In order to determine what is necessary for compliance with the HIPAA Medical Privacy Rule, one must undertake a close and careful reading of the entire rule, since it does not provide one comprehensive organized list. References and descriptions of the numerous required PATIENT FORMS, POLICIES AND PROCEDURES and LEGAL DOCUMENTS, are interspersed throughout the Privacy Rule and its extremely long preamble.

All three groups of documentation, and a Privacy Officer, are needed to build the privacy infrastructure for compliance with the Privacy Rule. Compliance with the Rule is not optional, and the HIPAA statute contains criminal and civil penalties for violations that can be severe.

The Rule requires at least five patient forms and twelve policies and procedures. As originally enacted, the Rule mandated four legal documents – but a proposal by the government published in the March 27, 2002, Federal Register would make one of the four legal documents, the consent, optional for treatment, payment and health care operations uses and disclosures. Even if the March 27th proposal is adopted, a pharmacy should, it is strongly recommended by most, make a good faith effort to obtain the patient's signature to a consent, and thus a pharmacy should be prepared for the consent legal document, too.

The required Patient Forms are: (1) Request for Access to Patient Health Information, (2) Request for Restrictions on Uses and Disclosures of Health Information, (3) Request to Amend Health Information, (4) Request for Alternative Means of Communication, and (5) Request for Detailed Accounting of Disclosures of Health Information.

In the group of twelve required Polices and Procedures a pharmacy must have are these: Minimum Necessary Use of Protected Health Information, Marketing and Protected Health Information, Minimum Necessary Disclosure of Protected Health Information, and Protection of Health Information of Deceased Patients. These must describe the policy of a pharmacy on each of the twelve topics, and then describe in detail the procedure pharmacy staff must follow to assure their actions are in compliance with the policy.

The four Legal Documents are: (1) Notice of Privacy Practices, (2) Patient Consent to Use and Disclosure of Health Information, (3) Patient Authorization and (4) Business Associate Contracts. These four documents are the heart of a privacy compliance infrastructure and guide, direct and inform what goes into the Patient Forms and the Policies and Procedures groups of documentation.

Key to making the Privacy Rule coherent and easing a pharmacy's implementation of it is the realization that the Rule and its required documentation revolve around use and disclosure — how and when a pharmacy may USE, and how, when and to whom it may DISCLOSE, protected health information. Having that key in mind at all times will reduce any confusion or uncertainty about the Rule and facilitate incorporating the requirements of the Rule into daily practice and the provision of patient care.

Endnotes:
1. The Privacy Rule, and its preamble, appears as Part II of Volume 65, No. 250, of the Federal Register.

2. For Criminal Penalties ranging as high as $250,000, plus prison term, see 42 U.S.C. §1320d-6. Civil Penalties are provided for at 42 U.S.C. §1320d-5.