HIPAA's Three Rules That Pharmacists Must Know
Privacy Rule — The Most Tested
The Privacy Rule governs protected health information (PHI) — individually identifiable health information in any form (verbal, paper, electronic). Covered entities (including pharmacies) must protect PHI and can only disclose it under specific circumstances.
Security Rule — Electronic PHI (ePHI)
The Security Rule applies specifically to electronic PHI. Pharmacies must implement administrative, physical, and technical safeguards to protect ePHI. For the MPJE, focus on the types of safeguards rather than technical details.
Breach Notification Rule
Requires covered entities to notify affected individuals, HHS, and potentially media (if 500+ individuals affected in a state) following a breach of unsecured PHI. The notification window is 60 days from discovery of the breach.
When Disclosure is Permitted WITHOUT Patient Authorization
This is the highest-yield HIPAA topic on the MPJE. Memorize every category where no authorization is required:
- Treatment, Payment, Healthcare Operations (TPO): Sharing patient information with another treating provider, processing insurance claims, quality improvement activities — all permitted without authorization.
- Public health activities: Reporting to public health authorities (CDC, state health departments) for disease surveillance, adverse drug event reporting to FDA.
- Health oversight activities: Audits, investigations, and inspections by regulatory agencies (DEA, state boards of pharmacy, CMS).
- Law enforcement: Responding to court orders or subpoenas, providing limited information to locate suspects, reporting crimes on premises. Limited — pharmacists should not provide more than the minimum requested.
- Abuse, neglect, or domestic violence: Required reporting to relevant authorities.
- To avert serious threat: Belief that disclosure is necessary to prevent or lessen a serious, credible threat to health or safety.
- Workers' compensation: As authorized by and necessary to comply with workers' compensation laws.
- Research: With appropriate IRB waiver of authorization, or using de-identified data.
- Decedents: To medical examiners, funeral directors, and for organ donation.
When Patient Authorization IS Required
- Marketing communications (including most pharmacy promotional materials that involve PHI)
- Sale of PHI to any party
- Most research uses that do not qualify for IRB waiver
- Psychotherapy notes — always require specific authorization
- Substance abuse treatment records (also governed by 42 CFR Part 2 — stricter than HIPAA)
- Disclosures to employers (with narrow exceptions)
- Disclosures to family members or friends (unless patient is present and consents, or patient is incapacitated and disclosure is in their best interest)
The Minimum Necessary Standard
One of the most tested HIPAA concepts in pharmacy scenarios: when disclosing PHI for permitted purposes (other than treatment and patient-requested), pharmacists must make reasonable efforts to limit disclosure to the minimum amount necessary to accomplish the purpose.
- Applies to: All disclosures except treatment, patient-requested, and legally required disclosures
- Does NOT apply to: Disclosures to treating providers (for treatment purposes), disclosures to the individual patient, legally mandated disclosures, authorizations signed by the patient
- Pharmacy application: If a law enforcement officer asks for a patient's medication history, provide only what is responsive to the specific request — not the complete dispensing history
- Incidental disclosures: Pharmacists calling out patient names in a busy pharmacy does not violate HIPAA as long as reasonable safeguards are in place (lowering voice, using privacy windows, etc.)
Patient Rights Under HIPAA
| Right | What It Means | Pharmacy Application |
|---|---|---|
| Right to Access | Patient can request copies of their health records | Must respond within 30 days; can charge reasonable cost-based fee for copies |
| Right to Amend | Patient can request corrections to their records | Can deny if record is accurate and complete; document denial |
| Right to Accounting | Patient can get a list of certain disclosures made in past 6 years | Does not include disclosures for TPO; disclosures made pursuant to authorization |
| Right to Restrict | Patient can request limitations on certain uses/disclosures | Must honor request if for payment/operations and patient paid out-of-pocket in full |
| Right to Confidential Communications | Patient can request alternative means of contact | e.g., "call my cell, not my home number"; must accommodate reasonable requests |
Most Commonly Missed HIPAA Scenarios on the MPJE
- A prescriber calls asking about a mutual patient's refill history: Permitted — treatment purpose, no authorization needed.
- A patient's employer calls to verify their prescription history: NOT permitted without authorization (employer is not a covered entity in a TPO relationship).
- A police officer asks to see if a patient recently filled an opioid: Without a court order or subpoena, disclose only the minimum — and only under a valid law enforcement exception.
- A patient's spouse asks about their medications at the pharmacy counter: Not permitted unless the patient has previously authorized it or is present and verbally consents.
- Leaving a voicemail with medication refill reminders: Permitted — but should use minimum necessary information (don't leave medication names if possible).
- HIPAA and state law conflict: If state law is more protective of patient privacy than HIPAA, state law prevails. If HIPAA is more protective, HIPAA prevails.
📌 MPJE Memory Trick for HIPAA Disclosures
Remember "TPO = no authorization needed." Treatment, Payment, Operations — the three pillars of routine pharmacy practice are all permitted without patient authorization. Everything else either requires authorization or falls into one of the specific exception categories listed above.