Actually, let's think about this... Is a purchase of over the counter drugs PHI??
Personally, I think that the grocer should not be able to store the fact that the person purchased a prescription at all; at least outside of the pharmacy tracking system. Surely to err on the side of safety they would not make that information available with other purchase information... But, if John Doe also buys cough medicine to treat his Bronchitis along with the prescription antibiotics, should that be disclosed or available along with the fact that he bought dog food and toilet bowl cleaner? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 06, 2001 12:27 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: PHI Question Paul, I would think that one must consider that the pharmacy operated by the grocery store is a covered entity that is in possession of PHI regarding customers to whom or for whose benefit prescriptions are dispensed. In order to send a "loyalty card" to a customer, the pharmacy or grocery store must examine its customer records. I would think data indicating that a customer received a prescription from a particular pharmacy is just as much PHI as data indicating that an individual is a patient of a particular hospital, even though in both instances, the exact nature of the prescription or care provided might not be discernible without more information. If the patient of the hospital has the right not to have it disclosed that he or she is a patient of the hospital, why would he or she not also have the right to object to the disclosure that he or she received a prescription from a particular pharmacy? Moreover, if the grocery store or pharmacy has the capability of accessing the data to determine that the customer has had prescriptions filled at its pharmacy, then wouldn't it also have the capability to determine how frequently prescriptions were filled. From such data, damaging inferences might be drawn, with or without more detail regarding the exact nature of the prescriptions, thus rendering such data all the more sensitive and, one might argue, deserving of even great protection as PHI. Accordingly, if this leads one to conclude that the data is, in fact, PHI, then limitations must be placed on who within the grocery store may have access and consideration must be given to whether the access is for purposes of treatment, payment or healthcare operations or something else, like marketing, and whether express authorization for its use might be necessary. ************************************************ Peter B. Goldstein, Esq. Cap Gemini Ernst & Young, US LLC 4610 South Ulster Street, Suite 600 Denver, Colorado 80237-4323 (303) 796-4148 (Direct) (413) 740-0512 (Facsimile) cap comm: 657 4653 [EMAIL PROTECTED] ************************************************ |------------------------+------------------------+------------------------| | | "Paul Costello" | | | | <pcostello@imrglobal.| To: | | | com> | <[EMAIL PROTECTED]> | | | | cc: | | | 12/05/2001 03:11 PM | Subject: | | | | PHI Question | |------------------------+------------------------+------------------------| I have a question regarding the definition of personal health information (PHI) and how it is defined the following scenario: A grocery store that uses "loyalty" cards (cards used by consumers to receive discounts on purchased items) captures, at the point of sale, that a consumer purchased a prescription drug at the pharmacy. The grocery store stores, in a database, the following information: Name: John Doe Date: 1/1/01 Items: "Bread" "Milk" "Prescription Drug" Would the fact that John Doe purchased a "prescription drug" on 1/1/01 be considered PHI? Any insight in greatly appreciated. Thank you. Paul Costello __________________________ Paul V. Costello Senior Consultant CGI 3100 Zinfandel Drive, Suite #250 Rancho Cordova, CA 95670 Phone: (916) 631-7645 ext. 30 Fax: (916) 631-7647 E-Mail: [EMAIL PROTECTED] ***Confidentiality Notice*** Proprietary/confidential information belonging to CGI (formerly IMRglobal) may be contained in this message. If you are not a recipient indicated in this message (or responsible for delivery of this message to such person), or you think for any reason that this message may have been addressed to you in error, you may not use or copy or deliver this message to anyone else. In such cases, you should destroy this message and kindly notify the sender by reply mail. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?listprivacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
