I got an interesting email recently from a pharmacist who read an article I wrote in the past for Pharmacy Times about drug reps in the healthcare system. He asked if I ever gave patient information to them and what was allowed to be given to them. I thought it would be a good idea to elaborate on this topic a bit and explore what types of information can be given to drug representatives.
A (very brief) overview of HIPAA
Most of us are pretty familiar with HIPAA, but I want to start by going over it briefly as well as dispelling some myths about the law so we have a good background.
The Health Insurance Portability and Accountability Act (HIPAA) put in place significant rules intended to protect patient privacy. In it, the legislation allows for the release of protected health information (PHI) for treatment, payment, or operations. This article provides more detail on how each of those is defined - I highly recommend taking a look at it.
One frequently encountered myth is that the patient must sign a waiver before any information can be released to anyone; in fact, it is very common for physician offices to require a patient to sign a waiver prior to sending records to another physician office. While an office may choose to do that, the disclosure clearly falls under treatment and thus does not require patient authorization prior to release.
The above-linked article even provides this example: "A primary care provider may send a copy of an individual’s medical record to a specialist who needs the information to treat the individual."
To put that into perspective as a pharmacist, can you imagine if we had to have the patient sign a waiver before we could send any claims to an insurance company, or even request refills from the prescribing physician? After all, it is a release of patient information that the patient did not expressly authorize in writing.
If pharmacies had to do that, I'm pretty sure most of us would just have to shut the business down.
HIPAA also acknowledges that, in order to provide timely and efficient care, some incidental disclosure is possible (and actually, in my opinion, very likely). A good example in the pharmacy is billing a patient's old insurance. The old insurance is not involved in their care, so wouldn't it actually be considered a privacy violation? Again, if every pharmacy were punished for doing that we would all shut down and go sell hot dogs or tires instead.
The law makes clear that the intent is not to 'impede healthcare' with this kind of excessive regulation, so instead it requires reasonable safeguards. One safeguard is the 'minimum necessary' standard we are so used to hearing about in HIPAA training.
Protected health information (PHI) is defined as "individually identifiable health information" and includes a wide variety of things; it is important to note that it does not have to be, nor is it defined as, official documents or medical records. If you write a prescription number in crayon on a piece of construction paper, it's still PHI. If you throw extensive discharge information from a patient in the regular trash but have torn off the top that had all of their info on it (and there was no other identifying patient information on the document), then it is not PHI.
In order for PHI to be de-identified, all of the following must be removed (this list is pulled directly from the HHS website):
All geographic subdivisions smaller than a state, including street address, city, county, precinct, ZIP code, and their equivalent geocodes, except for the initial three digits of the ZIP code if, according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all ZIP codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a ZIP code for all such geographic units containing 20,000 or fewer people is changed to 000
All elements of dates (except year) for dates that are directly related to an individual, including birth date, admission date, discharge date, death date, and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
Vehicle identifiers and serial numbers, including license plate numbers
Device identifiers and serial numbers
Web Universal Resource Locators (URLs)
Social security numbers
Internet Protocol (IP) addresses
Medical record numbers
Biometric identifiers, including finger and voice prints
Health plan beneficiary numbers
Full-face photographs and any comparable images
Prescription numbers could easily fall under "Medical Record Numbers" and so would be considered PHI.
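The rules above are concrete enough to turn into code, and doing so is a useful way to check a data export before it leaves the pharmacy. The following Python is an added example, not code from the original article: it drops the identifier fields the article lists (plus the name field, which is on the HHS Safe Harbor list even though the excerpt above omits it), reduces dates to the year, aggregates ages over 89 into "90 or older", truncates ZIP codes to three digits (or "000" for a sparsely populated prefix), and then scans any free-text fields for identifiers that survive field removal. The field names, the sample record and the restricted ZIP prefix set are all constructed for illustration; the real set of restricted prefixes must come from current Census data.

```python
"""Added example, not from the original article: a Safe Harbor de-identification
pass built from the rules the article lists. Field names, the sample record and
the restricted ZIP prefix set are constructed for illustration."""
import re
from datetime import date

# Fields the article says must be removed outright. "prescription_number" is included
# because the article treats it as a medical record number; "name" is on the HHS Safe
# Harbor list even though the article's excerpt omits it.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "precinct", "ssn",
    "medical_record_number", "prescription_number", "health_plan_beneficiary_number",
    "vehicle_id", "license_plate", "device_serial", "url", "ip_address",
    "biometric_id", "photo",
}
# Dates directly related to the individual: only the year may survive.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
# CONSTRUCTED placeholder for three-digit ZIP prefixes covering 20,000 people or
# fewer; the real set must come from current Census data.
RESTRICTED_ZIP_PREFIXES = {"036", "059", "063", "102", "203"}
# Patterns for identifiers that tend to hide inside free-text fields.
TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+", re.IGNORECASE),
    "full_date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
}


def safe_harbor_zip(zip_code, restricted=RESTRICTED_ZIP_PREFIXES):
    """Keep the first three digits, or '000' when the prefix is sparsely populated."""
    digits = re.sub(r"\D", "", zip_code or "")
    prefix = digits[:3]
    return "000" if len(prefix) < 3 or prefix in restricted else prefix


def age_on(birth, as_of):
    """Whole years of age on the given date."""
    return as_of.year - birth.year - ((as_of.month, as_of.day) < (birth.month, birth.day))


def residual_identifiers(record):
    """List (field, kind, match) for identifier patterns still present in string values."""
    found = []
    for field, value in record.items():
        if isinstance(value, str):
            for kind, pattern in TEXT_PATTERNS.items():
                found.extend((field, kind, m) for m in pattern.findall(value))
    return found


def deidentify(record, as_of=None, restricted=RESTRICTED_ZIP_PREFIXES):
    """Return a Safe Harbor de-identified copy of record; the input is not modified."""
    as_of = as_of or date.today()
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}

    if "zip" in out:
        out["zip"] = safe_harbor_zip(out["zip"], restricted)

    # Ages over 89 must be aggregated into a single "90 or older" bucket.
    birth = record.get("birth_date")
    age = record.get("age")
    if isinstance(birth, date):
        age = age_on(birth, as_of)
    if isinstance(age, int):
        out["age"] = "90 or older" if age > 89 else age

    for field in DATE_FIELDS & out.keys():
        if isinstance(out[field], date):
            # Even a birth year would reveal an age over 89, so drop it entirely then.
            over_89 = field == "birth_date" and out.get("age") == "90 or older"
            out[field] = None if over_89 else out[field].year

    # Fields may be clean while free text still carries identifiers; redact those too.
    for field, value in out.items():
        if isinstance(value, str):
            for kind, pattern in TEXT_PATTERNS.items():
                value = pattern.sub(f"[{kind} removed]", value)
            out[field] = value
    return out


SAMPLE_RECORD = {  # constructed test data, not a real patient
    "name": "Jane Doe",
    "street_address": "12 Elm St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704-1234",
    "birth_date": date(1930, 5, 1),
    "admission_date": date(2023, 3, 14),
    "ssn": "123-45-6789",
    "prescription_number": "RX0001234",
    "drug": "atorvastatin 20 mg",
    "notes": "Refill request via 203.0.113.9 on 3/14/2023; see http://portal.invalid/x",
}


def demo():
    """De-identify the constructed sample as of a fixed date so results are stable."""
    return deidentify(SAMPLE_RECORD, as_of=date(2024, 1, 1))


if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE_RECORD))
    cleaned = demo()
    print("after:", cleaned)
    print("residual:", residual_identifiers(cleaned))
```

Two design points are worth noting. The residual scan exists because the article's point about crayon on construction paper applies to data exports too: a record whose identifier columns have been dropped can still carry an IP address or a full date inside a notes field, so the check runs on what remains rather than trusting the column list. And the de-identified copy keeps the state, the drug and the admission year, which is the kind of aggregate, de-identified data the article says may be shared; anything the scan still flags should be treated as PHI until it is removed.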
HIPAA as it applies to drug reps
Now to the question about drug reps. Clearly their role (i.e. to sell the drug) does not fall under treatment, payment, or operations. Because of that, there can be no release of PHI to a drug rep without authorization from the patient.
So what can drug reps legally see? The truth is, just about anything else: financial data (not illegal, but as an employee you could get in hot water with many companies for showing it to them), de-identified patient data (it is not PHI at that point), quality metrics, physician prescribing data (in aggregate, de-identified), etc. Of note, it is very possible that it is against your company's policy to release some (or all) of these items. Most companies, for example, are pretty protective of their income statements.
It is important to note here that although the drug companies' medical teams are made up almost entirely of physicians, pharmacists, nurse practitioners, and other healthcare professionals you might see as "HIPAA trained", you still cannot disclose PHI to them without the patient's consent. They are not treating the patient!
Here's a good article of FAQs on how provider offices should and should not interact with sales reps to maintain patient privacy. It is also a good one for pharmacies.
Here is another article about some drug reps that got in trouble for HIPAA violations when they decided to help the pharmacy fill out prior authorization paperwork.
Here is basically all you need to remember to comply with HIPAA (in addition to some common sense):
PHI is any individually identifiable health information. If there is even a slight possibility the information provided could be tied back to the individual patient you are probably in PHI territory; and
Without authorization, PHI may only be released for treatment, payment, or operations. Memorize those three words! If you don't remember anything else from this article I want you to remember those three words.
Drug reps do not fall under any of those three magical words (say it with me - treatment, payment, operations); therefore, you would need authorization from the patient to release their PHI to a rep.
Here is the link to the full HIPAA rule for your reading pleasure. Enjoy!