The customer completes a form to receive the "loyalty" card, it is not based on the pharmacy records. The receipt only shows the price and the purchase type and perhaps the customer's name.
The customer can choose to pay for the purchase at the pharmacy counter rather than through the check out line. The grocer choose to require that prescriptions be paid for only at the pharmacy counter. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 06, 2001 9:27 AM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: PHI Question Paul, I would think that one must consider that the pharmacy operated by the grocery store is a covered entity that is in possession of PHI regarding customers to whom or for whose benefit prescriptions are dispensed. �In order to send a "loyalty card" to a customer, the pharmacy or grocery store must examine its customer records. �I would think data indicating that a customer received a prescription from a particular pharmacy is just as much PHI as data indicating that an individual is a patient of a particular hospital, even though in both instances, the exact nature of the prescription or care provided might not be discernible without more information. If the patient of the hospital has the right not to have it disclosed that he or she is a patient of the hospital, why would he or she not also have the right to object to the disclosure that he or she received a prescription from a particular pharmacy? �Moreover, if the grocery store or pharmacy has the capability of accessing the data to determine that the customer has had prescriptions filled at its pharmacy, then wouldn't it also have the capability to determine how frequently prescriptions were filled. �From such data, damaging inferences might be drawn, with or without more detail regarding the exact nature of the prescriptions, thus rendering such data all the more sensitive and, one might argue, deserving of even great protection as PHI. Accordingly, if this leads one to conclude that the data is, in fact, PHI, then limitations must be placed on who within the grocery store may have access and consideration must be given to whether the access is for purposes of treatment, payment or healthcare operations or something else, like marketing, and whether express authorization for its use might be necessary. ************************************************ Peter B. Goldstein, Esq. Cap Gemini Ernst & Young, US LLC 4610 South Ulster Street, Suite 600 Denver, Colorado �80237-4323 (303) 796-4148 (Direct) (413) 740-0512 (Facsimile) cap comm: 657 4653 [EMAIL PROTECTED] ************************************************ |------------------------+------------------------+------------------------| | | "Paul Costello" | | | | <pcostello@imrglobal.| � � � � To: | | | com> | <[EMAIL PROTECTED]> | | | | � � � � cc: | | | 12/05/2001 03:11 PM | � � � � Subject: | | | | PHI Question | |------------------------+------------------------+------------------------| I have a question regarding the definition of personal health �information (PHI) and how it�is defined the following �scenario: A grocery store that uses "loyalty" cards (cards used by �consumers to receive discounts on purchased items) captures, at the point of �sale, that a consumer purchased a prescription drug at the �pharmacy. The grocery store stores, in a database, the following �information: Name: John Doe Date: 1/1/01 Items: "Bread" "Milk" "Prescription Drug" Would the fact that John Doe purchased a "prescription drug" on 1/1/01 be considered PHI? Any insight in greatly appreciated. Thank you. Paul Costello __________________________ Paul V. Costello Senior �Consultant CGI 3100 Zinfandel Drive, Suite #250 Rancho Cordova, �CA� 95670 Phone: (916) 631-7645 ext. 30 Fax: (916) �631-7647 E-Mail: [EMAIL PROTECTED] ***Confidentiality Notice*** Proprietary/confidential information �belonging to CGI (formerly IMRglobal) may be contained in this message.� �If you are not a recipient indicated in this message (or responsible for �delivery of this message to such person), or you think for any reason that �this message may have been addressed to you in error, you may not use or copy �or deliver this message to anyone else.� In such cases, you should �destroy this message and kindly notify the sender by reply �mail. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?listprivacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ************************************************************************************************************* Confidentiality Statement-This e-mail and any files transmitted with it are confidential and are intended solely for the use of the individual or entity to which they are addressed. This communication may contain material protected by the attorney-client privilege. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited, and that you have received this e-mail and any accompanying files in error.You may not copy, publish or use them in any way and you should notify Beech Street Corporation immediately by replying to this message and deleting them from your system.Beech Street Corporation does not accept responsibility for changes to Emails that occur after they have been sent. ************************************************************************************************************* ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
