With all respect to the interpretation cautioning against maintenance of the list or any list of pharmacy customers...
The spirit of the law is to opt out of release of that information...outside marketing firms etc. would probably be covered and the transfer of the data to them would probably require consent or if not explicit authorization The question is would a checkbox question solve this: Do you not wish to receive offers on prescriptions? Would this be an appropriate out a does the grocery pharmacy need consent on signup at the pharmacy to maintain a list and to notify John Doe of specials and loyalty offers. Either way, I still do not see the requirement that you may no longer maintain any company file on whomever might constitute a firm's current customers by product line - you should be able to maintain it as long as it does not indicate illness, diagnosis or treatment. This was not a question about selling their list, it is a simple question of list maintenance and sending a simple loyalty card or offer. Any restrictions on a firms ability to do this basic customer tracking are not reasonable. Joe Joseph Schein Sr. Consultant Director of Business Development Axiom Systems, Inc. Phone: 757-270-3069 800 #: 800-330-8119 ext 252 or 0 for Operator Office: 301-840-3861 Fax: 208.275.1777 [EMAIL PROTECTED] See our web site at www.axiom-systems.com Axiom Systems: THE MANAGED CARE TECHNICAL EXPERTS Co Chair - MAHI Mid Atlantic Health / HIPAA Initiative See our website at www.mahicentral.org [EMAIL PROTECTED] MAHI - Saving Time and Money on HIPAA Compliance -----Original Message----- From: Heiert, David [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 06, 2001 12:55 PM To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: RE: PHI Question Actually, let's think about this... Is a purchase of over the counter drugs PHI?? Personally, I think that the grocer should not be able to store the fact that the person purchased a prescription at all; at least outside of the pharmacy tracking system. Surely to err on the side of safety they would not make that information available with other purchase information... But, if John Doe also buys cough medicine to treat his Bronchitis along with the prescription antibiotics, should that be disclosed or available along with the fact that he bought dog food and toilet bowl cleaner? -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 06, 2001 12:27 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: PHI Question Paul, I would think that one must consider that the pharmacy operated by the grocery store is a covered entity that is in possession of PHI regarding customers to whom or for whose benefit prescriptions are dispensed. In order to send a "loyalty card" to a customer, the pharmacy or grocery store must examine its customer records. I would think data indicating that a customer received a prescription from a particular pharmacy is just as much PHI as data indicating that an individual is a patient of a particular hospital, even though in both instances, the exact nature of the prescription or care provided might not be discernible without more information. If the patient of the hospital has the right not to have it disclosed that he or she is a patient of the hospital, why would he or she not also have the right to object to the disclosure that he or she received a prescription from a particular pharmacy? Moreover, if the grocery store or pharmacy has the capability of accessing the data to determine that the customer has had prescriptions filled at its pharmacy, then wouldn't it also have the capability to determine how frequently prescriptions were filled. From such data, damaging inferences might be drawn, with or without more detail regarding the exact nature of the prescriptions, thus rendering such data all the more sensitive and, one might argue, deserving of even great protection as PHI. Accordingly, if this leads one to conclude that the data is, in fact, PHI, then limitations must be placed on who within the grocery store may have access and consideration must be given to whether the access is for purposes of treatment, payment or healthcare operations or something else, like marketing, and whether express authorization for its use might be necessary. ************************************************ Peter B. Goldstein, Esq. Cap Gemini Ernst & Young, US LLC 4610 South Ulster Street, Suite 600 Denver, Colorado 80237-4323 (303) 796-4148 (Direct) (413) 740-0512 (Facsimile) cap comm: 657 4653 [EMAIL PROTECTED] ************************************************ |------------------------+------------------------+------------------------| | | "Paul Costello" | | | | <pcostello@imrglobal.| To: | | | com> | <[EMAIL PROTECTED]> | | | | cc: | | | 12/05/2001 03:11 PM | Subject: | | | | PHI Question | |------------------------+------------------------+------------------------| I have a question regarding the definition of personal health information (PHI) and how it is defined the following scenario: A grocery store that uses "loyalty" cards (cards used by consumers to receive discounts on purchased items) captures, at the point of sale, that a consumer purchased a prescription drug at the pharmacy. The grocery store stores, in a database, the following information: Name: John Doe Date: 1/1/01 Items: "Bread" "Milk" "Prescription Drug" Would the fact that John Doe purchased a "prescription drug" on 1/1/01 be considered PHI? Any insight in greatly appreciated. Thank you. Paul Costello __________________________ Paul V. Costello Senior Consultant CGI 3100 Zinfandel Drive, Suite #250 Rancho Cordova, CA 95670 Phone: (916) 631-7645 ext. 30 Fax: (916) 631-7647 E-Mail: [EMAIL PROTECTED] ***Confidentiality Notice*** Proprietary/confidential information belonging to CGI (formerly IMRglobal) may be contained in this message. If you are not a recipient indicated in this message (or responsible for delivery of this message to such person), or you think for any reason that this message may have been addressed to you in error, you may not use or copy or deliver this message to anyone else. In such cases, you should destroy this message and kindly notify the sender by reply mail. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?listprivacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address. ********************************************************************** To be removed from this list, go to: http://snip.wedi.org/unsubscribe.cfm?list=privacy and enter your email address.
