(a) Except as otherwise prohibited by state or federal law, an entity conducting a pharmacy audit shall keep confidential any information collected during the course of the audit and shall not share any information with any person other than the carrier, pharmacy benefit manager, or third-party payer for which the audit is being performed. An entity conducting a pharmacy audit shall have access only to previous audit reports relating to a particular pharmacy conducted by or on behalf of the same entity. Nothing in this subdivision shall be construed to authorize access to information that is otherwise prohibited by law. Nothing in this subdivision shall be construed to prohibit any employer, trust fund, government agency, or any other entity for which the audit is being performed from disclosing its general opinions or conclusions regarding the business practices of the pharmacy based on the audit.

(b) An entity that is not a carrier or pharmacy benefit manager and that is conducting a pharmacy audit on behalf of a carrier or pharmacy benefit manager shall, prior to conducting the audit, notify the pharmacy in writing that the entity and the carrier or pharmacy benefit manager have executed a business associate agreement or other agreement as required under state and federal privacy laws.

(c) An entity conducting a pharmacy audit shall, prior to leaving a pharmacy at the end of an onsite portion of the audit, provide the pharmacist in charge with a complete list of records reviewed to allow the pharmacy to account for disclosures as required by state and federal privacy laws.

(Added by Stats. 2012, Ch. 706, Sec. 1. (SB 1195) Effective January 1, 2013.)