Practitioner & Pharmacist Access and Use Policy
Practitioner Delegate Access and Use Policy
Law Enforcement Access and Use Policy
Court Staff & Probation Officer Access and Use Policy
Licensing Board Access and Use Policy
INSPECT Staff Confidentiality & Security
Practitioner & Pharmacist Access and Use Policy
PURPOSE
To ensure the protection of patient confidentiality when using the INSPECT System
SCOPE
This policy applies to all registered Practitioner accountholders.
STATEMENT OF POLICY
Each practitioner granted access to INSPECT holds a position of trust and must preserve the security and confidentiality of the INSPECT data they use. INSPECT practitioners must meet specific eligibility requirements and must abide by all applicable Federal and State guidelines including, but not limited to, IC-25-26-24 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The misuse of INSPECT data constitutes a criminal offense and may result in the suspension or revocation of a user’s account access privileges, or in some cases, action against the offending accountholder’s professional license.
REFERENCE
IC-25-26-24-19
USAGE GUIDELINES
- Establishing an Account: The following individuals are eligible for an INSPECT account:
- Health professionals who are licensed to prescribe or dispense controlled substances in the United States and who are actively and directly providing medical or pharmaceutical treatment, or evaluating the need for providing such treatment, to a patient.
- Prescriber delegates who are approved and supervised by a registered prescriber to make patient requests on behalf of said supervisor.
- Law Enforcement, when an investigation involving an individual or proceeding involving the unlawful diversion or misuse of schedule II, III, IV, or V controlled substances. The information obtained must assist in the active investigation.
- Court staff and Probation Officers, in the course of completing a presentence investigation, in the course of determining eligibility or suitability for a program, service, or community supervision condition, or in the course of case managing an individual pre- or post-conviction if the individual's conditions of supervision or program participation require they abstain from the use of controlled substances or undergo chemical testing to detect and confirm the presence of a controlled substance.
- Attorney General's Office, if they are involved in an investigation, adjudication, or a prosecution regarding a violation of state/federal laws concerning controlled substances.
- Licensing Boards engaged in an investigation of a licensee.
- Contents of Report: An INSPECT Patient Report provides an overview of a patient’s prescription activity over a certain period of time. The information contained in the report is submitted to INSPECT by the dispensing pharmacy within twenty-four (24) hours from the date on which the drug was dispensed to the patient.
- Requesting Report: Health Practitioners may only request reports on patients for whom they are providing treatment or evaluating the need for treatment. This includes patients who have made appointments for an initial office visit or persons who have presented a prescription to a pharmacist. Health Practitioners may not request a report on staff, prospective employees, or anyone else for whom there is no medical chart or record available on-site for review at the pharmacy location or practitioner’s office.
- Limited Use of Report: The INSPECT Patient Report must be used only for purposes of making medical treatment decisions. Users should always take steps to verify that the information contained in the report is accurate. The report should be one factor in a comprehensive assessment of a patient.
- Sharing Report: The information contained in the INSPECT Patient Report is privileged medical treatment information and must not be discussed with anyone who is not involved in the direct provision of medical treatment for the patient. Practitioners may contact other health providers to discuss the care of a mutual patient. If another provider wishes to have a copy of the INSPECT Patient Report, they must establish an account and submit a request for their own copy of the report. The report, or the contents of the report, should never be faxed, mailed, emailed or otherwise disseminated. A practitioner or pharmacist who in good faith discloses information based on a report from the INSPECT program to a law enforcement agency is immune from criminal or civil liability. A practitioner that discloses information to a law enforcement agency is presumed to have acted in good faith.
- Storing Report: If the INSPECT Patient Report is stored along with a patient’s other medical records, it must be clearly marked “Do Not Copy.” It should never be included when sending a patient’s medical records to another health provider.
- Role of INSPECT Staff: Practitioners will not receive confidential prescription information from INSPECT staff over the phone. Practitioners should not expect INSPECT Staff to serve in a liaison role between themselves and law enforcement.
Practitioner Delegate Access and Use Policy
Law Enforcement Access and Use Policy
PURPOSE
To ensure the protection of patient and practitioner confidentiality when law enforcement users access INSPECT data.
SCOPE
This policy applies to all registered law enforcement accountholders.
STATEMENT OF POLICY
Each member of federal, state, or local law enforcement granted access to INSPECT holds a position of trust and must preserve the security and confidentiality of the INSPECT data they use. INSPECT law enforcement users must meet specific eligibility requirements and must abide by all applicable Federal and State guidelines including, but not limited to, IC-25-26-24 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The misuse of INSPECT data constitutes a criminal offense and may result in the suspension or revocation of a user’s account access privileges. Misuse of INSPECT data constitutes a criminal offense and may result in the suspension/revocation of the user’s account access privileges.
REFERENCES
USAGE GUIDELINES
- Establishing an INSPECT Account: All local, state and federal law enforcement officers are eligible for INSPECT accounts. This includes sworn officers, prosecutors, county coroners, Board of Pharmacy compliance officers, and investigators affiliated with the Indiana Attorney General.
- Contents of Report: An INSPECT Patient or Practitioner Report provides an overview of a patient or practitioner’s prescription activity for a specific period of time. The information contained in the report is submitted to INSPECT by the dispensing pharmacy within twenty-four (24) hours from the date on which the drug was dispensed to the patient. There may be a lag of up to four (4) days before the prescription data is available for review on INSPECT.
- Requesting a Report: A law enforcement user is authorized to request an INSPECT Report if:
a)The law enforcement user is currently engaged in an active, ongoing investigation pertaining to the subject of the request; and
b)The investigation involves controlled substances.
Law enforcement users may not request an INSPECT Report for any purpose other than to assist in an active, ongoing investigation pertaining to controlled substances. Misuse includes, but is not limited to, requesting an INSPECT Report to aid in the search for a fugitive, to track a parolee, to hold an arrestee, or to bolster a tax evasion case.
Law enforcement users are also not permitted to request an INSPECT Report based solely on the contents or findings of another INSPECT Report. - Case Identifier: Law Enforcement users must include a case number with every Patient or Practitioner Report request issued to INSPECT.
- Limited Use of Report: An INSPECT Report is not evidence. It is a tool intended to make the evidence gathering process more efficient. The contents of the report must be thoroughly verified and reviewed before any formal action is taken against the subject of the INSPECT report.
- Sharing Report: The information contained in the INSPECT Patient Report is privileged medical treatment information and must not be discussed with anyone who is not involved in an active, ongoing investigation of the patient or practitioner for whom the report was generated. Law enforcement users working within the same agency or office may share reports; however, if law enforcement personnel from outside the agency or office wish to obtain a copy of the report, they must establish an account with INSPECT and submit a request for their own copy of the report. The report, or the contents of the report, should never be faxed, mailed, emailed or otherwise disseminated.
- Storing Report: If the INSPECT Patient Report is stored by a registered accountholder within an office or agency location, it must be clearly marked confidential and “Do Not Copy” and properly secured to prevent unauthorized access.
- Role of INSPECT Staff: INSPECT will never provide prescription information to members of Law Enforcement over the phone. As INSPECT staff has no personal or prior knowledge of the contents of INSPECT Rx History Reports, they should never be subpoenaed or formally called upon by law enforcement to examine, explain, interpret, or otherwise participate in the evaluation of an INSPECT Rx History Report.
- Misuse/Misconduct: The misuse of INSPECT data constitutes a criminal offense and may result in the suspension or revocation of a user’s account access privileges.
Court Staff / Probation Officer Access and Use Policy
PURPOSE & APPLICABILITY
The purpose of this policy is to guide access to and use of INSPECT by court staff in order to maintain the confidentiality of INSPECT data. This policy applies to all court staff that are registered INSPECT accountholders.
DEFINITIONS
“Court staff” means:
a. Indiana certified probation officers (IC 11-13) employed by an Indiana probation department,
b. Court alcohol and drug program staff employed by or contracted to provide certified court alcohol and drug program services (IC 12-23-14) to a court in Indiana, and
c. Problem-solving court staff employed by or contracted to provide certified problem-solving court services (IC 33-23-16) to a court in Indiana.
“Community supervision” means the monitoring of an individual in the community by a court in Indiana under an active case number by a probation department, a court alcohol and drug program pursuant to IC 12-23-14, or a problem-solving court pursuant to IC 33-23-16.
STATEMENT OF POLICY
Each court staff member granted access to INSPECT holds a position of trust and must preserve the confidentiality of the INSPECT data. INSPECT court staff users must meet specific eligibility requirements and must abide by all applicable federal and state laws including, but not limited to, IC-25-26-24, 42 CFR Part 2, Rules on Access to Court Records, and Indiana Administrative Rule 9. INSPECT users must also utilize the system in accordance with Indiana Board of Pharmacy approved usage guidelines. Misuse of INSPECT data may result in civil or criminal liability in addition to the suspension/revocation of the user’s account access privileges.
REFERENCE
IC-25-26-24-19
USAGE GUIDELINES
- INSPECT Account Eligibility and Approval: certain designated court staff are eligible for INSPECT accounts. Court staff eligible for INSPECT access are:
(a) A chief probation officer of a probation department and/or their designee(s) - no more than two individuals per probation department may have access;
(b) A court alcohol and drug program director and/or their designee(s) - no more than two individuals per program may have access; and
(c) A problem-solving court coordinator and/or their designee(s) - no more than two individuals per problem-solving court may have access.
Requests for exceptions to the eligibility policy based on the number of authorized users per organization may be considered on a case-by-case basis.
- Requesting a Report: An accountholder may request an INSPECT Report only for the following reasons:
(a) In the course of completing a presentence investigation (PSI) pursuant to IC 25-26-24-19 in order to assist the court in determining sentencing matters, including the conditions of community supervision;
(b) In the course of determining eligibility or suitability for a program, service or community supervision condition; and/or,
(c) In the course of case managing an individual on community supervision, either pre- or post-conviction, if the individual’s conditions of community supervision and/or program participation require the individual to abstain from the use of controlled substances or undergo chemical testing to detect and confirm the presence of a controlled substance.
A registered accountholder must verify their authority to submit a request for each INSPECT Report in conjunction with one of the authorized reasons by submitting the case number associated with the active case. Only the registered accountholder may use their INSPECT username and password. Each individual who seeks access to INSPECT must be an authorized and approved user pursuant to this policy. A registered accountholder is not permitted to request an INSPECT Report based solely on the contents or findings of another INSPECT Report.
- Contents of Report: An INSPECT Patient Report provides an overview of a patient prescription activity for a specific period of time. The information contained in the report is submitted to INSPECT by the dispensing pharmacy within twenty-four (24) hours from the date on which the drug was dispensed to the patient. An INSPECT Patient Reports provide only a snapshot of information regarding a patient at a given point in time and may not be complete dependent upon when a prescription was filled and when information was submitted to INSPECT. INSPECT Reports should be updated regularly to ensure that the contents are current.
- Limited Use of Report Information: The information contained in the INSPECT Patient Report is not evidence and is a decision-making and supervision tool only. INSPECT data alone cannot be used to sanction, terminate or revoke an individual under a court’s jurisdiction.
- Report Information Sharing: The information contained in the INSPECT Patient Rx History Report is privileged medical treatment information and confidential pursuant to law. Registered accountholders may share INSPECT information with:
(a) The court charged with implementing or monitoring the community supervision of the subject of the INSPECT Report,
(b) Other individuals within the authorized user’s organization who need this information in order to carry out assigned employment responsibilities,
(c) Parties to the case if the authorized user is completing a PSI on the subject of the INSPECT Report, and
(d) The problem-solving court team if the subject of the INSPECT Report is being considered for problem-solving court participation or is a problem-solving court participant.
The report, or the contents of the report, should never be faxed, mailed, emailed or otherwise disseminated.
- Storing Report Information: If the INSPECT Patient Report is stored by a registered accountholder within an office or agency location, it must be clearly marked confidential and “Do Not Copy” and properly secured to prevent unauthorized access. Court staff shall make all INSPECT information in its possession available to INSPECT staff as soon as practicable, within at most fifteen (15) days, following a request for such information. Court staff shall maintain a detailed accounting of all INSPECT information in its possession.
- Role of INSPECT Staff: No accountholder will receive confidential prescription information from the INSPECT staff over the phone. No accountholder should expect the INSPECT staff to serve in a liaison role between themselves and the courts. INSPECT staff has no personal or prior knowledge of the contents of INSPECT Reports, and they should never be subpoenaed or formally called upon by a court to examine, explain, interpret, or otherwise participate in the evaluation of an INSPECT Report.
- Compliance with Law: Court staff are responsible for compliance with all local, state, and federal laws, regulations, and rules applicable to INSPECT Data, personally identifiable information, and health information organizations including, but not limited to, confidentiality, security, registration, and licensure requirements.
- Minimized Use: Court staff shall not request, use or release more than the minimum necessary amount of PHI to accomplish the purpose of the use, disclosure, or request.
- Incident Reporting: Court staff shall report to INSPECT in writing, within twenty-four (24) hours of discovery, of any use, loss, or disclosure of INSPECT information which is not in compliance with the terms of this Policy or applicable law, regulations, or rules of which it becomes aware. The report shall include: (1) the data elements involved (2) the individuals affected; (3) a description of any persons or entities known or reasonably believed to have improperly used or disclosed the data; (4) a description of where the information is believed to have been improperly transmitted, sent, or utilized; (5) a description of the probable causes of the incident; (6) a description of the proposed plan for preventing similar future incidents, including ongoing risk remediation plan approval; and (7) court staff believes any federal or state laws or regulations which require notifications to individuals have been triggered.
- Mitigation: Court staff shall mitigate, to the extent practicable, any harmful effect that is known to court staff of a use or disclosure of INSPECT information in violation of the requirements of this Policy, and report its mitigation activity back to the Agency. Court staff shall preserve all evidence of the violation and provide such evidence to the Agency upon request.
- Coordination: Court staff shall coordinate with the Agency to determine additional, specific actions which shall be required for mitigation of the breach, which may include notification to the individuals, entities, or other authorities. Notifications, if any, will be made at the direction of the Agency.
- Costs: Court staff shall bear all reasonable costs directly arising from an improper disclosure of INSPECT information under its care, custody, or control which arise out of a material breach of the obligations under this Policy. This may include, but is not limited to, actual costs associated with notifying affected individuals as required by law. It also may include, if required by law or regulation, the actual cost of investigation, remediation, and assistance to affected individuals, including services such as a standard level of credit-monitoring.
- Notice: All notices and communications sent under this Policy shall be sent to the INSPECT HIPAA Privacy Officer at:
Kara Slusser
KSlusser@pla.IN.gov
Indiana Professional Licensing Agency
402 W. Washington Street, Room W072
Indianapolis, IN 46204
Licensing Board Access & Use Policy
PURPOSE
To ensure that professional licensing boards, board members, and board directors fully validate INSPECT materials and meet a reasonable investigatory standard before they utilize INSPECT materials for board-related matters.
SCOPE
This policy applies to all Board of Pharmacy compliance officers, professional licensing boards, board members, and board directors
STATEMENT OF POLICY
According to IC-25-26-24-19, the INSPECT Program may release confidential patient information to professional licensing boards, provided the board is engaged in an investigation, adjudication, or prosecution of a violation under a state or federal law pertaining to controlled substances. However, it is not INSPECT’s policy to extend individual account access privileges to boards, board members or board directors. Should a board require an INSPECT report for a specific licensee, they must issue a formal request to the applicable Board of Pharmacy compliance officer, depending on the geographic location of the licensee, and use the system in accordance with approved board request procedures (see below).
Individual board members are still permitted to establish practitioner or law enforcement accounts with INSPECT should they want and qualify for one. However, any INSPECT Report generated from an individual board member’s own INSPECT account cannot be used for board-related purposes.
REFERENCES
BOARD REQUEST PROCEDURES
- Initiating an Investigation on a Licensee: If a licensing board seeks to obtain INSPECT records for a particular licensee, they must first submit a formal request to a Pharmacy Compliance Officer.
- Meeting Reasonable Investigatory Standard: The Compliance Officer will then proceed to collect additional information related to the matter, begin a case file, and, if warranted, generate an INSPECT Report. The primary role of the Compliance Officer is evidence-gathering and validation.
- Validation of INSPECT Report: Because INSPECT cannot guarantee the veracity of the information contained in the INSPECT Report, a Compliance Officer, upon receipt of the INSPECT Report, must take steps to validate the contents of the report.
- Review by Board/Board Designee: Once the contents of the INSPECT Report have been fully validated, the INSPECT Report may be reviewed by the Board and/or the Board Designee.
INSPECT Staff Confidentiality & Security
PURPOSE
To establish standards for the conduct of INSPECT staff as it relates to protecting confidential patient information and storing and retaining sensitive documents and media.
SCOPE
This policy applies to staff of the Indiana Scheduled Prescription Electronic Collection and Tracking (INSPECT) Program.
STATEMENT OF POLICY
Given the sensitive nature of daily operational activities at INSPECT, all INSPECT staff are expected to meet strict confidentiality and security standards, including applicable Indiana laws and Federal HIPAA Standards. The staff must not share or discuss details of any INSPECT - specific activities, whether of a technical or non-technical nature, with persons not currently employed by INSPECT or the Professional Licensing Agency. This includes, but is not limited to, sharing or discussing details pertaining to patient medical treatment histories; sharing or discussing details related to INSPECT software functionalities; or sharing or discussing sensitive internal procedural matters. Egregious disregard for the confidentiality and security policy will result in disciplinary action commensurate with the offense.
PROCEDURES
- Requesting Patient/Practitioner Information: INSPECT Staff may submit requests on the PMP to review information referenced by a user, or to evaluate or test the technical performance of the PMP. Any other type of request constitutes a violation of the security and confidentiality policy.