Pharmacies and HIPAA

Who Does HIPAA Apply To

Pharmacies and HIPAA compliance can have a difficult relationship due to the other state and federal laws pharmacies have to comply with. Additionally, while HIPAA has remained mostly unchanged for twenty years, other state and federal laws are frequently evolving.

When the Health Insurance Portability and Accountability Act was passed in 1996, it instructed the Secretary for Health & Human Services to make “Recommendations with Respect to Privacy of Certain Health Information” and develop “Security Standards for Health Information”.

These instructions gave birth to the HIPAA Privacy Rule (2002) and the HIPAA Security Rule (2003), which have remained much the same ever since – bar the introduction of the Breach Notification Rule in 2009 and a few amendments to the Privacy Rule via the Final Omnibus Rule in 2013.

At the time the Privacy Rule was published in 2002, it was described as a “federal floor of privacy protections” that preempted state laws and most other federal laws unless stronger privacy protections existed, or the subject of the privacy protection had more rights.

In 2002, there were not many federal laws providing stronger privacy protections and rights that affected pharmacies and HIPAA compliance. FERPA had been in existence for some time, but neither FERPA nor the recently passed COPPA had much of an impact on pharmacy HIPAA compliance.

The Evolution of State, Federal, and International Laws

Since the publication of the HIPAA Privacy and Security Rules, a number of states have adopted new privacy and security laws (or amended existing ones), federal legislation has changed the ways in which pharmacies operate, and the EU has passed the General Data Protection Regulation (GDPR).

One of the issues for pharmacies and HIPAA compliance is that a number of state laws apply to the residents of that state regardless of where the business handling their data is located. Consequently, a pharmacy in California might not only have to comply with HIPAA, but also California's Confidentiality of Medical Information Act, Texas' Medical Records Privacy Act, and Illinois' Biometric Information Privacy Act (among other laws that reach across state lines).

With regards to federal legislation changing the way in which pharmacies operate, there have been multiple amendments to the Controlled Substances Act – possibly the most significant in the context of pharmacies and HIPAA being the Electronic Prescriptions for Controlled Substances Final Rule and the security requirements to safeguard digital signatures for controlled substance prescriptions.

Finally, GDPR protects the personal data of individuals who are in the EU, regardless of their citizenship, and it applies to organizations outside the EU that offer goods or services to those individuals or monitor their behavior. Like many state laws, GDPR gives individuals who suffer damage because of a data breach a private right of action against the responsible party. So, although the HHS' Office for Civil Rights rarely imposes fines for pharmacy HIPAA violations, data breaches that result from HIPAA violations can lead to penalties and damages from other sources.

Pharmacy HIPAA Violations

Although fines for pharmacy HIPAA violations are rare, one of the earliest HIPAA financial settlements involved a pharmacy. In 2009, CVS Pharmacy Inc. paid a settlement of $2.25 million for the failure to dispose of non-electronic Protected Health Information (PHI) in compliance with HIPAA and the failure to train staff on the company's policies and procedures relating to PHI. In addition, CVS Pharmacy Inc. had to comply with a Corrective Action Plan in all its stores.

Corrective Action Plans are a favored enforcement action by HHS' Office for Civil Rights, so data breaches attributable to pharmacy HIPAA violations rarely make the headlines. However, the Breach Notification Rule requires pharmacies to report every breach of unsecured PHI to HHS: breaches affecting 500 or more individuals must be reported within 60 days of discovery and are posted publicly, while smaller breaches are logged and reported annually. Reports currently under investigation are listed in the OCR Breach Portal; and, if you click on the "Archive" button, you can view resolved investigations.

The Archive database is essential reading for Covered Entities and Business Associates who underestimate the need to be HIPAA compliant because, when you export the database, it is possible to see the cause of each data breach and what enforcement action was taken. In many cases, negligent parties have been required to comply with comprehensive Corrective Action Plans, the cost of which can be considerably more than a $2.25 million fine.

HIPAA and Pharmacies – What Should Your Pharmacy Do to be Compliant?

Although pharmacies and HIPAA compliance can have a difficult relationship, it is important that your pharmacy complies with the "federal floor" privacy and security regulations required by HIPAA. Thereafter, it is also important you understand which state and federal laws apply to your operations and where they apply in addition to HIPAA because they provide stronger protections and/or more rights for individuals.

Because of state laws that cross boundaries, and federal laws that apply to some pharmacies but not others (e.g., pharmacies outside the CSA framework), it can be beneficial to seek advice from a compliance professional if you are unsure about what your pharmacy should do to be compliant with HIPAA and other laws that may impact your pharmacy's operations.