CPIA Module 1, Section 4: Regulatory Drivers and Accreditation Influences
MODULE 1: INTRODUCTION & FOUNDATIONS OF PHARMACY INFORMATICS

Section 1.4: Regulatory Drivers and Accreditation Influences

Understand the “rules of the road.” We dissect the key legislation and regulatory bodies that mandate how health data is managed, protected, and shared, and how they shape health IT systems.


The Rules of the Road: Law, Regulation, and Accreditation in Health IT

Understanding the external forces that shape every click, alert, and workflow you will ever build.

1.4.1 The “Why”: Informatics Does Not Exist in a Vacuum

In the world of health informatics, no decision is made in isolation. While it may seem that the design of an alert, the layout of a screen, or the configuration of an order set is a purely clinical or technical choice, the reality is far more complex. Nearly every aspect of health IT is profoundly shaped by a powerful and intricate web of federal laws, government regulations, and standards from accrediting bodies. These external forces dictate what we can do, what we must do, and how we must do it. They are the “rules of the road” for health data, and ignoring them carries massive financial, legal, and clinical consequences.

As a clinical pharmacist, you are already intimately familiar with this reality. You don’t question why you have to offer counseling on a new prescription or why you must check the state’s prescription drug monitoring program (PDMP) before dispensing an opioid—it’s the law. You understand that the Board of Pharmacy and the DEA set firm boundaries on your practice. In informatics, this concept is magnified a thousand-fold. The equivalent of the Board of Pharmacy is a collection of federal agencies and acts with acronyms that will become central to your vocabulary: HIPAA, HITECH, ONC, CMS, and TJC.

Understanding these drivers is not an academic exercise in policy; it is a fundamental professional competency. It is the context for everything you will build. When a project manager tells you that a new feature must include a specific type of audit trail, it’s not arbitrary—it’s likely a HIPAA requirement. When an administrator prioritizes a project to improve electronic prescribing of controlled substances (EPCS), it’s driven by federal and state mandates. When a quality officer demands a report on your hospital’s sepsis bundle compliance, it’s because it’s a measure tied to both accreditation and reimbursement. Your ability to understand this “why” behind the “what” will make you a more effective, strategic, and valuable informaticist.

Retail Pharmacist Analogy: The Pharmacy as a Highly Regulated Vehicle

Imagine your pharmacy is a car. As the pharmacist, you are the driver, focused on getting from Point A (prescription received) to Point B (patient counseled and medication dispensed) safely and efficiently. You are an expert at operating the vehicle—managing the steering (workflow), the gas and brake (dispensing speed), and the dashboard indicators (your computer system).

However, you don’t get to design the car or decide the rules of the road. The National Highway Traffic Safety Administration (NHTSA) mandates that your car must have seatbelts, airbags, and anti-lock brakes. This is analogous to HIPAA’s Security Rule, which mandates the fundamental safety features (encryption, access controls) of your IT systems. The Department of Transportation (DOT) sets the speed limits, traffic light rules, and road signs. This is like the HITECH Act and Meaningful Use, which set the rules for how you must operate your EHR to receive your “license” (incentive payments). Your state’s DMV requires you to pass a driving test and maintain your registration. This is like The Joint Commission (TJC), which surveys your hospital to ensure you are following the rules and meeting safety standards.

As an informatics pharmacist, you are no longer just the driver. You are now part of the automotive design and engineering team. You can’t design a new feature without knowing the federal safety standards it must meet. You can’t build a new workflow without understanding the traffic laws it must obey. This section is your driver’s education course for the highly regulated highway of health information technology.

1.4.2 The Cornerstone of Privacy and Security: The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is the foundational legislation governing health information in the United States. While it was enacted long before the widespread adoption of EHRs, its principles are the bedrock upon which all modern health IT privacy and security are built. For an informaticist, a deep, operational understanding of HIPAA is not optional; it is a prerequisite for the job. You are a steward of Protected Health Information (PHI), and your work involves creating the very systems that protect it.

HIPAA is broadly divided into several key rules, but for our purposes, the two most critical are the Privacy Rule and the Security Rule.

The HIPAA Privacy Rule: What Information is Protected?

The Privacy Rule establishes national standards for the protection of individuals’ health information. It defines what information is protected, who is obligated to protect it, and the circumstances under which it can be used and disclosed.

Key Concepts of the Privacy Rule:
  • Protected Health Information (PHI): This is the central concept. PHI is any individually identifiable health information. The key is “individually identifiable.” This includes not only obvious identifiers like name and social security number but also a list of 18 specific identifiers (e.g., medical record numbers, birth dates, admission dates, geographic subdivisions smaller than a state). If a piece of health information is linked to any of these identifiers, it is PHI.
  • Covered Entities (CE) and Business Associates (BA): The rule applies to Covered Entities (health plans, healthcare clearinghouses, and healthcare providers who conduct certain electronic transactions) and to their Business Associates (e.g., a software vendor, a billing company, a record storage company) that create, receive, maintain, or transmit PHI on a covered entity’s behalf. In practice this covers most organizations that touch health information in the course of care, payment, or operations. A business associate must sign a Business Associate Agreement (BAA) and, since HITECH, is directly liable for Security Rule compliance, which matters when you evaluate a cloud-hosted pharmacy application.
  • Use and Disclosure: The rule is built around this principle. PHI can be used and disclosed for Treatment, Payment, and Healthcare Operations (TPO) without specific patient authorization. Most other uses and disclosures (marketing, sale of PHI, most research) require the patient’s explicit, written authorization; the rule also enumerates specific permitted disclosures that need neither, such as those required by law or made for public health activities.
  • Minimum Necessary Standard: This is a crucial principle for informaticists. A covered entity must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. This means you shouldn’t have access to patient data you don’t need for your specific job function.
  • Patient Rights: The Privacy Rule grants patients several rights, including the right to access and receive a copy of their PHI, the right to request amendments, and the right to know who their PHI has been disclosed to.
Informatics in Practice: The “Minimum Necessary” Principle

The Minimum Necessary standard directly impacts how you will build and configure user security. Scenario: A pharmacy technician’s primary role is to fill medications from the ADC. Do they need to see a patient’s entire problem list, surgical history, and psychotherapy notes to do their job? Absolutely not. Your role as an informaticist is to work with operational leaders to define role-based security profiles. You will configure the system so that the technician’s security class only allows them to see the patient’s name, allergies, and active medication orders—the minimum necessary information for them to safely perform their function. Granting excessive access is a common and serious HIPAA violation that is often identified during audits.
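The technician scenario above, as an added example that is not part of the course page: a deny-by-default, role-based “minimum necessary” filter over a patient record, written in Python. The record fields, the role names, and the field set granted to each role are assumptions chosen to match the scenario (a real EHR security class is far richer), but the shape of the control is the same: an explicit allow-list per role, nothing else, and an undefined role gets nothing rather than everything.

```python
"""Added example (not from the course page): deny-by-default role-based
field filtering that implements the HIPAA "minimum necessary" standard for
a pharmacy technician versus a pharmacist. Field names, role names and
the per-role allow-lists below are assumptions made for the example.
"""
from typing import Any

# Constructed sample chart; field names and values are assumptions.
SAMPLE_PATIENT: dict[str, Any] = {
    "mrn": "MRN100",
    "name": "Test, Patient",
    "allergies": ["penicillin"],
    "active_medication_orders": ["heparin 25,000 units/250 mL at 12 units/kg/hr"],
    "problem_list": ["atrial fibrillation"],
    "surgical_history": ["appendectomy 2019"],
    "psychotherapy_notes": "constructed note text, restricted",
}

# Explicit allow-list per role. Anything not listed is hidden.
# Assumption: a technician filling from the ADC needs only identity,
# allergies and active orders; a verifying pharmacist also needs the
# clinical context; psychotherapy notes are granted to no pharmacy role
# because no pharmacy task requires them.
ROLE_FIELDS: dict[str, frozenset[str]] = {
    "technician": frozenset({"mrn", "name", "allergies", "active_medication_orders"}),
    "pharmacist": frozenset({"mrn", "name", "allergies", "active_medication_orders",
                             "problem_list", "surgical_history"}),
}


def view_for_role(record: dict[str, Any], role: str) -> dict[str, Any]:
    """Return only the fields the role may see.

    An unknown role is rejected outright rather than being given an empty
    or (worse) a full view, so a typo in a security build fails loudly.
    """
    try:
        allowed = ROLE_FIELDS[role]
    except KeyError:
        raise PermissionError(f"no security profile defined for role {role!r}") from None
    return {field: value for field, value in record.items() if field in allowed}


def excess_fields(role: str, requested) -> set[str]:
    """Fields in a proposed view or report that exceed the role's profile.

    Use this when reviewing a new security class or report definition
    before it goes live: a non-empty result is a minimum-necessary finding.
    """
    allowed = ROLE_FIELDS.get(role, frozenset())
    return set(requested) - allowed


if __name__ == "__main__":
    for role in ("technician", "pharmacist"):
        print(role, "sees:", sorted(view_for_role(SAMPLE_PATIENT, role)))
    print("technician excess:",
          excess_fields("technician", ["name", "problem_list", "psychotherapy_notes"]))
```

The design choice worth copying is the allow-list: the code never asks “which fields should this role be denied?”, because a deny-list silently leaks every field that is added to the record later (a new “behavioral health flag” column, for example) until someone remembers to block it.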

The HIPAA Security Rule: How Information is Protected

If the Privacy Rule sets the “what,” the Security Rule sets the “how.” It specifically deals with electronic PHI (ePHI) and establishes national standards for protecting this data from unauthorized access, alteration, deletion, and transmission. The Security Rule is intentionally flexible and technology-neutral, meaning it tells you what you must achieve but not what specific software you must use. Its implementation specifications are labeled either “required” or “addressable,” and addressable does not mean optional: you must implement the specification, implement a documented equivalent alternative, or document why it is not reasonable and appropriate in your environment. This is where the informaticist’s expertise is critical—in selecting and implementing technologies and processes that meet the rule’s requirements and in writing down the reasoning behind each choice.

The Security Rule’s requirements are broken down into three categories of safeguards:

Masterclass Table: HIPAA Security Rule Safeguards
Columns: Safeguard Type | Core Principle | Informatics Pharmacist’s Role & Practical Examples

Administrative Safeguards
Core principle: The policies, procedures, and governance actions that manage the selection, development, implementation, and maintenance of security measures to protect ePHI. This is the “people and policy” part of security.
Your role and examples:
  • Security Management Process: Participating in the pharmacy department’s annual risk analysis to identify vulnerabilities (e.g., lack of audit trails for ADC overrides), and performing the information system activity review this standard requires, such as regularly reviewing logs of who accessed a celebrity patient’s chart.
  • Assigned Security Responsibility: Often, an informatics pharmacist is designated as the “security officer” for a specific application, responsible for granting and revoking user access.
  • Workforce Security: Procedures for authorizing, supervising, and terminating workforce access, e.g., making sure a technician’s EHR and ADC access is revoked on their last day rather than weeks later.
  • Information Access Management: Developing role-based security templates in the EHR that enforce the “Minimum Necessary” principle for different pharmacy roles (technician vs. pharmacist vs. manager), and re-reviewing those templates whenever a role’s duties change.
Physical Safeguards
Core principle: The physical measures, policies, and procedures that protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and from unauthorized intrusion.
Your role and examples:
  • Facility Access Controls: While not a primary IT role, you might be involved in discussions about the placement of workstations in the pharmacy to prevent public viewing of screens.
  • Workstation Use and Security: Your most direct impact. You will help develop and enforce policies such as angling screens away from public view, using privacy filters on workstations in patient-facing areas, and locking unattended workstations and ADC consoles.
  • Device and Media Controls: Tracking and sanitizing hardware that held ePHI before it is reused or disposed of, e.g., the hard drive of a retired pharmacy workstation or ADC.
Technical Safeguards
Core principle: The technology, and the policies and procedures for its use, that protect ePHI and control access to it. This is the core “IT” component of the rule.
Your role and examples:
  • Access Control: This is fundamental. You implement systems that assign a unique user ID to every person (never shared logins), provide an emergency “break-the-glass” access procedure for situations where a clinician needs a chart they are not normally authorized to see, automatically log off after a period of inactivity, and encrypt ePHI at rest where reasonable and appropriate.
  • Person or Entity Authentication: Verifying that the person using that ID is who they claim to be, with a password and, increasingly, multi-factor authentication.
  • Audit Controls: You ensure that the systems you manage (EHR, ADCs) have robust audit trails that record who accessed what information, and when. This is critical for investigating potential breaches, and the trail is only useful if someone actually reviews it and if the log itself is protected from alteration.
  • Integrity Controls: You implement measures to ensure that ePHI is not improperly altered or destroyed. This includes using checksums in interfaces to verify that data was not corrupted during transmission. Note the limit of a plain checksum: it detects accidental corruption but not deliberate tampering, because anyone who can alter the message can recompute the checksum; a keyed message authentication code or digital signature is needed for that.
  • Transmission Security: You work with network engineers to ensure that any ePHI transmitted over a network (e.g., an e-prescription sent to a pharmacy) is encrypted in transit, typically with TLS. Encryption here is an addressable specification, but ePHI that is intercepted or lost unencrypted is “unsecured” for breach notification purposes, so in practice it is rarely reasonable to skip.
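Two of the Technical Safeguards above, the audit review (also the celebrity-chart log review under Administrative Safeguards) and the integrity check on an interface message, as an added example that is not part of the course page. The code is Python; the pipe-delimited log format, the user IDs, MRNs, and the shared interface key are all assumptions constructed for the example. The integrity half shows why the bullet’s checksum caveat matters: an unkeyed hash is recomputed trivially by whoever altered the payload, while an HMAC cannot be without the key.

```python
"""Added example (not from the course page): two HIPAA Security Rule
Technical Safeguard checks in Python.

1. Audit controls: scan constructed audit-log lines for accesses to a
   flagged patient's chart by users who are not on the documented care team.
2. Integrity / transmission security: seal an interface message with an
   HMAC so that both corruption and deliberate tampering are detected,
   beside a plain checksum that only detects the former.

The log format, user IDs, MRNs and the shared key are assumptions.
"""
import hashlib
import hmac
import json

# Constructed audit-log lines: timestamp|user_id|role|mrn|action
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:02:11|jsmith|pharmacist|MRN100|view_med_orders
2024-03-01T08:05:40|tlee|technician|MRN100|view_allergies
2024-03-01T09:17:03|rpatel|nurse|MRN777|view_chart
2024-03-01T09:18:55|dwong|technician|MRN777|view_chart
2024-03-01T12:40:12|jsmith|pharmacist|MRN777|view_med_orders
2024-03-01T13:01:00|mgarcia|clerk|MRN777|view_chart
"""


def parse_audit_log(text: str) -> list[dict[str, str]]:
    """Parse pipe-delimited audit lines into dicts, skipping blank or malformed lines."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, role, mrn, action = parts
        entries.append({"ts": ts, "user": user, "role": role, "mrn": mrn, "action": action})
    return entries


def unexpected_chart_access(entries, flagged_mrn: str, care_team: set[str]):
    """Accesses to flagged_mrn by users outside the care team.

    Each hit is (timestamp, user, role, action). A hit is not automatically a
    violation, but every one must be explainable to the privacy officer.
    """
    return [
        (e["ts"], e["user"], e["role"], e["action"])
        for e in entries
        if e["mrn"] == flagged_mrn and e["user"] not in care_team
    ]


def _canonical(payload: dict) -> bytes:
    """Stable serialization so sender and receiver hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def seal_message(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 tag (hex) that the sending interface attaches to the payload."""
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


def verify_message(key: bytes, payload: dict, tag: str) -> bool:
    """Recompute the tag on the received payload; constant-time comparison."""
    return hmac.compare_digest(seal_message(key, payload), tag)


def plain_checksum(payload: dict) -> str:
    """Unkeyed SHA-256: catches accidental corruption only. An attacker who can
    change the payload simply recomputes this value, so it proves nothing
    about tampering."""
    return hashlib.sha256(_canonical(payload)).hexdigest()


if __name__ == "__main__":
    entries = parse_audit_log(SAMPLE_AUDIT_LOG)
    for hit in unexpected_chart_access(entries, "MRN777", {"rpatel", "jsmith"}):
        print("review:", hit)

    key = b"shared-interface-key-assumed-for-example"
    msg = {"mrn": "MRN100", "drug": "heparin", "rate_units_per_hr": 1000}
    tag = seal_message(key, msg)
    tampered = dict(msg, rate_units_per_hr=10000)
    print("original verifies:", verify_message(key, msg, tag))
    print("tampered verifies:", verify_message(key, tampered, tag))
    print("tampered checksum recomputed by attacker:", plain_checksum(tampered))
```

The audit query is deliberately simple: the hard part in a real hospital is not the filter but having a reliable list of who is on the care team at the time of each access, which usually has to come from the ADT and assignment feeds rather than from the access log itself.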

1.4.3 The Great Accelerator: The HITECH Act and Meaningful Use

As discussed in the previous section on the evolution of informatics, the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 was the single most important catalyst in modernizing the American healthcare IT landscape. Its impact cannot be overstated. While HIPAA laid the foundation for privacy and security, HITECH built the skyscraper of digital health on top of it. HITECH’s primary mechanism was a massive federal financial incentive program designed to encourage the adoption and “Meaningful Use” of certified EHRs.

For an informatics pharmacist, understanding HITECH is understanding the “Big Bang” that created the universe you now work in. It explains why EHRs are ubiquitous, why structured data is so important, and why there is such a focus on quality reporting and analytics.

Meaningful Use: From Adoption to Optimization

The core of HITECH was the concept of “Meaningful Use.” It wasn’t enough for a hospital to simply buy and install an EHR; they had to prove they were using it in a way that meaningfully improved care. The program was rolled out in three stages, with each stage increasing the complexity and the requirements. The program has since been rebranded as “Promoting Interoperability,” but its DNA is still pure Meaningful Use.

The Stages of Meaningful Use – A Pharmacist’s Perspective
Columns: Stage | Core Focus | Key Pharmacy-Related Objectives | Impact on Pharmacy Informatics

Stage 1 (Starting 2011)
Core focus: Data capturing and sharing. The focus was on getting providers to use the basic functions of an EHR to capture clinical data in a structured format.
Key pharmacy-related objectives:
  • Maintain an active medication list.
  • Maintain an active medication allergy list.
  • Implement one clinical decision support rule.
  • Use Computerized Provider Order Entry (CPOE) for medication orders.
Impact: This created the initial, massive demand for informatics pharmacists to help build the foundational components of the EHR: the drug master file, the allergy database, and the first wave of CPOE and CDS.
Stage 2 (Starting 2014)
Core focus: Advanced clinical processes. The focus shifted to more advanced EHR use, including care coordination and patient engagement.
Key pharmacy-related objectives:
  • Increased CPOE utilization thresholds.
  • Implement more advanced CDS (e.g., drug-drug, drug-formulary checks).
  • Perform medication reconciliation at transitions of care.
  • Provide patients with electronic access to their health information.
Impact: This drove the development of more sophisticated CDS and created entire projects around building robust medication reconciliation tools. The demand for CDS and EHR Analyst pharmacists grew significantly.
Stage 3 (optional in 2017, required from 2018) and Promoting Interoperability (the program’s name since 2018)
Core focus: Improved outcomes and data exchange. The focus moved to demonstrating improved patient outcomes and the ability to exchange data with other systems.
Key pharmacy-related objectives:
  • Increased emphasis on application programming interfaces (APIs) for data sharing.
  • Reporting on clinical quality measures (CQMs) that rely heavily on medication-related data (e.g., VTE prophylaxis).
  • Continued focus on patient engagement and electronic data access.
Impact: This created the demand for the Analytics Pharmacist role, as extracting and validating data for CQM reporting became a major priority. It also spurred the adoption of newer interoperability standards like FHIR.

The HITECH Breach Notification Rule

Beyond promoting EHR adoption, HITECH also significantly strengthened HIPAA’s enforcement. The most notable change was the introduction of the Breach Notification Rule. This rule requires covered entities and their business associates to notify affected individuals, the Secretary of Health and Human Services (HHS), and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets, following a breach of unsecured PHI; notification must be made without unreasonable delay and no later than 60 calendar days after the breach is discovered. “Unsecured” has a precise meaning: PHI that has not been rendered unusable, unreadable, or indecipherable by the methods HHS specifies (encryption or destruction). The loss of a laptop whose drive is properly encrypted is therefore generally not a reportable breach, which is one of the strongest practical arguments for encrypting ePHI at rest. This rule made the consequences of a data breach far more public and punitive, raising the stakes for information security and creating a much stronger business case for investing in robust security measures—and the informatics professionals who manage them.

1.4.4 The Modern Era: The ONC, Interoperability, and the 21st Century Cures Act

The current regulatory landscape is largely shaped by the work of the Office of the National Coordinator for Health Information Technology (ONC). The ONC is the principal federal entity charged with coordinating the nationwide effort to implement and use the most advanced health information technology. While HITECH forced adoption, the ONC’s current focus is on making the adopted systems work better and, most importantly, work together. This is the challenge of interoperability.

The landmark legislation driving the ONC’s modern mission is the 21st Century Cures Act, passed in 2016. A key component of this act, implemented by the ONC Cures Act Final Rule published in 2020, is a set of requirements designed to promote patient access to their data and to stop the practice of “information blocking.”

What is Information Blocking?

Information blocking is any practice that is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information. The Cures Act prohibits this practice, with civil penalties for health IT developers and exchanges and disincentives for providers. The prohibition is not absolute: the rule defines a small set of exceptions (for example, preventing harm, protecting privacy, maintaining security, and infeasibility), each with specific conditions that must be met and documented. In simple terms, healthcare providers, health IT vendors, and health information exchanges cannot unreasonably stand in the way of patients getting access to their own data or having that data sent to another provider or application of their choice.

Pharmacist-Relevant Example: A hospital’s EHR is technically capable of sending a patient’s medication history to a third-party medication management app on the patient’s smartphone, but the hospital has a policy of refusing to connect to any outside apps. A blanket refusal like this is likely information blocking. By contrast, a documented and consistently applied security practice, such as requiring the app to authenticate through the EHR’s standard authorization flow rather than by collecting the patient’s portal password, can fall within the Security exception. Your role as an informaticist will be to help your organization develop policies and technical workflows that enable this kind of data sharing securely and in compliance with the law.

To enable this new era of open data exchange, the ONC has championed the adoption of modern, API-based standards, most notably FHIR (Fast Healthcare Interoperability Resources). The Cures Act Final Rule requires certified EHRs to expose a standardized FHIR R4 API, with SMART App Launch (built on OAuth 2.0) for authorizing patient-facing apps, so “an app of the patient’s choice” has a concrete technical meaning. As an informaticist, you will increasingly work with FHIR-based applications and interfaces. It is the new language of interoperability.

1.4.5 The Watchful Eyes: Accreditation and Quality Organizations

Beyond federal laws, your work will be heavily influenced by the standards set by accreditation and quality organizations. These bodies are typically non-governmental, but their “seal of approval” carries real weight: TJC accreditation confers “deemed status,” meaning CMS treats an accredited hospital as meeting Medicare’s Conditions of Participation without a separate state survey, and many other payers require accreditation or quality certification as a condition of contracting. This gives them immense power to shape hospital practices. For an informatics pharmacist, the most important of these are The Joint Commission (TJC) and the National Committee for Quality Assurance (NCQA).

The Joint Commission (TJC) and National Patient Safety Goals (NPSGs)

TJC is the primary accrediting body for U.S. hospitals. During their regular surveys, they assess compliance with a detailed set of standards. Many of these standards, particularly the National Patient Safety Goals (NPSGs), are directly related to medication safety and have become major drivers for the adoption of specific health IT solutions.

Masterclass Table: Mapping TJC NPSGs to Informatics Solutions
Columns: National Patient Safety Goal (NPSG) | Core Requirement | Direct Informatics Solution & Your Role

NPSG.03.04.01: Labeling Medications
Core requirement: Label all medications, medication containers, and other solutions on and off the sterile field in perioperative and other procedural settings.
Your role: You will design and implement systems that print clear, standardized labels for all medications, especially for things like syringe labels in the operating room. This involves configuring printers and label formats within the EHR.
NPSG.03.05.01: Reducing Harm from Anticoagulation Therapy
Core requirement: Use standardized dosing protocols and programmable pumps for anticoagulants like heparin. Provide education to patients and families.
Your role: Your role is central. You will build the standardized heparin dosing protocols and order sets in the EHR. You will also be the primary owner of the “smart pump” drug library, building in the hard and soft safety limits for heparin infusions.
NPSG.03.06.01: Medication Reconciliation
Core requirement: Maintain and communicate accurate patient medication information. Compare the patient’s home medications to new orders at admission, transfer, and discharge.
Your role: You will be responsible for designing, building, and optimizing the medication reconciliation tools within the EHR. This is a notoriously complex workflow, and making it efficient and effective for nurses and physicians is a major informatics challenge.

When a TJC surveyor visits your hospital, they will ask to see these systems in action. They will want to see your heparin order set, your smart pump library, and your medication reconciliation workflow. Your work as an informatics pharmacist is therefore directly tied to your organization’s ability to maintain its accreditation.

NCQA and HEDIS Measures

The National Committee for Quality Assurance (NCQA) is a leading quality organization, particularly influential in the ambulatory and health plan worlds. NCQA develops a set of performance measures known as the Healthcare Effectiveness Data and Information Set (HEDIS). Health plans use HEDIS scores to compare their performance, and these scores are increasingly used in value-based payment models.

Many HEDIS measures are directly related to medication management (e.g., Statin Therapy for Patients with Diabetes, Statin Therapy for Patients with Cardiovascular Disease). Reporting on these measures is only possible with clean, structured, and extractable data from an EHR. The Analytics Pharmacist archetype plays a key role here, as they are the ones who must pull this data and validate its accuracy. This creates a powerful organizational incentive to ensure that clinical workflows are designed to capture the necessary structured data, a task that often falls to the EHR Application Analyst and CDS Specialist.

1.4.6 Conclusion: The Informaticist as a Guardian of Compliance and Safety

As we have seen, the world of pharmacy informatics is not an isolated clinical or technical discipline. It operates within a dense framework of legal mandates, regulatory requirements, and accreditation standards. The work you do—building an order set, designing an alert, configuring a report—is a direct response to these powerful external forces. A significant part of your professional responsibility will be to serve as your organization’s expert in translating these rules into functional, safe, and efficient clinical systems.

This can sometimes be a frustrating reality. You may be forced to implement a workflow that is not ideal because it is required to meet a specific regulatory measure. However, this is also what makes the role so critical. You are the professional who stands at the intersection of policy and practice, ensuring that the systems you build are not only clinically sound but also legally and regulatorily compliant. By mastering these “rules of the road,” you become an indispensable asset to your organization, a guardian of both patient safety and institutional integrity.