The Health Insurance Portability and Accountability Act, commonly known as HIPAA, established rules governing healthcare in the United States. Congress enacted HIPAA in 1996 — when people still referred to the internet as the World Wide Web and Amazon only sold books — making it one of the nation’s earliest data privacy laws.
Under HIPAA, the Secretary of Health and Human Services began enforcing the rules regarding the confidentiality of “personal health information” (PHI). It was a pretty farsighted provision at the time — most medical providers didn’t make the switch to electronic medical records until Congress gave them a $35 billion incentive in the 2009 stimulus bill.
Healthcare is a major industry in the United States with a presence in nearly every community. Healthcare spending in 2019 amounted to 17.7 percent of the U.S. gross domestic product, or $11,582 per person living in the United States. Prescription drugs are the third largest spending category after hospital care and outpatient care.
HIPAA, which has been updated several times since the original legislation passed, mandates strict data privacy safeguards. And those rules apply just as much at your neighborhood pharmacy as they do at a university teaching hospital.
The importance of keeping PHI confidential
The information kept in medical files, including those at pharmacies, is a prize hackers and those who commit online data theft would love to get their hands on. A data breach can expose a patient’s name, contact information, home address, date of birth, Social Security number, and credit card numbers, creating an obvious risk for identity theft.
Plus, hackers have actually used information on diagnoses, prescriptions, treatments, the doctors who treat specific patients, and the patient’s insurance information to send bills for fictitious services in elaborate insurance fraud schemes.
Patients naturally want to keep their PHI confidential for many reasons. They may worry they’ll lose their job if their boss finds out about a diagnosis, or their PHI may include a psychiatrist’s notes that would reveal information about their mental and emotional condition and the medications they take.
Protecting PHI is the right thing to do, but HIPAA also sets stiff penalties for failing to comply with its confidentiality requirements. In late October 2020, the Office for Civil Rights at the Department of Health and Human Services announced that the giant health insurer Aetna had agreed to pay $1 million to settle three alleged HIPAA violations.
Aetna had filed a “breach” report — which HIPAA requires — for each incident. One was related to web services, and the other two involved mail Aetna sent to policyholders in envelopes that revealed protected health information.
In one of the mailings, the window on the envelope was too big, making the words “HIV medication” visible. In the other, 1,600 people in an atrial fibrillation (irregular heartbeat) research study received a mailing that included the name and logo of the study on the envelope.
HIPAA compliance for pharmacies
Pharmacies are often hives of activity. Patients drop off and pick up prescriptions, and others ask pharmacists for information about their medications. Pharmacists also administer vaccines and field phone calls from patients and medical practices.
When you combine the high volume of work and the relatively public setting of a pharmacy, you get an increased risk of inadvertently revealing PHI.
Pharmacies play a central role in medical care in the United States. With about two out of three adult Americans taking at least one prescription drug, each pharmacy serves a large number of people.
About 75 percent of people between the ages of 50 and 64 have at least one prescription for a medication. That number rises to 91 percent of people older than 80, according to research by the Health Policy Institute at Georgetown University. Add the fact that many people take more than one medication, and you can see how quickly the amount of PHI a pharmacy handles adds up.
Prescription and billing records, as well as any information pharmacists collect on individual patients, are all subject to HIPAA. Since nearly all pharmacies submit claims for payment electronically, they must follow HIPAA rules governing patient confidentiality.
Compliance requires all vendors that touch pharmacy PHI in any way to sign a business associate agreement (BAA) to certify HIPAA compliance. JotForm offers hundreds of HIPAA-compliant medical forms and templates as medical recordkeeping increasingly goes online.
All healthcare workers, including the staff at pharmacies, are obligated to maintain the privacy of every patient. When pharmacy employees improperly use or disclose PHI, or allow unauthorized access to it, they violate a patient’s privacy.
As the Aetna case shows, healthcare workers don’t have to be online to inadvertently violate HIPAA regulations. Pharmacists must be careful no one overhears them when they’re having confidential conversations with or about patients.
A pharmacy is probably the most common place where patients interact with the healthcare system. Protecting the confidentiality of each patient’s private health information is crucial to maintaining their trust in the care they receive.