On September 19, 2013, the Office of Civil Rights of the Department of Health and Human Services (“OCR”) released guidance on a number of privacy protections, the most significant of which relates to the refill reminder marketing exception.
I. Marketing Exception for Refill Reminders
The newly issued guidance on refill reminders was prompted in part by a lawsuit filed by Adheris, a provider of prescription adherence and refill reminder messaging, seeking a preliminary injunction against the enforcement of the HIPAA Omnibus Final Rule’s (Omnibus Rule) authorization requirement for certain types of subsidized treatment communications. Adheris claimed that OCR’s limiting remuneration to “reasonably related costs” of making such communication threatened its business. OCR responded by promising to issue additional guidance on what constituted acceptable remuneration, and to delay enforcement of the refill reminder marketing exception until November 7, 2013.
Under the Omnibus Rule, any communication to an individual by a covered entity or its business associate about a drug or biologic currently prescribed to that individual does not generally require prior authorization, so long as any financial remuneration provided by the third party whose product is being described is “reasonably related” to the covered entity’s cost of making the communication. The Omnibus Rule was a departure from OCR’s proposed rule and prior practice, in which communications regarding treatment were exempt from the definition of marketing, regardless of whether any remuneration was involved.
In defining “reasonably related” costs, OCR provided a definition that differs depending upon whether a covered entity or a business associate is receiving a direct or indirect payment from a pharmaceutical manufacturer in exchange for making the communication:
- Covered Entities – If a Covered Entity receives a payment, such payment will be limited to the reasonable direct or indirect costs related to the labor, materials, supply, and capital and overhead costs of making the communication.
- Business Associates – If a Business Associate receives the payment, such payment may be up to the fair market value for the services provided by the business associate.
The guidance also clarifies whether certain types of remunerated communications require prior authorization:
- Recently-lapsed prescriptions – Communications that encourage an individual to renew a prescription that has lapsed may be made if the communication is made within the first ninety (90) days after the prescription has lapsed.
- Adjunctive drugs – Communications regarding a drug that may be used in conjunction with a currently prescribed drug or biologic do not meet the “currently prescribed” requirement and may only be made in a general manner, such as recommending that an individual ask his/her doctor about common side effects of a currently-prescribed drug or biologic.
- New formulations – Communications regarding new formulations of a currently- prescribed drug or biologic do not meet the exception and may only be made in a general manner, such as providing information about dosing schedules or a liquid rather than pill formulation.
- Switch messaging – Communications encouraging an individual to switch from a currently prescribed drug or biologic to a different drug or biologic do not meet the exception.
OCR also clarified the timing of receipt of authorizations for existing patients, and the scope and content of the authorizations:
- Existing patients – Authorizations will not be required by the September 23, 2013 Omnibus Rule compliance date, but must be obtained by the earlier of either prescription renewal or September 24, 2014.
- Scope – An authorization does not have to be limited to a single drug or biologic and does not have to be re-obtained at each subsequent prescription renewal.
- Disclosure – The authorization must disclose that the covered entity will receive financial remuneration from one or more pharmaceutical manufacturers in exchange for making the communication, and that the authorization may be revoked by the individual at any time.
II. Health Information of Deceased Individuals
OCR also published a separate guidance on the Omnibus Rule’s modifications to privacy protections for the protected health information (PHI) of deceased individuals. The guidance explains that HIPAA’s restrictions on uses and disclosures of PHI apply to individually identifiable health information for fifty (50) years following the individual’s date of death. The fifty year rule does not apply to information about a decedent that may be included in the PHI of another living person’s medical history.
OCR also discussed the circumstances under which decedent PHI may be used or disclosed without authorization during the fifty year period. Disclosures of decedent information to law enforcement (if a crime is suspected to have been the cause of death); to coroners, medical examiners or funeral directors; for research solely on the PHI of decedents; and to organ procurement organizations or tissue banks are all permitted without authorization.
In addition, a decedent’s PHI may be disclosed to the decedent’s family members or other person(s) involved in the decedent’s care, unless the disclosure would be inconsistent with the prior expressed preference of the decedent. Such disclosures should be limited to PHI relevant to the surviving person’s involvement in the decedent’s care or payment for care, and a covered entity should use its reasonable professional judgment in determining whether the surviving person is entitled to receive the information. OCR recommends, but does not require, covered entities to keep track of these preferences. A covered entity may, however, disclose decedent PHI to the administrator or executor of the decedent’s estate, regardless of whether the decedent previously objected to the disclosure.
For any other uses or disclosures of a decedent’s PHI, a covered entity must obtain a HIPAA authorization from the decedent’s executor, administrator, or other person authorized to act on behalf of the decedent.
III. Disclosure of Student Immunization Status
OCR also released guidance on privacy protections relevant to Student Immunizations. Under the Omnibus Rule, a covered entity may disclose proof of immunization to a school without a formal HIPAA authorization in states where state or local law requires proof of immunization in order to admit a student. The guidance provides additional information about the documentation necessary to demonstrate that the student’s parent or guardian has agreed to the disclosure of the student’s immunization status by the health care provider.
IV. Enforcement Delay for Certain CLIA and CLIA-Exempt Laboratories
Finally, OCR also announced its intent to delay the enforcement of the Omnibus Rule requirement for certain CLIA and CLIA-exempt laboratories to revise their notices of privacy practices (NPP), previously scheduled to begin on September 23, 2013. The delay is due to the impending finalization of the amended CLIA regulations and HIPAA Privacy Rule, both of which are expected to result in material changes to the affected laboratories’ NPPs. OCR indicated that it would issue a notice in the Federal Register and on its website at least thirty (30) days in advance of the end of the enforcement delay.