Yes, HIPAA does apply to pharmacies.

HIPAA, or the Health Insurance Portability and Accountability Act of 1996, aims to protect the privacy of personal health information (PHI) and to prevent the disclosure of PHI to unqualified entities. PHI includes pharmacy records, such as prescription records, that contain personally identifiable health information or other medical information.

HIPAA requires compliance of all “covered entities” handling medical patient data, individuals as well as organizations, including health plans, clearinghouses, certain healthcare providers such as pharmacies, and their “business associates.”

HIPAA defines “business associate” as any company or individual working in partnership with a covered entity.

All healthcare workers who have access to medical records and other healthcare information are affected by HIPAA.

HIPAA is a federal law that establishes the acceptable uses and disclosures of protected health information (PHI). HIPAA also establishes standards for the secure storage and transmission of this information over information technology and gives patients the right to obtain copies of it.

HIPAA is administered by the U.S. Department of Health and Human Services (HHS), which can issue sizable fines for HIPAA violations.

For complete, up-to-date information on HIPAA requirements and compliance, check out our ultimate guide.

How Pharmacies Can Maintain HIPAA Compliance

HIPAA is administered and enforced by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). HIPAA regulations apply to “covered entities,” which the OCR defines as “health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA.”

Covered entities’ business associates must also be HIPAA-compliant, and protect patients’ PHI. This includes pharmacy operations and pharmacy staff.

The rules for pharmacy compliance are the same as for any covered entity. However, state laws and new federal regulations sometimes apply to pharmacies only. For instance, HIPAA allows the dispensing of medication to a family member or other person acting as the patient’s representative, in certain situations.

This checklist can help your organization reach compliance with this important regulation.


HIPAA’s Privacy Rule is primarily concerned with the protection of patient health information, including electronic information, or e-PHI, from unauthorized access and use.

  • Make sure all your patients have signed your notice of privacy practices, and be sure that it tells them why you are collecting their information and what you plan to do with it.
  • Get signed permission from your patients to process, store, and use their information.
  • Have a privacy officer who oversees your compliance with the HIPAA Privacy Rule and implementation of your privacy policy.
  • Make sure that your third-party business agreements require HIPAA-compliant handling of PHI.
  • Test your processes for honoring patient requests. If, for instance, a patient asks who has seen their health records and when, can you tell them?
  • Be prepared to honor patients’ requests to hide their records or remove them from your database.
  • Provide HIPAA training to your employees to ensure that they know how to properly handle PHI.

Breach notification:

  • Establish breach notification protocols that require detailed records of every PHI breach, including whom you notified and when, as well as documentation of your post-breach assessments and remediation.


HIPAA’s Security Rule establishes safeguards to protect e-PHI from breach and theft. Also, the HITECH Act of 2009 requires covered entities and business associates under HIPAA to report breaches promptly to owners of the data, HHS, and even, perhaps, the news media.

  • Regularly assess your risks associated with the privacy and security of PHI. Address these risks or revise your policies.
  • Restrict internal and external text messaging and emails regarding patient information to HIPAA-approved applications.
  • Strengthen your controls over stored PHI, including encryption, firewalls, workforce training and testing, and multi-factor authentication (MFA).
  • Establish safeguards to protect e-PHI. The HIPAA technical safeguards checklist includes:
    • Access control: Limit access to patient information to the minimum necessary on an as-needed basis.
    • Authentication: Determine whether PHI data has been altered, destroyed, or used without authorization.
    • Encryption and decryption tools: Encrypt ePHI before transmitting it.
    • Audit controls: Record attempts to access PHI, and document responses.
    • Remote log-off: Enable users to log off their devices remotely in case the device is lost or stolen.
    • Information system activity review: Regularly review records of information system activity, including audit logs, access reports, and security incident tracking reports. HIPAA requires you to maintain these logs for at least six years.
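To make the access-control, audit-control, integrity-check and six-year log-retention items in the checklist above concrete, here is an added Python example; it is not from the original article or from ZenGRC, and the role-to-field matrix, HMAC key and prescription record are constructed assumptions.

```python
import hashlib, hmac, json
from datetime import datetime, timedelta, timezone

# Constructed "minimum necessary" matrix: which role may read which PHI fields.
ROLE_FIELDS = {
    "pharmacist": {"patient_id", "drug", "dose", "allergies"},
    "clerk": {"patient_id", "drug"},
}
RETENTION = timedelta(days=6 * 365)  # HIPAA: keep activity logs at least six years
INTEGRITY_KEY = b"constructed-demo-key"  # assumption: a secret held only by the system

def seal(record):
    """Integrity tag over a canonical encoding, so later alteration is detectable."""
    canon = json.dumps(record, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, canon, hashlib.sha256).hexdigest()

def access_phi(audit_log, user, role, record, tag, requested, now):
    """Return only permitted fields; append one audit entry for every attempt."""
    entry = {"ts": now.isoformat(), "user": user, "role": role,
             "patient": record.get("patient_id"), "fields": sorted(requested)}
    if not hmac.compare_digest(seal(record), tag):
        entry["outcome"] = "integrity_failure"  # record altered since it was sealed
        audit_log.append(entry)
        return None
    if requested - ROLE_FIELDS.get(role, set()):
        entry["outcome"] = "denied"  # asked for more than the role needs
        audit_log.append(entry)
        return None
    entry["outcome"] = "allowed"
    audit_log.append(entry)
    return {field: record[field] for field in requested}

def purgeable(audit_log, now_iso):
    """Entries old enough to fall outside the six-year retention window."""
    now = datetime.fromisoformat(now_iso)
    return [e for e in audit_log if now - datetime.fromisoformat(e["ts"]) > RETENTION]

def demo():
    """Walk the three outcomes on a constructed prescription record."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    record = {"patient_id": "P-0001", "drug": "metformin", "dose": "500 mg",
              "allergies": "penicillin"}  # constructed sample, not real PHI
    tag = seal(record)
    log = []
    ok = access_phi(log, "rx_smith", "pharmacist", record, tag, {"drug", "allergies"}, now)
    denied = access_phi(log, "front_jones", "clerk", record, tag, {"allergies"}, now)
    record["dose"] = "5000 mg"  # tampering after the record was sealed
    tampered = access_phi(log, "rx_smith", "pharmacist", record, tag, {"dose"}, now)
    return ok, denied, tampered, [e["outcome"] for e in log]
```

Every attempt, including the denied and the integrity-failure ones, lands in the audit log, which is what the activity-review and retention items above expect to find.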

Get Help if You Need It

HIPAA compliance isn’t easy for health care providers or pharmacies, and the penalties for non-compliance can be steep. But using automated governance, risk management, and compliance (GRC) software can simplify the task and let you rest easier at night.

ZenGRC flags your HIPAA compliance gaps and, on a user-friendly, color-coded dashboard, shows how to fill them and the status of each task. It tracks vendor risk, stays up-to-date on regulatory changes, allows unlimited self-audits, and stores all your audit documentation in a “single source of truth” repository.

Worry-free HIPAA compliance is the Zen way. Contact us today for your free consultation.