When a pharmacy learns of a HIPAA breach, it, and its business associates involved in the breach, are required to report the incident to the government.1
But not all violations are reportable, and some may not be considered a breach. HIPAA was passed by Congress in 1996. Primarily a set of requirements aimed at insurance companies, the third section was to protect against release of confidential patient information. That third section was not completed when the bill was passed. The law gave Congress until August 21, 1999, to pass the section on comprehensive health privacy legislation.
If Congress did not enact such legislation after three years, the law required HHS to craft such protections by regulation. Perhaps not surprisingly, Congress did not meet the self-imposed requirement by 1999, so the job of writing HIPAA regulations fell to HHS.
When the regulations were written and the third section became effective, some problems became apparent. Originally, by the strict terms of the regulations, a pharmacist could not hand a prescription to the patient’s next-door neighbor who had been asked by the patient to pick it up. The pharmacy could not announce or post on an electronic board, “Baker, your prescription is ready.” A hospital receptionist could not even tell the floral shop’s delivery person what room a patient was in and whether the patient was in the hospital.2
HHS began to recognize that some disclosures were not only convenient, but also valuable and necessary. HHS moved to solve such problems by making exceptions to the rules and announced:
. . . [The] potential exists for an individual’s health information to be disclosed incidentally. . . HIPAA Privacy . . . does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.3
What constitutes a HIPAA violation? An incidental disclosure? Sometimes complete privacy cannot reasonably be guaranteed in a pharmacy. It may not be a breach but an incidental disclosure if the pharmacy “applied reasonable safeguards and implemented the minimum necessary standard.”4
The University of Chicago describes reasonable safeguards as including:5
Two examples in the University of Chicago Guidance5 instructive to pharmacists are:
phone with the patient, a provider, or a family member, but should speak quietly.
1. HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414; see www.HHS.gov and http://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html, last accessed 10/28/2016.
2. http://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/, accessed 10/28/2016.
4. 45 CFR 164.502(a)(1)(iii)
5. University of Chicago, HIPAA Program Office, Guidance (Oct 2006), http://hipaa.bsd.uchicago.edu/incidental_disc.html accessed 12/5/2016.
These articles are not intended as legal advice and should not be used as such. When a legal question arises the pharmacist should consult with an attorney familiar with pharmacy law in his or her state. Ken Baker is a pharmacist and an attorney. He teaches ethics at Midwestern University, Glendale, Arizona, campus and risk management for the University of Florida. He consults in the areas of pharmacy error reduction, communication, and risk management. Mr. Baker consults with Pharmacists Mutual Insurance Company and is an attorney, of counsel, with the Arizona law firm of Renaud Cook Drury Mesaros, PA. Contact Ken Baker at firstname.lastname@example.org.