• linkedin
  • Increase Font
  • Sharebar

    Incidental Use and Disclosure of HIPAA Information


    When a pharmacy learns of a HIPAA breach, it, and its business associates involved in the breach, are required to report the incident to the government.1

    But not all violations are reportable and may not be considered a breach. HIPAA was passed by congress in 1996. Primarily a set of requirements aimed at insurance companies, the third section was to protect against release of confidential patient information. That third section was not completed when the bill was passed. The law gave Congress until August 21, 1999, to pass the section on comprehensive health privacy legislation.

    If Congress did not enact such legislation after three years, the law required HHS to craft such protections by regulation. Perhaps not surprisingly, Congress did not meet the self-imposed requirement by 1999, so the job of writing HIPAA regulations fell to HHS.

    When the regulations were written and the third section became effective, some problems became apparent. Originally by the strict terms of the regulations, a pharmacist could not hand a prescription to the patient’s next door neighbor who had been asked by the patient to pick it up. The pharmacy could not announce or post on an electronic board, “Baker, your prescription

    is ready.” A hospital receptionist could not even tell the floral shop’s delivery person what room a patient was in and whether the patient was in the hospital.2

    HHS began to recognize that some disclosures were not only convenient, but also valuable and necessary. HHS moved to solve such problems by making exceptions to the rules and announced:

    . . . [The] potential exists for an individual’s health information to be disclosed incidentally. . .  HIPAA Privacy . . . does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual’s privacy.3

    Kenneth R. Baker, BS Pharm, JD
    These articles are not intended as legal advice and should not be used as such. When a legal question arises, the pharmacist should ...


    You must be signed in to leave a comment. Registering is fast and free!

    All comments must follow the ModernMedicine Network community rules and terms of use, and will be moderated. ModernMedicine reserves the right to use the comments we receive, in whole or in part,in any medium. See also the Terms of Use, Privacy Policy and Community FAQ.

    • No comments available
    2018 Novel Drug Approvals: The First Five
    2018 Novel Drug Approvals: The First ...

    Signs point to a cooling on the FDA's fiery approval pace of 2017, but 2018 has already seen five novel drug approvals.

    Five Tips for Surviving a 12-Hour ...
    The Top 5 Pharmacist Movies of All Time
    Top 5 Problem Dietary Supplements