On June 12th, Connecticut governor Dannel P. Malloy signed into law ”An Act Concerning Pharmacy Rewards Programs And Protected Health Information“. The law went into effect July 1st, and applies to pharmacy retailers in the state of Connecticut. We profiled the version of the law passed by the Connecticut Senate in a previous blog post, but there are some key differences to note between the Senate version and the enacted version (and we provide a redline here).

  1. Definitions:

The enacted version omits the “HIPAA authorization,” “Protected health information,” and “marketing” definitions included in the Senate bill. Instead, subsection (d) of the new law requires that these terms be defined in (i) the pharmacy rewards program’s promotional materials, (ii) in the plain language summary of the terms and conditions provided to the patient, and (iii) on the enrollment form “at the point of HIPAA authorization,” if these terms are actually used in these materials.

  1. Rewards Program Terms and Conditions Summary Contents:

The enacted version uses different language than the Senate bill to describe the information required to be provided in the summary of the terms and conditions of pharmacy rewards programs. Although both versions of the legislative text require a plain language and written disclosure of the specific uses and disclosures that the HIPAA authorization allows in the terms and conditions, the enacted law requires that the disclosure statement be in bold font and that the disclosure statement explicitly warn that once the consumer signs the HIPAA authorization the consumer’s personal health information (PHI) may no longer be protected by federal and state privacy laws. In addition, the pharmacy retailer must provide the same warning to consumers if the PHI provided to the pharmacy rewards program will be disclosed to third parties.

The enacted law still requires that the pharmacy rewards program provide instructions to consumers on how to revoke their HIPAA authorizations, and of their rights to a copy of the HIPAA authorization they signed as part of enrolling in the program.

This law is an example of how state legislatures have taken a special interest in ensuring transparency in the use and disclosure of PHI for their residents. Because Connecticut has made violations of this law actionable under the state’s unfair and deceptive acts and practices law, pharmacy retailers in Connecticut and other states considering such laws should take notice and evaluate their rewards programs accordingly.