April 12, 2001 ©
Paul J. Breaux completed
Pharmacy School in 1965. After practicing pharmacy
for several years, he entered L.S.U. Law School,
graduating in 1972, and he has practiced law since
then. His practice is located in Lafayette, Louisiana.
Congress' 1996 Administrative Simplification Act (part of
HIPAA), among other things, mandated that a patient's health
information (when it is identifiable as his) in the possession
of a covered entity may not be disclosed without either an
authorization by the patient or an exception in the statute,
or in regulations that Congress directed DHHS to enact. "Covered
entities" are health plans, health care clearinghouses
and health care providers, a category that DHHS has expressly
deemed to include pharmacists.
Under the Act, covered entities who maintain or transmit
a person's health information must maintain reasonable and
appropriate administrative, technical and physical safeguards
to: (1) protect against unauthorized disclosures or uses (i.e.,
protect the privacy), (2) ensure the confidentiality,
and (3) protect the security, of the health information.
On December 28, 2000, DHHS published in the Federal Register
a 368-page notice and regulation, calling it "Standards
for Privacy of Individually Identifiable Health Information."
Full and complete compliance with the regulation is not mandatory
until 26 months after the effective date, but it should be
noted that the Congressional criminal sanctions for certain
violations of the statute are effective now.
"Privacy," "Confidentiality," and "Security"
are not synonymous. Although these three words are often used
interchangeably, there are some differences.
PRIVACY: Privacy is the right patients have that information
about them will be kept secret. It is a person's right
to control for himself the disclosure and the use of his health
information.
CONFIDENTIALITY: Confidentiality deals primarily with the
way in which private information is held by others, the
manner in which it is handled or treated by others. It refers
to the notion of protecting private information against
disclosure to those who have not been authorized to receive
the private information.
SECURITY: Security of personal health information is the
totality of safeguards, including hardware, software, personnel
policies, system technologies, as well as routine oversight
of these components. Its major objective in a pharmacy
(or any other health facility) is to protect both the
system and the private information in the system from unauthorized
access from without and misuse from within.
These DHHS Regulations have now been deemed (on April 12,
2001) by President Bush's administration to have an Effective
Date of April 14, 2001. Covered entities must have policies
and procedures in place to protect patients' medical/health
care information. The new regulations describe and require
such things as designation of an employee as Privacy Officer,
privacy training for employees, sanctions of employees as
well as employers for violations, and more. If these are not
already part of your Corporate Compliance Plan/Program, efforts
to add them should be initiated as soon as possible.
END NOTES:
Criminal Penalties — Knowing and willful
disclosure of individually identifiable health information
in violation of the act can be punished by a fine of up to
$50,000 and one year in prison. Penalties for disclosures
made under false pretenses rise to five years and $100,000;
add an intent to sell for commercial advantage, personal gain,
or to inflict malicious harm, and the maximum prison term
increases to ten years, with a monetary penalty of up to $250,000.
42 U.S.C. §1320d-6
Civil Penalties — The statute has
a civil penalty of $100 for intentional violation of a single
provision, with an annual cap per entity of $25,000 for violations
of an identical requirement. 42 U.S.C. §1320d-5