What are the general rules of HIPAA? I.e., you can't display PHI (protected health
information) other than for providing what? - correct answer: Cannot display PHI other
than for providing health care treatment, obtaining payment, and for day-to-day health
care operations
What does HIPAA apply to? - correct answer:
-Health care providers (i.e. pharmacies)
-Health plans
-Health care clearinghouses
What are the requirements of HIPAA? - correct answer: HIPAA Requirements:
-Notifying patients of rights/uses (Notice of Privacy Practices) (NOPP) *Need to inform
patients on their rights to PHI
-ensuring pharmacy personnel compliance
-appointing privacy officer
-securing patient records (all personnel must be trained with regard to privacy of PHI and
maintain confidential patient records)
What content is to be included in the Notice of Privacy Practices (NOPP)? - correct
answer: NOPP content:
-how pharmacy intends to use and disclose information
-obligation to notify patient of a breach of unsecured PHI
-Legal duties of the pharmacy to protect confidentiality of PHI
-statement of uses and disclosures that require authorization in written document form
-statement of patient rights and how to exercise those rights (ex: how to access
amendment and accounting)
-statement that patients may complain to the pharmacy or DHHS and how to file a
complaint
-name of the individual to contact with privacy concerns, including telephone number
What are NOPP obligations that have to be met by the pharmacy? - correct
answer: NOPP obligations for the pharmacy:
*provide to patients
*good faith effort to obtain signature (6 yr retention)
*must be displayed in a clear and prominent location in the pharmacy
*must make a copy of the NOPP available on request to anyone who requests a copy, whether
customer or not
*If pharmacy has a website, must make a notice and acknowledgement available on
that website
If a patient refuses to sign a Notice of Privacy Practices, can you refuse treatment?
What should you do in this instance? - correct answer: No, cannot refuse treatment if
someone refuses to sign acknowledgement
**If patient refuses to sign, DOCUMENT the refusal**
Pharmacy Law Final Exam Study Guide - Spring 2025
It is the RPh's job to make a good faith effort to obtain a signature; if someone doesn't want to sign,
make a careful note
Pharmacy can use/disclose PHI without authorization as long as it is for ____________,
__________________, or __________________ - correct answer: Pharmacy can
use/disclose PHI without authorization as long as it is for TREATMENT, PAYMENT, or
HEALTH CARE OPERATIONS
Note: for any purposes other than these listed, would need patient authorization
What are some examples of treatment where the pharmacy can use/disclose PHI? -
correct answer: Treatment: Dispensing medications, counseling, maintaining profiles,
consulting with patient's other health care providers
What are some examples of payments where the pharmacy can use/disclose PHI? - correct
answer: Payment = submitting claims for reimbursement, determining patient eligibility
and extent of coverage, sending bills to patients
What are some examples of operations for which the pharmacy can use/disclose PHI? -
correct answer: Operations = Quality assessment, fraud detection, audits, certifications,
business management
What are the required statements in an authorization? - correct answer:
-right to revoke the authorization in writing
-Inability to condition treatment on the basis of whether the patient signs authorization
-potential for info that is released to be re-disclosed (i.e. might be to a non-covered
entity that is not subject to HIPAA)
What is authorization in regard to PHI and what should it include? - correct
answer: Authorization:
-separately signed and dated document
-specific description of PHI at issue
-Specific ID to whom PHI will be disclosed
-Description of each purpose for which PHI will be used/disclosed
-expiration date or event after which authorization no longer valid
If financial remuneration received is reasonably related to the costs of making the
communication, is it considered marketing? - correct answer: No, this is not considered
marketing and would not require an authorization
Any financial remuneration from a drug company beyond the cost of providing the
reminder would require what?
i.e. anytime pharmacy is receiving reimbursements and/or money is being exchanged,
this action requires what? - correct answer: an authorization
What are business associates, and what are a few examples? - correct answer: Business
associates are outside entities that share PHI with pharmacies
Examples of business entities:
-Businesses that engage in claim processing
-data processing
-software development
-quality assurance analysis
-SHREDDING companies
*the pharmacy must have a business associate agreement in order to share PHI
*Business associates are now responsible and accountable to maintain and protect PHI
HIPAA requires reasonable efforts to limit the use or disclosure of PHI to the minimum
necessary. This does not apply to certain scenarios. Which are they? - correct
answer: Disclosure of HIPAA does not need to be kept at a minimum when:
-communications regarding the treatment of the patient with other providers involved in
the tx (i.e. physician)
-disclosures to patients themselves
-when required by DHHS for compliance and enforcement purposes
-when required by law
Note: incidental exposures are expected. Should do everything in your power to keep
everything private, but occasionally something may be overheard
What are the Privacy Rule Administrative Requirements? - correct answer:
-Name Privacy Official
-institute training to all employees on all aspects of maintaining privacy
-implement safeguards (administrative, technical, and physical)
-develop process for receiving complaints
-impose sanctions for transgressions (more training when necessary)
-mitigate any harmful use or disclosure
-develop policies and procedures
-retain all applicable documentation for 6 years
What are some examples of abiding by HIPAA and P&P? - correct answer:
-educating individuals regarding their privacy rights and the CE's privacy practices
-Uses and disclosures of PHI, including "minimum necessary" requirement
-Verifying identities of individuals seeking disclosures
-safeguarding PHI against intentional or unintentional misuse
-providing information to individuals as to how to make complaints
-ensuring cooperation of business associates
-obtaining authorizations
-allowing individuals access to their PHI
-allowing individuals to amend their PHI
-providing accounting of disclosures of PHI to individuals