Pharmacy Law: HIPAA and Patient Counseling

Supported by an unrestricted educational grant from


Gerald Gianutsos, RPh, PhD, JD
Associate Professor of Pharmacology
University of Connecticut
School of Pharmacy
Storrs, CT

PDQ CE Services, Inc. is approved by the Accreditation Council for Pharmacy
Education as a provider of continuing pharmaceutical education.

This program reflects the opinion(s) of the author(s) and may not reflect those of the sponsor or
publisher. While all reasonable attempts have been made to assure the accuracy of the information
contained in this program based on current scientific knowledge at the time of publication, the reader is
advised to evaluate their individual patient’s condition, compare information discussed or suggested with
recommendations from other authorities, and refer to the official prescribing literature for the latest
information on new or highly toxic drugs prior to administration or dispensing.

Statements made in this program have not been evaluated by the Food and Drug Administration.
Discussion of published or investigational uses of drugs outside of approved labeling is offered for
educational purposes only, and the sponsor and publisher of this program do not endorse such off-label
use. Nutritional products discussed are not intended for the prevention, diagnosis, treatment, or cure of
any disease.


The purpose of this lesson is to review the requirements of the HIPAA law and how it affects
pharmacists, with particular emphasis on the disclosure of protected health information and its effect on

Upon completion, the pharmacist should be able to:

        1. Describe the purpose of the Health Insurance Portability and Accountability Act;
        2. Describe what constitutes protected health information and when it may be disclosed;
        3. Recognize the limitations that HIPAA may place on counseling activities; and
        4. Identify what pharmacists must do to comply with the law.

Patients have an expectation that certain health care information is confidential and that this information
will not be revealed to others without the patient’s consent. By now, pharmacists have some familiarity
with the new federal privacy law, HIPAA, which went into effect April 14, 2003. The law is designed to
provide patients with increased access to their own health care information while also providing greater
protection against the unauthorized use of their private health information. Pharmacists need to be
cognizant of the requirements of HIPAA, especially as it relates to notice obligations and how it may
affect counseling activities. This lesson will review the requirements of HIPAA and aid the pharmacist in
understanding how to comply with the law while still providing patient counseling.


The Health Insurance Portability and Accountability Act (HIPAA; PL 104-191; 42 USCS § 1320d [2003])
was approved by Congress in 1996. The law was signed by then-President Clinton in 1996 as part of the
effort on health care reform. The law is a far-reaching bill concerned with more than health care privacy.
The primary intent of the law is to improve the transfer of insurance and health care for those individuals
and employees who change health plans, and to ensure that employees do not lose insurance
coverage if they change jobs. The new law also tried to reduce health care costs by encouraging the
electronic submission of information and reducing paperwork, purportedly providing "administrative
simplification." The law sought to standardize the exchange of information between different, often
incompatible, data systems. Despite the attempt at simplification, the government estimates that
compliance with the proposed privacy regulations will cost approximately $17.5 billion over the next 10

The new law has a number of components which include requirements on portability of health insurance
by assisting policyholders and beneficiaries in maintaining coverage when they change jobs and making
insurance more accessible to small groups (employers with 2 to 50 employees). It also provides
measures to improve the efficiency of exchange of health care information by instituting standards for
electronic transmission of information and makes available stronger sanctions against health care fraud.
The law also revises security standards to assure the confidentiality and integrity of electronic
information and identifies and mandates code sets that must be used when reporting medical data. For
pharmacists, the most important provisions provide enhanced protections against disclosures of private
health information and require pharmacists to take steps to ensure medical privacy.

It was recognized that simplifying the storage, retrieval and exchange of health care information through
electronic means also makes it easier for private information to be improperly disclosed. In addition,
privacy advocates have been concerned with the expanding use of personal health information for
marketing purposes. The enactment of HIPAA sought to address these privacy concerns.

Under HIPAA, Congress was to enact privacy legislation within 3 years. When Congress failed to act in
time, the burden to enact regulations passed to the Department of Health and Human Services (HHS).
After a lengthy rule-making process (standards and commentary exceeded 1500 pages), a final rule was
developed in December 2000, but concerns were expressed about the cumbersomeness of the
proposed regulations and the difficulties they might cause for the delivery of health care. The Department
of Health and Human Services issued final regulations in August 2002, and the regulations became
effective on April 14, 2003.


HHS Secretary Tommy Thompson stated that "the new rules … reflect a common-sense balance
between protecting patients’ privacy and ensuring the best quality care for patients. They do not interfere
with the ability of doctors to treat their patients, and they allow important public health activities, such as
tracking infectious disease outbreaks and reporting adverse drug events, to continue."

The law created regulations concerning the privacy of individually identifiable health care information by
a "covered entity." A covered entity includes a health insurance plan, a health care clearinghouse and a
health care provider who transmits health information in an electronic form. Pharmacists are health care
providers since they provide some of the defined services, which include "diagnostic, therapeutic,
rehabilitative, maintenance or palliative care and counseling" and also include the "sale or dispensing
of a drug, device, equipment, or other item in accordance with a prescription." Pharmacies may also be
part of "hybrid" entities. For example, a pharmacy may be located within a supermarket. In this situation,
only the health care component of the business is covered by HIPAA, and the health care component
must separate itself from the rest of the business, such as by erecting a firewall between the pharmacy’s
computer system and the store’s system. Specifically, the privacy features of the law mandate that "a
covered entity must implement policies and procedures (which may be standard protocols) that limit the
protected health information disclosed to the amount reasonably necessary to achieve the purpose of
the disclosure."


HIPAA establishes national standards for the privacy of medical records and protected health
information (PHI) and provides safeguards for the protection of this information. PHI is any information
that:

        1. Is created or received by a covered entity;
        2. Identifies an individual or creates a reasonable basis that the information can be used to
           identify an individual; and
        3. Relates to the past, present, or future physical or mental health condition of the individual,
           or relates to the payment for health care.

Prescription records and patient profiles are obvious examples of PHI. The original proposal would have
only covered information that was in an electronic form, but the final rules cover all personal health
information maintained in any format, whether electronic, paper, or oral.

Disclosure of PHI
General.—HIPAA limits the circumstances under which PHI may be used or disclosed by others. Use of
the PHI falls into three general categories. Under certain circumstances, information may be disclosed
without any concerns about the patient’s consent. In other circumstances, the health care provider has
to meet paperwork requirements but does not necessarily have to obtain consent, while in other
situations, the patient’s express authorization must be obtained (see below for further details).

When information is disclosed, the entity must make reasonable efforts to limit the protected information
to the minimum necessary to accomplish the intended purpose or use. This minimum necessary
standard does not apply to requests by providers for treatment, since this could compromise the delivery
or adequacy of treatment. The final rule gives providers full discretion in determining what personal
health information to include when sending patients’ medical records to other providers for treatment
purposes. For example, a pharmacist can disclose prescription information to a physician who is
inquiring about a patient, and a physician can verify the health status of a patient when contacted by a
pharmacist who is verifying a prescription. The minimum necessary standard also does not apply when
the pharmacist is speaking directly with the patient. For example, the pharmacist may provide advice
about OTCs without consent, so long as no record is kept of the patient’s health information and there is
no other disclosure.

HIPAA applies to information that can identify an individual patient. The rules permit the disclosure of
information that is "de-identified." These data sets can be used for research, public health purposes,
efforts for quality improvement, or health care operations within an entity. The de-identified information
may not include names, addresses, social security numbers, phone numbers, photographs, or other
unique information that could identify a particular individual, but may include the name of a city, ZIP
code, age, or date of death.

Disclosure to others.—Information may be used and disclosed without the patient’s consent where it is
required by law or in judicial and administrative proceedings. For example, disclosures necessitated by
court orders, warrants, or subpoenas are exempted from the requirements. Information may also be
disclosed without consent if it concerns a victim of abuse, neglect, or domestic violence. In addition,
disclosure is permitted to a public health agency authorized by law to collect or receive information for
the purpose of preventing or controlling disease, such as public health surveillance; this also includes
reports to the FDA about adverse events. Finally, the information may be disclosed where it is needed
for identification of the body of a deceased person or the cause of death, for facility patient directories,
and for activities related to national defense and security. Note that states can implement additional
requirements that are more stringent. Indeed, state-mandated privacy restrictions are already common
in many states covering, among other things, HIV status and notes from psychotherapy sessions.

Initially, the regulations would have required a patient’s consent before any PHI could be used. Under
these regulations, a pharmacist could not have received a phoned or faxed prescription, or verified a
patient’s insurance coverage, unless a signed consent form was on file. However, it was recognized that
this would interfere with the provision of quality health care in a timely manner. The revised rules permit,
but do not require, a covered entity to obtain patient consent for uses and disclosures of protected
health information for treatment, payment, and health care operations. This is especially true in
emergency situations where the applicable rule has been described as "treat first and ask legal
questions later."

In lieu of obtaining consent, however, the health care provider is expected to give a notice of privacy
practices to every individual no later than the date of first service delivery to the individual and to make a
good faith effort to obtain the individual’s written acknowledgment of receipt of the notice (see below for
more details). The provision of the notice also affords the patient an opportunity to object to the
disclosure of certain information or recipients. Pharmacists are also advised to make certain that their
state does not have more stringent requirements for privacy.

The privacy rule relates to uses and disclosures of protected health information, not to whether a patient
consents to the health care itself. As such, the privacy rule does not affect the need to obtain informed
consent for treatment, which is ordinarily addressed by state law.

The revised privacy rules also affect pharmacists in other ways. HIPAA allows the transfer of patient
medical records if there is a change in ownership. For example, if a pharmacy is sold, the prescription
records may be conveyed to the new owner without authorization. Information may also be shared with
students training in the pharmacy. The definition of "health care operations" in the privacy rule provides
for "conducting training programs in which students, trainees, or practitioners in areas of health care
learn under supervision to practice or improve their skills as health care providers." Covered entities can
shape their policies and procedures for minimum necessary uses and disclosures to permit medical
trainees access to patients’ medical information, including entire medical records.

Patients may request and receive access to their own medical records and PHI, and may request
amendments to their records. The health care provider may deny these requests for changes to the
medical record if the original information is deemed to be accurate, or if the person to whom the request
is made did not create the information. Patients may also request information on the nature of
disclosures of PHI to others (see below for details).

HIPAA also provides an exemption for "incidental disclosure." The initial proposals made even
incidental uses and disclosures subject to penalty. The final modifications, however, recognized that
these may occur in the course of patient care and are often impossible to avoid. An incidental use or
disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature,
and that occurs as a result of another use or disclosure that is permitted by the rule. However, incidental
use or disclosure is not permitted if it is a by-product of an underlying use or disclosure that violates the
privacy rule. Negligent disclosure of PHI is not considered incidental. For example, mistakenly providing
a prescription record to the wrong patient would not be incidental disclosure.

Incidental disclosure is only permissible to the extent that the covered entity has applied reasonable
safeguards to protect the PHI. If these safeguards are met, health care providers may use office sign-in
sheets, hospitals may keep charts bedside, and health care providers can talk with patients in semi-
private rooms without fear of violating the rule if overheard by a passerby.

The pharmacist may also disclose information to the patient’s designated personal representatives.
The HIPAA privacy rule treats an adult or emancipated minor’s personal representative as the individual
for purposes of health care matters that relate to the representation, including the right of access. The
scope of access will depend on the authority granted to the personal representative by other law. If the
personal representative is authorized to make health care decisions generally, then the personal
representative may have access to the individual’s protected health information regarding health care in
general. In the relationship between parents and minors, the privacy regulations generally defer to state
law. In most cases, a parent is considered the personal representative of a minor child and has the
authority to act for the minor and exercise the minor’s rights. For example, a parent can acknowledge
receipt of the Notice of Privacy Practices for the minor and can access the minor’s medical records.

In some circumstances, however, a parent is not considered the personal representative of a minor. This
may occur when the minor consents to the health care and consent of the parent is not required under
state or other law (for example, this may apply in some states to situations involving contraception).
Other instances where the parent would not have access to PHI are when the minor obtains health care
at the direction of a court or a person appointed by the court, or when the parent agrees to a confidential
relationship between the minor and a health care provider. Similarly, when the minor is emancipated
under state law, the PHI may not be provided to the parent without authorization.

In the case of an adult’s personal representatives, if the authority is limited, the personal representative
may have access only to protected health information that may be relevant to making decisions within
the personal representative’s authority. For example, if a personal representative’s authority is limited to
authorizing artificial life support, then the personal representative’s access to protected health
information is limited to that information which may be relevant to decisions about artificial life support.

There is an exception to the general rule that a covered entity must treat an adult or emancipated
minor’s personal representative as the individual. Specifically, the privacy rule does not require a
covered entity to treat a personal representative as the individual if, in the exercise of professional
judgment, it believes doing so would not be in the best interest of the individual; for example, if there is
reasonable belief that the individual has been or may be subject to domestic violence, abuse, or neglect
at the hands of the personal representative, or that doing so would otherwise endanger the individual.
This exception applies to adults and both emancipated and unemancipated minors.

When the individual is not present to give consent to the disclosure, the pharmacist may use
professional judgment to determine if it is in the patient’s best interest to make disclosure to another
individual. For example, a pharmacist may permit a friend or relative of the patient to pick up a
prescription on behalf of the patient if the pharmacist believes it is in the patient’s best interest.

HIPAA also provides for disclosures to "business associates," individuals who are not part of the
workforce but perform a service on behalf of the entity. Examples of business associates include
lawyers, accountants, consultants, and outside billing companies. Individuals involved with treatment are
not included as business associates. Disclosures may be made to the business associate if there is a
contract that establishes the permitted and required uses, and disclosures of such information by the
business associate. The contract may not authorize the business associate to use or further disclose the
information in a manner that would violate the requirements, if done by the covered entity, with a few
minor exceptions. A sample of a contract may be found on the HHS website.

Most other disclosures require an affirmative authorization by the patient. For example, marketing of
information is now largely limited by the new rules. Selling protected health information to third parties
for their use and re-use requires authorization. Under the rule, pharmacists may not provide patient lists
to pharmaceutical companies for those companies’ drug promotions without authorization. Similarly, a
provider may not sell names of pregnant women to baby formula manufacturers or magazines without
authorization. However, certain types of health promotion or treatment programs would not be
considered marketing. For example, if a pharmacy directly operates a disease management program
and sends a flyer or promotional mailings to patients in its database describing the program, it would not
require prior authorization. This might include information on lowering cholesterol, health fairs, cancer
prevention, recommendation of generics, and the like. Similarly, it is not marketing for a pharmacy to
provide prescription refill reminders even if the pharmacy is paid by a pharmaceutical company to send
the reminders. Refill reminders are considered to be a part of treatment, which is an exempted activity.
Of course, the pharmacy could not sell the mailing list to the pharmaceutical company itself.


In order to comply with HIPAA, there are a number of procedural actions that a pharmacy must

The pharmacy must designate a Chief Privacy Officer who is responsible for the implementation and
development of its privacy policies and procedures. The policies and procedures must state who will
have access to the PHI, how the entity will use PHI, and the circumstances where it will be disclosed.
The pharmacy must also designate a contact person or other means to provide information about the
entity’s privacy policies to the public and who will receive complaints from the patient about unauthorized
disclosures. The privacy officer and contact may be the same person. The pharmacy must also provide
training for all employees on the policies and procedures relating to PHI in the workplace so they
understand potential risks to privacy.

Notice Requirements
Pharmacies must develop and distribute a notice of privacy practices that describes the purposes for
which PHI may be disclosed. The notice must be written in plain language and contain:

        1. A statement that the covered entity is required by law to maintain the privacy of PHI;
        2. A description (with an example) of the types of disclosures that can be made with or without
           consent or authorization;
        3. The fact that other disclosures require a written authorization which can be revoked at any
           time;
        4. A statement of the individual’s rights, which includes the right to inspect and amend PHI, to
           request restrictions on PHI disclosed, and to ask for an accounting of disclosures; and
        5. The identity of the contact person at the pharmacy and a statement that the individual may
           file a complaint with HHS.

The notice must also prominently display the statement: "This notice describes how medical information
about you may be used and disclosed and how you can get access to this information. Please review it
carefully." Pharmacists may provide a "layered" notice that consists of a short summary of the patient’s
rights attached to a more complete notice that complies with all the elements required by the rule. A
single privacy notice may be used to cover all the pharmacies in a chain or group of pharmacies under
common ownership.

Providers must distribute the notice no later than the first date of delivery of service and must make a
good faith effort to obtain a written acknowledgement that the patient received it. While distributing the
notice in person would be preferable, the pharmacist can also distribute it by postal mail, electronic mail
or by placing it in a prescription bag. However, the pharmacy needs to provide a mechanism for the
patient to return the written acknowledgement. If the pharmacy cannot obtain the written
acknowledgement (eg, in an emergency situation), they must document the efforts to obtain it. The
written acknowledgement may be obtained by signing or initialing a log book so long as the patient is
informed about the nature of the log book, and the signature cannot be used for another purpose such
as a waiver of OBRA-mandated consultation with the pharmacist. The "signature" may also be obtained
digitally if the pharmacy maintains a web site. The privacy notice must also be posted in a prominent
area of the pharmacy and a link must be provided on the pharmacy’s web site (if patients can access the
site). The acknowledgment must be retained for a period of 6 years. If the privacy notice is revised, the
revision must be posted in the pharmacy and made available to patients, but it does not have to be
redistributed each time. If the provider maintains an office or other physical site where health care is
provided directly to individuals, the provider must also post the notice in that facility in a clear and
prominent location where individuals are likely to see it, as well as make the notice available to those
who ask for a copy.

Patients are not required to sign the notice if they choose not to do so. A patient cannot be denied
service if they refuse to sign or acknowledge the form, but the pharmacy should document the efforts to
obtain the signature and explain the reason why the patient refused to sign.

In addition to the privacy notice, the pharmacy must develop a separate patient authorization document
that must be signed before performing activities for which authorization is required. Generally, this
document must contain a description of the information to be used or disclosed, the purpose of the
disclosure, the names of the entities that are giving or receiving the information, and an expiration date
for use of the information. This also must be retained for 6 years.

Patient Rights
Patients may request documentation of instances where disclosures were made during the previous 6
years to anyone outside of the permitted province of treatment, payment, or regular operations or
conversations directly with the patient. Needless to say, pharmacies must keep accurate records of all
covered disclosures. In addition to the exclusion of records relating to treatment and payment, incidental
disclosures and legally-mandated disclosures need not be accounted for. If requested by the patient, the
pharmacy has 60 days to provide an accounting of the disclosures, which would include the name and
address of who received the information, and a brief description of the nature and reason for the
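As an added illustration (not part of the lesson), the following Python models the disclosure log and the accounting procedure described above: entries older than 6 years and the categories the lesson says need not be accounted for are filtered out, the response deadline is 60 days, and each remaining entry carries the recipient's name and address and a brief description and reason. The record layout, category labels and sample entries are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Categories the lesson says need not appear in an accounting: treatment,
# payment, health care operations, conversations with the patient,
# incidental disclosures and legally mandated disclosures.
# The labels themselves are assumptions of this example.
EXEMPT_CATEGORIES = frozenset({
    "treatment", "payment", "operations", "patient",
    "incidental", "required_by_law",
})
ACCOUNTING_YEARS = 6          # look-back period for an accounting
RESPONSE_DEADLINE_DAYS = 60   # time the pharmacy has to respond


@dataclass(frozen=True)
class Disclosure:
    """One entry in the pharmacy's disclosure log (assumed record layout)."""
    patient_id: str
    disclosed_on: date
    category: str            # e.g. "treatment", "public_health", "abuse_report"
    recipient_name: str
    recipient_address: str
    description: str         # brief description of the PHI released
    reason: str              # why it was released


def accounting_window_start(request_date: date) -> date:
    """First day covered by an accounting requested on request_date."""
    year = request_date.year - ACCOUNTING_YEARS
    try:
        return request_date.replace(year=year)
    except ValueError:       # 29 February in a non-leap year
        return request_date.replace(year=year, day=28)


def accounting_deadline(request_date: date) -> date:
    """Latest date by which the accounting must be provided."""
    return request_date + timedelta(days=RESPONSE_DEADLINE_DAYS)


def accounting_of_disclosures(log, patient_id, request_date):
    """Return the accountable disclosures for one patient, oldest first."""
    start = accounting_window_start(request_date)
    return sorted(
        (d for d in log
         if d.patient_id == patient_id
         and start <= d.disclosed_on <= request_date
         and d.category not in EXEMPT_CATEGORIES),
        key=lambda d: d.disclosed_on,
    )


def format_accounting(entries):
    """Render each accountable disclosure with the elements the lesson lists."""
    return [
        f"{d.disclosed_on.isoformat()}: {d.recipient_name}, {d.recipient_address}"
        f" -- {d.description} ({d.reason})"
        for d in entries
    ]


# Constructed sample log; patient ids, recipients, addresses and dates are invented.
SAMPLE_LOG = [
    Disclosure("P-1001", date(2003, 2, 1), "public_health", "State Health Dept.",
               "1 Example Ave, Hartford, CT", "immunization record", "disease surveillance"),
    Disclosure("P-1001", date(2003, 5, 2), "treatment", "Dr. A. Example",
               "10 Main St, Storrs, CT", "prescription history", "prescriber inquiry"),
    Disclosure("P-1001", date(2003, 9, 10), "public_health", "Food and Drug Administration",
               "Rockville, MD", "drug name, dose, reaction", "adverse event report"),
    Disclosure("P-1001", date(2004, 1, 8), "incidental", "passer-by at counter",
               "n/a", "drug name overheard", "counseling at semi-private counter"),
    Disclosure("P-1001", date(2005, 1, 20), "abuse_report", "State child protection agency",
               "2 Example St, Hartford, CT", "medication list", "suspected abuse"),
    Disclosure("P-2002", date(2005, 3, 3), "public_health", "State Health Dept.",
               "1 Example Ave, Hartford, CT", "immunization record", "disease surveillance"),
]


if __name__ == "__main__":
    requested = date(2009, 3, 1)
    print(f"Accounting due by {accounting_deadline(requested)}")
    for line in format_accounting(accounting_of_disclosures(SAMPLE_LOG, "P-1001", requested)):
        print(line)
```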

Security Standards
The Department of Health and Human Services has also recently issued security standards under
HIPAA. These standards require covered entities, including pharmacies, to implement administrative,
physical, and technical safeguards to protect PHI that is stored or transmitted electronically. The
standards cover a broad range of activities to protect electronic PHI from unauthorized access, deletion,
alteration, and transmission. Many of the requirements outlined in the security regulation are very similar
to those of the HIPAA privacy rule—both regulations require covered entities to sign contracts with their
business associates. However, unlike the privacy standards, which cover PHI in any form, the security
standards only cover PHI in electronic form. Covered entities must comply with these standards by April
25, 2005. The security standards provide some flexibility, listing some implementation specifications that
are required and must be met, while others are "addressable." Risk analysis/risk management security
measures, a sanction policy for employees who fail to comply, and disaster contingency plans are
required. For addressable standards, a covered entity must determine if implementation is reasonable
and appropriate, and depends on factors such as the cost of implementation, the nature of the potential
risks to the PHI, the technological infrastructure, and the size, complexity, and capabilities of the
covered entity.


Enforcement of the HIPAA privacy rule is entrusted to the Office of Civil Rights (OCR) of HHS. Under
HIPAA, anyone may file a complaint with the OCR (ie, it is not limited to the patient whose privacy has
been violated), and the OCR is required to investigate any complaint. OCR may also conduct periodic
reviews of the privacy policies and procedures of covered entities to ensure that they are in compliance
with HIPAA. Once the patient knows that a violation has occurred, they have up to 180 days to file a
complaint, although this deadline can be extended for "good cause." (Note that the clock starts when the
patient knows about the violation, not from the date that the violation occurred.) The complaint must be
in writing, either on paper or electronically. Further information on filing a complaint can be found on the
OCR web site.

HIPAA provides for both civil and criminal penalties if there is a violation of the patient’s privacy rights. A
pharmacy may be liable for civil damages of $100 per incident, up to $25,000/person/year.

More severe criminal penalties are provided for pharmacies that knowingly and improperly violate the
privacy rules. Penalties may include a fine of up to $50,000 and up to 1 year in prison. If the violation is
made under false pretenses, the penalty may increase to $100,000 and 5 years in prison. A fine up to
$250,000 and imprisonment for up to 10 years may be imposed if the rule is violated for the purpose of
selling or using the information for commercial purposes, personal gain, or malicious harm.

Pharmacies must develop policies that provide sanctions for employees who violate the HIPAA privacy
standards. If an employee discloses PHI, the pharmacy must sanction the employee and also take
measures to limit the damage caused by the disclosure, document the event, and account for the events
to the affected party if requested by that party. The sanctions may include counseling, oral or written
warnings, probation, suspension, demotion, or termination, and the employee may be responsible for
restitution to the pharmacy or patient.


Release of Information
Obviously, patients are entitled to their own health information, so pharmacists should not feel that the
HIPAA rules would unnecessarily hinder counseling functions. Providing advice or instructions on a
prescription, or recommending an OTC product based upon the patient’s medical history, does not
violate the privacy rules. However, the pharmacist needs to ensure that the disclosure of PHI to others is

The HIPAA rules permit health care providers to communicate with patients regarding their health care.
This includes communicating with patients at their homes, whether through the mail, by phone, or in
some other manner. However, pharmacists should take extra precautions to verify the identity of
individuals when talking on the phone or in person.

The rule also does not prohibit pharmacists from leaving messages for patients on their answering
machines. However, to reasonably safeguard the individual’s privacy, covered entities should take care
to limit the amount of information disclosed on the answering machine. For example, a covered entity
might want to consider leaving only its name and number and ask the individual to call back. In
situations where a patient has requested that the covered entity communicate with him in a confidential
manner, such as by alternative means or at an alternative location, the covered entity must
accommodate that request, if reasonable. For example, a request to receive mailings from a pharmacy
in a closed envelope rather than by postcard, or a request to receive mail from the covered entity at a
post office box rather than at home, or to receive calls at the office rather than at home, are considered
to be reasonable requests that should be accommodated.

HIPAA regulations also cover situations in which a pharmacist may, in the course of treating the patient,
disclose part of a patient’s PHI to a friend, family member, or relative who is involved with the patient’s
health care. As discussed above, parents are generally, but not always, entitled to information about their
minor children. The regulations also permit pharmacists to use "professional judgment" to determine
whether a disclosure to a family member or friend is in the best interest of the patient, or if he or she can
reasonably infer that the patient would not object. If information is released to a representative, it must
be the minimum amount of PHI. The disclosure must be directly relevant to the person’s involvement
with the patient’s health care. For example, a pharmacist may explain dosing directions to a caregiver if
he or she determines that it would be appropriate to do so. Additional information, such as what the
medication specifically treats, should not be discussed. The pharmacist should encourage the patient to
call the pharmacy for additional counseling and to ask questions regarding the therapy.

A covered entity also may leave a message with a family member or other person who answers the
phone when the patient is not home. The privacy rule permits covered entities to disclose limited
information to family members, friends, or other persons regarding an individual’s care, even when the
individual is not present. However, covered entities should use professional judgment to assure that
such disclosures are in the best interest of the individual and limit the information disclosed.

Structural Changes and Privacy Areas
HHS has specifically stated that the rule’s minimum necessary standard does not require covered
entities to make costly structural or systems changes. For example, pharmacies do not need to install
private rooms, soundproofed areas, or encrypted telephones or fax machines. However, Internet pharmacies and
pharmacies with web sites need to be aware of forthcoming encryption and security standards.

The covered entity must, however, implement reasonable safeguards to minimize the potential for
inadvertent disclosures of PHI. Reasonable safeguards could include:

    1.   Asking waiting customers to stand a few feet back from a counter used for patient counseling.
    2.   Providing added shielding and sound-reducing devices to areas where oral communications
         frequently occur.

In assessing what is "reasonable," covered entities might consider the viewpoint of a prudent health care
professional. Pharmacists should also consider the use of locked cabinets and passwords to prevent the
deliberate or inadvertent viewing of PHI by employees who are not entitled to have access to such


Case 1
Mr. J comes into the pharmacy and asks about a recommendation for his cold. You walk him down to
the aisle, which is crowded with other patrons, and explain the different products. You (the pharmacist)
then remember that he has been taking medication for hypertension and explain to him that a
decongestant could worsen his high blood pressure. Did the pharmacist act appropriately under HIPAA?

It is certainly appropriate for the pharmacist to review Mr. J’s medical history, discuss it with him, and
make recommendations on OTC products based upon that history. The HIPAA privacy rule is not
intended to prohibit practitioners from talking to their patients and providing information that is in the
patient’s best interest. However, while "incidental" release of PHI is permitted, the pharmacist likely
failed to act in a "reasonable" manner by discussing the health information in a crowded aisle. The
pharmacist should have taken Mr. J to a more private area to continue the discussion.

Case 2
Mrs. D comes into the pharmacy to buy aspirin regimen tablets for her mother on her doctor’s
recommendation. She sees a wide range of doses and products and asks you (the pharmacist) which
one would be most appropriate to prevent heart attacks. You ask her about her mother’s drug history, but
she doesn’t remember. Can you check the files to find out? Upon checking, you note that her mother has a
current prescription for an antiviral agent, a statin, and a history of NSAID medication use. May you
make a recommendation under HIPAA?

The privacy regulations recognize that situations exist in which a provider may need to disclose part of a
patient’s protected health information (PHI) to a friend, family member, or relative who is involved with
the patient’s health care. The regulation permits providers to use "professional judgment" to determine
whether a disclosure is in the best interest of the patient and, if so, to release a limited amount of PHI to
the individual. Here the potential interaction with NSAIDs could reasonably be considered to be in the
patient’s best interest, and a limited discussion discloses that NSAID use has been discontinued. You
may recommend an aspirin regimen product of your choosing. However, if the daughter then asks what
her mother’s medications specifically treat, that should not be discussed under HIPAA.

Cautious pharmacists should verify the identity of a representative who is unknown to them before
disclosing any information. If the patron was Mrs. D’s neighbor who was running an
errand, instead of her daughter, it might be prudent to phone Mrs. D and discuss the situation with her
instead of with the neighbor.


With the emergence of HIPAA, issues of patient privacy have risen to a new level of awareness among
all health professionals. By now, pharmacists should have implemented plans to protect patient privacy.
Pharmacists need to know when protected health information must be disclosed, and when it may or
may not be disclosed. Pharmacists also need to have privacy policies and training programs in place,
and forms for distributing privacy information and requesting patient authorization. While HIPAA has
increased the burdens on pharmacists, they should not feel that their ability to counsel patients is
prohibited by the privacy regulations. The pharmacist may freely counsel the patient about his or her
own situation, so long as it is done in relative privacy. The pharmacist can also discuss health
information with caregivers so long as he or she adheres to the principle of using reasonable,
professional judgment and limiting the information to the minimum necessary. Resources are available
to assist pharmacists with compliance with HIPAA, but the pharmacist must first accept the duty to
protect the privacy of personal health information.




     1. HIPAA was enacted for what purpose?

            a. To limit access of patients to their medical records
            b. To provide insurance for the uninsured
            c. To improve the portability and transfer of insurance coverage
            d. To limit the exchange of information between health care

     2. Protected health information includes:

            a. Information created by a covered entity
            b. Information about the patient’s medical history
            c. Information that identifies an individual patient
            d. All of the above

     3. Which of the following statements is correct with respect to disclosure of
     protected health information?

            a. Generally, the amount of information should be the minimum
            necessary to accomplish the intended purpose
            b. A pharmacist who receives a prescription may not verify the
            health status of a patient with a physician without the patient’s
            c. Pharmacists may not distribute health information directly to
            the patient
            d. None of the above

     4. Which of the following types of data would be permissible for disclosure as
     "de-identified" information?

            a. Social security number
            b. ZIP code
            c. Photograph
            d. Phone number

5. In which of the following situations may a pharmacist disclose PHI without
the patient’s consent?

       a. In response to a court order
       b. If it concerns a victim of abuse or domestic violence
       c. Both A and B
       d. None of the above

6. Which of the following statements is correct about incidental disclosures?

       a. An incidental disclosure is one that is completely preventable
       b. Incidental disclosures are subject to penalties
       c. Incidental disclosures are disclosures made by nonsupervisory
       d. An incidental disclosure is a disclosure that cannot be
       reasonably avoided and occurs as a result of another use or
       disclosure that is permitted by the rules

7. When may a pharmacist disclose PHI about a minor to the parent?

       a. There are no restrictions on disclosing information to a parent
       b. For an unemancipated minor when not further controlled by
       state law
       c. A parent may never have access to a minor’s PHI unless there
       is a medical emergency
       d. None of the above

8. When may a pharmacy’s business associate disclose PHI?

       a. A business associate may disclose PHI whenever the pharmacy
       has an agreement with a pharmaceutical manufacturer to promote
       a certain drug
       b. Disclosures may be made by the business associate if there is a
       contract that establishes the permitted and required uses and
       disclosures of information by the business associate
       c. A business associate may disclose PHI only if they are
       involved with patient treatment
       d. A business associate may not disclose PHI under any

9. Which of the following must a pharmacy do in order to comply with HIPAA?
       a. Designate a privacy officer
       b. Provide training for employees on privacy issues
       c. Designate a contact person for complaints about privacy
       d. All of the above

10. Which of the following are true regarding a pharmacy’s Notice of Privacy?

       a. The pharmacy cannot dispense a prescription until the notice is
       signed by the patient
       b. The privacy notice must include a description of the types of
       disclosures that may be made with or without authorization
       c. The notice must be kept for 1 year
       d. The signature on the form may only be obtained in person

11. Which of the following penalties are available for violation of HIPAA
privacy rules?

       a. A pharmacy may be liable for civil penalties up to $25,000
       b. A pharmacy may be liable for criminal penalties if they
       knowingly violate the rules
       c. A and B are correct.
       d. The only penalty currently available is a reprimand from the
       pharmacy’s own State Pharmacy Board

12. Which of the following is correct regarding the HIPAA security standards?

       a. Security standards cover information in electronic form
       b. Implementation of standards includes both required and
       addressable standards
       c. The standards cover a broad range of activities to protect
       electronic PHI from unauthorized access, deletion, alteration, and
       d. All of the above

13. A patient who feels that the privacy standards have been violated would file
a complaint with:

       a. The FDA
       b. The State Pharmacy Board
       c. The Office of Civil Rights of HHS
       d. The Attorney General

14. What structural changes are required in the pharmacy under HIPAA?

       a. Construction of a private consultation room
       b. Reasonable safeguards to ensure privacy
       c. Encrypted telephones and FAX machines
       d. All of the above

15. When may a pharmacist disclose PHI to a family member of the patient?

       a. PHI may only be disclosed directly to the patient or their health
       care provider
       b. If a pharmacist, using professional judgment, feels that it
       would be in the best interest of the patient
       c. If the pharmacist obtains permission from the patient’s
       d. There are no restrictions on disclosure to a family member
