(a) A pharmacist shall provide adequate security of prescription drug orders, medication orders, and patient medication records to prevent indiscriminate or unauthorized access to confidential health information. If prescription drug orders, requests for refill authorization, or other confidential health information are not transmitted directly between a pharmacy and a physician but are transmitted through a data communication device, confidential health information may not be accessed or maintained by the operator of the data communication device unless specifically authorized to obtain the confidential information by this section.
(b) Confidential records are privileged and may be released only to:
(1) the patient or the patient's agent;
(2) a practitioner or another pharmacist if, in the pharmacist's professional judgement, the release is necessary to protect the patient's health and well being;
(3) the board or to a person or another state or federal agency authorized by law to receive the confidential record;
(4) a law enforcement agency engaged in investigation of a suspected violation of Chapter 481 or 483, Health and Safety Code, or the Comprehensive Drug Abuse Prevention and Control Act of 1970 (21 U.S.C. Section 801 et seq.);
(5) a person employed by a state agency that licenses a practitioner, if the person is performing the person's official duties; or
(6) an insurance carrier or other third party payor authorized by a patient to receive such information.
(c) A pharmacy shall provide written policies and procedures to prohibit the unauthorized disclosure of confidential records.
Source Note: The provisions of this §291.27 adopted to be effective September 18, 2007, 32 TexReg 6318; amended to be effective August 27, 2023, 48 TexReg 4670