How does the HIPAA Privacy Rule affect the Prescription Monitoring Program?
45 C.F.R. §164.512 provides a set of exceptions to the general rules that require consent or authorization by a patient before protected health information may be disclosed and used. Specifically, a covered entity such as a pharmacy may disclose protected health information for certain public health activities and purposes. In addition, disclosure may be made to a health oversight agency for oversight activities authorized by law. These two exceptions allow for the disclosure of information to the prescription monitoring program.
Limits on Use of Personal Medical Information
The Privacy Rule sets limits on how health plans and covered providers may use individually identifiable health information. To promote the best quality care for patients, the rule does not restrict the ability of doctors, nurses and other providers to share information needed to treat their patients. In other situations, though, personal health information generally may not be used for purposes not related to health care, and covered entities may use or share only the minimum amount of protected information needed for a particular purpose. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside entity for purposes not related to their health care (see 45 CFR Parts 160, 162, and 164).
For more information about the HIPAA Privacy Rule, please visit HHS - Office for Civil Rights: http://www.dhhs.gov/ocr/hipaa/