Tag Archives: HIPAA authorizations

It Could Happen to You — A Call to Arms

On August 1, I wrote about how Big Brother may not be just the government, but, surprisingly, also your friendly pharmacist.  The Business Week article that I was referring to (http://www.businessweek.com/magazine/content/08_31/b4094000643943.htm) talked about how someone can be turned down for health insurance because the pharmacies they’ve used in the past have sent their pharmacy information to Pharmacy Benefit Managers (PBMs), who in turn sell the information to third parties, who sell the information to health insurance companies, who then deny health coverage. 

Sweet, huh?  For the health insurance companies, anyway.  But not for you.  Or your family.

And the road from the pharmacy to the PBM to the third party is all done without your authorization.  Which seems kind of funny to me, because pharmacies are HIPAA “covered entities”, and they need to have your authorization to share your protected health information, except in very specific circumstances.

Now, the HIPAA Privacy Rules allow an entity called a “Business Associate” to do business with a covered entity such as a pharmacy.  In such cases, the pharmacy, as the covered entity, must execute what’s called a “Business Associate Agreement” with the business associate, and part of the agreement allows the covered entity to share identifiable protected health information so that the business associate can do all kinds of things, under contract, to the covered entity — in this case, the pharmacy.

Okay.  So far we have a covered entity, the pharmacy.  And we have a business associate of the pharmacy, the PBM, pharmacy benefit manager.  Why would the pharmacy contract with a PBM? 

Because PBMs do all kinds of useful things that they can probably do a lot less expensively than the pharmacy.  Wikipedia says this about PBMs: PBMs are “. . . third party administrator(s) of prescription drug programs. They are primarily responsible for processing and paying prescription drug claims. They also are responsible for developing and maintaining the formulary, contracting with pharmacies, and negotiating discounts and rebates with drug manufacturers.  Due to their larger purchasing pool for prescription drugs, PBMs can negotiate rebates and discounts on behalf of their clients.”

I think we can agree that PBMs provide very useful services to pharmacies, right?  Good.

The problem comes along when the PBM sells your identified protected health information to yet a third party, for a profit.

I have a problem with that, a huge problem. 

The HIPAA Privacy Rules don’t allow your identifiable protected health information to be sold without your authorization. 

When was the last time your pharmacy asked your permission to sell your protected health information, or the protected health information of your children?  Gosh, I don’t remember ever being asked by a pharmacy to do such a thing with my protected health information. . . 

So I’m asking for your support: I’d like you to send an email to Health & Human Services and ask them the following questions:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Folks, the FTC has looked into this and not seen a problem with the practice of PBMs selling your identifiable protected health information.  But they are not responsible for the HIPAA Privacy Rules, Health & Human Services is.

So, please — send an email to OCRPrivacy@hhs.gov and ask them the above questions.  The more people who ask, the more they’ll pay attention and look at this very serious problem.

If you think this couldn’t really be an important issue, then I’d like to introduce you to Mr. Walter Shelton and his wife, Paula, who were denied health insurance because pharmacies they’d used in the past — WalMart and Randall’s (part of Safeway) — sent their identifiable protected health information to a PBM, who, without their authorization, sold it to a company called Med Point.  Med Point put together a pharmacy profile on them and sold it, along with the Shelton’s names, for $15 to Humana.  And then Humana rejected their insurance application because of the use of a couple of very minor medications that many of us may need to use at one time or other.

Have Humana?  How about Aetna?  Blue Cross/Blue Shield?  UnitedHealth Group?  Some other health insurance?  Do you ever get your prescriptions filled at WalMart?  Safeway?  Randalls?  Then yes, it COULD happen to you, when they sell information about you to Med Point or their competitor, IntelliScript, for just $15.

Please everyone, a quick email to OCRPrivacy@hhs.gov — remember, it’s Health & Human Services (HHS) that administers the federal medical privacy laws and rules — and ask them:

1.  Is a pharmacy a HIPAA covered entity?

2.  Is a Pharmacy Benefit Manager a business associate of a pharmacy?

3.  Can a business associate of a HIPAA-covered entity sell identifiable protected health information to a third party — for a profit — without the patient’s authorization?

Mr. Shelton has already sent his email to HHS, will you send one, too?  Just takes a minute.


I blog regularly on medical privacy issues, medical records, HIPAA, and other related issues.  If you have any questions about your medical privacy, your ability to get copies of your medical records, privacy problems with your doctors, dentists, chiropractors, psychologists, etc., please send me an email at hipaadiva@yahoo.com — I would be honored to help.


HIPAA Complaints — Yes, We Have Some Statistics, and You’re Not Alone

HIPAA privacy and security complaint statistics have been made available for June.  You may not realize it, but the federal HIPAA Privacy program is administered by Health & Human Services (HHS) Office of Civil Rights (OCR). 

Let’s see how things are going.

June 2008 — OCR received 849 HIPAA privacy complaints.  Ouch.

OCR pegged 256 cases that required some kind of action by the HIPAA covered entity (that would be a provider, a hospital, an insurance plan, folks like that who work with your protected health information).  If all 256 of those cases were filed in June, it means that a quick look-see at the complaints, just for June, reveals at least 30% of them will require that the provider or hospital or health plan DO SOMETHING to protect your health information.

OCR made one referral to the Department of Justice for potential prosecution.  Not bad, especially considering that OCR has referred 436 cases to DOJ since April 2003.  We can interpret this one of two ways: either the bad guys are getting better at getting away with stealing your protected health information, or providers, hospitals, and health plans are getting better at protecting it.  (I wouldn’t put any money on the second possibility.)

The most common HIPAA privacy complaints were:

—  Unauthorized disclosures of protected health information

—  Safeguard issues — the doctors, or practices, or health plans, etc., were not taking as good a care of your protected health information as they probably should 

—  Denial of patient requests for copies of their medical records

—  Disclosing too much protected health information 

—  Utilizing invalid authorizations for disclosing protected health information (I’ll explain more about valid authorizations in a future post)

In order, here are the offenders:

—  Private practices

—  Hospitals

—  Outpatient (day surgery) facilities

—  Health Plans (group health plans and health insurance companies)

—  Pharmacies (a small surprise, right?)

The HIPAA Security Rules are administered by CMS — the folks who bring you Medicare.  They received 10 complaints in May — a very big jump for them.

Got a question about your or your family’s protected health information, your medical records, or your HIPAA Privacy & Security rights?  Leave a comment, or send me an email at hipaadiva@yahoo.com.  I’m here to help.  BTW, all posts on my blog, written by me, are (c) 2008 Lane R Hatcher.  If you’d like to reprint, contact me!  And yes, I’m working on a web site.