The Privacy Rule protects the exchange of confidential health information among health plans, doctors, hospitals, pharmacies and other health care practitioners. Therefore, health providers that use, disclose or share protected health information must comply with the regulations governing the electronic or printed exchange of an individual’s sensitive health information.
Purpose of HIPAA Regulations
The Privacy Rule, which the U.S. Department of Health and Human Services issued as part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, sets national standards for protecting the privacy of individually identifiable health information. These government regulations are in place to help prevent your personal health information from falling into the wrong hands.
Protected health information refers to information about your present and past medical conditions and mental health. It also includes non-medical information, such as your name, birth date and emergency contact information, on your health record that can identify you.
Medical information includes chronic diseases you suffer from, dates of major surgeries or illnesses, and dates and results of diagnostic tests and screenings. Your family health history, drug allergies and a list of prescription medications and the dosages you take fall within the area of protected health information as well. Consequently, you have the right to know which health care providers, health organizations or business associates a compounding pharmacy has disclosed your health information to.
You also have the right to request a copy of the protected health information the pharmacy enters into your health record. Normally, you can request either a paper or electronic copy of the information.
Privacy of Protected Health Information
Now that health information is often transmitted in electronic format, compounding pharmacies must comply with the legal standard set by the Department of Health and Human Services. In addition to federal regulations, the privacy and security of your health information may also be protected by the laws in your state. These laws may vary from the health information privacy laws in other states.
The laws in some states allow you to sue a pharmacist for a HIPAA violation if the violation is the result of negligence or professional malpractice. However, you can’t normally file a lawsuit for a privacy violation under HIPAA. The primary purpose of HIPAA is to protect your right to privacy regarding your medical information. It doesn’t guarantee you the right to sue if you feel your HIPAA rights have been violated.
Like a traditional pharmacy, a compounding pharmacy is regulated by both the state’s board of pharmacy and federal authorities. Likewise, compounding pharmacies are subject to HIPAA privacy practices on how they can use and disclose your health information.
Disclosure of Protected Health Information
Generally, a compounding pharmacy can use or disclose your protected health information for treatment of a medical condition or payment for medications and medical equipment or supplies you receive from the pharmacy. A third-party payer may need information to bill you for the cost of medications or medical supplies the pharmacy provides.
Compounding pharmacies can also disclose information to the following:
- Family member or another individual responsible for your care
- Public health agencies
- U.S. Food and Drug Administration
- Worker’s Compensation Board
- Military
- Law enforcement officials
- Coroners and medical examiners
The pharmacy you use must obtain your written authorization before using your information or disclosing it to these or other entities allowed under the HIPAA Privacy Rule. If it does so without your consent, the pharmacy is in violation of HIPAA.
Some of your health information may have additional protections under your state’s laws. For example, mental health records, alcohol and/or substance abuse records, and HIV treatment information often have added privacy protections under state law.
Your Role in HIPAA Compliance
If you are concerned about the privacy of your health information, make certain that the compounding pharmacy that fills your prescriptions remains current on HIPAA regulations. Since the rules change often, talk to the pharmacist about what safety provisions the pharmacy has in place to protect the confidentiality of your health information. Some of the safeguards may include administrative policies, data encryption solutions and limiting who can access your health records.
Inquire whether the pharmacy’s pharmaceutical distributors or drug suppliers comply with current HIPAA regulations. Privacy protection laws also apply to the pharmacy’s business associate relationships with health insurance companies and billing and claims processing services.
Business associates include companies that provide cloud storage for a pharmacy that is HIPAA compliant. In that case, the cloud service provider must comply with HIPAA regulations to avoid penalties for noncompliance.
Common HIPAA violations involving business associates include failure to obtain written authorization, unencrypted data, and data breaches. Depending on the severity of the violation, penalties can be in the form of fines or even criminal charges.
If you have questions about HIPAA compliance related to pharmacies that dispense compounded prescription drugs, the team of pharmacists at Potter’s House Apothecary is happy to help explain current HIPAA privacy rules.