HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

HHS Publishes Guidance on how the HIPAA Privacy Rule Applies to Refill Reminders

The Privacy Rule amended the Health Insurance Portability and Accountability Act of 1996 to give individuals greater control over how their medical data can be used and disclosed to third parties. The Rule now prohibits the disclosure or use of patient PHI for the purposes of marketing. Before health information can be used to market products, services or pharmaceuticals to a patient, a written authorization must be provided stating that the patient opted in for this service.

The purpose of the Privacy Rule is to offer patients better protection; however, the legislation should not interfere with patients receiving the care they need. Oftentimes, communications must be sent to patients advising them of medical matters, services and even products. While there may be some overlap between marketing and general communications, provisions have been included in the legislation to take these into account.

The HHS has now published further clarification on how the Privacy Rule applies to sending refill reminders and other communications which involve the provision of products and services. Explanations have also been provided on exceptions to the Privacy Rule.

The Privacy Rule does not cover the sending of refill reminders to patients. Communications about drugs or biologics which are currently being prescribed for the individual in question can be the subject of communications with the patient, although only if the entity sending that communication is not receiving financial remuneration for contacting patients.

If a healthcare provider wishes to send a communication to a patient, they are not permitted to receive payment from the provider of the drug or service mentioned in the correspondence, other than to cover reasonable costs such as the cost of printing and postage.

Refill reminders (for the same drug or a generic equivalent), information about recently lapsed prescriptions (within 90 days), communications reminding patients to take their medications, and information relating to how a self-administered treatment is issued (new drug delivery systems, for example) are all exceptions and are permitted under the Privacy Rule.

Clarification has also been published on what constitutes remuneration and under what circumstances business associates can be paid to send refill reminders and other communications that are permitted under the Privacy Rule. Examples have been provided to aid understanding, and scenarios where healthcare providers have found it difficult to interpret the rules are now detailed on the website. The guidance can be found on the HHS website.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.