Brought to you by the Georgia Department of Law’s
Consumer Ed says:
While it is legal for a pharmacy or doctor’s office to ask for your date of birth, these entities must take steps to protect that information so as to not violate the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, Protected Health Information (PHI) means any information linked to the health status of an individual that is related to the provision of or payment for health care. PHI includes names, geographic identifiers, Social Security numbers, phone and fax numbers, email addresses, medical record numbers, health insurance numbers, account numbers, license numbers, vehicle identifiers, biometric identifiers, and birth dates (excluding the year).
However, in the pharmacy context, HIPAA allows the use of PHI for treatment, requesting or receiving payment, or pharmacy operations. For example, a pharmacy may need your birth date to differentiate you from another individual who may have your same name and birth year. Still, pharmacies must take steps to ensure nothing more than the minimum PHI is disclosed. As such, you may have to provide your full birth date to a pharmacist, but the pharmacy and its staff must take steps to ensure that information is protected.
Similarly, a doctor’s office may require an individual to provide his or her birth date for identification verification or administrative purposes. While birth dates fall under PHI, it remains one of the least intrusive forms of confirming identification, which is necessary in order to avoid confusion between two patients with the same name, address, birth years, or the like. Other less intrusive forms of PHI, such as telephone numbers and email addresses, are less reliable for identification confirmation because they can change or be associated with more than one individual.
It should also be noted that the law requires that individuals provide a government-issued photo ID verifying their identity in order to purchase certain controlled substances. Pharmacies in Georgia are also required to maintain patient record systems that include the full name of the patient for whom the drug is intended and the date of birth of the patient.
If you are concerned about the possibility of identity theft, you can always ask your pharmacy or doctor’s office about alternatives to providing sensitive information. If the pharmacy or doctor’s office still requires that you provide that information, see if you can provide it by writing it down or showing a form of photo identification containing that information rather than saying it out loud. You can also ask about the measures the pharmacy or doctor’s office takes to protect your information and how your information may be used.