What are the general rules of HIPAA? I.e., you can't display PHI (protected health information) other than
for providing what? ✔️✔️Cannot display PHI other than for providing health care treatment, obtaining
payment, and for day-to-day health care operations
What does HIPAA apply to? ✔️✔️-Health care providers (i.e., pharmacies)
-Health plans
-Health care clearinghouses
What are the requirements of HIPAA? ✔️✔️HIPAA Requirements:
-Notifying patients of rights/uses (Notice of Privacy Practices) (NOPP) *Need to inform patients on their
rights to PHI
-ensuring pharmacy personnel compliance
-appointing privacy officer
-securing patient records (all personnel must be trained in regard to privacy of PHI and maintain
confidential patient records)
What content is to be included in the Notice of Privacy Practices (NOPP)? ✔️✔️NOPP content:
-how pharmacy intends to use and disclose information
-obligation to notify patient of a breach of unsecured PHI
-Legal duties of the pharmacy to protect confidentiality of PHI
-statement of uses and disclosures that require authorization in written document form
-statement of patient rights and how to exercise those rights (ex: how to access amendment and
accounting)
-statement that patients may complain to the pharmacy or DHHS and how to file a complaint
-name of the individual to contact with privacy concerns, including telephone number
What are NOPP obligations that have to be met by the pharmacy? ✔️✔️NOPP obligations for the
pharmacy:
*provide to patients
*good faith effort to obtain signature (6 yr retention)
*must be displayed in a clear and prominent location in the pharmacy
*must make a copy of the NOPP on request to anyone who requests a copy, whether customer or not
*If pharmacy has a website, must make a notice and acknowledgement available on that website
If a patient refuses to sign a Notice of Privacy Practices, can you refuse treatment? What should you do
in this instance? ✔️✔️No, cannot refuse treatment if someone refuses to sign acknowledgement
**If patient refuses to sign, DOCUMENT the refusal**
RPh job to make good faith effort to obtain signature, if someone doesn't want to sign, make careful
note
Pharmacy can use/disclose PHI without authorization as long as it is for ____________,
__________________, or __________________ ✔️✔️Pharmacy can use/disclose PHI without
authorization as long as it is for TREATMENT, PAYMENT, or HEALTH CARE OPERATIONS
Note: for any purposes other than these listed, would need patient authorization
What are some examples of treatment where the pharmacy can use/disclose PHI? ✔️✔️Treatment:
Dispensing medications, counseling, maintaining profiles, consulting with patient's other health care
providers
What are some examples of Payments where pharmacy can use/disclose PHI? ✔️✔️Payment= submitting
claims for reimbursement, determining patient eligibility and extent of coverage, sending bills to
patients
What are some examples of operations for which the pharmacy can use/disclose PHI? ✔️✔️Operations=
Quality assessment, fraud detection, audits, certifications, business management
What are the authorization required statements? ✔️✔️-right to revoke the authorization in writing
-Inability to condition treatment on the basis of whether the patient signs authorization
-potential for info that is released to be re-disclosed (i.e., might be to a non-covered entity that is not
subject to HIPAA)
What is authorization in regards to PHI and what should it include? ✔️✔️Authorization:
-separately signed and dated document
-specific description of PHI at issue
-Specific ID to whom PHI will be disclosed
-Description of each purpose for which PHI will be used/disclosed
-expiration date or event after which authorization no longer valid
If financial remuneration received is reasonably related to the costs of making the communication, is it
considered marketing? ✔️✔️No, this is not considered marketing and would not require an authorization
Any financial remuneration from a drug company beyond the cost of providing the reminder would
require what?
I.e., anytime the pharmacy is receiving reimbursements and/or money is being exchanged, this action
requires what? ✔️✔️an authorization
What are business associates, and what are a few examples? ✔️✔️Business associates are outside entities
that share PHI with pharmacies
Examples of business entities:
-Businesses that exchange in claim processing
-data processing
-software development
-quality assurance analysis
-SHREDDING companies
*the pharmacy must have a business associate agreement in order to share PHI
*Business associates are now responsible and accountable to maintain and protect PHI
HIPAA requires reasonable efforts to limit the use or disclosure of PHI to the minimum necessary. This
does not apply to certain scenarios. Which are they? ✔️✔️Disclosure of PHI does not need to be kept
at a minimum when:
-communications regarding the treatment of the patient with other providers involved in the tx (i.e.,
physician)
-disclosures to patients themselves
-when required by DHHS for compliance and enforcement purposes
-when required by law
Note: incidental exposures are expected. Should do everything in your power to keep everything
private, but occasionally something may be overheard
What are the Privacy Rule Administrative Requirements? ✔️✔️-Name Privacy Official
-institute training to all employees on all aspects of maintaining privacy
-implement safeguards (administrative, technical, and physical)