An Introduction to HIPAA and PIPEDA for Community Pharmacies

August 7, 2024

As pharmacists, we handle sensitive information about our patients on a daily basis in order to provide them with the best care possible. But with great power comes great responsibility! It’s crucial that we understand the laws and regulations that govern how we can use and share personal health information. In this article, we’ll dive into two regulations: the Health Insurance Portability and Accountability Act (HIPAA) in the United States and the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada. We’ll explore what these two regulations mean for us as community pharmacists, and how we can uphold our patients’ right to privacy and security.

HIPAA vs. PIPEDA

HIPAA was created by Congress to set national standards for how healthcare providers, insurance companies, and other stakeholders must protect personal health information. In Canada, the equivalent standard is known as PIPEDA. Both of these laws govern the collection, use, and disclosure of personal information by health care providers, including us as pharmacists. You may also need to follow additional provincial or state regulations.

Here are 4 fundamental concepts that you should ensure your staff members understand to help you begin to enforce HIPAA and PIPEDA regulations at your pharmacy:

  1. Obtaining patient consent: Before collecting, using, or sharing a patient’s personal health information, pharmacists must ask for their consent. Patients should be informed about how their information will be used and disclosed, and to whom it will be disclosed. For example, if a patient’s spouse wants access to the patient’s prescription file, the patient must authorize this. Your pharmacy staff should obtain verbal or written consent from the patient and document it before releasing any information to a spouse or other third party.
  2. Limiting collection, use, and disclosure: Pharmacists must only collect, use, and share the minimum amount of information needed to fulfill the intended purpose. For example, when filling a prescription, we should only collect the relevant and necessary information required to fulfill that prescription. In addition, the information should only be used for its intended purpose of filling the prescription; it should not be used for other reasons such as marketing. Similarly, if a patient is getting a COVID test for a non-travel reason, it is not appropriate to document their passport number. You should ensure that all your forms show which fields are mandatory or optional, and under which conditions, so that you can limit the collection of data and stay compliant with HIPAA.
  3. Protecting personal health information: Pharmacists must implement reasonable and appropriate security safeguards to protect personal health information. These safeguards include technical measures as well as administrative measures. Examples of technical measures are using strong passwords, password management software, and two-factor authentication. Do not save passwords in an open, easily accessible file, especially one that is not protected by an additional authentication system. An example of an administrative measure: if a patient is discussing a sensitive health concern, they should always be offered a private counselling room instead of discussing it in an open space.
  4. Providing access to patients: Patients have the right to access their personal health information and to know who else has seen or received it. This allows patients to monitor how their information is being used and to ensure its accuracy. There also needs to be a way for pharmacies to correct patient records when requested. For example, patients should be allowed to see an original prescription they submitted, and to request adjustments to their records if there is an error.

As pharmacists, it is essential to understand and comply with the regulations that govern the use and disclosure of personal health information. Unless a privacy officer is assigned, the designated manager of a pharmacy is likely responsible and liable for ensuring that all software, policies, and procedures meet the regulations. Teaching your staff these fundamentals, and documenting that training, is the first step in protecting yourself from potential liabilities and maintaining patients’ trust.

Does your current software meet the requirements of HIPAA and PIPEDA? MedEssist is designed to streamline workflows, enable your team to collaborate efficiently, and grow your business with an online presence that meets HIPAA and PIPEDA regulations. All MedEssist subscriptions include an HCP authentication system (two-factor authentication) that is built to minimize workflow disruptions while maximizing patient data security. We also never advertise or send any non-technical communications directly to patients without specific patient or provider consent.
