Monthly Archives: April 2017

HIPAA–What Can Pharmacists Say?

I have been inundated with HIPAA cases recently.  Of these, only a few had merit.  It seems like someone gave the public a bad lesson in this law and it is being mis-interpreted so badly that every word spoken by a pharmacist is considered a HIPAA violation.

This is not helped by employers whose HIPAA  training takes the same tone.  Most of these programs take the attitude that words spoken in the pharmacy should be few and so innocuous that those hearing them might not even understand what is being addressed.

The Health Insurance Portability and Accountability Act was enacted to, among other things, protect patient privacy.  Many states had highly differing laws regarding the privacy of medical information in different settings, and there was no federal example or precedent to follow.  Several provisions address what and how much Protected Health Information (PHI) can be obtained, passed along to other parties, and used in counseling.  It even goes so far as to specify the destruction of PHI—specific garbage cans, who can have access to it, etc. However, while well meaning, the law has created a number of issues, among the top being verbal HIPAA violations in the pharmacy.

These usually arise because most pharmacies, while not physically accessible, are so open that words spoken in the prescription area can be easily overheard by the visiting public.

This discussion does not include counseling.  HIPAA acknowledges that counseling may well be overheard as many states do not mandate private counseling areas but rather understand that pharmacies are public forums.  Counseling is vitally important to proper and timely health care.  Therefore, counseling is generally acknowledged to have NO privacy or privilege or confidential nature.

What the public does not realize is that there are three primary HIPAA exemptions.  For these, health care providers are under only one constraint in the use of PHI.  These exceptions are 1) communications  with  the patient, 2)  billing and3)  communications between healthcare providers providing direct care to the patient.

The latter is often misconstrued as being communications between two or more entities at different locations: pharmacy and doctor’s office, doctor’s office and hospital, etc.  BUT this also includes persons in the same space, such as a prescription area of a pharmacy, such as discussions between two pharmacists, a pharmacist and a technician, and a pharmacist and a pharmacy intern.

These conversations may be overheard and someone may become aware of some PHI regarding a patient of the pharmacy.  However, these conversations are important and essential to proper and timely medical care—weighing the public hearing a piece of PHI against the patient’ s health and well-being—there is no doubt which way this needs to come down.  That is why these discussions are exempted from HIPAA.

I mentioned above that there is one constraint.  This is the Minimum Necessary Information (MNI) standard.  Basically, HIPAA does provide that when PHI is discussed, this standard be the basis of the conversation.  Some legal commentators say the MNI standard even follows the three exemptions and most employers train their pharmacy staff in this manner.  Other commentators, myself included, believe the MNI standard does NOT follow the three exemptions, that these exemptions should be conversations as full and frank—as detail oriented—as the health care providers sees fit in her exercise of professional judgment.  A legitimate fear is that a health care provider following the MNI standard might, in the interests of protecting privacy, inadvertently or deliberately omit something the patient or other provider would have seen as important.

Further, there is a fourth exception recognized by the feds and the states: the educational exception.  When there is a pharmacy student or intern in the pharmacy, conversations seeking to expand and fulfill the education experience should also be unfettered.  Patient privacy is protected by the college of pharmacy which teaches and trains its students in respecting patient privacy and following applicable law.  Most employers additionally have interns and rotation students take that company’s HIPAA training before letting them into the pharmacy environment. Thus, students come prepared to learn but not to share.

There are two rules to follow in pharmacy conversations about patients

  1. Is the conversation necessary? Does the comment or question really need to be made?
  2. Does the conversation follow the MNI standard? While I do not like nor agree with this standard, some Boards and employers do.  Pass along everything you consider necessary, but stop there.

Some employers also want their employers to ask before speaking: Is it appropriate?  While this may seem like a restatement of the “necessary” rule above, some HIPAA cases arise because pharmacy employees do give inappropriate information as part of a discussion.  Some comments are easily determinable as inappropriate—the patient is divorced, the patient’s father is an alcoholic, his son take amphetamine sfor school—but may become necessary with the patent history (was alcohol the only drug misused/abused) or drug regimen.  Here, the pharmacist’s professional judgment should dictate what words to say and what facts to relate.

Some employers also like the adage, “When in doubt, leave it out.”  This is not good patient care.  The opposite should be followed; “when in doubt, include.”

One thing in which there is no doubt, wading through the waters of HIPAA is quite tricky and is full of traps.  A violation or breach of HIPAA opens the person who does so to huge fines from the federal government, exclusion from federally funded programs, as well as Board action and a permanent black mark on their record.  However, pharmacists’ primary goal must continue to be providing the highest quality of health care, and having whatever discussions needed to provide it.