Q: What changes might HHS make in the final rule?
A: Besides changes bulleted in the main story, a change in "minimum necessary scope" will increase covered entities' confidence that certain common practices, such as use of sign-up sheets in waiting rooms and X-ray light boards, and maintenance of patient medical charts at bedside, are not prohibited under the rule. In addition, HHS may re-evaluate the privacy rule to ensure that parents have appropriate access to their children's health information.
Q: Can a patient have a friend or family member pick up a prescription for her?
A: Yes. A pharmacist may use professional judgment and experience to make reasonable inferences of the patient's best interest in allowing a person, other than the patient, to pick up a prescription. The patient does not need to provide the pharmacist with the name of the person in advance.
Q: Can covered entities be held liable for the privacy violations of business associates?
A: A healthcare provider, health plan or other covered entity is not liable for privacy violations of a business associate. Covered entities are not required to actively monitor or oversee the means by which the associate carries out safeguards or the extent to which the associate abides by the requirements of its contract. If a covered entity becomes aware of a pattern or practice of the business associate that constitutes a material breach or violation of the associate's obligations, the covered entity must take "reasonable steps" to cure the breach or end the violation.
Q: Can contractors (business associates) use protected health information (PHI) to market to individuals for their own business purposes?
A: The privacy rule prohibits health plans and covered healthcare providers from giving PHI to third parties for the third party's own business purposes, absent authorization from the individuals. But covered entities, including PBMs, can "engage in health-related marketing on behalf of a third party, presumably for a fee."