Compliance · Product · April 20, 2026 · 5 min read

Your delivery drivers don’t need to see medication names

HIPAA’s minimum-necessary standard is old news at the pharmacy counter. Somehow the rule evaporates the moment a package leaves the building.

Aaron Núñez
Founder, ScriptRun

HIPAA’s minimum-necessary standard is not new. It’s been a Privacy Rule provision since 2003. At the pharmacy counter it produces reflexes nobody thinks about anymore: you don’t print the drug name on the outside of the bag, you don’t page a patient by medication, you don’t leave a pill vial on the consult counter between customers.

Somehow that rule evaporates the moment a package crosses the back door and becomes a “delivery.” I’ve watched driver apps list full medication names next to patient addresses, next to dosage strengths, next to prescriber notes. None of it is necessary for the driver to complete the task. All of it is PHI.

What a delivery driver actually needs

Think about the job from the driver’s side of the windshield. To complete one stop, they need:

  • A name to confirm identity against (first + last)
  • An address and optional apartment / gate code
  • A phone number, in case the patient isn’t home
  • A package count, so they know whether they have everything
  • Signature or photo-proof requirements, if the pharmacy has any
  • A copay amount, if collection is part of the stop

That’s it.

They do not need:

  • Drug names
  • NDC numbers
  • Rx numbers visible on the screen
  • Dosage or strength
  • Prescriber name
  • Diagnosis codes
  • Refill history

A driver who shows up at the door does not need to know whether he’s delivering a statin or a controlled substance. The pharmacy’s pick-and-pack process already confirmed the right medications are in the bag. The driver’s job is chain-of-custody from the pharmacy door to the patient’s door, with a verification step at the end. Nothing about that job requires knowing what’s inside.

Why this matters beyond the compliance officer

Three things happen when minimum-necessary is ignored on the delivery side.

The BAA question gets harder to answer honestly. A pharmacy Business Associate Agreement should represent that the BA (your delivery software vendor) limits PHI to the minimum necessary for the services performed. If the driver app displays data the driver doesn’t need, you’re out of alignment with your own signed agreement. Our public BAA template spells this out explicitly.

Incidental disclosure risk multiplies. A driver’s phone screen is visible to anyone near them — passengers, coworkers, the patient’s neighbor who opens the door because the patient isn’t home. Medication names create stigma-vectors that a name-and-address label does not. HIPAA’s incidental-disclosure safe harbor only covers disclosures that couldn’t reasonably have been prevented. Showing a drug name on a handheld is a disclosure you could have prevented by hiding the field.

Breach notification math changes. A lost or stolen phone with a driver app containing drug names becomes a reportable breach on a set of records the pharmacy now has to enumerate. The same phone with only name, address, and package count is a much cleaner risk assessment and, often, not a reportable incident at all.

What to audit in your current setup

Grab a driver’s phone at the end of a shift. Open the app. For each stop in the route, write down every field visible on the screen. Then score each field: necessary to complete this stop, useful but not necessary, or not needed.

Three rules of thumb for the scoring:

  • Necessary: the driver cannot complete the stop without it.
  • Useful but not necessary: it makes the stop marginally smoother but the driver can finish without it. This column should be empty or nearly so. Most “it’s convenient” fields end up here and shouldn’t.
  • Not needed: delete it from the screen. If a downstream workflow genuinely requires the data (e.g., returns handling), show it at that later step, not on the route list.

If any medication-identifying field lands in columns 2 or 3, that’s a minimum-necessary violation hiding inside an otherwise-compliant platform.

How ScriptRun draws the line

Our driver app never renders medication_name, rx_number, strength, NDC, or prescriber fields. The driver endpoints in our API return a deliberately narrow StopForDriver shape that excludes those columns at the query layer, not just the UI layer — so a misconfigured build of the mobile app can’t accidentally show them either.
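The difference between hiding fields in the UI and excluding them at the query layer, as an added example that is not ScriptRun's own code. The table layout, column names, per-stop aggregation and sample rows are all constructed for illustration; only the idea of a narrow driver shape comes from the post.

```python
import sqlite3

# Fields the article says a driver never needs (column names are assumed).
FORBIDDEN = {"medication_name", "rx_number", "strength", "ndc", "prescriber"}

def make_db():
    """Constructed sample data: one route, two stops, three packages."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.executescript("""
        CREATE TABLE packages (
            id INTEGER PRIMARY KEY, route_id INTEGER, stop_no INTEGER,
            patient_name TEXT, address TEXT, gate_code TEXT, phone TEXT,
            signature_required INTEGER, copay_cents INTEGER,
            medication_name TEXT, rx_number TEXT, strength TEXT,
            ndc TEXT, prescriber TEXT);
        INSERT INTO packages VALUES
          (1, 7, 1, 'Pat Example', '1 Sample St', '1234', '555-0100', 1, 500,
           'DRUG-A', 'RX-0001', '10 mg', 'NDC-PLACEHOLDER-1', 'Dr. Example'),
          (2, 7, 1, 'Pat Example', '1 Sample St', '1234', '555-0100', 0, 0,
           'DRUG-B', 'RX-0002', '5 mg', 'NDC-PLACEHOLDER-2', 'Dr. Example'),
          (3, 7, 2, 'Sam Sample', '2 Test Ave', NULL, '555-0101', 0, 1000,
           'DRUG-C', 'RX-0003', '20 mg', 'NDC-PLACEHOLDER-3', 'Dr. Sample');
    """)
    return db

def stops_select_star(db, route_id):
    """Weak: full rows leave the database; only the app UI hides fields."""
    cur = db.execute("SELECT * FROM packages WHERE route_id = ?", (route_id,))
    return [dict(r) for r in cur]

def stops_for_driver(db, route_id):
    """Narrow: the projection names only driver fields, one row per stop."""
    cur = db.execute("""
        SELECT stop_no, patient_name, address, gate_code, phone,
               COUNT(*) AS package_count,
               MAX(signature_required) AS signature_required,
               SUM(copay_cents) AS copay_cents
        FROM packages WHERE route_id = ?
        GROUP BY stop_no, patient_name, address, gate_code, phone
        ORDER BY stop_no""", (route_id,))
    return [dict(r) for r in cur]

def leaked_fields(rows):
    """Forbidden keys present in a response payload, usable as a CI check."""
    return sorted({key for row in rows for key in row} & FORBIDDEN)
```

Running `leaked_fields` against every driver-facing response in a test suite catches a later `SELECT *` or an added join before it ships.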

Dispatchers and pharmacy staff see the full package record, because they need it. Drivers see the stop. That’s the line, and we don’t move it for customer requests.

It’s not a feature we charge for. It’s a rule that comes free with the software — which is how minimum-necessary was supposed to work at the pharmacy counter all along.
