
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

HHS Publishes Guidance on how the HIPAA Privacy Rule Applies to Refill Reminders

The HIPAA Privacy Rule gives individuals greater control over how their medical data can be used and disclosed to third parties. The Rule prohibits the disclosure or use of patient PHI for the purposes of marketing. Before health information can be used to market products, services or pharmaceuticals to a patient, a written authorization must be provided stating that the patient opted in for this service.

The purpose of the Privacy Rule is to offer patients better protection; however, the legislation should not interfere with patients receiving the care they need. Oftentimes, communications must be sent to patients advising them of medical matters, services, and even products. While there may be some overlap between marketing and general communications, provisions have been included in the legislation to take these into account.

The HHS has now published further clarification on how the Privacy Rule applies to sending refill reminders and other communications that involve the provision of products and services, and explanations have been provided on exceptions to the Privacy Rule.

The Privacy Rule does not cover the sending of refill reminders to patients. Communications about drugs or biologics that are currently being prescribed for the individual in question can be the subject of communications with the patient, although only if the entity sending that communication is not receiving financial remuneration for contacting patients.


If a healthcare provider wishes to send a communication to a patient, they are not permitted to receive payment from the provider of the drug or service mentioned in the correspondence, other than to cover reasonable costs such as the cost of printing and postage.

Refill reminders – for the same drug or a generic equivalent – information about recently lapsed prescriptions (within 90 days), communications reminding patients to take their medications, or information relating to how a self-administered treatment is issued – new drug delivery systems for example – are all exceptions and are permitted under the Privacy Rule.

Clarification has also been published on what constitutes remuneration and under what circumstances business associates can be paid to send refill reminders and other communications that are permitted under the Privacy Rule. Examples have been provided to aid understanding, and scenarios where healthcare providers have found it difficult to interpret the rules are now detailed on the website. The guidance can be found on the HHS website.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
