HIPAA and Retail Pharmacy


golf299

Hi all,

Quick question about HIPAA and retail pharmacy - at my chain pharmacy job we have been told that it is a HIPAA violation to even say "Mr. X please return to the pharmacy". Their reasoning is that anything that implies they have a prescription at the pharmacy is a violation of HIPAA.

I have done a lot of looking for specific guidelines on what can/cannot be said while paging a patient and can't find anything in HIPAA that specifically addresses this issue.

Anyone have the information or know where I might find the information?

Thanks!

 
Hi all,

Quick question about HIPAA and retail pharmacy - at my chain pharmacy job we have been told that it is a HIPAA violation to even say "Mr. X please return to the pharmacy". Their reasoning is that anything that implies they have a prescription at the pharmacy is a violation of HIPAA.

I have done a lot of looking for specific guidelines on what can/cannot be said while paging a patient and can't find anything in HIPAA that specifically addresses this issue.

Anyone have the information or know where I might find the information?

Thanks!

I doubt that's a violation. It's legal to call someone's name out in a waiting room to come pick up their drugs. However, it's difficult to know where to draw the line. I'm not sure if it's a good idea to call someone's name out in a Costco with hundreds of people. I'm sure if you just use their first name, it's fine.
 
It is NOT a HIPPA violation to say Mr. Jones, please come to the pharmacy. You did not disclose any protected health information. It would of course be a violation to say, Mr. Jones, your Valtrex is ready....
 
Quoted from the U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Summary of the HIPAA Privacy Rule


What Information is Protected

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

"Individually identifiable health information" is information, including demographic data, that relates to:

* the individual's past, present or future physical or mental health or condition,
* the provision of health care to the individual, or
* the past, present, or future payment for the provision of health care to the individual,

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

Here again is something people want to add more into it than what the law says. The bottom line is you have committed a HIPPA violation if you have disclosed someone's protected health information (PHI) without their consent.
If you announce over the store intercom "Mr. Smith please return to the pharmacy" have you disclosed any of Mr. Smith's individually identifiable health information? No, you have not. Therefore you have not violated HIPPA.
 
Agreed! It's not a violation unless you mention something about their health or medication. A name isn't PHI!
 
A name isn't PHI!

It's not specifically PHI, but it's a unique identifier if you use first and last name. HIPAA doesn't allow disclosure of unique identifiers either (e.g. address, name, discharge date, etc.). This isn't just about health information. Fortunately, it's mostly about common sense. As I said, I don't think you should be calling someone's full name over Costco's PA system.
 
It's not specifically PHI, but it's a unique identifier if you use first and last name. HIPAA doesn't allow disclosure of unique identifiers either (e.g. address, name, discharge date, etc.). This isn't just about health information. Fortunately, it's mostly about common sense. As I said, I don't think you should be calling someone's full name over Costco's PA system.

This is not the definition of unique identifiers as I understand it: http://www.bethesda.med.navy.mil/Patient/HIPAA/Unique.asp

I agree with others who've stated that patient name is not protected.
 
A lot of chain stores are implementing store policies where they aren't calling patients by their last names over the loudspeaker, but there is no law prohibiting this.
 
This is not the definition of unique identifiers as I understand it: http://www.bethesda.med.navy.mil/Patient/HIPAA/Unique.asp

I agree with others who've stated that patient name is not protected.

You're right, I used the term "unique identifier" incorrectly. I meant information that could be used to identify patients.

Otherwise, as for patient information, it's illegal to release a list of names of people who go to your pharmacy.

The names aren't PHI (in the health sense), but they are identifiable information.

Then again, we're getting into the gray areas.
 
You're right, I used the term "unique identifier" incorrectly. I meant information that could be used to identify patients.

Otherwise, as for patient information, it's illegal to release a list of names of people who go to your pharmacy.

The names aren't PHI (in the health sense), but they are identifiable information.

Then again, we're getting into the gray areas.

If the names are not PHI or associated with PHI then it is not a HIPPA violation. With HIPPA there really are very few gray areas. Either a patient's PHI has a unique identifier that can be used to identify them or it does not.
Simple and clear cut.
 
If the names are not PHI or associated with PHI then it is not a HIPPA violation. With HIPPA there really are very few gray areas. Either a patient's PHI has a unique identifier that can be used to identify them or it does not.
Simple and clear cut.

So we're now no longer talking about announcing someone's full name on a PA system.

In that case, a list of patients who go to your pharmacy is technically PHI. It's not something you are allowed to freely disclose. You must protect that list.

What I was trying to emphasize with the previous posts is that the information doesn't have to directly pertain to health (e.g. drugs or diagnosis). For example, if a couple of movie stars got drugs from your pharmacy, how would you answer this patient's question, "hi, would you tell me the movie stars who come to this pharmacy?"

I think that's illegal under HIPAA. It's not a gray area.

But the whole name thing is a gray area.
 
So we're now no longer talking about announcing someone's full name on a PA system.

In that case, a list of patients who go to your pharmacy is technically PHI. It's not something you are allowed to freely disclose. You must protect that list.

What I was trying to emphasize with the previous posts is that the information doesn't have to directly pertain to health (e.g. drugs or diagnosis). For example, if a couple of movie stars got drugs from your pharmacy, how would you answer this patient's question, "hi, would you tell me the movie stars who come to this pharmacy?"

I think that's illegal under HIPAA. It's not a gray area.

But the whole name thing is a gray area.

If it does not directly pertain to a patient's PHI then it is not covered under the HIPPA law. HIPPA deals specifically with a patient's PHI.

In your example if a person came up to the pharmacy and said "hi, would you tell me the movie stars who come to this pharmacy?" and you told them, that is not a HIPPA violation. If you accessed the computer system and saw a movie star's entire medication profile and you did not have a reason to view it, other than to see if they were a patient at the pharmacy, you have violated HIPPA. You accessed a patient's PHI without a valid reason which is a clear violation.

If someone came up to the pharmacy and said "hi, would you tell me the movie stars who come to this pharmacy and what medications they were on?" and you told them, then you would have violated HIPPA.

Again do not make this harder than it needs to be. HIPPA deals specifically with a patient's PHI - protected health information. A list of names of people who come to your pharmacy is just that, a list of names. If there is not some sort of PHI attached to it then its release is not covered under the HIPPA law.
 
I believe you're wrong (but I do see what you're saying). I'll try to find support later.

Also, it's HIPAA, not HIPPA.

Here's a court case that I vaguely remember from class. A pharmacist gets into a car accident with a man who gives wrong information about who he is, where he lives, etc. The pharmacist is unable to contact the man for car insurance reasons. Later, the pharmacist encounters the man in the pharmacy to pick up drugs. From this, the pharmacist is able to get his real information (name, address, phone number). However, it is a violation of HIPAA (not some privacy law) because it doesn't pertain to TPO (treatment, payment, or operations), but the pharmacist didn't use any health related information.
 
Cool....prove me wrong.

A good place to start is U.S. Department of Health & Human Services

http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Anyway, I found this regarding incidental disclosure:

http://books.google.com/books?id=8chcjlz2VpQC&pg=PA217&lpg=PA217&dq=67+Fed.+Reg.+53182,+53193%E2%80%93+95&source=bl&ots=7Ov9NGZkWW&sig=zF3pCk6SSqQV3fQzTgeQvfN-uII&hl=en&ei=u0_lSZ33DozstgPllZybBA&sa=X&oi=book_result&ct=result&resnum=1 (Page 217 - under "Patient Charts")

Calling and posting patient names is considered "incidental disclosure." Disclosure of what? PHI.

Also, here's from HHS:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalusesanddisclosures.html

Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information – for instance:

* By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
* By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;

From the information I presented, it looks like names are PHI. This conversation is interesting because it shows how little we know about HIPAA :D

Ugh, my HHS supporting evidence isn't very good. I'll get back to this tomorrow!
 
Anyway, I found this regarding incidental disclosure:

http://books.google.com/books?id=8c...lZybBA&sa=X&oi=book_result&ct=result&resnum=1 (Page 217 - under "Patient Charts")

Calling and posting patient names is considered "incidental disclosure." Disclosure of what? PHI.

Also, here's from HHS:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalusesanddisclosures.html



From the information I presented, it looks like names are PHI. This conversation is interesting because it shows how little we know about HIPAA :D

Ugh, my HHS supporting evidence isn't very good. I'll get back to this tomorrow!

Can I ask a really stupid question? Do you read the things you post before you post them and say they support your position?

From the Google Book Link:

Physicians offices can use patient sign-in sheets or call out the names of patients in their waiting rooms.........The privacy rule permits certain accidental disclosures, such as in waiting rooms when patient names are called.

Just the other day a patient came to the pharmacy counter and purchased only OTC items and left her credit card on the counter. We called over the PA for Mrs ____________ to come to the pharmacy. This is not nor has it ever been a HIPAA violation...........
 
Can I ask a really stupid question? Do you read the things you post before you post them and say they support your position?

This is very ironic :love:

I agree with the rest of your post though.
 
This is a good conversation. Hopefully you should learn something. I am not saying that in a mean or condescending way. If you desire to be a pharmacist this is important for you to understand.

Okay...to review:

From the U.S. Department of Health & Human Services website:

What Information is Protected

Protected Health Information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information "protected health information (PHI)."

"Individually identifiable health information" is information, including demographic data, that relates to:

1. the individual's past, present or future physical or mental health or condition,
2. the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
3. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The first step is to understand the above definition. You need to be clear on what PHI is and what common identifiers are. It becomes covered under HIPAA if it is PHI and it has a common identifier associated with it. It is worthy of emphasis that PHI can be in any form or media, whether electronic, paper, or oral.


Now let's look at this quote from your last post.
Many health care providers and professionals have long made it a practice to ensure reasonable safeguards for individuals' health information – for instance:

* By speaking quietly when discussing a patient's condition with family members in a waiting room or other public area;
* By avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality;

You pulled this out of context but it is still useful in our discussion. Again I ask you to always keep in mind what PHI is and remember it is covered under HIPAA if it is attached to a common identifier.

I will give you three scenarios:

1. Bob and Tom are pharmacists in a hospital. Bob gets on an elevator with Tom and five other people. Bob says, "Hey Tom, I am going to go upstairs and see an interesting patient would you like to come with me?" Tom says, "No Bob, I have to go down to SICU and check on a few patients. I can come up later. Where will you be?" Bob replies "I will be up in room 642 if you want to swing by."

2. Bob and Tom are on the elevator again with five other people. Bob says "Hey Tom I got the lab work back on John Smith." Bob replies "Oh good we can meet later and go over it." Tom says, "Okay how about at lunch. I am going over to the SICU to see Mary Smith right now."

3. Bob and Tom are on the elevator again with five other people. Bob says "Hey Tom, John Smith up in room 245 just got diagnosed with an inoperable primary brain tumor, glioblastoma multiforme." Tom replies, "Oh, that's terrible."

Tell me in each scenario if a HIPAA violation occurred. If so tell me why using examples from the HIPAA law.
 
It's not specifically PHI, but it's a unique identifier if you use first and last name. HIPAA doesn't allow disclosure of unique identifiers either (e.g. address, name, discharge date, etc.). This isn't just about health information. Fortunately, it's mostly about common sense. As I said, I don't think you should be calling someone's full name over Costco's PA system.

Definitely go back and read through HIPAA. Disclosing identifying information isn't a HIPAA violation unless you disclose it WITH information related to their healthcare. If a name alone constituted a HIPAA violation, they wouldn't be able to name people in newspaper articles. You're not getting into HIPAA territory until you start talking about information regarding their health, medication, therapy, etc...
 
Definitely go back and read through HIPAA. Disclosing identifying information isn't a HIPAA violation unless you disclose it WITH information related to their healthcare. If a name alone constituted a HIPAA violation, they wouldn't be able to name people in newspaper articles. You're not getting into HIPAA territory until you start talking about information regarding their health, medication, therapy, etc...

HIPAA does not apply to newspapers as they neither submit electronic claims nor fall under the covered entity provision. Nor does HIPAA apply to Churches and Synagogues nor to family members. HIPAA applies to health care providers only.
 
HIPAA does not apply to newspapers as they neither submit electronic claims nor fall under the covered entity provision. Nor does HIPAA apply to Churches and Synagogues nor to family members. HIPAA applies to health care providers only.

Good point. I take it back. :) My statement still stands though...that HIPAA doesn't apply unless you're disclosing health-related information in addition to the unique identifier.
 
This is a good conversation. Hopefully you should learn something. I am not saying that in a mean or condescending way. If you desire to be a pharmacist this is important for you to understand.

You pulled this out of context but it is still useful in our discussion. Again I ask you to always keep in mind what PHI is and remember it is covered under HIPAA if it is attached to a common identifier.

Yup, I didn't read my own quote correctly, so later, I said my HHS support isn't very good :)

Anyway, I agree with and understand your examples.

I still think names constitute PHI. Again, disclosing a list of names of people who go to your pharmacy would be a violation of the HIPAA privacy rule.

In many HIPAA FAQs, these two questions often appear:

http://www2.umdnj.edu/hipaaweb/privacy/privacy_FAQ01.htm

1. Can we use a sign-in sheet?

Yes, as long as the information that is used meets the reasonable safeguard and minimum necessary standards. This means that the sign in sheet must contain only the information that is necessary for the purpose of alerting staff that a patient has arrived, e.g. name and time. It may not include information that is not necessary for that purpose, such as medical information.

2. Can we call for patients in our waiting room, or use a patient's name at the front desk?

Yes, as long as the information meets the reasonable safeguard and minimum necessary standards. Therefore, staff should limit the call to the patient's name, and should use the most direct means possible under the circumstance to locate the patient.

If names weren't PHI, then the answer would be much simpler: names aren't PHI, feel free to announce them as long as you don't attach health information.

Again, I'll try to find the exact wording later. Then again, you all do make a lot of sense, so I may be wrong :)
 
I still think names constitute PHI.

No.

If names weren't PHI, then the answer would be much simpler: names aren't PHI, feel free to announce them as long as you don't attach health information.

Dude. That *IS* the simple answer. Names aren't PHI and you CAN use them if health information is not attached. BOTH points #1 and #2 in your above quote support this simple answer.

Then again, you all do make a lot of sense, so I may be wrong :)

A number of more experienced health care providers and pharmacy students have given you the correct interpretation. Your own sources don't support the point you are making. At some point it's just :beat:.
 
A number of more experienced health care providers and pharmacy students have given you the correct interpretation. Your own sources don't support the point you are making. At some point it's just :beat:.

If pharmacy experience teaches you law, then that's great, unfortunately, it doesn't. The OP wouldn't have had this HIPAA question if experience taught him the law.

The OP's question has already been answered, so we're just talking about names in general now.

People are assuming I think names, by themselves, are PHI. No, names by themselves aren't PHI, BUT names attached to any health service provider are PHI. In the example I used, you aren't allowed to give someone a list of names of people who go to your pharmacy.

Your own sources don't support the point you are making.

Then please explain: "2. Can we call for patients in our waiting room, or use a patient's name at the front desk?

Yes, as long as the information meets the reasonable safeguard and minimum necessary standards. Therefore, staff should limit the call to the patient's name, and should use the most direct means possible under the circumstance to locate the patient."

I'm not saying I'm right, but I think my supporting evidence is worthy of discussion.
 
People are assuming I think names, by themselves, are PHI. No, names by themselves aren't PHI, BUT names attached to any health service provider are PHI. In the example I used, you aren't allowed to give someone a list of names of people who go to your pharmacy.

A name attached to PHI is, by definition, a unique identifier. The fact that it is attached to PHI doesn't make it PHI in and of itself. If it isn't PHI by itself, then it never is PHI.

Hypothetical example:

Mr. Doe gets a refill for xxxxstatin at Pharmacy A. As he's waiting, the pharmacist calls out, "Prescription is ready for Mr. Doe."

After some time, the patient has not returned, so the pharmacist impatiently announces, "Mr. Doe, your xxxxstatin is ready for pickup!"

In the first statement, no PHI was disclosed in the announcement. The pharmacist did not divulge that the patient was picking up xxxxstatin. In the second statement, however, the name of the drug was attached to a unique identifier (the patient's name), which is a violation of HIPAA.

We may be arguing semantics here, but for the sake of argument I thought I'd post.
 
Has anyone even been fined for a HIPPA violation yet...last I heard no one had.
 
Then please explain: "2. Can we call for patients in our waiting room, or use a patient’s name at the front desk?

Yes, as long as the information meets the reasonable safeguard and minimum necessary standards. Therefore, staff should limit the call to the patient’s name, and should use the most direct means possible under the circumstance to locate the patient."

I'm not saying I'm right, but I think my supporting evidence is worthy of discussion.

What's to explain? Your example says it's fine to use the name, which is the point everyone has been making.

My doctor's receptionist is allowed to publicly call my name when they want me to come to the desk and pay my co-pay, or to tell me that the doctor will see me.

My pharmacist can call my name when he wants me to come to the counter and pick up my prescription.
 
Has anyone even been fined for a HIPPA violation yet...last I heard no one had.

It happens all the time. A bunch of Kaiser employees were just sanctioned and fired for accessing Octomom's information with no reason to do so. Information is on a need-to-know basis. If you don't need to know, then you can receive an official reprimand for any level of access.
 
It happens all the time. A bunch of Kaiser employees were just sanctioned and fired for accessing Octomom's information with no reason to do so. Information is on a need-to-know basis. If you don't need to know, then you can receive an official reprimand for any level of access.

And I believe stuff like that happened before HIPPA...let me rephrase...has the federal government ever fined anyone for a HIPPA violation?
 
I can't believe you guys made me look through the HIPAA regulations to find this!

Here is the evidence supporting what I've been saying all along:

1) Defining an individual's name as PHI (protected health information):

Main directory: http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html

http://edocket.access.gpo.gov/cfr_2002/octqtr/pdf/45cfr164.510.pdf

(a) Standard: use and disclosure for facility directories. (1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:
(A) The individual's name;
(B) The individual's location in the covered health care provider's facility;
(C) The individual's condition described in general terms that does not communicate specific medical information about the individual; and
(D) The individual's religious affiliation

If you continue reading the link I posted, you'll understand the whole story.

2) A question relating to disclosure of patient names:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalu&d.pdf

Q: A hospital customarily displays patients' names next to the door of the hospital rooms that they occupy. Will the HIPAA Privacy Rule allow the hospital to continue this practice?

A: The Privacy Rule explicitly permits certain incidental disclosures that occur as a by-product of an otherwise permitted disclosure—for example, the disclosure to other patients in a waiting room of the identity of the person whose name is called. In this case, disclosure of patient names by posting on the wall is permitted by the Privacy Rule, if the use or disclosure is for treatment (for example, to ensure that patient care is provided to the correct individual) or health care operations purposes (for example, as a service for patients and their families). The disclosure of such information to other persons (such as other visitors) that will likely also occur due to the posting is an incidental disclosure.

Incidental disclosures are permitted only to the extent that the covered entity has applied reasonable and appropriate safeguards and implemented the minimum necessary standard, where appropriate. See 45 CFR 164.502(a)(1)(iii). In this case, it would appear that the disclosure of names is the minimum necessary for the purposes of the permitted uses or disclosures described above, and there do not appear to be additional safeguards that would be reasonable to take in these circumstances. However, each covered entity must evaluate what measures are reasonable and appropriate in its environment. Covered entities may tailor measures to their particular circumstances.

All the information posted comes from government sites.

So here's a summary of this thread:

Misconception #1: Patient names aren't PHI.

Misconception #2: Disclosing a list of names of people who go to your pharmacy isn't a violation of HIPAA.

Misconception #3: powertoold is beating a dead horse.

Anyway, again, this thread shows how little we actually know about HIPAA!
 
So what happened to all the naysayers? I just tried to show that everyone in this thread was wrong all along.

HIPAA isn't black and white my friends. It's about common sense and gray areas.
 
So what happened to all the naysayers? I just tried to show that everyone in this thread was wrong all along.

HIPAA isn't black and white my friends. It's about common sense and gray areas.

I would recommend reading the part where your information says, "...there do not appear to be additional safeguards that would be reasonable to take in these circumstances..."

You're wrong.
 
I would recommend reading the part where your information says, "...there do not appear to be additional safeguards that would be reasonable to take in these circumstances..."

You're wrong.

I don't understand what you're trying to say, please explain.

Where does it say that, and what does that have to do with my proposition that someone's name is PHI?

Also, have you read this thread?
 
I was referring to your "Misconception 2," which is incorrect.

So you think disclosing a list of names of people who go to your pharmacy isn't a violation of HIPAA (assuming it's not for TPO)? With misconception #2, I'm saying that it IS a violation of HIPAA if you disclose a list of names of people who go to your pharmacy.

My main purpose with that previous long post is to dissolve any doubt that an individual's name is PHI.
 