HIPAA
Health Insurance Portability and Accountability Act
A 1996 federal law that, among other things, sets national standards for protecting individuals’ health information. For pharmacies it drives privacy, security, and breach-notification obligations around protected health information (PHI).
In depth
HIPAA itself is the umbrella statute; the day-to-day rules pharmacies follow are the regulations issued under it, chiefly the Privacy Rule (45 CFR Part 160 and Part 164 Subparts A and E), the Security Rule (45 CFR Part 164 Subpart C), and the Breach Notification Rule (45 CFR §§ 164.400–414). A retail pharmacy is a HIPAA “covered entity,” so it must appoint a Privacy Officer and a Security Officer, maintain written policies, train staff, execute Business Associate Agreements (BAAs) with vendors that touch PHI, and complete a Security Risk Assessment. Enforcement is by the HHS Office for Civil Rights, with civil penalties tiered by culpability.