

Health Systems Struggling With HIPAA Privacy Rules

Donna Young

Before the April 14, 2003, compliance deadline for the privacy regulations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), most health systems had been spending months, even years, developing policies and procedures, upgrading computer systems, reviewing and writing new contracts, and training staff.

But because the regulations are complicated and each organization’s policies and procedures are based on its own interpretations of the complex rules, many health systems are struggling with specific patient privacy issues not clearly described by HIPAA.

For instance, the regulations do not specifically instruct health systems how to properly dispose of i.v. bags and bottles that bear labels identifying a patient’s name and the medication. Unlike paper products, bags and bottles cannot be shredded to destroy a patient’s health information, information now considered protected under the privacy rules.

For up-to-date information about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and frequently asked questions answered by the Health and Human Services Office of Civil Rights, go to To discuss pharmacy-related issues with other practitioners, participate in the ASHP issue discussion group on HIPAA preparedness (sign up at 

Update 13 June 2003—Also available is the ASHP HIPAA Resource Center, offering current information on the regulations from ASHP and federal and state agencies. The center is a service provided by the ASHP Section of Home, Ambulatory, and Chronic Care Practitioners and the ASHP Government Affairs Division.

Some health systems have been using black markers to conceal patients’ identifiable information before disposing of i.v. bags and bottles. 

Thomas E. O’Brien, pharmacy services systems director for Strong Health, the health system of the University of Rochester Medical Center in Rochester, New York, said his health system has considered using black markers to draw lines through patient information. But, he said, “that doesn’t seem too practical” because information not completely marked out could be left visible and the process is time-consuming.

Strong Health has also considered using tear-off labels that could easily be removed from i.v. containers and shredded by machines. But that solution could create a patient safety issue if a label on an i.v. container were not securely attached and came off before the drug was delivered to a patient or before a nurse had documented information about the medication’s administration.

Another option, O’Brien noted, is to hire a firm that would securely destroy i.v. bags.

But at 23 cents per pound—one estimate provided to O’Brien’s health system—“that would be astronomically expensive,” he said.

Reasonable safeguards. Pharmacist Gary G. Cacciatore, director of regulatory affairs and regulatory counsel for Cardinal Health Inc., said that there is “no real hard and fast answer” about how to properly dispose of containers that bear patient information and cannot be shredded.

“It’s whatever you consider to be reasonable,” he said.

Organizations that the federal government deemed covered entities—health plans, health care providers, and health care clearinghouses—must implement “reasonable safeguards to protect an individual’s privacy,” according to a guidance issued in December 2002 by the Department of Health and Human Services (HHS).

The guidance was issued in the form of 190 frequently asked questions (FAQ) answered by HHS’s Office of Civil Rights, which is responsible for medical privacy issues.

“Covered entities must evaluate what measures make sense in their environment and tailor their practices and safeguards to their particular circumstances,” HHS stated.

Patricia Beato, privacy officer for Strong Memorial Hospital and chair of her health system’s HIPAA privacy committee, said HHS’s online FAQ has been “helpful in providing a level of understanding that any facility might be able to go to and apply, because a lot of this is interpretation.”

Beato has advised Strong Health’s nurses providing home infusion services not to collect empty i.v. containers from patients, but to let patients dispose of them.

Pharmacist Robert P. Giacalone, vice president of regulatory affairs and chief regulatory counsel for Cardinal Health, similarly recommended that, when patients present old prescription vials when requesting a refill, the pharmacy staff should return the old vials to the patients for disposal.

Pharmacies, he added, should state in their policies and procedures that personnel must return even the old vials that patients bring in to show which prescriptions they want refilled. That way, he said, if a vial with patient information were found on the street, “at least you have a policy and procedure in place that says, ‘no, we don’t just dump them in our trash.’”

If a pharmacy collects old prescription vials from patients, Giacalone suggested, it should contract with a “dedicated disposal company” that securely disposes of containers that have protected medical information on the labels.

But, Cacciatore noted, the high cost of contracting with special disposal companies is out of range for some health systems’ budgets.

Business associate agreements. Giacalone recommended that pharmacies contracting with companies for disposal of containers and other items bearing patient information should sign a business associate agreement—a written contract by which companies agree to use appropriate safeguards to protect patient information, report any unauthorized disclosure of the information, and make internal records and practices available to HHS on request.

Pharmacist Roger Klotz, president of Specialized Clinical Services, an information services and consulting firm in Irvine, California, said he had signed more business associate agreements in the two weeks leading up to the April 14 deadline than he did in the past two years.

“But I probably only have 25% of our clients” with a signed agreement, he said.

Klotz also owns a compounding pharmacy, Care Partners Pharmacy, in Chino Hills, California.

He said he has had to deal with HIPAA as a practitioner, distributing privacy notices to patients, and as a business owner, training staff and providing his clients with software on information about protecting patients’ medical information.

Covered entities should seek agreements with business associates, Giacalone said. But, he added, there is a lot of confusion about who should sign such documents.

“They are starting to send them out like hard candy at trick-or-treat at Halloween. Everybody’s getting them,” he said. “There is so much confusion that people are just taking a shotgun approach to the whole issue.”

Many hospitals, physician offices, and pharmacies, Cacciatore said, are telling pharmaceutical sales representatives that they can no longer enter facilities or offices without signing a business associate agreement.

“There is a belief out there that if anyone has a possibility of seeing or being exposed to any protected health information, they have to sign an agreement and be a business associate, and that is not the way the rule is set up,” he said. “A business associate of a covered entity under the rule has to be performing a function on behalf of that covered entity that requires access to that protected health information.”

A person coming in for a sales call, Cacciatore said, is “not performing any function on behalf of that pharmacy or that physician’s office.”

Incidental disclosure. If a pharmaceutical sales representative accidentally heard or saw protected patient information, either by overhearing a conversation among health care providers about a patient’s treatment or walking past a computer screen displaying a patient’s information, it would be considered an “incidental disclosure,” Giacalone added.

“Incidental disclosures are permitted only when the covered entity has implemented reasonable safeguards,” according to HHS.

The HIPAA privacy rule is not intended to prohibit providers from talking to each other and their patients. “Oral communications often must occur freely and quickly in treatment settings,” HHS stated in its December 2002 guidance on the privacy rule.

Reasonable precautions that health care providers could take when discussing a patient’s care, HHS suggested, include using lowered voices or talking apart from others when sharing protected health information.

But HHS strongly warned that physicians, pharmacies, and hospitals are prohibited from disclosing protected health information for marketing uses or selling patient lists to third parties, such as pharmaceutical companies, for their use.

Other examples of incidental disclosure include patients in a waiting room hearing the name of other patients when called to see the health care provider or seeing other patients’ names on sign-in sheets. Covered entities may use sign-in sheets or announce names in waiting rooms “so long as the information disclosed is appropriately limited,” according to HHS.

Covered entities should not use a sign-in sheet that requires patients to identify the purpose of their visit and should not announce any information other than a patient’s name in a waiting room, noted Giacalone.

Leslie R. Mackowiak, assistant director of pharmacy for Duke University Medical Center in Durham, North Carolina, said that her health system has been struggling with deciding when it has achieved full compliance with the privacy rules.

“It’s a continuous debate,” she said. “You have to step back and look at everything and ask ‘is this reasonable?’”

Mackowiak said her health system has been at odds with some of its vendors about the extent of security that is needed in protecting patients’ privacy.

“Some of our vendors think that meeting the most basic levels of HIPAA is enough, whereas we have wanted more security,” she said. “But then it has been difficult to decide what is truly enough. When do you say enough is enough?”

Misconceptions. Some patients are misconstruing HIPAA’s privacy rules, said Strong Health’s Beato, and are requesting that their names be removed from outside their hospital room doors.

But HHS’s FAQ, she noted, stated that HIPAA’s privacy rules do not forbid a hospital from posting an inpatient’s name outside his or her room.

Strong Health had received a complaint about patients’ names being visible on cards attached to flowers delivered to inpatients, Beato said. While visible names on cards attached to flowers are not prohibited under HIPAA, she noted, Strong Health found a “low-tech solution” to the problem by placing small adhesive note papers over the patient names.

“We don’t want patients to think that we are not always taking privacy very seriously, so if there is something that we can do to make them feel a little bit better, we will try to do that,” Beato said.

Another misunderstanding about HIPAA, Cacciatore noted, is that some hospitals, physician offices, and pharmacies are withholding requested patient information from health care providers because of HIPAA’s minimum necessary standard.

The minimum necessary rule requires covered entities to make reasonable efforts to limit access to protected health information to the minimum amount necessary to accomplish the intended purpose of the use, disclosure, or request. But disclosures between health care providers for treatment purposes are explicitly exempted from the minimum necessary requirements, according to HHS.

Some pharmacies, under another misconception of the privacy rules, are refusing to allow state board of pharmacy or Drug Enforcement Administration inspectors or law enforcement personnel to review patients’ prescription records, Giacalone said.

Those inspectors, he said, “have a right to see these records.”

When inspectors do review a patient’s record, he said, the pharmacy is obligated to notify that patient in response to a request for an accounting of who has reviewed his or her record.

The National Association of Boards of Pharmacy requested clarification in a December 9, 2002, letter to HHS about how a pharmacy should account for disclosures made of protected health information to board of pharmacy inspectors “when inspectors may skim through hundreds, or even thousands of hard copy prescriptions and/or computerized files in one inspection.”

In its response, HHS said that a covered entity is “free to design a system that efficiently permits an accounting to be provided upon an individual’s request.”

HHS noted that it would be “sufficient to prepare a standard checklist of such disclosures, which could then be completed and provided to those individuals who request an accounting.”