Paul,
I would think that one must consider that the pharmacy operated by the
grocery store is a covered entity that is in possession of PHI regarding
customers to whom or for whose benefit prescriptions are dispensed. �In
order to send a "loyalty card" to a customer, the pharmacy or grocery store
must examine its customer records. �I would think data indicating that a
customer received a prescription from a particular pharmacy is just as much
PHI as data indicating that an individual is a patient of a particular
hospital, even though in both instances, the exact nature of the
prescription or care provided might not be discernible without more
information.
If the patient of the hospital has the right not to have it disclosed that
he or she is a patient of the hospital, why would he or she not also have
the right to object to the disclosure that he or she received a
prescription from a particular pharmacy? �Moreover, if the grocery store or
pharmacy has the capability of accessing the data to determine that the
customer has had prescriptions filled at its pharmacy, then wouldn't it
also have the capability to determine how frequently prescriptions were
filled. �From such data, damaging inferences might be drawn, with or
without more detail regarding the exact nature of the prescriptions, thus
rendering such data all the more sensitive and, one might argue, deserving
of even great protection as PHI.
Accordingly, if this leads one to conclude that the data is, in fact, PHI,
then limitations must be placed on who within the grocery store may have
access and consideration must be given to whether the access is for
purposes of treatment, payment or healthcare operations or something else,
like marketing, and whether express authorization for its use might be
necessary.
************************************************
Peter B. Goldstein, Esq.
Cap Gemini Ernst & Young, US LLC
4610 South Ulster Street, Suite 600
Denver, Colorado �80237-4323
(303) 796-4148 (Direct)
(413) 740-0512 (Facsimile)
cap comm: 657 4653
[EMAIL PROTECTED]
************************************************
|------------------------+------------------------+------------------------|
| | "Paul Costello" | |
| | <pcostello@imrglobal.| � � � � To: |
| | com> | <[EMAIL PROTECTED]> |
| | | � � � � cc: |
| | 12/05/2001 03:11 PM | � � � � Subject: |
| | | PHI Question |
|------------------------+------------------------+------------------------|
I have a question regarding the definition of personal health �information
(PHI) and how it�is defined the following �scenario:
A grocery store that uses "loyalty" cards (cards used by �consumers to
receive discounts on purchased items) captures, at the point of �sale, that
a consumer purchased a prescription drug at the �pharmacy.
The grocery store stores, in a database, the following �information:
Name:
John Doe
Date:
1/1/01
Items:
"Bread"
"Milk"
"Prescription Drug"
Would the fact that John Doe purchased a "prescription drug" on 1/1/01 be
considered PHI?
Any insight in greatly appreciated.
Thank you.
Paul Costello
__________________________
Paul V. Costello
Senior �Consultant
CGI
3100 Zinfandel Drive, Suite #250
Rancho Cordova, �CA� 95670
Phone: (916) 631-7645 ext. 30
Fax: (916) �631-7647
E-Mail: [EMAIL PROTECTED]
***Confidentiality Notice***
Proprietary/confidential information �belonging to CGI (formerly IMRglobal)
may be contained in this message.� �If you are not a recipient indicated in
this message (or responsible for �delivery of this message to such person),
or you think for any reason that �this message may have been addressed
to you in error, you may not use or copy �or deliver this message to anyone
else.� In such cases, you should �destroy this message and kindly notify
the sender by reply �mail.
**********************************************************************
To be removed from this list, go to:
http://snip.wedi.org/unsubscribe.cfm?listprivacy
and enter your email address.
**********************************************************************
To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy
and enter your email address.
