
Information

The privacy rule allows pharmacies to use and disclose PHI for treatment, payment, and operations (TPO). Treatment includes providing, coordinating, or managing the healthcare of the patient. In pharmacies, this includes dispensing medications, counseling patients, maintaining patient profiles, and consulting with the patient's other healthcare providers. Importantly, the pharmacist may disclose PHI with the patient's primary care physician and nurse practitioner or physician assistant as well as any other healthcare professionals involved in treating the patient. Payment activities include submitting claims for reimbursement, determining patient eligibility and extent of coverage, and sending bills to patients. Operations encompass those activities necessary to operate a pharmacy such as quality assessment, fraud detection, audits, certifications, and business management.

Pharmacists, of course, may always provide complete disclosure of PHI to the patient, and in fact, the regulations require the pharmacist to do so if the patient requests. Pharmacies may charge a reasonable, cost-based fee for providing patients a copy of their records. Disclosure may also be made to the patient's personal representative or agent such as a friend, relative, roommate, or neighbor. In the case of an agent, the pharmacist should exercise professional judgment to determine if it would really be in the patient's best interests to provide disclosure. This puts the pharmacist in somewhat of a dilemma, especially in mandatory consultation states such as California, because state regulation requires the pharmacist to counsel the patient or the patient's agent if present. Regardless of the counseling requirements, it would be best not to counsel the patient's agent unless professional judgment clearly warrants, and instead, send a notice for the patient to call for counseling.

Under HIPAA, patients have always had the right to request access to, and obtain copies of, their PHI from covered entities in a timely manner. Prior to the 2013 rule, covered entities had 60 days to act on requests for PHI, with an additional 30-day extension. The 2013 rule, however, shortened that requirement to 30 days, and if there is good cause, it may be extended another 30 days by providing the patient with a written explanation for the delay. DHHS encourages patient access as soon as possible, and for pharmacies, PHI may be instantaneously available, so time constraints may not be a concern. However, covered entities that continue to make use of off-site storage or face other constraints in providing access may exercise the 30-day window, with the potential for a 30-day extension.

Pharmacies are also required to provide an electronic copy of PHI to patients in the format requested. If the request cannot be accommodated, it must be provided in an agreed-upon readable electronic format.

As noted earlier, the 2021 proposed rule seeks to modify various provisions surrounding use and disclosure of PHI as well as individuals' right of access to PHI. For example, several modifications have been proposed that would encourage covered entities, under certain conditions, to use and disclose PHI more broadly in scenarios that involve substance use, mental health, and emergency situations. A number of the proposed changes specifically focus on how to modify the Privacy Rule to encourage disclosures of PHI to family and caregivers when needed to help individuals experiencing these concerns. In addition, many healthcare groups have called for changes to better align the 42 CFR Part 2 regulations ("Part 2") with the HIPAA Privacy Rule. Part 2 protects the privacy of substance use disorder patients who seek treatment at federally assisted programs. While the 2020 Coronavirus Aid, Relief, and Economic Security (CARES) Act did help align the two, further expanding the ability of healthcare providers to share records is still seen as an important step in addressing the matter. On December 2, 2022, DHHS proposed changes to Part 2 that would further align it with HIPAA, while breaking down barriers to information sharing, improving care coordination, and protecting patient privacy (87 FR 74216).

Additionally, the modifications proposed in the 2021 proposed rule to an individual's right to access PHI, if finalized, would include many of those already mentioned under "Health Insurance Portability and Accountability Act of 1996," including: allowing individuals to inspect their PHI in person and take notes or images; shortening covered entities' required response time to no later than 15 calendar days (from the current 30 days), with the opportunity for an extension of no more than 15 calendar days (from the current 30-day extension); clarifying the format required when responding to individuals' requests for their PHI; creating a pathway for individuals to direct the sharing of PHI in an EHR among providers; specifying when ePHI must be provided to the individual at no charge; and requiring covered entities to post estimated costs on their websites or provide individualized estimates and itemized bills for individuals requesting or obtaining copies of PHI.

Accounting for Disclosures

Under the initial HIPAA law and regulations, patients had a right to request and receive an accounting of disclosures of PHI made by a covered entity in the 6 years prior to the date of the request (45 C.F.R. § 164.528). That right did not extend to disclosure for TPO because covered entities commonly make these disclosures several times per day and tracking them would be unduly burdensome. However, a 2009 law called the Health Information Technology for Economic and Clinical Health (HITECH), which is part of the American Recovery and Reinvestment Act (P.L. 111-5), made an important change. Under HITECH, if a covered entity uses an electronic health record, the entity will be required to account for all disclosures, including disclosures of TPO, within 3 years prior to the date of the request. Pharmacy organizations have expressed concerns that this HITECH requirement will unduly burden pharmacies, because pharmacies make several disclosures daily when claims processing is considered, and have requested exceptions be made for pharmacy. In 2011, DHHS published a notice of proposed rulemaking on this matter (76 FR 314250); however, as of early 2023, DHHS had not finalized any rules for accounting and disclosure. Therefore, the original HIPAA regulation, providing TPO as an exception to accounting for disclosures, remains the same despite the language in HITECH.

HITECH contains another disclosure-related requirement that poses a problem for pharmacies. Patients may request that their PHI not be disclosed to a health plan if the purpose is for payment or operations and pertains to an item or service for which the patient has paid out of pocket in full. Pharmacy claims submitted to health plans, however, include PHI related to TPO, and it might be very difficult to extract this information. Omitting this information might also violate the contract between the pharmacy and the health plan. This requirement was finalized in the 2013 rule, and it is important that pharmacies understand that if a patient pays for a prescription or other goods or services with cash, the patient can prevent the pharmacy from disclosing information about that treatment to his or her health insurers.

Minimum Necessary Requirement

A pharmacy may disclose only the minimum amount of PHI necessary to accomplish the objective. For example, if a claims processor needs more information in order to process a claim, the pharmacy may provide only that information and no more. Exceptions to the "minimum necessary requirement" include:

  • Communications to the patient

  • Communications regarding the treatment of the patient with other providers involved in the treatment

  • When authorized by the patient

  • When required by DHHS for compliance and enforcement purposes

  • When required by law

In all of these situations, the pharmacist may provide complete disclosure of PHI. Prior to HITECH, HIPAA contained no definition of minimum necessary. HITECH changed this and limits the covered entities' discretion for determining what constitutes minimum necessary to, if possible, a "limited data set." A limited data set is PHI that excludes direct identifiers of the patient such as name, address, phone numbers, and social security number. If restricting the PHI to a limited data set is not possible, the pharmacy may include direct identifiers to the minimum amount necessary to achieve the intended purpose. The pharmacy must be prepared, however, to justify why the request or disclosure was not limited to the limited data set.

The 2021 proposed rule seeks to create an exception to the "minimum necessary" standard for individual-level care coordination and case management uses and disclosures. This proposal would relieve covered entities of the minimum necessary requirement for uses by, disclosures to, or requests by, a health plan or covered healthcare provider for care coordination and case management activities with respect to an individual, regardless of whether it constitutes treatment or healthcare operations.

Incidental Use and Disclosure

It is inevitable that no matter how careful a pharmacy is about protecting PHI, the information will occasionally be used or disclosed in an unintended manner. For example, while a pharmacist is counseling a patient, another patient may overhear the conversation. Pharmacies are not liable for these incidental uses and disclosures, provided they have applied "reasonable safeguards" to protect the PHI. Pharmacies are not expected to make structural modifications such as building a soundproof room for counseling. Pharmacists, however, are expected to exercise professional judgment and common sense. Reasonable safeguards for counseling would suggest that the counseling be conducted in a location as far away from other patients as possible. If other patients are nearby, they should be asked to stand back a few feet and the pharmacist should speak softly while counseling.

The OCR has specifically stated that under the incidental use and disclosure policy, no violation occurs when the pharmacy calls out the name of the patient who is waiting for a prescription, nor would it be a violation if another patient incidentally hears the pharmacist speaking to a technician or another pharmacist about a prescription. Pharmacists may also leave messages on the patient's answering machine, although it would be wise to say as little as possible.

De-identification of PHI

Information from which all individually identifying factors have been removed, a process termed de-identification, is not PHI and thus not subject to HIPAA. Pharmacists and pharmacy students, when using patient information for educational and other non-TPO purposes, should take care to de-identify the information. The following items are considered identifiers:

  • Names

  • Geographic subdivisions such as street address, city, county, and zip code

  • All dates: birth, admission, discharge, death, ages over 89 (may aggregate to category, e.g., age 90 and over)

  • Telephone numbers

  • Fax numbers

  • Electronic mail addresses

  • Social Security numbers

  • Medical record numbers

  • Health plan beneficiary numbers

  • Account numbers

  • Certificate/license numbers

  • Vehicle identifiers and serial numbers, license plate numbers

  • Device identifiers and serial numbers

  • Web universal resource locators

  • Internet protocol address numbers

  • Biometric identifiers (finger and voice prints)

  • Full-face photographic images and comparable images

  • Any other unique identifying numbers, characteristics, or codes
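The limited data set described under "Minimum Necessary Requirement" and the de-identified data described here differ only in which identifiers are stripped: a limited data set removes direct identifiers such as name, address, phone numbers, and Social Security number but keeps dates, while de-identified data also removes all dates and aggregates ages over 89 into a "90 and over" category. The following Python example is added here to illustrate that distinction and the quality check that belongs with it; it is not part of the original text. The field names (`name`, `ssn`, `fill_date`, and so on), the sample record, and the regular expressions that catch identifiers leaking through free-text fields are all constructed assumptions for the example, and the free-text patterns are a starting point rather than a complete detector.

```python
import re
from typing import Any

# Constructed sample pharmacy patient profile (fictional values, not real data).
SAMPLE_RECORD: dict[str, Any] = {
    "name": "Jane Q. Sample",
    "street_address": "123 Main St",
    "city": "Anytown",
    "county": "Sample County",
    "zip": "90210",
    "phone": "555-555-0100",
    "fax": "555-555-0101",
    "email": "jane@example.com",
    "ssn": "000-00-0000",
    "medical_record_number": "MRN-0001",
    "health_plan_id": "HP-12345",
    "account_number": "ACCT-777",
    "date_of_birth": "1930-04-02",
    "fill_date": "2023-01-15",
    "age": 93,
    "drug": "metformin 500 mg",
    "counseling_notes": "Patient counseled on hypoglycemia; call 555-555-0100 with questions.",
}

# Assumed field names for the direct-identifier categories listed in the text
# (names, geographic subdivisions, phone/fax, e-mail, SSN, record and plan
# numbers, account numbers, license, vehicle and device identifiers, URLs,
# IP addresses, photographs).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "street_address", "city", "county", "zip", "phone", "fax", "email",
    "ssn", "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address", "photo",
})

# Any value shaped like an ISO date counts as a date identifier.
ISO_DATE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

# Identifiers that commonly leak through free text; constructed starting set.
TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}-\d{3}-\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
]


def scrub_text(text: str, *, strip_dates: bool) -> str:
    """Replace identifiers embedded in free text with bracketed labels."""
    for pattern, label in TEXT_PATTERNS:
        text = pattern.sub(label, text)
    if strip_dates:
        text = ISO_DATE.sub("[DATE]", text)
    return text


def limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Drop direct identifiers but keep dates and exact ages."""
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        out[key] = scrub_text(value, strip_dates=False) if isinstance(value, str) else value
    return out


def deidentify(record: dict[str, Any]) -> dict[str, Any]:
    """Limited data set minus all dates, with ages over 89 aggregated."""
    out: dict[str, Any] = {}
    for key, value in limited_data_set(record).items():
        if isinstance(value, str) and ISO_DATE.fullmatch(value):
            continue  # every date field is an identifier
        if key == "age" and isinstance(value, int) and value > 89:
            value = "90 and over"
        out[key] = scrub_text(value, strip_dates=True) if isinstance(value, str) else value
    return out


def residual_identifiers(record: dict[str, Any]) -> list[str]:
    """QA check before a case presentation: names of fields still carrying an identifier."""
    hits: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            hits.append(key)
        elif key == "age" and isinstance(value, int) and value > 89:
            hits.append(key)
        elif isinstance(value, str) and (
            ISO_DATE.search(value) or any(p.search(value) for p, _ in TEXT_PATTERNS)
        ):
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("limited data set:", limited_data_set(SAMPLE_RECORD))
    print("de-identified:", deidentify(SAMPLE_RECORD))
    print("residual identifiers:", residual_identifiers(deidentify(SAMPLE_RECORD)))
```

The point of `residual_identifiers` is that removing known fields is not enough: the constructed `counseling_notes` field repeats the phone number, and a note or comment field is where identifiers most often survive a field-by-field scrub. Running the check on the limited data set shows exactly the items (dates and the over-89 age) that still separate it from de-identified data.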

Considerations for Pharmacy Students in Early and Advanced Experiences

Pharmacy students often monitor assigned patients and give case presentations. Unless the patient gives specific authorization, all patient identification information should be removed. In institutional settings, pharmacy students should refrain from discussing patients in public places such as on elevators, in hallways, and in the cafeteria. Patient charts or other PHI should not be left where others can read them; this includes computer screens. If a computer is shared with others, protect files containing PHI from access. In community settings, apply essentially the same rules. In addition, do not discuss a patient's medications with pharmacy staff such that other patients can overhear and do not counsel patients in store aisles about over-the-counter (OTC) drugs where other people can overhear.

Other Permissible Use and Disclosure of PHI

As discussed, a pharmacy may not use or disclose PHI except for TPO purposes, or to the patient or the patient's personal representative or agent. In addition, the privacy regulations allow the pharmacy to disclose PHI for governmental-type reasons, including:

  • Public health activities (e.g., to authorized health officers)

  • Judicial and administrative proceedings (requests should be made pursuant to a court or administrative order or subpoena)

  • Law enforcement purposes (e.g., to law enforcement officers under certain circumstances)

  • Serious threats to health or safety (e.g., in suspected cases of abuse, neglect, or endangerment)

  • As required by law

In these and related situations, the pharmacist should always contact the privacy officer and an attorney before releasing information.

Breach of PHI

The original HIPAA privacy laws and regulations failed to address the issue of breaches of PHI. However, HITECH did, and DHHS issued interim final breach notification regulations in August of 2009 (74 Fed. Reg. 42740). Thereafter, the 2013 rule provided for modifications to the interim final regulations regarding breach notification under HITECH.

The regulations apply to HIPAA-covered entities, including pharmacies, and their business associates. Importantly, the law and regulations apply only to unsecured PHI, defined as PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology approved by DHHS. All unsecured PHI in any form, including electronic, paper, or oral, is subject to the regulations. Pharmacies must confirm with their information technology vendor whether the pharmacy's PHI is secured or not.

A breach is defined as "the acquisition, access, use, or disclosure" of PHI in an unpermitted manner that "compromises the security or privacy of the PHI" meaning that it poses a significant risk of financial, reputational, or other harm to the individual. The regulations provide exceptions, including (1) when the acquisition, access, use, or disclosure is unintentional and in good faith and does not result in further use or disclosure, (2) when the unauthorized person to whom the PHI has been disclosed would not reasonably have been able to retain it, and (3) when the disclosure is inadvertent between two authorized individuals at the same facility if the information is not further used or disclosed.

For pharmacies, unless an exception applies, an unpermitted use or disclosure of PHI is presumed to be a breach unless the pharmacy can demonstrate that there is a low probability that the PHI has been compromised. In determining this, the pharmacy would conduct a risk assessment using specific factors, including the nature and extent of the PHI involved, the unauthorized person who used the PHI or to whom the disclosure was made, whether the PHI was actually acquired or viewed, and the extent to which the risk to the PHI has been mitigated. If a breach has occurred, the pharmacy must notify the affected individual(s) by first-class mail (or electronically, if the individual has agreed) within 60 days after the breach was discovered. The regulation lists the elements that must be included in the notification. In addition, the pharmacy may have to notify DHHS of breaches, depending on the number of individuals affected. For example, assume that a pharmacy employee places patient A's medication in a bag for patient B and places patient B's medication in a bag for patient A. Patient A is given the bag and starts to walk away from the pharmacy when the error is discovered. If the pharmacy personnel can determine that patient A could not have read or retained the information, this situation would most likely not be a breach, pursuant to the exception. If, however, patients A and B were each given the wrong bags and each patient later discovered the error and returned the medications, this most likely should be considered a breach. In that case, patients A and B would need to be notified. If the pharmacy does not have sufficient contact information for either patient, the regulation allows for substitute notice. The regulations specify what constitutes substitute notice, depending on whether fewer than 10 or more than 10 individuals are affected. If more than 500 individuals are affected, the pharmacy must also notify the media within 60 days after discovery and must notify DHHS immediately.

Disposal of PHI

Because of incidents involving improper disposal of PHI, such as CVS pharmacy disposing of PHI in dumpsters, which resulted in a $2.5 million fine, OCR posted FAQs about the disposal of PHI (https://www.hhs.gov/hipaa/for-professionals/faq/disposal-of-protected-health-information/index.html). The guidance emphasizes that covered entities must implement reasonable safeguards to protect PHI that is disposed of, including the training of workforce members who dispose of PHI. Although the regulations do not require a particular disposal method, simply abandoning PHI, or disposing of it in dumpsters accessible to the public without rendering the PHI unreadable and impossible to reconstruct, is definitely not permitted. Covered entities must develop and implement reasonable policies and procedures for disposal. Examples provided in the FAQ include shredding or burning paper records; placing labeled prescription containers in opaque bags in a secure area to be picked up by a disposal vendor; and clearing, purging, or destroying electronic media. Although it is preferable to hire a business associate to ultimately dispose of PHI, it is not required.

Another example of a HIPAA violation involving improper disposal of PHI involved a Denver-area pharmacy. It was alleged that patient records were found in open containers on the pharmacy's premises and were accessible to the public and other unauthorized individuals. An OCR investigation found the medical records of more than 1,600 pharmacy patients intact in open containers. It was determined that the pharmacy had failed to safeguard the PHI of its patients, failed to implement written HIPAA policies, and failed to provide staff with training on its HIPAA policies and procedures. The 2015 settlement required the pharmacy to adopt a corrective action plan and pay a $125,000 fine.

Marketing, Sale of PHI, and Patient Authorizations

HIPAA provides individuals with controls over how their PHI can be sold or used and disclosed for marketing purposes. In general, HIPAA requires an individual's written authorization before his or her PHI can be sold or used for marketing. Authorizations must be detailed and customized for the particular use or disclosure intended, contain an expiration date, and be signed by the patient. A patient may not be denied treatment for refusing to sign an authorization.

Marketing means to make a communication to an individual about a product or service that encourages the individual to purchase or use that product or service. DHHS provides exceptions to what is considered marketing and, therefore, not requiring individual authorization, in order to help ensure that essential healthcare communications are not impeded. Exceptions to marketing include communications about general health issues as well as communications made:

  • For the treatment of the individual

  • Face-to-face

  • For case management or care coordination

  • To direct or recommend alternative treatment, therapies, healthcare providers, or settings of care

  • About the health-related services offered by the pharmacy or a health plan

For example, if a pharmacy wanted to mail patients a communication about a non-health-related product or service, individual authorization would be required.

The 2013 rule modified existing rules regarding marketing, and now requires that if there is financial remuneration related to the communication, even treatment-related communications constitute marketing. For example, if a pharmacy wanted to send their diabetic patients a brochure about a new diabetes mobile application offered by a third-party software developer and the pharmacy was paid by the software developer for the costs of the brochure, time for organizing the mailing, and an additional financial incentive, this would be considered marketing and individual authorization would have to be obtained prior to sending out the brochures. Alternatively, if the same pharmacy communicated information about the mobile application face to face with patients while they were visiting the pharmacy, individual authorization would not be required.

DHHS has expressly provided one important marketing exception: for refill reminders and other communications about a drug or biologic currently being prescribed to the individual (known as the "refill reminder" exception). This exception applies if any financial remuneration received by the pharmacy in exchange for making the communication is reasonably related to the pharmacy's cost of making the communication (i.e., costs of drafting, printing, and mailing). However, specifically for the "refill reminder" exception, if a pharmacy receives a financial incentive from a drug company beyond the cost of providing the refill reminders, individual authorization would then be required, unless the communication was during a face-to-face encounter. DHHS has also stated that communications regarding the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed fall within the scope of the "refill reminder" exception.

The 2013 rule also distinguishes between marketing of PHI and PHI for sale. Sale of PHI occurs when a covered entity discloses PHI for remuneration as opposed to encouraging an individual to purchase or use a product or service. In general, a pharmacy would not be permitted to exchange PHI for direct or indirect remuneration without obtaining prior authorization.

Aligning HIPAA with FTC and FCC Regulations

In addition to complying with HIPAA requirements when collecting and sharing consumer health information, pharmacies must also ensure that their disclosure statements to consumers are not deceptive under the Federal Trade Commission (FTC) Act (regulated by the FTC). Specifically, HIPAA authorizations that provide consumers with a way to understand and control their health information must be in plain language, describe to consumers how their health information will be used, and not create a deceptive or misleading impression. Due to a number of recent FTC actions against healthcare organizations for data privacy and security incidents involving allegations of unfair or deceptive business practices, in 2016, the FTC and OCR released guidance on compliance with both HIPAA and the FTC Act (https://www.hhs.gov/sites/default/files/pdf-0219_sharing-health-info-hippa-ftcact%20508.pdf).

Pharmacies must also ensure compliance with the Telephone Consumer Protection Act (TCPA; regulated by the Federal Communications Commission [FCC] and the FTC) when instituting refill reminder or other company programs that involve automated phone calls to patients. Not only is it important to obtain consent from each patient in advance, it is also important that patients understand the context in which they provide their number and the expectations for how it will be used. A recent case, Zani v. Rite Aid, 246 F.Supp. 835 (Mar 30, 2017), helped clarify how pharmacies can make certain types of automated or prerecorded phone calls without those calls being considered telemarketing or advertising. In Zani, the plaintiff had received a past flu shot at a Rite Aid pharmacy through a prescription and had provided his cell phone number to Rite Aid, which Rite Aid later used to make a prerecorded flu shot reminder call. The plaintiff filed an action against Rite Aid for alleged violations of the TCPA, which prohibits calling cell phones with an automatic telephone dialing system and calling cell phones or residential phones using an artificial or prerecorded voice unless the caller has the prior express consent of the called party. Under the TCPA, the FCC created a Telemarketing Rule, which distinguished informational calls from calls containing advertising or telemarketing: informational calls require only prior express consent, whereas advertising or telemarketing calls require prior express written consent. To complicate things further, the FCC also created an exception from the Telemarketing Rule's prior express written consent requirement for automated or prerecorded calls to cell phones, as long as they deliver healthcare messages from or on behalf of the covered entity. Ultimately, the court dismissed the case in Rite Aid's favor (dismissal upheld on appeal in 2018 by the U.S. Court of Appeals, 2nd Circuit). The Court found that Rite Aid had secured the plaintiff's prior express consent when he had provided his cell phone number to Rite Aid in the past, and that Rite Aid conveyed a healthcare message on the prerecorded call, making the communication exempt under the TCPA.

The court in Zani provided important takeaways for pharmacies considering similar programs, if they wish to be held to the prior express consent standard rather than the prior express written consent standard. These takeaways include that automated or prerecorded calls must deliver a healthcare message; each call should make clear that it relates to a prescription drug that the pharmacy provides; the call should state that it is being made on behalf of the pharmacy; and pharmacies should only call patients with whom they already have an established relationship, with the message relating to a prescription the patient has previously received.