HIPAA Compliance Checklist for Pharmacies
Last updated: 2026-07-06 — ComplianceStack Editorial Team
Pharmacies HIPAA Compliance Checklist
0 of 16 items reviewed
Designate a HIPAA Privacy Officer and Security Officer
For independent pharmacies, the pharmacist-in-charge often fills both roles. Chain pharmacies must designate officers at the corporate level. Document the appointment and ensure the officer has authority to implement policy changes.
Conduct a Security Risk Assessment covering pharmacy systems
Include your pharmacy management system (PMS), e-prescribing platform (Surescripts), point-of-sale system, automated dispensing cabinets, and any patient-facing kiosks. Document every system that touches ePHI.
Review and negotiate PBM data-sharing agreements for HIPAA compliance
Pharmacy Benefit Managers (PBMs) require extensive claims data, but HIPAA's minimum necessary standard still applies. Ensure your PBM contract includes a BAA, limits data use to permitted purposes, and does not grant the PBM blanket rights to re-disclose patient information for marketing.
Implement access controls in the pharmacy management system
Every technician, pharmacist, and clerk needs a unique login. Role-based access should restrict technicians from modifying clinical notes and limit clerk access to pickup/point-of-sale functions. No shared credentials.
Secure the interface between DEA-required records and HIPAA-protected PHI
DEA Schedule II-V records must be maintained per 21 CFR 1304, but the patient information in those records is still PHI under HIPAA. Ensure controlled substance logs are accessible only to authorized personnel and stored with the same encryption and access controls as other ePHI.
Design the counseling area to prevent incidental disclosure
HIPAA does not prohibit pharmacy counseling at the counter, but reasonable safeguards are required. Install privacy screens or partitions, use lower voices, and position counseling stations away from the waiting area. Many OCR complaints originate from overheard conversations.
Encrypt all e-prescribing transmissions and stored prescription data
E-prescribing via Surescripts must use encrypted connections. Stored prescription records in your PMS must be encrypted at rest. Backup tapes and portable media containing prescription data require AES-128 or stronger encryption.
Train all staff on HIPAA and pharmacy-specific scenarios annually
Cover: handling prescription pickup by someone other than the patient, phone verification procedures, refusing to confirm whether a patient has a prescription to unauthorized callers, and proper handling of prescription label waste.
Establish a prescription label and paperwork disposal protocol
Prescription labels, patient information leaflets, pharmacy bags with labels, and voided prescriptions contain PHI. Cross-cut shred all paper containing patient information. Ensure the same standard applies to pharmacy bag labels that do not get picked up.
Execute BAAs with delivery services, compounding partners, and IT vendors
If you use a delivery service that sees patient names and addresses on packages, that service may be a Business Associate. Compounding pharmacies receiving prescriptions are Business Associates. IT support with database access needs a BAA.
Implement automatic logoff on all pharmacy workstations
Pharmacy workstations are often shared among technicians across shifts. Configure automatic screen lock after 2 minutes of inactivity to prevent unauthorized access to open patient records.
Document patient counseling records with PHI access logging
Many states require pharmacists to document patient counseling. These records are PHI and must be included in your security risk assessment. Ensure counseling documentation in the PMS generates an audit trail.
Create a breach notification procedure specific to pharmacy data
Pharmacy breaches often involve large patient populations. Define escalation thresholds, notification templates, and your process for the 500+ patient threshold that requires HHS and media notification.
Establish patient rights procedures: access, amendment, accounting
Patients have the right to receive copies of their prescription records within 30 days. Many pharmacies are slow to respond to patient record requests. Document your intake process, fees (if any, per state law), and response timeline.
Develop a contingency plan for pharmacy system downtime
If your PMS goes down, you still need to fill prescriptions safely. Document manual dispensing procedures, backup prescription verification processes, and data recovery steps. Test the plan at least annually.
Review all HIPAA policies annually and after any security incident
Assign an annual review date. Check for regulatory updates (HIPAA, DEA, state pharmacy board), update policies to reflect operational changes, re-train staff, and document everything. Retain policies for six years.
Common Mistakes to Avoid
Frequently Asked Questions
Does HIPAA apply to independent pharmacies the same way it applies to chains?
Yes. Every pharmacy that transmits health information electronically — including insurance claims, e-prescriptions, or electronic prior authorizations — is a covered entity under HIPAA (45 CFR §160.103) with identical compliance obligations regardless of size, whether independent or part of a chain. Small independent pharmacies must maintain written HIPAA Privacy policies, conduct an annual Security Rule risk analysis (45 CFR §164.308(a)(1)), and designate a Privacy Officer (45 CFR §164.530(a)).
How do DEA recordkeeping requirements interact with HIPAA?
DEA requires pharmacies to maintain records of controlled substance dispensing under 21 CFR 1304. Those records contain patient PHI, so HIPAA's Privacy and Security Rules apply to them simultaneously. You must satisfy both DEA's recordkeeping mandates and HIPAA's access, encryption, and audit requirements for the same records.
Can a pharmacy share patient medication history with a PBM without patient authorization?
Pharmacies can share claims data with PBMs for treatment, payment, and healthcare operations without individual patient authorization, provided a BAA is in place and the data shared is limited to what is needed for the stated purpose (minimum necessary standard). However, if the PBM uses data for marketing or non-covered purposes, separate patient authorization is required.
Get This Checklist Emailed to You
No account needed. We'll email you the full checklist + any updates to compliance requirements.