🔒 HIPAA Privacy & Security — MPJE Guide — 2026

HIPAA for Pharmacy — MPJE Study Guide 2026

Master HIPAA Privacy Rule, breach notification, 42 CFR Part 2, and patient rights for the MPJE. Includes tables, scenarios, and linked practice quiz.

HIPAA in Pharmacy — What the MPJE Tests

HIPAA (Health Insurance Portability and Accountability Act) governs how pharmacies handle protected health information (PHI). The MPJE tests your understanding of the Privacy Rule, Security Rule, breach notification requirements, and the situations where PHI can and cannot be disclosed.

The Privacy Rule — Key Concepts

PHI Disclosures WITHOUT Patient Authorization (TPO)

A pharmacist may disclose PHI without written patient authorization for:

  • Treatment — sharing Rx info with another provider involved in patient care
  • Payment — submitting claims to insurance, PBM adjudication
  • Healthcare Operations — quality assurance, credentialing, audits

Other Permissible Disclosures Without Authorization

  • Public health reporting (disease surveillance, adverse event reporting to FDA)
  • Law enforcement requests (with proper legal process — subpoena, court order)
  • Avert a serious threat to health or safety
  • Workers' compensation cases
  • Judicial/administrative proceedings with proper authorization

Disclosures Requiring Written Authorization

  • Marketing purposes (with limited exceptions for treatment communications)
  • Sale of PHI
  • Most research purposes (unless IRB waiver granted)
  • Psychotherapy notes

Minimum Necessary Standard

When disclosing PHI, pharmacies must limit information to the minimum necessary to accomplish the purpose. Exception: this standard does NOT apply to treatment disclosures (provider-to-provider communication for patient care).

42 CFR Part 2 — Substance Abuse Records

MPJE high-yield: Records from federally assisted substance abuse treatment programs have STRICTER protections than standard HIPAA. Under 42 CFR Part 2, these records generally cannot be disclosed without specific written patient consent — even for treatment purposes. The patient must specifically authorize the disclosure. This is more restrictive than HIPAA's TPO exception.

Breach Notification Rules

| Breach Size | Notify Individuals | Notify HHS | Notify Media |
|---|---|---|---|
| < 500 individuals | Within 60 days of discovery | Annual log (within 60 days of year end) | Not required |
| ≥ 500 individuals | Within 60 days of discovery | Within 60 days of discovery | Within 60 days — prominent media outlet |

Patient Rights Under HIPAA

  • Right to access their own PHI (pharmacy must respond within 30 days)
  • Right to request amendment of inaccurate PHI
  • Right to accounting of disclosures (last 6 years, excluding TPO)
  • Right to request restrictions on disclosures (pharmacy not required to agree, except when patient pays out-of-pocket in full)
  • Right to receive Notice of Privacy Practices (NPP)
  • Right to confidential communications (request Rx info sent to alternate address)

Practice HIPAA Questions for MPJE

PharmacyExam.com includes extensive HIPAA scenario-based questions in its MPJE federal law bank.
