HIPAA Privacy Rule Applies to Refill Reminders According to HHS Guidance

Oct 1, 2013

The Privacy Rule amended the Health Insurance Portability and Accountability Act of 1996 to give people better controls over how their medical history can be used and disclosed to third parties. The Rule now prevents the disclosure or use of patient PHI for the purposes of marketing. Before health data can be used to market products, services or pharmaceuticals to a patient, a written authorization must be given stating that the patient chose to avail of this service.

The purpose of the Privacy Rule is to provide patients with better protection; however, the legislation should not interfere with patients receiving the care they require. Oftentimes, communications must be issued to patients advising them of medical matters, services and even products. While there may be some crossover between marketing and general communications, provisions have been incorporated in the legislation to take this into account.

The HHS has now published a release providing further clarification on how the Privacy Rule applies to sending refill reminders and other communications which involve the provision of products and services, and explanations have been given on exceptions to the Privacy Rule.

The Privacy Rule does not cover the issuing of refill reminders to patients. Communications regarding drugs or biologics which are currently being prescribed for the person in question can be the subject of communications with the patient, although only if the body sending that communication is not receiving financial remuneration for contacting patients.

If a healthcare provider wants to send correspondence to a patient, they are not permitted to receive payment from the provider of the drug or service referred to in the correspondence, other than to cover reasonable costs such as the cost of printing and postage.

Refill reminders (for the same drug or a generic equivalent), information about recently lapsed prescriptions (within 90 days), communications reminding patients to take their medications, and information relating to how a self-administered treatment is issued (new drug delivery systems, for instance) are all exceptions and are allowed under the Privacy Rule.

Clarification has also been released on what constitutes payment and under what circumstances business associates can be paid to issue refill reminders and other communications that are allowed under the Privacy Rule. Examples have been provided to aid understanding, and scenarios where healthcare suppliers have found it difficult to interpret the rules are now detailed on the website. The guidance can be downloaded from the HHS website.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:
