Does HIPAA apply to supermarkets with a pharmacy?

Written by Kirsten Peremore | Jan 30, 2025 3:31:34 PM

Yes, HIPAA applies to the pharmacy within the supermarket, but not to the supermarket operation itself. When a supermarket operates a pharmacy, that pharmacy must comply with HIPAA because it handles protected health information (PHI) related to prescription services. HIPAA therefore distinguishes between the roles within the supermarket: the non-pharmacy operations of the supermarket do not need to comply with HIPAA because they do not handle PHI.

Do supermarkets with pharmacies qualify as covered entities?

HIPAA defines covered entities as healthcare providers who transmit health information electronically in connection with transactions for which the HHS has set standards. According to the American Academy of Pediatrics, "The Federal HIPAA privacy regulations apply to what is termed 'Covered Entities.' Below are the groups identified as covered entities: Health care providers such as physicians, dentists, psychiatrists, hospitals, clinics, pharmacies, and laboratories. Other groups may also meet HIPAA's definition of Covered Entities."

Since pharmacies within supermarkets engage in activities like processing prescriptions, billing, and managing patient information, they fall under this definition.

How HIPAA affects the operation of a supermarket

The presence of a pharmacy allows supermarkets to offer a wide range of health and wellness services, like prescription dispensing and immunizations. This integration increases foot traffic and boosts average spending: customers who use pharmacy services tend to spend more on groceries and other items while in the store. It should be noted that with an adequate division between pharmacy and non-pharmacy operations, the supermarket itself would not have to comply with HIPAA the way the pharmacy division does.

The HIPAA requirements for pharmacies

As a covered entity, a pharmacy's compliance with HIPAA includes:

  • The Privacy Rule requires that all patient data remain confidential and be shared only on a need-to-know basis for treatment, payment, or healthcare operations. The rule also requires comprehensive training programs for covered entities like pharmacies so that staff understand their responsibilities in handling PHI.
  • The Security Rule requires pharmacies to put safeguards in place to protect electronic PHI (ePHI) from unauthorized access. These safeguards include measures like the use of HIPAA-compliant email to secure the transmission of ePHI.
  • The Breach Notification Rule further obligates pharmacies to notify affected patients and authorities promptly after a breach involving unsecured PHI.

FAQs

What are the covered functions?

Covered functions are activities that would make an entity a healthcare provider, health plan, or healthcare clearinghouse, involving the use or disclosure of PHI.


What are non-covered functions?

Non-covered functions are business activities that do not involve healthcare services or the handling of PHI and are not subject to HIPAA regulations.


Why would an entity want to designate itself as a hybrid entity?

Designating as a hybrid entity allows an organization to limit HIPAA compliance obligations to only its healthcare components.