The Connecticut State Senate recently passed a bill that would impose additional disclosure and consent requirements on retailers offering pharmacy rewards programs to consumers.  If the bill passes the Connecticut House and becomes law in its current form, violations would expose retail providers of such programs to suit under the state’s consumer protection laws as soon as July 1, 2014.

The bill would require a retailer, prior to enrolling a consumer in a pharmacy rewards program, to provide the consumer with a plain language summary of the terms or conditions of the program.  If a HIPAA authorization is required to participate in the program, the summary must include a “conspicuous notice, in bold font” of what constitutes a HIPAA authorization.  HIPAA requires an authorization for uses and disclosures of PHI for all marketing communications, except for face-to-face encounters and communications involving a promotional gift of nominal value (such as pens and notepads).

If the pharmacy rewards program will provide the consumers’ Protected Health Information (PHI) to third parties, the notice must also inform the consumer of which third parties will receive the PHI and warn that once a consumer signs the HIPAA authorization, the consumer’s PHI will no longer be protected by federal and state privacy laws.  Finally, the notice also must provide instructions to consumers on how to revoke their HIPAA authorizations, and of their rights to a copy of the authorization they signed.

Several pharmacy retailers already require consumers to sign a HIPAA authorization in order to join their prescription rewards programs, but some state legislatures and agencies may believe that consumers do not understand the implications of signing (or clicking to agree to) such an authorization.