HIPAA Today: Individual access to PHI vs. Rx printout

Article

Patients have a right to a copy of their protected health information under HIPAA

 

HIPAA Today

Individual access to PHI vs. Rx printout

By Walter L. Fitzgerald Jr., R.Ph., J.D.

The Health Insurance Portability & Accountability Act grants to individuals a right of access to inspect and obtain a copy of their protected health information in the designated record set of a covered entity, for as long as the PHI is maintained in the designated record set. But prior to HIPAA, requests for PHI were occurring at the pharmacy. Consider the routine request for a "printout" of prescriptions dispensed over the past year.

It is essential to recognize that the right to access PHI granted by HIPAA extends beyond a printout of Rxs dispensed. For example, with such a printout, the pharmacy likely created, using a function of the Rx dispensing software, a relatively simple list of Rxs dispensed. Information on this list may have included the patient name, drug name, quantity dispensed, and amount paid.

While such a list may have been provided to the patient, the actual electronic patient profile maintained by the pharmacy likely was not provided. Indeed, providing the actual profile would not be necessary if the patient's request was for prescriptions over the past year since the profile contained information for a longer period. But under HIPAA, the patient has a right to inspect and obtain a copy of the actual patient profile maintained by the pharmacy.

HIPAA defines a designated record set as a group of records maintained by or for a covered entity that is:

  • the medical and billing records about the individual

  • enrollment, payment, claims adjudication, and case or medical management record systems

  • used, in whole or in part, to make decisions about individuals

For purposes of this definition, the term record means any item or collection of information that includes PHI and is maintained, used, or disseminated by or for a covered entity. Records that come to mind include Rxs on file, patient profiles, and billing/claims records.

But upon a request for access to PHI, the privacy official should ensure that access is allowed to all records containing PHI. For example, if the pharmacy requires patients to complete a form for purposes of collecting information for incorporating into the electronic patient profile and the form is maintained by the pharmacy, access to the form should be provided.

Three exceptions exist to the granting of access to PHI. They are:

  • psychotherapy notes

  • information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding

  • PHI maintained by a covered entity that is subject to the Clinical Laboratory Improvements Amendments to the extent the provision of access to the individual would be prohibited by law or exempt from CLIA.

In relation to these exceptions, HIPAA permits a covered entity to deny access to PHI on the basis of "unreviewable grounds" and "reviewable grounds." Unreviewable grounds of significance to a pharmacy are the following:

  • The PHI is one of the three types of information listed above.

  • The request is from a prisoner, if obtaining the PHI would jeopardize the health, safety, custody, or rehabilitation of the prisoner or other inmates, or the safety of any other person at the prison.

  • The PHI maintained by the covered entity was obtained from someone other than a health provider under a promise of confidentiality and the access requested would be reasonably likely to reveal the source of the PHI.

Reviewable grounds of significance to pharmacy are the following:

  • A health provider has determined that the access requested is reasonably likely to endanger the life or physical safety of the individual or another person.

  • The PHI makes reference to another person (unless the other person is a healthcare provider) and a health professional has determined that the access requested is likely to cause substantial harm to the other person.

  • The request for access is made by the individual's personal representative and a health professional has determined that granting access to the representative is reasonably likely to cause substantial harm to the individual or another person.

If the basis for denial of access is a reviewable ground, the individual has a right to have the denial reviewed by a health professional designated by the covered entity to act as a reviewing official and who did not participate in the original decision to deny the request. The covered entity must provide or deny access in accordance with the decision of the reviewing official.

Finally, there are a number of "implementation specifications" with which the covered entity must comply, such as responding within 30 days of the receipt of the request and notifying the individual in writing if the request is denied, including whether the denial is based upon an unreviewable or reviewable ground. These specifications can be found by referring to 45 CFR 164.524 in the HIPAA resource maintained by the pharmacy. (For more on HIPAA, see "Solutions for compliance with HIPAA regulations".)

The AUTHOR, a pharmacist-attorney, is a professor of pharmacy at the University of Tennessee College of Pharmacy and author of the NCPA HIPAA Compliance Handbook for Independent Pharmacy. To access the NCPA Web site, go to: www.ncpanet.org .

 

Walter Fitzgerald. HIPAA Today: Individual access to PHI vs. Rx printout. Drug Topics Oct. 20, 2003;147:39.

Related Videos
Related Content
American Heart Association Launches Initiative to Include Pharmacists in Atrial Fibrillation Care

American Heart Association Launches Initiative to Include Pharmacists in Atrial Fibrillation Care

April 25th 2024
Article

Despite a wealth of knowledge, pharmacists are frequently not consulted as part of the decision-making team in atrial fibrillation management.

Is E-Prescribing the Future of Veterinary Medicine?

Is E-Prescribing the Future of Veterinary Medicine?

December 21st 2023
Podcast

Wendy Crouse, DVM, an independent house call veterinarian with Heal House Call Veterinarian, sat down with Drug Topics to discuss how the adoption of e-prescribing has transformed her practice.

Pharmacists’ Role in the Diagnostic Stewardship Team

Pharmacists’ Role in the Diagnostic Stewardship Team

April 25th 2024
Article

With expertise through antimicrobial stewardship experience, researchers believe antimicrobial stewardship pharmacists are vital in assisting diagnostic stewardship.

The Importance of Continuing Education in Pharmacy Compounding

The Importance of Continuing Education in Pharmacy Compounding

December 13th 2023
Podcast

Kevin Hope, RPh, senior director of pharmacy education at Pharmcon, joined Drug Topics to discuss pharmacy compounding from the new USP changes and the importance of education around compounding best practices.

Short-Term CGM for T1D More Effective Than Self-Monitoring Blood Glucose

Short-Term CGM for T1D More Effective Than Self-Monitoring Blood Glucose

April 24th 2024
Article

Researchers’ objective was to assess the short-term glycemic benefits of continuous glucose monitoring (CGM) systems compared with patients with type 1 diabetes (T1D) who self-monitor.

Recreational Marijuana Laws Did Not Increase Substance Use Among Adolescents

Recreational Marijuana Laws Did Not Increase Substance Use Among Adolescents

April 24th 2024
Article

With more states allowing the use of recreational marijuana than ever before, researchers examined its effects among youth populations.

© 2024 MJH Life Sciences

All rights reserved.