Potential impact of HIPAA regulations on pharmacy
American Journal of Pharmaceutical Education, Summer 2002 by Nahata, Milap
President's Section
In 1996, the U.S. Congress enacted and President Clinton signed the first national standards for protecting the privacy of health information - the Health Insurance Portability and Accountability Act (HIPAA). Health and Human Services (HHS) Secretary Donna Shalala said, "For the first time, all Americans - no matter where they live, no matter where they get their health care - will have protections for their most private personal information, their health records. Gone are the days when our family doctor kept our records sealed away in an office file cabinet. Patient information is now accessed and exchanged quickly. With these standards, all Americans will be able to have confidence that their personal health information will be protected."
Since then, the HHS has received thousands of comments seeking to clarify or revise the language of the rule. Some sections of the rule may be modified, and compliance is expected by April 2003; small health plans may have another year to comply. An important purpose of the law is to protect all health information created or received by health care providers, pharmacies, laboratories, clinics, employees, health plans, benefit managers, and others. Pharmacists and pharmacy owners must review current policies and procedures, including information systems, for the use, maintenance, and disclosure of patients' health information. The purpose of this commentary is to briefly discuss the implications of HIPAA for pharmacy from the perspective of a faculty member.
HIPAA describes the framework for the use and disclosure of health information for treatment, payment, or health care operations at all "covered entities." The covered entities include hospitals, clinics, physician offices, pharmacies, and long-term care, home care, or research facilities. Outside laboratories or companies contracted for specific purposes (e.g., to measure serum concentration of drugs, prepare IV admixtures, or compound drug formulations) are also covered by the regulation, since they would normally require patient data to satisfactorily complete their tasks. However, when such an outside entity (referred to as a "business associate" in HIPAA) is used, the primary covered entity must have a contract to protect the health information of patients. The outside entity must follow the policies and procedures of the covered entity and return or destroy any protected information at the end of the relationship. An inappropriate use of patient information by the outside entity, for instance, to directly market its services, is prohibited.
A written general consent is usually obtained from patients seen in institutional settings; it may allow the use and disclosure of health information by various providers, including pharmacists, for treatment, payment, or health care operations. However, hospitals will either have to update their general consent form to include a privacy consent or create a separate privacy consent form. A consent will also be required in community pharmacies even before the first prescription is filled for a new patient, and this consent should be on record for six years for the future relationship with the patient. Under this general consent, pharmacists may use health information to determine the need for drug therapy, calculate dosage requirements based on pharmacokinetics, and assess efficacy, adverse effects, and outcomes of drug therapy. Patients' consent or authorization is required for the use and disclosure of health information for a purpose other than treatment, payment, and health care operations, except in certain situations, such as emergencies or reporting an adverse drug reaction to the FDA or public health information to the state health department covered by other laws.
On behalf of other covered entities, the primary health care providers may obtain a joint consent or authorization. If multiple consents have been obtained, one must operate under the terms of the most restrictive consent. It should be realized that even with authorization by the patient, one must disclose the minimum necessary health information when it is not covered under the purpose of treatment, payment, and health care operations.
The regulation provides many rights to individual patients. They can have access to their own protected health information; seek details of disclosures of protected information for purposes other than treatment, payment, and health care operations; and receive descriptions of the policies and practices of a covered entity about the protection of health information for treatment, payment, and health care operations. How these rights may be exercised by patients is unclear. However, each pharmacy must be prepared to provide documentation of the records to patients on demand, and defend the use and disclosure of their health information. Policies and procedures should be developed to assure protection of health information of patients in all facilities to comply with the rule.