Alexandria, Va. - Sept. 16, 2010
The National Community Pharmacists Association (NCPA) recently submitted comments to the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) in response to its Notice of Proposed Rulemaking on Modifications to the HIPAA Privacy and Security Rule as well as to implement recent statutory amendments under the HITECH Act. Overall, NCPA supports the proposed changes that seek to provide additional protections to safeguard consumers' protected health information (PHI).
HHS' existing privacy rule requires community pharmacies and other covered entities to make reasonable efforts to limit the use, disclosure of and requests of the patient's protected health information (PHI) to the "minimum necessary" to accomplish the intended purpose, a standard that most community pharmacies have found to be reasonable. Significantly, the proposed rule would extend those same obligations to business associates of the covered entities as well as any subcontractors of the business associate, such as a pharmacy benefit manager (PBM) contracting with a health insurance plan. The proposed rule also makes clear that business associates may not use their access to protected health information beyond the purpose for which they have been retained by the covered entity.
"NCPA feels strongly that business associates should not be allowed to capitalize on their access to protected health information to pursue business opportunities beyond the purpose for which they have been retained by the covered entity," the association said in comments filed with OCR. "NCPA has seen firsthand how a business associate of a health plan has used PHI to attempt to bolster its own financial bottom line."
NCPA has expressed concerns about this issue in the past. In the association's letter to OCR dated November 20, 2009, NCPA details how CVS Caremark, a combined pharmacy benefit manager/retail pharmacy chain and the subject of an active Federal Trade Commission investigation, appears to have accessed sensitive patient data available to the company in its capacity as a business associate of the health insurance plan. The data was then apparently used by CVS Caremark in an effort to steer those patients to its retail pharmacies. Many of the letters sent to patients by CVS Caremark included the specific drug name, the date of the patient's last fill and the name of their independent pharmacy. To guard against inappropriate uses of sensitive patient data, NCPA urged the Department to advise that all BA agreements include a statement on this obligation to patient privacy.
The proposed rule would also grant patients additional rights in certain circumstances to ask pharmacies and other covered entities to restrict disclosure of the patient's protected health information to a health plan. In some cases, such action would violate the pharmacy's contract obligations to third-party payers such as pharmacy benefit managers. To clear up this potential conflict NCPA asked OCR to issue guidance to clarify that a patient's request to exercise this right shall supersede any conflicting contractual agreement.
NCPA noted other scenarios needing clarification so that the expanded patient rights as proposed don't carry unintended consequences, such as preventing pharmacies from complying with state prescription drug monitoring programs or preventing the proper calculation of patient out-of-pocket costs in the Medicare Part D coverage gap (or "donut hole").
NCPA commended OCR for changing the proposed rule to address electronic prescribing concerns that the association previously addressed. The regulation's revised wording should allow e-prescribing transactions to continue unimpeded.
The National Community Pharmacists Association (NCPA®) represents America's community pharmacists, including the owners of more than 22,700 independent community pharmacies, pharmacy franchises, and chains. Together they represent an $88 billion health-care marketplace, employ over 65,000 pharmacists, and dispense over 40% of all retail prescriptions. To learn more go to www.ncpanet.org or read NCPA's blog, The Dose, at http://ncpanet.wordpress.com.
Senior Vice President, Public Affairs
Director, Public Relations
NCPA News Release FeedWhat is RSS?
NCPA Advocacy Center
Legislative Action Network
NCPA's Blog — The Dose,
eNews Weekly Archives
Business Plan Competition,
Programs & Awards,
© NCPA • 100 Daingerfield Road • Alexandria, VA 22314 • 703.683.8200 • 703.683.3619 fax • email@example.com
NCPA ID #