We have added an account recovery function to your Rx Mobility app. This can be used when a patient:
- gets a new phone
- loses his or her phone
- forgets a PIN
- deletes the app
- swaps from Android to an iPhone or vice-versa
The HIPAA Privacy Rule covers protected health information (PHI) in any medium while the HIPAA Security Rule covers electronic protected health information. You can get more information on the Department of Health and Human Services website.
Because of these HIPAA rules, PHI is encrypted on your mobile app and protected with a PIN, and PHI transfers to the pharmacy portal are encrypted as well.
The combination of HIPAA rules and the PIN make account recovery more complex than password recovery on an email account.
For example, you need to confirm that the patient is who they claim to be.
Because we need to comply with HIPAA, the account recovery needs to be secure.
If a patient wants to recover their account, they must first contact your pharmacy and receive a generated recovery code from you.
This will enable all their PHI such as refill and order data to be transferred to the new device.
To generate this code and complete the account recovery, a member of staff must take the following details from the patient:
- Patient name used in the app (only one name is needed)
- Date of birth
- Cell phone number
Then follow these steps:
- Log in to the Pharmacy Portal, click your name in the top right, and select “Recover Customer Account”
- Enter the name of the patient’s account and click “Search”
- Look through the results generated and confirm which device is the patient’s by comparing their date of birth and phone number.
- It is important that an exact match is found to accurately identify the patient and ensure patient data is transferred to the right person.
- Click “Create Recovery Code” and wait for a 9-digit code to be generated.
- Give this code to the patient.
- Instruct the patient that this code must be entered in the “Forgot PIN” screen (or “Recover Account” screen) within 15 minutes; otherwise a new code will need to be generated.
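The recovery flow above, written out as an added illustration of the security properties it relies on: an exact match on name, date of birth and phone number before a code is issued, a 9-digit code drawn from a cryptographic random source, a 15-minute lifetime, and single use. This is example code, not the Rx Mobility app's or the Pharmacy Portal's own implementation; the account records and device ids are constructed.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 15 * 60  # the 15-minute window from the procedure

# Constructed sample accounts (hypothetical device ids; not real patients).
# Two patients share a name, which is why DOB and phone must match exactly.
ACCOUNTS = [
    {"id": "device-A1", "name": "Jane Doe", "dob": "1980-04-12", "phone": "5550101"},
    {"id": "device-B2", "name": "Jane Doe", "dob": "1991-09-30", "phone": "5550199"},
]


def find_account(name, dob, phone):
    """Return the one account whose name, DOB and phone all match exactly, else None."""
    hits = [a for a in ACCOUNTS
            if a["name"] == name and a["dob"] == dob and a["phone"] == phone]
    return hits[0] if len(hits) == 1 else None


class RecoveryCodes:
    """Issues and redeems time-limited, single-use 9-digit recovery codes."""

    def __init__(self):
        self._pending = {}  # account id -> (sha256 of code, expiry timestamp)

    def issue(self, account_id, now=None):
        now = time.time() if now is None else now
        # 9 digits from a CSPRNG; only a hash is stored so a leaked table exposes no live codes.
        code = "".join(secrets.choice("0123456789") for _ in range(9))
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[account_id] = (digest, now + CODE_TTL_SECONDS)
        return code

    def redeem(self, account_id, code, now=None):
        now = time.time() if now is None else now
        # Single use: the pending code is consumed on any attempt, so a wrong guess
        # burns it and staff must generate a fresh one (limits online guessing).
        entry = self._pending.pop(account_id, None)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            return False  # outside the 15-minute window
        presented = hashlib.sha256(code.encode()).hexdigest()
        return hmac.compare_digest(digest, presented)
```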
I know this sounds a little complicated, but it does ensure HIPAA compliance and stops PHI from being hacked.
You can also review the steps in a video.