HIPAA and Drug Reps: What Info Can I Release?

Share This Post

I got an interesting email recently from a pharmacist who read an article I wrote in the past for Pharmacy Times about drug reps in the healthcare system. He asked if I ever gave patient information to them and what was allowed to be given to them.

I thought it would be a good idea to elaborate on this topic a bit and explore what types of information can be given to drug representatives.

A (very brief) overview of HIPAA

Most of us are pretty familiar with HIPAA, but I want to start by going over it briefly as well as dispelling some myths about the law so we have a good background.

The Health Insurance Portability and Accountability Act (HIPAA) put in place significant rules intended to protect patient privacy. In it, the legislation allows for the release of protected health information (PHI) for treatment, payment, or operations. This article provides more detail on how each of those is defined – I highly recommend taking a look at it.

One frequently encountered myth is that the patient must sign a waiver to release any information to anyone. In fact, it is very common for physician offices to require a patient to sign a waiver prior to sending records to another physician office.

While they might have a right to do that, it clearly falls under treatment and thus does not require patient authorization prior to releasing.

The above-linked article even provides this example: “A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual.”

To put that into perspective as a pharmacist, can you imagine if we had to have the patient sign a waiver before we could send any claims to an insurance company, or even request refills from the prescribing physician? After all, it is a release of patient information that the patient did not expressly authorize in writing.

If pharmacies had to do that I’m pretty sure most of us would just have to shut the business down.

HIPAA also acknowledges that, in order to provide timely and efficient care, some incidental disclosure is possible (and actually, in my opinion, very likely). A good example in the pharmacy is billing a patient’s old insurance. The old insurance is not involved in their care, so wouldn’t it actually be considered a privacy violation? Again, if every pharmacy were punished for doing that we would all shut down and go sell hot dogs or tires instead.

The law makes clear that the intent is not to ‘impede healthcare’ with this kind of excessive regulation, so instead reasonable safeguards must be made. One safeguard is the ‘minimum necessary‘ standard we are so used to hearing in HIPAA training.

Protected health information (PHI) is defined as “individually identifiable health information” and includes a wide variety of things; it is important to note that it does not have to be, nor is it defined as, official documents or medical records. If you write a prescription number in crayon on a piece of construction paper it’s still PHI. If you throw away extensive discharge information from a patient in the regular trash but tore off the top that had all of their info on it (and there was no other identifying patient information on the document) then it is not PHI.

In order for PHI to be de-identified all of the following must be removed (this list is pulled directly from the HHS website):

  • Names
  • All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census: (1)The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
  • All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
  • Telephone numbers
  • Vehicle identifiers and serial numbers, including license plate numbers
  • Fax numbers
  • Device identifiers and serial numbers
  • Email addresses
  • Web Universal Resource Locators (URLs)
  • Social security numbers
  • Internet Protocol (IP) addresses
  • Medical record numbers
  • Biometric identifiers, including finger and voice prints
  • Health plan beneficiary numbers
  • Full-face photographs and any comparable images
  • Account numbers

Prescription numbers could easily fall under “Medical Record Numbers” and so would be considered PHI.

HIPAA as it applies to pharmaceutical representatives

Now to the question about drug reps. Clearly their role (i.e. to sell the drug) does not fall under treatment, payment, or operations. Because of that, there can be no release of PHI to a drug rep without authorization from the patient.

So what can drug reps legally see? The truth is about anything else.

Financial data (not illegal, but you could get in hot water as an employee with many companies for showing it them), de-identified patient data (it is not PHI at that point), quality metrics, physician prescribing data (in aggregate, de-identified), etc.

Of note it is very possible it is against your company’s policy to release some (or all) of these items. Most companies, for example, are pretty protective of their income statements.

It is important to note here that although the drug companies’ medical teams are nearly entirely comprised of physicians, pharmacists, nurse practitioners, and other healthcare professionals you might see as “HIPAA trained” you still cannot disclose PHI to them without the patient’s consent. They are not treating the patient!

Here’s a good article of FAQ’s on how provider offices should and should not interact with sales reps to maintain patient privacy. It is also a good one for pharmacies.

Here is another article about some drug reps that got in trouble for HIPAA violations when they decided to help the pharmacy fill out prior authorization paperwork.

In Summary

Here is basically all you need to remember to comply with HIPAA (in addition to some common sense):

  • PHI is any individually identifiable health information. If there is even a slight possibility the information provided could be tied back to the individual patient you are probably in PHI territory; and
  • Without authorization, PHI may only be released for treatment, payment, or operations. Memorize those three words! If you don’t remember anything else from this article I want you to remember those three words.

Drug reps do not fall under any of those three magical words (say it with me – treatment, payment, operations); therefore, you would need authorization from the patient to release their PHI to a rep.

Here is the link to the full HIPAA rule for your reading pleasure. Enjoy!

Healthcare Disclaimer: The information provided  on Pharmacists.org is for educational and informational purposes only and is not intended to serve as medical advice. Our tools are designed to provide general conversion estimations and should not be used as a substitute for professional medical advice, diagnosis, or treatment. Always seek the advice of your physician, pharmacist, or other qualified health provider with any questions you may have regarding a medical condition or medication. Read More in our Terms of Use.

Share This Post

Recent Articles

Share On:

More To Explore

Pharmacogenomics in the Community Pharmacy

It’s no secret that pharmacies are going to have to diversify their revenue streams and continue to expand on non-dispensing revenue in order to

An interview with Tyler Taylor, PharmD, of St. Louis Hills Pharmacy

St. Louis Hills Pharmacy has actually implemented compostable prescription vials in their store. In addition, they have an entire page of their website dedicated

Drug Supply Chain and Security Act Infographic

This infographic is a visual representation of the post Top Things to Know About the Drug Supply Chain and Security Act (DSCSA). Get your

Optimize Your Pharmacy Software System [18 Ways]

Making the most of your computer system is one of the easiest, no-cost ways you can improve your workflow, save time, and reduce the

Hazardous Drug Handling in the Community Pharmacy

One of the most commonly overlooked areas of community pharmacies I have either managed or worked in involves the handling and dispensing of hazardous

How Does the Inventory Adjustment Work? [With Examples]

If you’re confused about the adjustment made to your income statement after inventory, you’re not alone. Here, we’ll look at …

9 Tips for Managing Controlled Substances in the Pharmacy

It’s no secret controlled substances are one of the biggest subjects of any pharmacy inspection, so if your pharmacy doesn’t have a good handle

Responding to a State Board of Pharmacy Complaint

This article is by Jeffrey Baird, esq., a healthcare attorney who practices with Brown and Fortunato, PC. I thought it gave a great overview

Best Practices: The Compliance Binder

The Compliance Binder is a pharmacy best practice that will really make your life easier. While not legally required, the compliance binder has everything

How to Manage a Drug Recall

Systems to quickly manage recalls are an important, but often overlooked, area of pharmacy operations. This was brought to the forefront of the public’s

Maximizing Your Pharmacy Switch

Your pharmacy switch routes the claim from your pharmacy to the insurance company. Here’s what you need to know.

6 Top Tips to Know about DSCSA (Drug Supply Chain Security Act)

Here’s what you need to know about DSCSA to stay compliant and avoid fines.

3 Most Frequently Asked Questions About the 340b Program

If you’re wondering where to get started with the 340b program, this is a great place to get started.

What is a Surety Bond?

What is a surety bond? Let’s look a little more closely at why you should get one for your pharmacy.

The Ultimate Guide to DMEPOS Accreditation for Pharmacies

Need to get DMEPOS Accreditation? Here’s a step-by-step guide.

How to Read an Income Statement

If you’re new to accounting and finance, the income statement can be confusing. Here’s what to look for.

Tips to get started with pharmacy sustainability

I’m sure you can guess from the title what this post is about. Today we’re going to talk about greening the community pharmacy. Why

5 Great Pharmacy Organization Ideas

If you’ve been putting off getting your pharmacy organized, there’s never been a better time to get started. Here are a list of ideas

Tracking Licenses and Certifications

This state law also requires all pharmacy technicians to ultimately obtain certification from NCCA-accredited organizations (i.e., PTCB or NHA) after a provisional grace period.

Infographic: USP 800 Visual Guide

This one guides you through a very brief overview of each chapter of USP 800.

The 7 BEST Shoes for Pharmacy Staff [2024]

Pharmacists spend a long time on their feet, and in such a demanding environment, a good pair of shoes becomes more than just an

The Pharmacy Equipment Marketplace

This week’s Quick Tip comes from Shawn Earl, PharmD. Dr. Earl is the founder of Pinnacle Pharmacy Group and specializes in pharmacy mergers and

Are you tracking exclusions?

This Quick Tip is a reminder for pharmacies that they need to be checking all their staff at hire and at least monthly to

The Correct Medical Refrigerator Temperature Range

According to the CDC Vaccine Storage and Handling Toolkit, the correct medical refrigerator temperature range is 36-46 Fahrenheit.
error: Content is protected !!