To answer the question "Does HIPAA apply to pharmacies?", it is necessary to review the definitions of HIPAA Covered Entities, health care providers, and health care in the General Administrative Requirements of the Administrative Simplification provisions.
Most people assume that HIPAA applies to pharmacies because pharmacies have access to health information when they fill prescriptions. Although the assumption is correct, the reason why HIPAA applies to pharmacies is a little less straightforward than that.
Why Does HIPAA Apply to Pharmacies?
The General Administrative Requirements of the Administrative Simplification provisions define a HIPAA Covered Entity as “a health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter”. As pharmacies are none of the above, why does HIPAA apply to pharmacies?
The answer can be found in the definitions of health care provider and health care in section §160.103 of the General Administrative Requirements.
Health care provider means: "A provider of services (as defined in 42 U.S.C. 1395x(u)), a provider of medical or health services (as defined in 42 U.S.C. 1395x(s)), and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business."
Health care means: "Care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following [...] the sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription."
Although pharmacies do not qualify as health care providers under 42 U.S.C. 1395x, HIPAA applies to pharmacies because they are paid for health care inasmuch as they dispense drugs, devices, and equipment in accordance with a prescription. Consequently, pharmacies must comply with the HIPAA regulations in the same way as other HIPAA Covered Entities.
The HIPAA Regulations for Pharmacies
The HIPAA regulations for pharmacies consist of the Administrative Requirements, the Privacy Rule, the Security Rule, and the Breach Notification Rule. These regulations generally pre-empt those in other federal and state privacy laws unless a law has more stringent privacy and security measures than HIPAA and/or provides individuals with more rights than HIPAA.
The Administrative Requirements mostly relate to the general provisions for HIPAA-covered transactions, such as the code sets and operating rules for claim status transactions, ASC X12/NCPDP eligibility, and Medicaid pharmacy subrogation transactions. The standards in this section of HIPAA are enforced by the Centers for Medicare and Medicaid Services, which can impose Corrective Action Plans on non-compliant pharmacies.
The Privacy Rule covers the safeguards that must be implemented to mitigate the risk of an impermissible use or disclosure of non-electronic Protected Health Information. For pharmacies, this may include partitioning areas of the store so pharmacists can speak to customers without being overheard, and ensuring members of the pharmacy's workforce are properly trained on the compliant disposal of Protected Health Information printed on prescription labels.
The Security Rule includes the Administrative, Physical, and Technical Safeguards pharmacies must implement to ensure the confidentiality, integrity, and availability of electronic Protected Health Information. Importantly, the Security Rule mandates that all members of a pharmacy's workforce participate in security awareness training, regardless of their access to electronic Protected Health Information. This is to maximize the pharmacy's online security.
The Breach Notification Rule outlines the procedures pharmacies must follow if unsecured Protected Health Information is impermissibly disclosed to a third party. The impermissible disclosure may have one of several causes, e.g., an oral disclosure in the retail environment, the improper disposal of Protected Health Information, or a database being hacked by a cybercriminal, but in each case it must be reported to the affected individual and to HHS' Office for Civil Rights.
Examples of Pharmacy HIPAA Violations
There are many examples of pharmacy HIPAA violations, the most high-profile being the failure by CVS Pharmacy Inc. to compliantly dispose of Protected Health Information printed on prescription labels. CVS Pharmacy Inc. agreed to a financial settlement of $2.25 million and had to comply with a comprehensive Corrective Action Plan, which probably cost the company a lot more in terms of redeveloping HIPAA policies, training staff on the policies, and ensuring they were enforced.
Most pharmacy HIPAA violations are on a smaller scale than those committed by CVS Pharmacy Inc., and investigations by HHS' Office for Civil Rights are most often resolved via technical assistance or a Corrective Action Plan. However, small independent pharmacies have also fallen foul of HHS' Office for Civil Rights for pharmacy HIPAA violations; in 2015, Cornell Prescription Pharmacy was also found guilty of improperly disposing of Protected Health Information and fined $125,000.
Ultimately, the answer to the question "Does HIPAA apply to pharmacies?" is "yes"; and if any pharmacy fails to maintain the privacy of Protected Health Information or denies customers their HIPAA rights, it too could face a penalty for a pharmacy HIPAA violation. Therefore, if you are responsible for regulatory compliance at a pharmacy and you are unsure of your privacy and security obligations, you should seek professional compliance advice.