HIPAA Compliance Checklist for Pharmacies

For independent pharmacies, the pharmacist-in-charge often fills both roles. Chain pharmacies must designate officers at the corporate level. Document the appointment and ensure the officer has authority to implement policy changes.

Include your pharmacy management system (PMS), e-prescribing platform (Surescripts), point-of-sale system, automated dispensing cabinets, and any patient-facing kiosks. Document every system that touches ePHI.

Pharmacy Benefit Managers (PBMs) require extensive claims data, but HIPAA's minimum necessary standard still applies. Ensure your PBM contract includes a BAA, limits data use to permitted purposes, and does not grant the PBM blanket rights to re-disclose patient information for marketing.

Every technician, pharmacist, and clerk needs a unique login. Role-based access should restrict technicians from modifying clinical notes and limit clerk access to pickup/point-of-sale functions. No shared credentials.

DEA Schedule II-V records must be maintained per 21 CFR 1304, but the patient information in those records is still PHI under HIPAA. Ensure controlled substance logs are accessible only to authorized personnel and stored with the same encryption and access controls as other ePHI.

HIPAA does not prohibit pharmacy counseling at the counter, but reasonable safeguards are required. Install privacy screens or partitions, use lower voices, and position counseling stations away from the waiting area. Many OCR complaints originate from overheard conversations.

E-prescribing via Surescripts must use encrypted connections. Stored prescription records in your PMS must be encrypted at rest. Backup tapes and portable media containing prescription data require AES-128 or stronger encryption.

Cover: handling prescription pickup by someone other than the patient, phone verification procedures, refusing to confirm whether a patient has a prescription to unauthorized callers, and proper handling of prescription label waste.

Prescription labels, patient information leaflets, pharmacy bags with labels, and voided prescriptions contain PHI. Cross-cut shred all paper containing patient information. Ensure the same standard applies to pharmacy bag labels that do not get picked up.

If you use a delivery service that sees patient names and addresses on packages, that service may be a Business Associate. Compounding pharmacies receiving prescriptions are Business Associates. IT support with database access needs a BAA.

Pharmacy workstations are often shared among technicians across shifts. Configure automatic screen lock after 2 minutes of inactivity to prevent unauthorized access to open patient records.

Many states require pharmacists to document patient counseling. These records are PHI and must be included in your security risk assessment. Ensure counseling documentation in the PMS generates an audit trail.

Pharmacy breaches often involve large patient populations. Define escalation thresholds, notification templates, and your process for the 500+ patient threshold that requires HHS and media notification.

Patients have the right to receive copies of their prescription records within 30 days. Many pharmacies are slow to respond to patient record requests. Document your intake process, fees (if any, per state law), and response timeline.

If your PMS goes down, you still need to fill prescriptions safely. Document manual dispensing procedures, backup prescription verification processes, and data recovery steps. Test the plan at least annually.

Assign an annual review date. Check for regulatory updates (HIPAA, DEA, state pharmacy board), update policies to reflect operational changes, re-train staff, and document everything. Retain policies for six years.