By Mary M. Bearden and Allison Shelton, Brown & Fortunato, P.C.
During the month of September, the Office for Civil Rights (OCR) posted several implementation guides for health care providers that qualify as covered entities under the Health Insurance Portability and Accountability Act (HIPAA). These guides were posted as an effort to assist covered entities in implementing provisions of the Omnibus Health Insurance Portability and Accountability Act Final Rule (Omnibus Rule) that went into effect on September 23, 2013. Even though the Omnibus Rule was first published on January 25, 2013, OCR waited until September to issue guidance for covered entities.
Over the month of September, OCR posted guidance for drafting Notices of Privacy Practices (NPPs), applying HIPAA protections to decedents, issuing refill reminders, and preparing for emergency situations. This article provides an overview of OCR’s guidance regarding NPPs and refill reminders.
NPPs enable individuals to be informed of their privacy rights under HIPAA and of the covered entity’s practices that relate to those rights. Because the Omnibus Rule made several changes to the HIPAA Privacy Rule, covered entities were required to modify their NPPs by September 23, 2013. Specifically, according to the Omnibus Rule, health care providers should have added statements indicating the following: (1) The covered entity’s use or disclosure of the individual’s protected health information (PHI) for marketing purposes requires the individual’s written authorization. (2) A disclosure that constitutes the sale of PHI requires the individual’s written authorization. (3) The covered entity may contact the individual to raise funds for the covered entity, and the individual has a right to opt out of receiving such communications. If the covered entity does not engage in any fundraising, however, then the entity is not required to insert this information into the NPP. (4) Generally, a covered entity is not required to agree to restrictions on certain uses and disclosures of PHI requested by an individual. However, in the event a patient requests a restriction on payment or health care operational disclosures to a health plan about items paid in full by the individual, the covered entity must comply with the restriction as long as the disclosure is not required by law. (5) The covered entity is required by law to notify affected individuals following a breach of unsecured PHI.
On September 13, 2013, OCR and the Office of the National Coordinator for Health Information Technology developed and published model language for the NPPs of health care providers and health plans. The model language is provided in various formats that a covered entity may customize and distribute.
Six days later, on September 19, 2013, OCR released guidance entitled, “The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Prescribed for the Individual.” This guidance concerns the new definition of “marketing” adopted in the Omnibus Rule.
Generally, a covered entity may not use or disclose an individual’s PHI for marketing purposes unless the individual has authorized the communication in writing. Under the HIPAA rules, marketing is defined as a communication that encourages the recipient to use or purchase a product or service. At times, such communications are necessary for treatment and health care purposes; therefore, certain exceptions apply to the marketing definition, including refill reminders or other communications about a currently prescribed drug or biological, when the covered entity receives “financial remuneration . . . [that] is reasonably related to the . . . cost of making the communication.” OCR’s guidance breaks down the elements of the refill reminder exception and provides clarification on a number of scenarios that are potentially affected by the exception.
Several covered entities in the industry awaited this guidance because of a suit filed by Adheris Inc. against the Department of Health and Human Services on September 5, 2013. Adheris contracts with pharmacies to provide refill reminders and medication adherence messages to patients. These communications are paid for by pharmaceutical companies. Therefore, under the changes adopted in the Omnibus Rule, the messages could qualify as prohibited marketing communications unless the patients authorized the communications in writing or the “financial remuneration . . . is reasonably related to the . . . cost of making the communication.” Claiming that the restrictions on marketing communications violate the First Amendment, Adheris sought a preliminary injunction. In a response filed on September 11, 2013, HHS asked the court to suspend proceedings and indicated that guidance regarding reasonable financial remuneration for refill reminders would be released by September 23, 2013.
In the guidance posted on September 19, 2013, OCR discusses (1) payments from a third party to a covered entity for refill reminders; (2) payments from a covered entity to a business associate when a third party directly or indirectly covers the payments to the business associate; and (3) payments from a covered entity to a business associate when no third party is involved. In the first case, the third party may only cover the direct and indirect costs related to the refill reminder. For example, the third party may pay reasonable costs related to labor, supplies, materials, overhead and capital expenditures. In the second case, when a business associate receives remuneration directly or indirectly from the third party, the third party may pay fair market value for the business associate’s services. This is the case under Adheris’ business model. Finally, in the third case, the exception for refill reminders will not limit the financial remuneration that the covered entity may pay the business associate because no third party is involved.
Even though OCR’s information concerning reasonable financial remuneration was the most anticipated aspect of the guidance, clarification for other interesting scenarios is also provided in the guidance. For example, various messages can qualify for the refill reminder exception, including information about generic equivalents of the prescribed drug; communications about prescriptions that have lapsed within the last ninety calendar days; and communications encouraging individuals to take medications as directed. Also, if a drug is administered through durable medical equipment (DME), such as an insulin pump or a nebulizer, then the refill reminder exception will encompass “communications regarding all aspects of the drug delivery system,” including the DME.
Other communications will not qualify for the exception, including communications about new formulations of the prescribed drug; information about adjunctive drugs that may be used along with the currently prescribed drug; and messages encouraging the recipient to switch to an alternative medicine. Such communications may qualify for the treatment exception, however, as long as the covered entity does not receive financial remuneration for the communication. Also, OCR indicates that covered entities may communicate with the individual about new formulations and adjunctive drugs in a general manner and without naming the actual drug. For example, a pharmacy may encourage an individual to speak with his or her doctor about medications that may treat the side effects of a currently prescribed drug.
When a covered entity obtains an individual’s written authorization for communications funded by a pharmaceutical manufacturer, OCR indicates that a new authorization is not required for each new prescription. HIPAA-compliant authorizations must include an expiration date or event. According to the Refill Guidance, this requirement may be met if the authorization expires when the individual opts out of receiving the authorized communication. Moreover, the scope of the authorization need not be limited to a single drug or biological or to a single pharmaceutical manufacturer.
In addition to posts concerning NPPs and refill reminders, OCR has provided guidance on applying HIPAA protections to decedents and on preparing for emergency situations. Hospitals, physicians, and other covered entities should visit HHS.gov to ensure that their policies, procedures, and forms are consistent with OCR’s guidance.