columbia. The ten principles of PIPA are described in detail in "Ten Principles of Privacy Protection in British Columbia".
“On the internet, security can never be guaranteed outright, but businesses should take advantage of all the technology available to protect the personal information they handle. The privacy laws require that they document the measures in place to protect data and follow through on them.”
How do PIPEDA and PIPA apply to online pharmacy practice?
We understand how busy pharmacists are running their pharmacies. Our goal is to provide an informative guide on how to establish an online practice, because offering services online will become inevitable as our industry adapts to consumer demand.
Most pharmacy banners and corporate chains provide apps for patients to manage their health. Growth, however, has not matched the industry's expectations: inefficiencies in these apps and a lack of marketing to patients have led to slower adoption than anticipated. Pharmacists' own attitude towards websites and apps is also unclear; they go above and beyond to care for their patients, but when it comes to technology they have many questions.
Interestingly, pharmacists are not against technology; in our opinion they are simply unsure how to start online engagement while still complying with the College's requirements and the privacy laws. The good news is that it is possible to build a service with all the regulatory standards in place.
Running an online pharmacy website is not a new concept. It was introduced long ago, but after certain events it is no longer a common business model in pharmacy. The ones still running cater to customers inside and outside Canada.
This guide aims to help independent pharmacy owners determine whether they need to implement PIPEDA- and PIPA-compliant security on their website when they provide healthcare services online.
Pharmacists who want to accept online prescriptions from patients and talk with them through live chat should go through this checklist to find the best solution to implement:
Determine whether your pharmacy practice needs a website or mobile app:
- Is your pharmacy website built on a simple website builder such as WordPress?
- Is your banner unable to provide a patient-facing app to accept prescriptions online?
- Is your pharmacy associated with a major banner such as Pharmasave, IDA, People's Drug Mart, PharmaChoice or Medicine Shoppe? If so, contact the banner's technology partner first: they can usually enable an app for your location without you investing any resources.
- Does your pharmacy website load over HTTPS (the address starts with https://)?
- Have you installed a TLS certificate (still commonly called an SSL certificate) for your website? It encrypts data in transit and proves to the browser that it is talking to your server; it does not by itself mean the site handles data securely once received.
- Do you know whether your website is hosted on a server that is configured and maintained to a security standard (patched, access-controlled, backed up, and in a known physical location)?
If any of the scenarios above applies to your business, we will guide you in setting up your website in full compliance with PIPA/PIPEDA. Since most small-business websites are built in WordPress these days, this article goes into detail on how to turn WordPress into a secure platform; the same principles apply to any other kind of website. If you are not sure about your pharmacy website, we are happy to find out for you; just leave a question in the comments or contact us.
In Canada there is no explicit requirement for a business associate agreement (BAA, a HIPAA term) between the website owner and its third-party providers. The Canadian laws focus instead on the "measures" and "policies" in place between healthcare providers and their IT providers or technology vendors to protect personal information; PIPEDA's accountability principle requires contractual or other means to ensure a comparable level of protection when a third party processes the information, so in practice a written service agreement spelling out those measures is expected.
WordPress, and what a pharmacy website built on WordPress needs
WordPress is a highly popular, simple and user-friendly platform for hosting websites and blogs.
The thousands of plugins and themes available to extend the functionality and appearance of a site make it very attractive to website builders, which is good, but it also has disadvantages for healthcare websites.
If your pharmacy website is built on WordPress, WordPress alone is not a secure platform for exchanging the personal health information that comes with prescriptions, appointment requests and so on. There is, however, a way to secure WordPress and make it compliant with the privacy regulations on handling and storing personal health information.
So why is WordPress, as installed, not a secure platform for extending pharmacy services online?
To extend a site's functionality, WordPress users rely on installing plugins and themes. Every plugin runs with the full privileges of the WordPress installation and its database, so unless a plugin comes from a trusted source, is itself secure and is kept up to date, a flaw in it exposes all the data in the database, not just the plugin's own.
WordPress itself does offer reasonable security and access controls, but they still need to be tailored and tightened for a pharmacy website that handles electronic personal health information.
Also, as the most popular website builder, WordPress is a favourite target of attackers, who can compromise data if they find a way into the database or server. Common examples are email spam sent through the site, injected code that redirects your visitors elsewhere, and plugins or themes bundled with malware.
It is therefore relatively easy for an attacker to compromise a neglected website, which for a healthcare provider is a big deal: the organization is held responsible for a breach if it did not make reasonable efforts to secure the website, server or email. Under PIPEDA and PIPA, once personal information is in a healthcare provider's custody or control, it is the provider's responsibility to keep it safe from unauthorized access.
Steps to turn a pharmacy website or mobile app into a secure platform
The privacy laws are not there to intimidate businesses that deal with personal information; they guide them in making reasonable efforts to lock down the security of the online platforms they own and operate.
Below are some actionable steps to secure pharmacy website and server:
- Host your website with a company that will sign a written agreement covering the security of the hosting environment (the equivalent of a HIPAA business associate agreement, or BAA, in the U.S.).
- Sign a similar agreement with website developers who have experience making healthcare websites compliant with HIPAA or PIPEDA. British Columbia's privacy laws do not prescribe a BAA as such, but they do require contractual or other measures to protect personal information handled by a service provider. There is no standard checklist for what such an agreement should contain.
- Secure the WordPress web application itself with the following steps:
- Install a TLS (SSL) certificate so that everything between the patient's browser and your server is encrypted in transit and the browser can verify it is talking to your site. The certificate protects the connection, not the data once it is stored, so it is a starting point rather than a guarantee.
- Keep the number of users with administrator or super-admin rights on the site and its database to the minimum possible, and give everyone else only the role they need.
- Two-factor authentication (2FA): already familiar from banking and other internet services, 2FA requires a second proof of identity (a code from an authenticator app, a hardware security key, or at minimum a code sent to a registered phone or email) in addition to the password, so a stolen password alone is not enough to log in. Enable it for every administrator account.
- Know the physical location of the server where your data is hosted and prefer hosting in Canada. BC's PIPA itself does not prohibit storing data outside Canada (that residency rule is in FIPPA, which applies to public bodies such as health authorities), but data stored abroad is subject to foreign law, patients should be told if their information leaves Canada, and the College's guidelines and your own privacy policy may require Canadian hosting. Whether the data is encrypted or not does not change where it is stored.
- Make the website available only over HTTPS: redirect every plain http:// request to https://, and enable HTTP Strict Transport Security (HSTS) so browsers refuse to use plain HTTP for your domain afterwards.
- If the cost of converting a WordPress website into a secure platform becomes too high, we recommend building a custom web platform for the pharmacy from scratch with all the security features discussed here implemented. That gives the owner full control over access, protection and administration of the electronic personal information handled on the site. Note that a custom platform needs the same controls plus its own security review; building from scratch removes the plugin risk but not the responsibility.
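As an added example (not part of the original article), here is an nginx configuration that enforces the transport-level items from the list above for a WordPress pharmacy site: plain HTTP answered only with a redirect to HTTPS, modern TLS, HSTS, login throttling and an IP restriction on the admin area. The hostname example-pharmacy.ca, the certificate paths, the office network 203.0.113.0/24 and the PHP-FPM socket path are assumptions to be replaced with your own; the 2FA and minimal-admin items are configured inside WordPress, not here.

```nginx
# Added example, not from the original article. Assumed values: hostname
# example-pharmacy.ca, Let's Encrypt certificate paths, office network
# 203.0.113.0/24, PHP-FPM socket /run/php/php-fpm.sock.

# Shared zone for throttling login attempts: 5 requests/minute per client IP.
limit_req_zone $binary_remote_addr zone=wplogin:10m rate=5r/m;

# Port 80: never serve content; only redirect to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name example-pharmacy.ca www.example-pharmacy.ca;
    return 301 https://example-pharmacy.ca$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example-pharmacy.ca;

    ssl_certificate     /etc/letsencrypt/live/example-pharmacy.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example-pharmacy.ca/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # HSTS: browsers that have seen this header refuse plain HTTP for this
    # host for a year, so the redirect above is only needed on first contact.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    root  /var/www/pharmacy;
    index index.php;

    # Uploaded prescription photos are a few megabytes; cap request bodies.
    client_max_body_size 10m;

    # Never execute PHP that ends up in the uploads directory.
    location ~* ^/wp-content/uploads/.*\.php$ {
        deny all;
    }

    # XML-RPC is a standing brute-force and amplification target.
    location = /xmlrpc.php {
        deny all;
    }

    # admin-ajax.php is used by some plugins for public forms; keep it open.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Login page: office network only, throttled. 2FA is enforced by WordPress.
    location = /wp-login.php {
        allow 203.0.113.0/24;
        deny  all;
        limit_req zone=wplogin burst=10 nodelay;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # Admin area: office network only. The nested block keeps PHP working
    # inside /wp-admin/, because a ^~ prefix match stops the outer regex
    # locations from applying; allow/deny are inherited from the parent.
    location ^~ /wp-admin/ {
        allow 203.0.113.0/24;
        deny  all;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Place the file in the http context (for example /etc/nginx/conf.d/pharmacy.conf), run nginx -t, then reload. The exact-match block for /wp-admin/admin-ajax.php keeps patient-facing plugin forms reachable from outside the office network; remove it only after confirming nothing on the public site uses it. After deploying, check from an outside network that http://example-pharmacy.ca/ answers with a 301 to https:// and that the Strict-Transport-Security header is present on the HTTPS response.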
Note that all the steps and advice listed here apply to any kind of website platform, not just WordPress. These principles can be applied to any platform for online pharmacy practice: a website, a survey form, secure email, a mobile pharmacy app, pharmacy data management and so on.
Compliance with PIPEDA and PIPA for your online presence is possible, although the technical standards of the internet can be hard to understand at first. This guide serves as a starting point for any pharmacy owner wanting to implement an online solution for their practice. The security rules for handling data online are comparable to the privacy rules in a physical pharmacy; what changes is how you keep the information secure, compared with restricting physical access to information in an actual pharmacy.
The requirements of Canadian privacy laws such as PIPEDA and PIPA include the following:
- Safeguards: keep information confidential and restrict access for anyone who is not authorized to see it
- Administration: do not alter personal health information except through authorized, recorded processes; only designated employees may have online access to it
- Openness: make information available to individuals when they request access to it
- Protection: ensure personal health information transmitted back and forth is always protected and encrypted
- Accountability: appoint a privacy officer to handle compliance. This person designs and implements the strategy for how the company collects, administers and maintains personal health information, educates everyone in the company about the policy, trains staff as needed, and maintains an access log of the individuals who access health information
- Risk analysis: carry out a security review on a regular schedule (at least once a year, and whenever the platform changes) to make sure everything in place to protect and handle information complies with PIPA and PIPEDA, and take immediate action if anything is identified that could compromise compliance