Since the HIPAA Privacy Rule went into effect in 2003, pharmacies, health plans, and other covered entities have been permitted to send communications to patients about products and services of third parties, as long as these communications are for purposes of treatment or to recommend alternative therapies. Prior authorization of patients has not been required to send such communications, even where the covered entity has been paid to send the communications by a third party whose products/services are the subject of the communications. The Department of Health and Human Services’ HIPAA/HITECH Omnibus Final Rule (Final Rule) modifies the definition of “marketing” in the Privacy Rule and will require as of the compliance deadline (September 23, 2013) that covered entities obtain patient authorizations before sending such communications paid for by third parties.
HHS, under several administrations, has struggled with how to appropriately protect patient privacy in the context of pharmacy and health plan communication programs paid for by third parties. On the one hand, such programs can provide valuable information to patients on treatment options and disease management. For example, pharmaceutical companies frequently sponsor pharmacy programs designed to promote patient adherence to physician-prescribed treatments. Companies also have sponsored programs that communicate information about adjunctive, new or alternative treatments that might be appropriate for patients. These programs can help patients recognize disease symptoms and understand treatment options, so that they can more effectively seek appropriate care and make better-informed health decisions. On the other hand, privacy advocates have argued that a patient’s consent should be required before a covered entity is able to use his or her protected health information (PHI) for profit-generating activities.
HHS’s position on these types of communication programs has changed over time. Under the Clinton administration, HHS opted to treat such communication programs as “marketing,” but to allow them without prior patient authorization, provided the communications contained opt-out instructions. However, HHS under the Bush administration reversed course and declared: “The Department does not agree that the simple receipt of remuneration should transform a treatment communication into a commercial promotion of a product or service. For example, health care providers should be able to, and can, send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication.” In 2002, HHS modified the Clinton-era HIPAA rulemaking to broadly exempt communications for the treatment of the individual and communications about alternative therapies from the scope of what was defined as “marketing.” In doing so, HHS commented that “The Department believes that certain health care communications, such as refill reminders or informing patients about existing or new health care products or services, are appropriate, whether or not the covered entity receives remuneration from third parties to pay for them.”
Under the HITECH Act, signed into law in 2009 as part of the larger American Recovery and Reinvestment Act, Congress instructed HHS to modify its prior position. The challenge for HHS, however, was that these instructions were far from clear. Specifically, the HITECH Act declared that a communication about a product or service that encourages recipients of the communication to purchase or use the product or service “shall not be considered a health care operation” if the covered entity receives direct or indirect payment in exchange for making the communication. This left unanswered whether some communications should nevertheless be considered “treatment” communications excluded from the definition of “marketing.” Moreover, in its 2009 Proposed Rule to implement this section of the HITECH Act, HHS proposed to distinguish remunerated “treatment” communications from remunerated “health care operations” communications. As proposed, the latter would have required the patient’s prior authorization while the former would have required only notice and the provision of an opt-out option.
The Final Rule modifies the definition of “marketing” by stipulating that marketing includes making a communication that encourages the purchase or use of a product or service where the covered entity receives financial remuneration from a third party for making the communication. As a result, the Final Rule departs from prior versions of the rule in that it requires individual authorization for all communications, whether for “treatment” or “health care operations” purposes, where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed. “Financial remuneration” means direct or indirect payment from or on behalf of a third party whose product or service is being described.
Nevertheless, the Final Rule retains a narrow exemption, which was expressly provided for under the HITECH Act for refill reminders and other communications that are about a drug or biologic that is currently being prescribed for the individual. Such communications are excluded from the definition of “marketing,” provided that any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication. In the preamble, HHS clarifies that “where an individual is prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system, including, for example, an insulin pump, fall under this exception.”
With respect to the restriction on remuneration under the exception, HHS states that it interprets this language as allowing a third party to cover the covered entity’s cost of drafting, printing, and mailing the communications. However, “where [a] drug manufacturer also provides [a] pharmacy with a financial incentive beyond the cost of making the communication to encourage the pharmacy’s continued willingness to send such communications on behalf of the drug manufacturer, the exception would not apply and the pharmacy must obtain individual authorization.”
Notably, the Final Rule does not change the existing exception to the authorization requirement for marketing communications that are made face-to-face by a covered entity to an individual. Moreover, in preamble to the Final Rule, HHS clarifies that this exception covers both verbal and written communications: “[A] health care provider could, in a face to face conversation with the individual, recommend, verbally or by handing the individual written materials such as a pamphlet, that the individual take a specific alternative medication, even if the provider is otherwise paid by a third party to make such communications.” The rationale for the face-to-face exception, as previously explained by HHS, is that “[i]n this context, the individual can readily stop any unwanted communications, including any communications that may otherwise meet the definition of ‘marketing.’ ”
The Final Rule also retains the exception to the authorization requirement for subsidized marketing communications where the “communication” is a “promotional gift of nominal value” provided by the covered entity to the individual. HHS has previously explained that this exception allows a covered entity to distribute calendars, pens, and the like, that display the name of a product. Most of these types of gifts are likely distributed in face-to-face encounters and would thereby also be permitted under the exception for face-to-face communications, to the extent that PHI is used at all in targeting the gifts to specific patient populations. Nevertheless, the exception would appear to permit health care providers and health plans to send such gifts through the mail without patient authorization, even where the covered entity is paid by a third party for doing so and makes a profit from the activity. For example, the exception would appear to allow a pharmacy to send a product-branded calendar with refill reminder stickers to be applied by the patient to the appropriate days/months, even where the pharmacy is paid by the drug manufacturer for doing so and such payment exceeds the pharmacy’s costs.
It is important to recognize that although the Final Rule creates a much stricter set of requirements for third-party subsidized communication programs, some state laws may nevertheless impose greater obligations. In particular, California’s Confidentiality of Medical Information Act imposes a strict standard for health care provider and health plan communications paid for by third parties. Covered entities and sponsors of subsidized communication programs should be sure to take into account state law requirements when developing their overall compliance approach.
 Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013) [hereinafter 2013 Omnibus Final Rule].
 Standards for Privacy of Identifiable Health Information; Final Rule, 67 Fed. Reg. 53,182, 53,187 (Aug. 14, 2002) [hereinafter 2002 Final Rule].
 2002 Final Rule at 53,188.
 HITECH Act § 13406.
 See Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the Health Information Technology for Economic and Clinical Health Act; Proposed Rule, 75 Fed. Reg. 40,868 (July 14, 2010).
 2013 Omnibus Final Rule at 5596.
 2013 Omnibus Final Rule at 5597.
 2013 Omnibus Final Rule at 5596.
 2002 Final Rule at 53,190.
 2002 Final Rule at 53,184.
 Cal. Civ. Code § 56.05 et seq.