Health Information Privacy

HIPAA
Patient health information is protected from unauthorized use or disclosure by an array of federal and state laws. Although there are actually multiple statutes and regulations involved, this array is often collectively referred to by the name of the most recognized individual statute, HIPAA (the Health Insurance Portability and Accountability Act). HIPAA and the other health information privacy laws affect the ways pharmacists and other healthcare providers use, collect, disclose, dispose of, and protect the confidentiality of patient data. In addition, states can impose health information privacy requirements separate from and in addition to the federal laws, and some states even have specific additional requirements for pharmacy or prescription records. As a result, each pharmacy must work with its own attorney to identify the relevant legal requirements and how to comply.
It is important to be aware that HIPAA affects pharmacists and pharmacies in multiple ways, and that those ways change over time because the law in this area evolves frequently. For example, as recently as January 2013, the Department of Health and Human Services released a new final rule (the "Omnibus Rule") that significantly affects many areas of HIPAA-related activities, including marketing or selling PHI and relationships with business associates, among other things. The complete text of the Omnibus Rule is available here. As DHHS implements the Omnibus Rule, the FAQs and other resources available on the DHHS website will likely be revised to the extent needed to reflect new requirements.
Regarding privacy of the patients' protected health information, HIPAA regulates the disclosures that can be made with patient authorization, and disclosures without patient authorization (Standards for Privacy; Patient Rights to Their Own Information). Regarding security of the information, HIPAA also regulates the handling of the patient information in the pharmacy's possession, including disposal practices, computer system security, and other aspects of data management (HIPAA Security Provisions).
In light of the requirements and prohibitions that exist under HIPAA and its progeny, the U.S. Department of Health and Human Services has addressed common issues faced in the practice of pharmacy. Here are the top three areas:
1. How to protect patient privacy at the pharmacy counter when counseling, receiving and dispensing prescriptions for patients; resources addressing this topic include:
- Can a doctor or pharmacy be paid to make a prescription refill reminder without a prior authorization under the HIPAA Privacy Rule?
- Can a pharmacist use protected health information to fill a prescription that was telephoned in by a patient's physician without the patient's written consent if the patient is a new patient to the pharmacy?
- Does the HIPAA Privacy Rule require hospitals and doctors' offices to be retrofitted to provide private rooms and soundproof walls to avoid any possibility that a conversation is overheard?
- Can patients have a friend or family member pick up a prescription for them?
- Can healthcare providers engage in confidential conversations with other providers or with patients, even if there is a possibility that they could be overheard?
2. How to respond to public health or other government officials requesting patient information and deciding what can be disclosed without patient authorization; resources addressing this topic include:
- May a covered entity that is not a party to a legal proceeding disclose protected health information in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order?
- Why would the HIPAA Privacy Rule require covered entities to turn over anybody's personal health information as part of a government enforcement process?
- Does the HIPAA Privacy Rule require my doctor to send my medical records to the government?
3. Additional topics relevant to the practice of pharmacy include:
- What to do in the event that a patient's protected health information is disclosed without a required authorization.
- How to submit claims in compliance with HIPAA requirements.
- Whether the pharmacy conducts any activities that require a business associate agreement; Sample Agreement Provisions.
- How to maintain the security of the electronically stored patient data in the pharmacy's possession.
- How to determine what patient information is protected under the law and what is not.
- How to identify and respond to breaches of unsecured patient data.
Note: In addition to these federal requirements and resources, each state can have additional or different requirements, particularly related to determining whether protected data has been breached and whether notification is required.
RELATED TRAINING
As a Member Benefit, training is available on Health Mart University at no additional charge:
- HIPAA, HITECH, the Omnibus Rule and the Pharmacy Practice (Specialized) is intended for pharmacists, technicians, and any other employees with access to protected health information. If you would like to take the course for CE credit, click here; for the non-CE version, click here.
FEDERAL RESOURCES
There are numerous online resources available to the healthcare provider seeking information about patient health-information privacy. These include federal websites such as:
- U.S. Department of Health and Human Services (DHHS), Health Information Privacy
- DHHS HIPAA Frequently Asked Questions Database
- HHS Model Notice of Privacy Practices
- Centers for Medicare and Medicaid Services, HIPAA Overview
ADDITIONAL RESOURCES
- HIPAATrack (Health Mart discount offered)
- Smart Retailing: HIPAA Changes
- Bula Pharmacy Law Intelligence