Privacy of Pharmacy Records

By Ronald L. Scott

According to the National Conference of State Legislatures Health Policy Tracking Service, in 1998 at least 35 state legislatures considered laws clarifying the boundaries between confidentiality and privacy of medical records and rightful access to computerized health information by qualified medical researchers, insurers and employers.. Eight states passed laws protecting the privacy of pharmacy records, i.e., Georgia, Kentucky, Maine, New Hampshire, Ohio, Rhode Island, South Carolina, and Virginia.. Texas and some other states are currently considering legislation.

Two reported settlement agreements illustrate the risks associated with misuse of patient prescription information. One recent settlement included an agreement by the pharmacy chain (Rite-Aid) to restrict its disclosure procedures in the future. 22 BNA Pension and Benefits Reporter 33 (Jan. 2, 1995). The settlement calls for Rite Aid "to implement new prescription billing procedures to protect HIV sufferers" from having their names linked with the HIV-related medications they purchase, according to Suzanne Mead, a vice president of Rite-Aid. However, the agreement applies only to Rite-Aidís 389 Pennsylvania pharmacies, although Rite-Aid also operates pharmacies in 22 other states. Id. In another settlement regarding marketing practices for prescription drugs, the settlement required that the company (Medco) advise consumers about the extent to which confidential information in Medcoís consumer files will remain confidential, including the fact that medical histories and prescription drug usage could be made available to consumersí employers. Seventeen Attorneys General Reach $1.9 Million Prescription Drug Practices Settlement With Merck-Medco Health Conglomerate, National Association of Attorneys General, Consumer Protection Rep. 10, 11 (Nov. 1995).

Numerous states regulate the confidentiality of prescription records directly or by inference, through state pharmacy practice acts, administrative regulations, or general statutes providing for confidentiality of medical information. The pharmacy practice acts in Texas and some other states have specific provisions regarding confidentiality of prescription records. Other states such as California have regulated such information by administrative regulations.

Since pharmacy practice acts may only limit disclosure by pharmacists, several states (e.g., California and Florida) have enacted general medical confidentiality statutes that apply to prescription records. Under some general medical information confidentiality statutes, pharmacists are deemed to be "health care providers" (e.g. California); however, the statutes in other states (e.g. Florida and Illinois) specifically provide that pharmacists are not "health care providers."

Few cases specifically address whether pharmacists owe a duty of confidentiality to a customer purchasing medication. A 1996 South Carolina case held that ethical codes of conduct that impose a duty of confidentiality on pharmacists do not create for pharmacists a statutory duty of confidentiality, and that there is no common law duty of confidentiality for pharmacists. See Evans v. Rite Aid Corporation, 478 S.E.2d 846, 848 (S.C. 1996). The court also said: "No South Carolina case has ever recognized such a [common law] duty, nor are we aware of any other jurisdiction that has done so. The court said itís research "reveal[ed] only two cases tangentially related to the issueÖ"

Clearly, patientís pharmaceutical records deserve the legal confidentiality protections afforded any other medical information, using guidelines based on the body of law that has developed around physicianís obligations to maintain the confidentiality of medical information. Effective statutes are needed to limit inappropriate disclosures not just by pharmacists but also by other health care providers.