About the ads

HIPAA and Retail Pharmacy

Discussion in 'Pharmacy' started by golf299, Apr 13, 2009.

  1. SDN is a nonprofit organization. Services are made possible through the generous support of SDN members and sponsors. Thank you.
  1. golf299

    golf299 Member

    Joined:
    May 5, 2004
    Messages:
    73
    SDN 7+ Year Member

    SDN Members don't see this ad. (About Ads)
    Hi all,

    Quick question about HIPAA and retail pharmacy - at my chain pharmacy job we have been told that it is a HIPAA violation to even say "Mr. X please return to the pharmacy". Their reasoning is that anything that implies they have a prescription at the pharmacy is a violation of HIPAA.

    I have done a lot of looking for specifics guidelines on what can/can not be said while paging a patient and can't find anything in HIPAA that specifically addresses this issue.

    Anyone have the information or know where I might find the information?

    Thanks!
  2. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    I doubt that's a violation. It's legal to call someone's name out in a waiting room to come pick up their drugs. However, it's difficult to know where to draw the line. I'm not sure if it's a good idea to call someone's name out in a Costco with hundreds of people. I'm sure if you just use their first name, it's fine.
  3. Old Timer

    Old Timer SDN Advisor SDN Advisor

    Joined:
    May 16, 2007
    Messages:
    3,061
    Status:
    Pharmacist
    SDN 7+ Year Member
    It is NOT a HIPPA violation to say Mr. Jones, please come to the pharmacy. You did not disclose any protected health information. It would of course be a violation to say, Mr. Jones, your Valtrex is ready....
  4. MountainPharmD

    MountainPharmD custodiunt illud simplex

    Joined:
    Aug 15, 2004
    Messages:
    4,334
    Status:
    Pharmacist
    SDN 10+ Year Member
    Quoted from the U.S. Department of Health & Human Services website: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

    Here again is something people want to add more into it than what the law says. The bottom line is you have committed a HIPPA violation if you have disclosed someone's protected health information (PHI) without their consent.
    If you announce over the store intercom "Mr. Smith please return to the pharmacy" have you disclosed any of Mr. Smith's individually identifiable health information? No, you have not. Therefore you have not violated HIPPA
    .
  5. Vitamin K

    Vitamin K

    Joined:
    Jan 18, 2009
    Messages:
    235
    Status:
    Pharmacist
    SDN 2+ Year Member
    Agreed! It's not a violation unless you mention something about their health or medication. A name isn't PHI!
  6. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    It's not specifically PHI, but it's a unique identifier if you use first and last name. HIPAA doesn't allow disclosure of unique identifiers either (e.g. address, name, discharge date, etc.). This isn't just about health information. Fortunately, it's mostly about common sense. As I said, I don't think you should be calling someone's full name over Costco's PA system.
  7. All4MyDaughter

    All4MyDaughter SDN Mommystrator Staff Member Administrator SDN Senior Moderator Lifetime Donor Partner Organization

    Joined:
    May 7, 2005
    Messages:
    22,701
    Location:
    Cube Farm
    Status:
    Pharmacist
    Pharmacist SDN Partner SDN Published Author NCPA Kappa Psi SDN 7+ Year Member
    This is not the definition of unique identifiers as I understand it: http://www.bethesda.med.navy.mil/Patient/HIPAA/Unique.asp

    I agree with others who've stated that patient name is not protected.
  8. dumediat

    dumediat

    Joined:
    Apr 23, 2007
    Messages:
    67
    Location:
    Ohio
    Status:
    Pharmacy Student
    SDN 2+ Year Member
    A lot of chain stores are implementing store policies where they aren't calling patients by their last names over the loudspeaker, but there is no law prohibiting this.
  9. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    You're right, I used the term "unique identifier" incorrectly. I meant information that could be used to identify patients.

    Otherwise, as for patient information, it's illegal to release a list of names of people who go to your pharmacy.

    The names aren't PHI (in the health sense), but they are identifiable information.

    Then again, we're getting into the gray areas.
    Last edited: Apr 14, 2009
  10. MountainPharmD

    MountainPharmD custodiunt illud simplex

    Joined:
    Aug 15, 2004
    Messages:
    4,334
    Status:
    Pharmacist
    SDN 10+ Year Member
    If the names are not PHI or associated with PHI then it is not a HIPPA violation. With HIPPA there really are very few gray areas. Either a patients PHI has a unique identifier that can be used to identify them or it does not.
    Simple and clear cut.
  11. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    So we're now no longer talking about announcing someone's full name on a PA system.

    In that case, a list of patients who go to your pharmacy is technically PHI. It's not something you are allowed to freely disclose. You must protect that list.

    What I was trying to emphasize with the previous posts is that the information doesn't have to directly pertain to health (e.g. drugs or diagnosis). For example, if a couple of movie stars got drugs from your pharmacy, how would you answer this patient's question, "hi, would you tell me the movie stars who come to this pharmacy?"

    I think that's illegal under HIPAA. It's not a gray area.

    But the whole name thing is a gray area.
  12. MountainPharmD

    MountainPharmD custodiunt illud simplex

    Joined:
    Aug 15, 2004
    Messages:
    4,334
    Status:
    Pharmacist
    SDN 10+ Year Member
    If it does not directly pertain to a patients PHI then it is not covered under the HIPPA law. HIPPA deals specifically with a patients PHI.

    In your example if a person came up to the pharmacy and said "hi, would you tell me the movie stars who come to this pharmacy?" and you told them, that is not a HIPPA violation. If you accessed the computer system and saw a movie stars entire medication profile and you did not have a reason to view it, other than to see if they were a patient at the pharmacy, you have violated HIPPA. You accessed a patients PHI without a valid reason which is a clear violation.

    If someone came up to the pharmacy and said "hi, would you tell me the movie stars who come to this pharmacy and what medications they were on and you told them, then you would have violated HIPPA.

    Again do not make this harder than it needs to be. HIPPA deals specifically with a patients PHI -protected health information. A list of names of people who come to your pahrmacy is just that, a list of names. If there is not some sort of PHI attached to it then it is relese is not convered under the HIPPA law.
    Last edited: Apr 14, 2009
  13. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    I believe you're wrong (but I do see what you're saying). I'll try to find support later.

    Also, it's HIPAA, not HIPPA.

    Here's a court case that I vaguely remember from class. A pharmacist gets into a car accident with a man who gives wrong information about who he is, where he lives, etc. The pharmacist is unable to contact the man for car insurance reasons. Later, the pharmacist encounters the man in the pharmacy to pick up drugs. From this, the pharmacist is able to get his real information (name, address, phone number). However, it is a violation of HIPAA (not some privacy law) because it doesn't pertain to TPO (treatment, payment, or operations), but the pharmacist didn't use any health related information.
    Last edited: Apr 14, 2009
  14. MountainPharmD

    MountainPharmD custodiunt illud simplex

    Joined:
    Aug 15, 2004
    Messages:
    4,334
    Status:
    Pharmacist
    SDN 10+ Year Member
  15. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    Anyway, I found this regarding incidental disclosure:

    http://books.google.com/books?id=8chcjlz2VpQC&pg=PA217&lpg=PA217&dq=67+Fed.+Reg.+53182,+53193%E2%80%93+95&source=bl&ots=7Ov9NGZkWW&sig=zF3pCk6SSqQV3fQzTgeQvfN-uII&hl=en&ei=u0_lSZ33DozstgPllZybBA&sa=X&oi=book_result&ct=result&resnum=1 (Page 217 - under "Patient Charts")

    Calling and posting patient names is considered "incidental disclosure." Disclosure of what? PHI.

    Also, here's from HHS:

    http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalusesanddisclosures.html

    From the information I presented, it looks like names are PHI. This conversation is interesting because it shows how little we know about HIPAA :D

    Ugh, my HHS supporting evidence isn't very good. I'll get back to this tomorrow!
    Last edited: Apr 14, 2009
  16. Old Timer

    Old Timer SDN Advisor SDN Advisor

    Joined:
    May 16, 2007
    Messages:
    3,061
    Status:
    Pharmacist
    SDN 7+ Year Member
    Can I ask a really stupid question? Do you read the things you post before you post them and say they support your position?

    From the Google Book Link:

    Just the other day a patient come to the pharmacy counter and purchased only OTC items and left her credit card on the counter. We called over the PA for Mrs ____________ to come to the pharmacy. This is not nor has it ever been a HIPAA violation...........
  17. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    This is very ironic :love:

    I agree with the rest of your post though.
  18. MountainPharmD

    MountainPharmD custodiunt illud simplex

    Joined:
    Aug 15, 2004
    Messages:
    4,334
    Status:
    Pharmacist
    SDN 10+ Year Member
    This is a good conversation. Hopefully you should learn something. I am not saying that in a mean or condesending way. If your desire to be a pharmacist this is important for you to understand.

    Okay...to review:

    From the U.S. Department of Health & Human Services website:

    The first step is to understand the above definition. You need to be clear on what PHI is and what common identifiers are. It becomes covered under HIPAA if it is PHI and it has a common identifier associated with it. It is worthy of emphasis that PHI can be in any form or media, whether electronic, paper, or oral.


    Now lets look at this quote from your last post.
    You pulled this out of context but it is still usefull in our discussion. Again I ask you to always keep in mind what PHI is and remember it is covered under HIPAA if it is attached to a common identifier.

    I will give you three scenarios:

    1. Bob and Tom are pharmacists in a hospital. Bob gets on an elevator with Tom and five other people. Bob says, "Hey Tom, I am going to go upstairs and see an interesting patient would you like to come with me?" Tom says, "No Bob, I have to go down to SICU and check on a few patients. I can come up later. Where will you be?" Bob replies "I will be up in room 642 if you want to swing by."

    2. Bob and Tom are on the elevator again with five other people. Bob says "Hey Tom I got the lab work back on John Smith." Bob replies "Oh good we can meet later and go over it. Tom says. "Okay how about at lunch. I am going over to the SICU to see Mary Smith right now."

    3. Bob and Tom are on the elevator again with five other people. Bob says "Hey Tom, John Smith up in room 245 just got diagnosed with an inoperable primary brain tumor, glioblastoma multiforme." Tom replies, "Oh, thats terrible."

    Tell me in each scenario if a HIPAA violation occured. If so tell me why using examples from the HIPAA law.
  19. Vitamin K

    Vitamin K

    Joined:
    Jan 18, 2009
    Messages:
    235
    Status:
    Pharmacist
    SDN 2+ Year Member
    Definitely go back and read through HIPAA. Disclosing identifying information isn't a HIPAA violation unless you disclose it WITH information related to their healthcare. If a name alone constituted a HIPAA violation, they wouldn't be able to name people in newspaper articles. You're not getting into HIPAA territory until you start talking about information regarding their health, medication, therapy, etc...
  20. Old Timer

    Old Timer SDN Advisor SDN Advisor

    Joined:
    May 16, 2007
    Messages:
    3,061
    Status:
    Pharmacist
    SDN 7+ Year Member
    HIPAA does not apply to newspapers as they neither submit electronic claims nor fall under the covered entity provision. Nor does HIPAA apply to Churches and Synagogues nor to family members. HIPAA applies to health care providers only.
  21. Vitamin K

    Vitamin K

    Joined:
    Jan 18, 2009
    Messages:
    235
    Status:
    Pharmacist
    SDN 2+ Year Member
    Good point. I take it back. :) My statement still stands though...that HIPAA doesn't apply unless you're disclosing health-related information in addition to the unique identifier.
  22. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    Yup, I didn't read my own quote correctly, so later, I said my HHS support isn't very good :)

    Anyway, I agree with and understand your examples.

    I still think names constitute PHI. Again, disclosing a list of names of people who go to your pharmacy would be a violation of the HIPAA privacy rule.

    In many HIPAA FAQs, these two questions often appear:

    http://www2.umdnj.edu/hipaaweb/privacy/privacy_FAQ01.htm

    If names weren't PHI, then the answer would be much simpler: names aren't PHI, feel free to announce them as long as you don't attach health information.

    Again, I'll try to find the exact wording later. Then again, you all do make a lot of sense, so I may be wrong :)
  23. All4MyDaughter

    All4MyDaughter SDN Mommystrator Staff Member Administrator SDN Senior Moderator Lifetime Donor Partner Organization

    Joined:
    May 7, 2005
    Messages:
    22,701
    Location:
    Cube Farm
    Status:
    Pharmacist
    Pharmacist SDN Partner SDN Published Author NCPA Kappa Psi SDN 7+ Year Member
    No.

    Dude. That *IS* the simple answer. Names aren't PHI and you CAN use them if health information is not attached. BOTH points #1 and #2 in your above quote support this simple answer.

    A number of more experienced health care providers and pharmacy students have given you the correct interpretation. Your own sources don't support the point you are making. At some point it's just :beat:.
  24. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    If pharmacy experience teaches you law, then that's great, unfortunately, it doesn't. The OP wouldn't have had this HIPAA question if experience taught him the law.

    The OP's question has already been answered, so we're just talking about names in general now.

    People are assuming I think names, by themselves, are PHI. No, names by themselves aren't PHI, BUT names attached to any health service provider are PHI. In the example I used, you aren't allowed to give someone a list of names of people who go to your pharmacy.

    Then please explain: "2. Can we call for patients in our waiting room, or use a patient's name at the front desk?

    Yes, as long as the information meets the reasonable safeguard and minimum necessary standards. Therefore, staff should limit the call to the patient's name, and should use the most direct means possible under the circumstance to locate the patient."

    I'm not saying I'm right, but I think my supporting evidence is worthy of discussion.
  25. dumediat

    dumediat

    Joined:
    Apr 23, 2007
    Messages:
    67
    Location:
    Ohio
    Status:
    Pharmacy Student
    SDN 2+ Year Member
    A name attached to PHI is, by definition, a unique identifier. The fact that it is attached to PHI doesn't make it PHI in and of itself. If it isn't PHI by itself, then it never is PHI.

    Hypothetical example:

    Mr. Doe gets a refill for xxxxstatin at Pharmacy A. As he's waiting, the pharmacist calls out, "Prescription is ready for Mr. Doe."

    After some time, the patient has not returned, so the pharmacist impatiently announces, "Mr. Doe, your xxxxstatin is ready for pickup!"

    In the first statement, no PHI was disclosed in the announcement. The pharmacist did not divulge that the patient was picking up xxxxstatin. In the second statement, however, the name of the drug was attached to a unique identifier (the patient's name), which is a violation if HIPAA.

    We may be arguing semantics here, but for the sake of argument I thought I'd post.
  26. Hibiclens

    Hibiclens

    Joined:
    Dec 17, 2006
    Messages:
    51
    SDN 7+ Year Member
    Has anyone even been fined for a HIPPA violation yet...last I heard no one had.
  27. All4MyDaughter

    All4MyDaughter SDN Mommystrator Staff Member Administrator SDN Senior Moderator Lifetime Donor Partner Organization

    Joined:
    May 7, 2005
    Messages:
    22,701
    Location:
    Cube Farm
    Status:
    Pharmacist
    Pharmacist SDN Partner SDN Published Author NCPA Kappa Psi SDN 7+ Year Member
    What's to explain? Your example says it's fine to use the name, which is the point everyone has been making.

    My doctor's receptionist is allowed to publically call my name when they want me to come to the desk and pay my co-pay, or to tell me that the doctor will see me.

    My pharmacist can call my name when he wants me to come to the counter and pick up my prescription.
  28. Praziquantel86

    Praziquantel86 Moderator Emeritus

    Joined:
    Oct 28, 2008
    Messages:
    2,559
    Status:
    Fellow [Any Field]
    Pharmacist SDN 5+ Year Member
    It happens all the time. A bunch of Kaiser employees were just sanctioned and fired for accessing Octomom's information with no reason to do so. Information is on a need-to-know basis. If you don't need to know, then you can receive an official reprimand for any level of access.
  29. Hibiclens

    Hibiclens

    Joined:
    Dec 17, 2006
    Messages:
    51
    SDN 7+ Year Member
    And I believe stuff like that happened before HIPPA...let me rephrase...has the federal government ever fined anyone for a HIPPA violation?
  30. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    I can't believe you guys made me look through the HIPAA regulations to find this!

    Here is the evidence supporting what I've been saying all along:

    1) Defining an individual's name as PHI (protected health information):

    Main directory: http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html

    http://edocket.access.gpo.gov/cfr_2002/octqtr/pdf/45cfr164.510.pdf

    If you continue reading the link I posted, you'll understand the whole story.

    2) A question relating to disclosure of patient names:

    http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/incidentalu&d.pdf

    All the information posted come from government sites.

    So here's a summary of this thread:

    Misconception #1: Patient names aren't PHI.

    Misconception #2: Disclosing a list of names of people who go to your pharmacy isn't a violation of HIPAA.

    Misconception #3: powertoold is beating a dead horse.

    Anyway, again, this thread shows how little we actually know about HIPAA!
  31. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    So what happened to all the naysayers? I just tried to show that everyone in this thread was wrong all along.

    HIPAA isn't black and white my friends. It's about common sense and gray areas.
  32. Praziquantel86

    Praziquantel86 Moderator Emeritus

    Joined:
    Oct 28, 2008
    Messages:
    2,559
    Status:
    Fellow [Any Field]
    Pharmacist SDN 5+ Year Member
    I would recommend reading the part where your information says, "...there do not appear to be additional safeguards that would be reasonable to take in these circumstances..."

    You're wrong.
  33. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    I don't understand what you're trying to say, please explain.

    Where does it say that, and what does that have to do with my proposition that someone's name is PHI?

    Also, have you read this thread?
  34. Praziquantel86

    Praziquantel86 Moderator Emeritus

    Joined:
    Oct 28, 2008
    Messages:
    2,559
    Status:
    Fellow [Any Field]
    Pharmacist SDN 5+ Year Member
    I was referring to your "Misconception 2," which is incorrect.
  35. powertoold

    powertoold

    Joined:
    Dec 15, 2006
    Messages:
    299
    Status:
    Pharmacist
    SDN 5+ Year Member
    So you think disclosing a list of names of people who to go your pharmacy isn't a violation of HIPAA (assuming it's not for TPO)? With misconception #2, I'm saying that it IS a violation of HIPAA if you disclose a list of names of people who go to your pharmacy.

    My main purpose with that previous long post is to dissolve any doubt that an individual's name is PHI.

Share This Page


About the ads