The Privacy Rule amended the Health Insurance Portability and Accountability Act of 1996 to give people better controls over how their medical history can be used and disclosed to third parties. The Rule now prevents the disclosure or use of patient PHI for the purposes of marketing. Before health data can be used to market products, services or pharmaceuticals to a patient, a written authorization must be given stating that the patient chose to avail of this service.
The purpose of the Privacy Rule is to provide patients better protection; however the legislation should not interfere with patients receiving the care they require. Oftentimes, communications must be issued to patients advising them of medical matters, services and even products. While there may be some crossover between marketing and general communications, provisions have been incorporated in the legislation to take these into account.
The HHS has now published a release providing further clarification on how the Privacy Rule applies to sending refill reminders and other communications which involve the provision of products and services, and explanations have been given on exceptions to the privacy Rule.
The Privacy Rule does not cover the issuing of refill reminders to patients. Communications regarding drugs or biologics which are currently being prescribed for the person in question can be the subject of communications with the patient, although only if the body sending that communication is not receiving financial remuneration for contacting patients.
If a healthcare provider wants to send a correspondence to a patient they are not permitted to receive payment from the provider of the drug or service referred in the correspondence, other than to cover reasonable costs such as the cost of printing and postage.
Refill reminders – for the same drug or a generic equivalent – information about recently lapsed prescriptions (within 90 days), communications reminding patients to take their medications or information relating to how a self administered treatment is issued – new drug delivery systems for instance – are all exceptions and are allowed under the Privacy Rule.
Clarification has also been released on what constitutes payment; under what circumstances business associates can be paid to issue refill reminders and other communications that are allowed under the Privacy Rule. Examples have been provided to help understanding and scenarios where healthcare suppliers have found it difficult to interpret the rules are now detailed on the website. The guidance can be downloaded from the HHS website.