Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.
Here's a look at what covered entities are under the HIPAA Omnibus Rule and where pharmacies that work with your medical practice fit in.
While covered entities (CEs), business associates (BAs), and subcontractors (SCs) now have the same express organizational and compliance requirements (i.e., 45 C.F.R. §164.314) under the HIPAA Omnibus Rule released in January 2013, there may be some confusion as to what constitutes a covered entity.
If the entity or individual does not qualify as a CE, BA, or SC under 45 C.F.R. §160.103, then compliance with HIPAA is not required. Bear in mind, however, that state laws may still impose liability. Additionally, if an entity or individual is transmitting, storing, or handling protected health information (PHI), the chances of the federal rules and regulations not applying are slim to none.
With this in mind, where do pharmacies fit in?
In general, CEs fall into three broad baskets: healthcare providers, health plans, and healthcare clearinghouses. The HHS website provides examples of entities that fit into each basket. For example, healthcare providers include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies. Health plans include health insurance companies, HMOs, company health plans (self-funded plans), and government programs such as Medicare and Medicaid. Lastly, a health care clearinghouse "includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa."
Pharmacies are considered covered entities. As such, "[t]he HIPAA Administrative Simplification provisions also require the establishment of national standards to protect the privacy and security of personal health information and established civil money penalties for violations of the Administrative Simplification provisions." Under the HIPAA Privacy Rule, 45 C.F.R. Part 160 and Part 164, Subparts A and E, covered entities are required to have the requisite safeguards in place to ensure the protection of PHI. If a pharmacy engages a business associate, then a business associate agreement (BAA) is required. Examples of business associates may include contract pharmacy assistants or pharmacists, consulting companies, and pharmaceutical manufacturers.
Both entities need to make sure, as part of their risk assessment, that the BAA is in place. For pharmacies, this could be handled through a corporate directive if the pharmacy is part of a chain, or directly with an independent pharmacy. If a pharmacy receives prescriptions directly from a physician's office through electronic means, then the disclosure would be between two covered entities for the purpose of treatment.
Therefore, as long as the pharmacy has BAAs in place with any contractors and the physician's office does the same, no business associate agreement should be required between the physician and the pharmacy in this particular scenario. The takeaway is to make sure that all of the requisite standards are met and that the PHI is being used for one of the limited purposes outlined in the laws and regulations.