Are pharmacists covered entities?

Pharmacies are covered entities under HIPAA because they regularly handle protected health information (PHI). They are subject to the regulations and requirements outlined in HIPAA to safeguard patient health information.

What are covered entities?

Covered entities, as defined under 45 CFR 160.103, encompass a range of organizations and individuals within the healthcare ecosystem. These entities are subject to strict regulations aimed at safeguarding the privacy and security of PHI. 

The categories of covered entities include healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers include various medical professionals and institutions, such as doctors, clinics, psychologists, dentists, chiropractors, and nursing homes.

Are pharmacies covered entities?

Yes, HIPAA does include pharmacies under its definition of covered entities. Pharmacies fall within the category of healthcare providers.

What does this mean for pharmacists? 

1. Privacy of PHI: Pharmacies must protect the privacy of PHI by implementing safeguards to prevent unauthorized access, use, or disclosure of patient health information. This includes maintaining the confidentiality of prescription records, patient profiles, and any other PHI in their possession.
2. Security of PHI: Pharmacies must also ensure the security of PHI by implementing appropriate administrative, physical, and technical safeguards. This includes secure storage of paper and electronic records, access controls, secure communication like HIPAA compliant email, and regular security risk assessments.
3. Designated privacy officer: Pharmacies should designate a privacy officer responsible for overseeing HIPAA compliance, responding to privacy inquiries, and ensuring staff members are trained on HIPAA requirements.
4. Patient rights: Pharmacies must respect and uphold patients' rights under HIPAA, including the right to access their PHI, request corrections to their records, and receive a notice of privacy practices.
5. Business associate agreements (BAAs): When engaging with business associates, such as contract pharmacy assistants, consultants, or pharmaceutical manufacturers, pharmacies must establish and maintain BAAs. These agreements outline how business associates will handle and protect PHI in accordance with HIPAA.

See also: Why HIPAA compliant email is crucial for pharmacies

Other legislation to be aware of

Health Information Technology for Economic and Clinical Health (HITECH) Act

This federal statute, enacted as a component of the American Recovery and Reinvestment Act of 2009, promotes the adoption of electronic health records (EHR) and reinforces the privacy and security regulations outlined in HIPAA. It extends these requirements to encompass business associates of covered entities. It introduces mandates for notifying patients or the government of data security breaches.

Drug Supply Chain Security Act (DSCSA)

Although not primarily centered on data privacy, the DSCSA establishes guidelines for ensuring the security of the pharmaceutical supply chain and includes provisions related to monitoring and tracing prescription drugs to prevent counterfeiting and guarantee patient safety.

Federal Food, Drug, and Cosmetic Act (FD&C Act)

This legislation, overseen by the Food and Drug Administration (FDA), comprises clauses related to the labeling, safety, and security of prescription medications, which can have implications for data privacy and security within pharmacy operations.