Pharmacy Benefit Managers (PBMs) and HIPAA Compliance: What Applies and How to Get It Right

Product Pricing
Ready to get started? Book a demo with our team
Talk to an expert

Pharmacy Benefit Managers (PBMs) and HIPAA Compliance: What Applies and How to Get It Right

Kevin Henry

HIPAA

October 25, 2025

9 minutes read
Share this article
Pharmacy Benefit Managers (PBMs) and HIPAA Compliance: What Applies and How to Get It Right

HIPAA Compliance Responsibilities for PBMs

As a pharmacy benefit manager, you routinely create, receive, maintain, and transmit Protected Health Information (PHI) while processing claims, adjudicating benefits, managing formularies, handling prior authorizations, and operating call centers. Under HIPAA, PBMs typically act as business associates to health plans and other covered entities, which makes you directly responsible for meeting Security Rule Safeguards and selected Privacy Rule provisions.

What applies to PBMs as business associates

  • Implement the full HIPAA Security Rule for ePHI, including administrative, physical, and technical protections.
  • Comply with the Privacy Rule’s limits on uses and disclosures, including the Privacy Rule Minimum Necessary Standard for workforce access and routine data exchanges not related to treatment.
  • Execute and honor Business Associate Agreements (BAAs) with covered entities and flow down equivalent protections to subcontractors.
  • Provide breach notifications to covered entities and support their Breach Notification Requirements to individuals, regulators, and (when applicable) the media.
  • Support covered entities in fulfilling individual rights, such as access, amendment, and accounting of disclosures, when you maintain the relevant records.

When PBMs are also covered entities

If your organization operates a mail-order or specialty pharmacy or sponsors a health plan, those components may be covered entities with direct Privacy Rule obligations. Treat these lines of business distinctly, designate privacy and security officials, and apply role-based controls so employees only access PHI necessary for their job functions.

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Governance, culture, and training

  • Designate a privacy official and a security official, charter a cross-functional compliance committee, and establish executive reporting.
  • Deliver role-specific Workforce HIPAA Training on policies, phishing awareness, secure handling of PHI, and incident escalation; document attendance and comprehension.
  • Adopt a sanctions policy for violations and perform periodic internal audits to verify adherence.

Implementing Administrative Physical and Technical Safeguards

Administrative safeguards

  • Policies and procedures: Write clear standards for access, data handling, retention, destruction, third-party management, and remote work.
  • Workforce security: Use background checks appropriate to roles, least-privilege access, onboarding/offboarding checklists, and immediate revocation on termination.
  • Security management: Tie Risk Analysis and Risk Management into a documented program with timelines, budget, and metrics.
  • Vendor oversight: Evaluate cloud, print/mail, analytics, and call-center providers before contracting; require BAAs and ongoing monitoring.
  • Contingency planning: Maintain tested backup, disaster recovery, and emergency mode operations for critical PBM platforms.

Physical safeguards

  • Facility access controls: Restrict data centers, print rooms, and fulfillment areas; maintain visitor logs and camera coverage.
  • Workstation security: Enforce screen locks, secure docking areas, privacy screens for call centers, and clean-desk standards.
  • Device and media controls: Encrypt portable media, track chain of custody, and use certified destruction for retired drives and printed PHI.

Technical safeguards

  • Access controls: Unique IDs, multi-factor authentication, and just-in-time privilege elevation.
  • Encryption: TLS for data in transit; strong encryption at rest for databases, backups, and file stores.
  • Audit controls: Centralized logging, immutable storage for logs, and routine review of anomalous access, especially around high-profile members.
  • Integrity and authentication: Hashing and digital signatures where appropriate; API keys and mutual TLS for partner exchanges.
  • Transmission security: Network segmentation, modern cipher suites, and secure batch file transfers with key rotation.

Managing Business Associate Agreements and Third-Party Risks

Core elements of BAAs for PBMs

  • Permitted uses/disclosures and explicit prohibitions, including limits on de-identified data and secondary analytics.
  • Security Rule Safeguards commitment and prompt reporting of incidents and breaches, with defined timelines and required details.
  • Subcontractor flow-down requiring equivalent protections for any downstream entity handling PHI.
  • Access, amendment, and accounting support when you maintain the designated record set on behalf of the plan.
  • Return or destruction of PHI at termination, subject to feasibility, with ongoing protections if retention is necessary.
  • Inspection/audit rights and cooperation with investigations or regulatory inquiries.

Third-party risk management in practice

  • Due diligence: Security questionnaires, independent attestations (e.g., SOC 2), penetration testing summaries, and breach history.
  • Contract controls: Clear service boundaries, minimum security baselines, breach indemnities, and performance SLAs tied to incident response.
  • Continuous monitoring: Risk re-assessments, access reviews, sample audits of file transfers, and issue remediation tracking.

Conducting Enterprise-wide Risk Analysis and Assessments

Scope and methodology

  • Inventory where PHI lives and flows: claims engines, data warehouses, print vendors, pharmacy hubs, cloud storage, SFTP sites, APIs, and end-user devices.
  • Identify threats and vulnerabilities per asset, evaluate likelihood and impact, and document existing controls and residual risk.
  • Consider human factors (phishing, misdirected mail, improper disclosures) alongside technical exposures.

Risk Analysis and Risk Management as an ongoing cycle

  • Prioritize remediation with action owners, funding, and due dates; track to closure in a governance tool.
  • Reassess at least annually and whenever you introduce major system changes, new vendors, or regulatory updates.
  • Report metrics to leadership: risk themes, top issues, time-to-remediate, control test outcomes, and incident learnings.

Testing and validation

  • Run regular vulnerability scans and targeted penetration tests on internet-facing PBM portals and APIs.
  • Test backups, disaster recovery, and emergency mode operations; verify that recovery time and recovery point objectives are met.
  • Exercise social engineering defenses and confirm call-center verification procedures prevent inappropriate PHI disclosures.

Establishing Incident Response and Breach Notification Procedures

What constitutes an incident or breach

  • Security incident: any attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations.
  • Breach: an impermissible use or disclosure of unsecured PHI presumed to pose risk unless a documented four-factor risk assessment shows a low probability of compromise.

Breach Notification Requirements and timelines

  • Business associate to covered entity: notify without unreasonable delay and no later than 60 calendar days after discovery; include the identities of affected individuals and all information the covered entity must include in notices.
  • Individuals: the covered entity must notify affected individuals without unreasonable delay and within 60 days of discovery; notices describe what happened, the types of PHI involved, steps individuals should take, and what is being done to mitigate and prevent recurrence.
  • Regulators and media: report to HHS; for incidents affecting 500 or more residents of a state or jurisdiction, notify prominent media; log smaller breaches for annual submission.
  • Safe harbor: if PHI was properly encrypted consistent with recognized standards, notification is generally not required.
  • Law enforcement delay: you may delay notices if an authorized official states that notification would impede an investigation or cause damage.

Operational readiness

  • Maintain a 24/7 escalation path, playbooks for common scenarios (misdirected mailings, lost devices, vendor incidents), and decision trees for risk assessment.
  • Tabletop exercises at least annually with privacy, security, legal, call center, print/mail, and executive teams; document lessons learned and update procedures.
  • Coordinate with third parties in your BAA network to ensure timely data, root-cause analyses, and credit monitoring where warranted.

Supporting Individual Privacy Rights and Minimum Necessary Standard

Enabling individual rights

  • Access: when you maintain a designated record set, provide ePHI to the covered entity—or directly to individuals if delegated—within required timeframes and formats.
  • Amendment: route requests to the covered entity, implement approved amendments, and propagate corrections to downstream systems and vendors.
  • Accounting of disclosures: capture non-routine disclosures so the covered entity can produce an accurate accounting upon request.
  • Restrictions and confidential communications: honor limitations or alternative contact preferences communicated by the covered entity.

Applying the Privacy Rule Minimum Necessary Standard

  • Use role-based access, data minimization, and masking to limit PHI in routine operations such as claims research and utilization management.
  • Exclude minimum necessary constraints where the rule permits (e.g., treatment, disclosures to the individual, or as required by law), but document the rationale.
  • Leverage de-identified or limited data sets for analytics whenever feasible to reduce risk and compliance overhead.

Maintaining Documentation and Contingency Plans

What to document and retain

  • Policies, procedures, BAAs, system inventories, data flow maps, risk analyses, risk management plans, and incident/breach records.
  • Training materials, completion logs, acknowledgement receipts, and sanctions applied for violations.
  • Retention: keep required HIPAA documentation for at least six years from the date of its creation or last effective date.

Contingency planning essentials

  • Data backup plan with tested restores across core PBM platforms and print/mail operations.
  • Disaster recovery plan that meets business RTO/RPO targets and accounts for third-party dependencies.
  • Emergency mode operations to maintain claim adjudication, eligibility checks, and member support during outages.

Program oversight and continuous improvement

  • Set KPIs for control performance, incident response, and vendor risk; review results in a recurring governance forum.
  • Incorporate audit findings, complaint trends, and post-incident lessons into policy updates and Workforce HIPAA Training.

Conclusion

For Pharmacy Benefit Managers, getting HIPAA right means knowing which provisions apply, building Security Rule Safeguards into daily operations, enforcing strong BAAs, running a living Risk Analysis and Risk Management program, and being ready to execute Breach Notification Requirements. With disciplined documentation, training, and contingency planning, you protect members, earn plan sponsor trust, and keep your PBM compliant and resilient.

FAQs

What HIPAA responsibilities do PBMs have for handling PHI?

PBMs are business associates, so you must implement the HIPAA Security Rule, follow the Privacy Rule’s limits on uses and disclosures (including the Minimum Necessary Standard), execute and comply with Business Associate Agreements (BAAs), support covered entities in fulfilling individual rights, and promptly report incidents and breaches while maintaining thorough documentation and Workforce HIPAA Training records.

How do PBMs implement the HIPAA Security Rule safeguards?

Build a control framework spanning administrative, physical, and technical measures: written policies, role-based access, multi-factor authentication, encryption in transit and at rest, audit logging and monitoring, vendor oversight, secure workstations and print/mail processes, contingency plans with tested backups, and a continuous Risk Analysis and Risk Management cycle tied to remediation and executive oversight.

What are the requirements for business associate agreements for PBMs?

BAAs must define permitted uses/disclosures of PHI, require Security Rule Safeguards, mandate prompt incident/breach reporting with necessary details, compel subcontractor flow-down protections, require assistance with access/amendment/accounting when you hold the records, grant audit/inspection rights, and stipulate return or destruction of PHI at contract end when feasible.

How must PBMs respond to privacy incidents and breaches?

Activate your incident response plan, contain and investigate, perform the four-factor risk assessment, and, if a breach of unsecured PHI occurred, notify the covered entity without unreasonable delay and no later than 60 days. Provide all details needed for individual notices and regulatory reporting, coordinate with affected vendors, offer mitigation such as credit monitoring when appropriate, and capture lessons learned to strengthen controls.

Share this article

Ready to simplify HIPAA compliance?

Join thousands of organizations that trust Accountable to manage their compliance needs.

Related Articles