
HIPAA Refresher: Common Pharmacy Privacy Mistakes

These HIPAA slip-ups cost pharmacies thousands - avoid them today

May 1, 2025


In This Issue

  • 1. Regulatory Update: OCR Ramps Up Right of Access Enforcement
  • 2. HIPAA Deep Dive: The 7 Most Common Pharmacy Privacy Mistakes
  • 3. Compliance Tip: Breach Notification Timelines You Need to Know
  • 4. Patient Access Requests: Getting It Right

Let us talk about HIPAA - specifically, the mistakes we keep seeing pharmacies make over and over. Most of these are not the result of bad intent. They come from outdated training, informal workarounds that became habit, and the daily pressure of running a busy pharmacy. The good news is every one of them is fixable. Here is what to watch for.

Regulatory Update: OCR Ramps Up Right of Access Enforcement

The Office for Civil Rights has been aggressively enforcing the HIPAA Right of Access since 2019, and the pace has not slowed. In the latest round of settlements, OCR fined providers between $15,000 and $240,000 for failing to provide patients with timely access to their records. Pharmacies are not exempt from this.

Under HIPAA, when a patient requests their records, you have 30 calendar days to provide them - and that includes prescription records, pharmacy notes, and any other designated record set. Charging unreasonable fees or requiring patients to submit requests in a specific format (like requiring it in writing when they ask verbally) can also trigger a violation. Review your patient access request process this month and make sure every staff member knows the timeline and the rules.

HIPAA Deep Dive: The 7 Most Common Pharmacy Privacy Mistakes

After years of working with pharmacies on HIPAA compliance, these are the violations we see most often.

1. Discussing patient information in areas where other customers can overhear. Consultation windows, drive-throughs, and open counter areas are the worst offenders. You cannot eliminate all incidental disclosures, but you are required to implement reasonable safeguards - things like lowering your voice, stepping to a private area, or using a consultation room.

2. Leaving computer screens visible to patients. If a customer standing at the counter can read another patient's prescription information on your monitor, that is a violation. Screen privacy filters cost less than $30 and take two minutes to install.

3. Disposing of PHI in regular trash. Prescription labels, patient profiles, voided scripts, and even the labels from returned-to-stock medications must go in a HIPAA-compliant shredding bin - not the wastebasket under the counter.

4. Texting patient information on personal phones. This is rampant in pharmacy, and it is a clear violation unless you are using an encrypted, HIPAA-compliant messaging platform. "But it is faster" does not count as a security exception.

5. Failing to log off workstations. Automatic screen locks should be set to activate after no more than two minutes of inactivity. If your pharmacy software does not support this, your operating system does.

6. Sharing login credentials. Every user needs their own unique login for your pharmacy management system, your dispensing software, and any system that contains PHI. Shared logins make audit trails meaningless.

7. Not training temporary or relief staff. If a relief pharmacist or a temp tech works even one shift at your pharmacy, they need to be briefed on your privacy practices and sign an acknowledgment. No exceptions.

Compliance Tip: Breach Notification Timelines You Need to Know

When a breach of unsecured PHI occurs, HIPAA requires notification - but the timelines trip people up. Here is the breakdown.

For breaches affecting fewer than 500 individuals, you must notify each affected person without unreasonable delay and no later than 60 calendar days from discovery. You must also log the breach and report it to HHS annually by March 1 of the following year.

For breaches affecting 500 or more individuals, the same 60-day individual notification applies, but you must also notify HHS and prominent media outlets serving your state or jurisdiction within that same 60-day window.

Discovery does not mean the day the problem finally reached you or your management. Under HIPAA, a breach is considered "discovered" on the first day it is known - or should have been known - by any person in your workforce. That means if a pharmacy tech notices something suspicious on a Tuesday and does not report it until the following Monday, your clock started on Tuesday.

Document everything. When you discover a potential breach, start a written record immediately: what happened, when you found out, what data was involved, and what steps you took. This documentation is your defense if OCR comes knocking.
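To make the timeline rules above concrete, here is an added worked example (not part of the newsletter) that turns them into a small deadline calculator. It assumes only what the text states: discovery is the earliest date any workforce member knew of the incident, the 60-day window is the outer limit for individual notification, and breaches under 500 individuals go in the annual log due March 1 of the following year. Dates in the sample are constructed.

```python
from datetime import date, timedelta

# Figures taken from the newsletter text
NOTIFICATION_WINDOW_DAYS = 60
LARGE_BREACH_THRESHOLD = 500


def discovery_date(awareness_dates):
    """HIPAA treats a breach as discovered on the first day ANY workforce
    member knew (or should have known) about it, so the earliest date wins,
    not the day it was reported up the chain."""
    if not awareness_dates:
        raise ValueError("at least one awareness date is required")
    return min(date.fromisoformat(d) for d in awareness_dates)


def breach_deadlines(awareness_dates, affected_count):
    """Return the notification deadlines as ISO date strings.

    awareness_dates: ISO dates on which each workforce member became aware.
    affected_count:  number of individuals whose unsecured PHI was involved.
    """
    discovered = discovery_date(awareness_dates)
    # 60 calendar days is the outer limit; "without unreasonable delay" still applies.
    individual_deadline = discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)
    if affected_count >= LARGE_BREACH_THRESHOLD:
        # 500 or more: HHS and prominent media within the same 60-day window
        hhs_deadline = individual_deadline
        media_required = True
    else:
        # Fewer than 500: log it and report to HHS annually by March 1 next year
        hhs_deadline = date(discovered.year + 1, 3, 1)
        media_required = False
    return {
        "discovered": discovered.isoformat(),
        "individual_deadline": individual_deadline.isoformat(),
        "hhs_deadline": hhs_deadline.isoformat(),
        "media_required": media_required,
    }


if __name__ == "__main__":
    # Constructed scenario: a tech noticed something on Tuesday 2025-04-01 and
    # the pharmacist-in-charge only heard about it the following Monday.
    print(breach_deadlines(["2025-04-07", "2025-04-01"], affected_count=120))
```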

Patient Access Requests: Getting It Right

Patients have the right to access their pharmacy records, and most pharmacies handle routine requests without issue. The problems start when the request is unusual - a patient asks for records in electronic format, requests that records be sent to a third party, or asks for records going back several years.

You are required to provide records in the format the patient requests if it is readily producible. If a patient asks for their records as a PDF emailed to their personal email, and your system can export a PDF, you need to accommodate that. You can charge a reasonable cost-based fee for labor and supplies, but you cannot charge for search and retrieval time, and you cannot refuse the request because it is inconvenient.

Create a simple, written procedure for handling patient access requests and post it where your staff can reference it. Include the 30-day timeline, acceptable formats, fee limits, and who is responsible for fulfilling the request. A clear process prevents most of the errors that lead to OCR complaints.

Quick Hits

  • Install privacy screen filters on all patient-facing monitors
  • Audit your PHI disposal process - no patient information in regular trash
  • Verify automatic screen locks are set to 2 minutes or less on all workstations
  • Review your breach notification procedure and ensure all staff know the reporting chain
  • Confirm every workforce member (including temps) has signed a HIPAA acknowledgment
  • Check that your patient access request process meets the 30-day deadline

Stay compliant. Stay ahead. - The Rxperts Team
