Paubox blog: HIPAA compliant email made easy

HIPAA and prescription records

Written by Kirsten Peremore | June 15, 2024

Prescription records are covered under HIPAA because they are considered protected health information (PHI). This means that pharmacies and healthcare providers must protect the privacy and security of these records. They have to ensure that the information in the prescription records is only shared for valid reasons like treatment, payment, and healthcare operations. This is to ensure that individuals' private information is kept secure.

 

What constitutes PHI in prescription records?

According to an article published in the US Pharmacist, “Many records kept in pharmacies meet the definition of PHI, including prescription records, billing records, patient profiles, and counseling records. Hence, pharmacy systems must satisfy HIPAA standards for privacy and security. Note that PHI is not restricted to electronic media or transmissions; an oral communication of individually identifiable health information constitutes PHI.”

The key elements within prescription records that make them PHI and individually identifiable health information include:

  1. Personal identifiers: These are details that can be used to identify a specific individual. In prescription records, this includes the patient's name, address, date of birth, and often their Social Security number.
  2. Medical information: This encompasses the specifics of the medication prescribed, such as the drug name, dosage, and frequency of use. It directly relates to the individual's health condition and the treatment prescribed by a healthcare provider.
  3. Healthcare provider information: The records contain information about the healthcare professional who prescribed the medication, which can include their name and possibly their practice or hospital affiliation.
  4. Payment information: This includes any data related to how the prescription is paid for, whether it's through insurance details or direct payment methods. It can link the medication to the patient's insurance policy or payment accounts.
  5. Dates of service: Prescription records often include the date the prescription was written and filled, providing a timeline of the patient's treatment.

See also: What is protected health information (PHI)?

 

How does the HIPAA Privacy Rule affect prescription records?

The HIPAA Privacy Rule requires that healthcare providers and pharmacies use and disclose only the minimum necessary information from these records for specific purposes like treatment, payment, or healthcare operations. For treatment, pharmacists can share prescription information with doctors to discuss drug interactions, whereas for payment, information can be disclosed to insurance companies for billing.

The rule also allows using these records for healthcare administrative functions and compliance with legal and public health requirements. The Privacy Rule empowers patients with rights over their prescription records, including access, amendment, and being informed about disclosures. Any other use or disclosure of prescription records outside these specified activities requires explicit patient authorization.

See also: What are HIPAA’s Privacy Rule provisions?

 

How should pharmacies determine what constitutes the minimum necessary information when dealing with prescription records?

Pharmacies should actively assess each situation to determine what constitutes the minimum necessary information when handling prescription records. This involves evaluating the specific purpose of the request or use of the information. For instance, when a pharmacist is dispensing medication, only the information necessary for that transaction, such as the patient's name, prescription details, and dosage instructions, should be used. Similarly, if the information is needed for billing or insurance purposes, only the details relevant to that specific transaction should be disclosed. Pharmacies should have clear policies and staff training in place to ensure that everyone understands and consistently applies the minimum necessary standard. 

 

Permissible disclosures of prescription records under HIPAA

  1. For treatment purposes, such as when a pharmacist shares prescription details with healthcare providers involved in the patient's care to ensure safe and effective treatment. 
  2. For payment activities, including billing and interactions with health insurance companies for reimbursement of healthcare services.
  3. For healthcare operations, like conducting quality assessments, training medical staff, or performing certain administrative functions. 
  4. HIPAA also permits disclosure without consent for public health activities, like reporting adverse drug reactions or for disease control, and when complying with legal requirements, such as court orders or law enforcement requests. 

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

What is a covered entity?

A covered entity is an organization like a healthcare provider, insurance plan, or healthcare clearinghouse that must comply with HIPAA.

 

What is the most secure way to share prescription records?

The most secure way to share prescription records is through HIPAA compliant email.


When do pharmacists need customer consent?

Pharmacists need customer consent when sharing protected health information for purposes other than treatment, payment, or healthcare operations.