HHS Finalizes HIPAA/HITECH Rule: Dramatic Revisions to Marketing Practices and Research Authorizations

January 22, 2013

By Jeffrey N. Wasserstein

On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health and Human Services announced the issuance of its much anticipated (and long-awaited) final rule (in prepublication form) relating to the modification to the HIPAA Privacy, Security and Enforcement Rules under the HITECH Act (see our prior posts here and here).  While there is a great deal of interesting material in the Final Rule if, like me, you are a health privacy geek, this blogpost will focus on just two provisions that will be of interest to our loyal readers – paid marketing communications and compound research authorizations.

Marketing Communications

First, a little background.  Prior to the HITECH Act, pharmaceutical companies could pay pharmacies to communicate with their patients for the purpose of either reminding patients to refill their prescription (“refill reminders”), or to recommend switching to alternative therapies (“switch communications”).  Such communications were considered “health care operations” and therefore did not require a written authorization from the patient.  The HITECH Act changed the definition of “health care operations” such that paid switch communications were no longer considered “health care operations” and thus required an authorization.  As we noted, the HITECH Act did not directly address whether paid switch communications might remain treatment communications which do not require an authorization, as per the FAQ referenced in our prior blogpost.  This omission created confusion – it appeared that Congress left open an exception so big as to render the prohibition on paid switch communications a nullity.

According to the proposed rule, HHS determined that this was exactly what Congress did. In the proposed rule, HHS separated paid communications that were for treatment purposes from those that were for health care operations purposes, essentially drawing a line in the sand between those that were based on an individual and those that were population based, and requiring an authorization only for the latter.  We noted at the time that this seemed a little confusing.

Apparently, we weren’t the only ones confused.  Many of the public comments submitted objected to the regulatory scheme in the proposed rule, noting that covered entities were likely to violate the rule inadvertently by incorrectly deeming a communication to be a treatment communication (and thus permitted) when it was really for health care operations purposes, and thus not permitted absent an authorization.

HHS agreed and dramatically revised the proposed rule.  The final rule now requires patient authorization before using protected health information for all paid communications that recommend a product or service to the patient, regardless of whether the purpose is treatment or health care operations.  (This being a regulation, of course “all” doesn’t really mean “all” but we’ll get to the exceptions in a minute.)  HHS did away with its proposal that would have permitted certain paid treatment communications provided that (1) the covered entity’s Notice of Privacy Practices included a statement informing patients that the health care provider may send the paid switch communications and that the individual has the right to opt out of receiving such communications, and (2) the communication itself disclosed the financial payment and the ability to opt out.  Rather, all such communications will now require prospective authorization.

Now, the exceptions:  Refill reminders, adherence communications, and other communications about a drug or biologic that is currently prescribed for the individual do not require authorization, provided that the payment received by the covered entity is “reasonably related to the covered entity’s cost of making the communication.”  What does “reasonably related” mean?  Basically, it means the covered entity cannot profit from the communication.  If the covered entity receives a financial incentive beyond their cost, they must obtain the patient’s authorization. 

HHS also clarified that communications about a drug or biologic currently prescribed include communications about generic equivalents.  They also clarified that for self-administered drugs or biologics, communications about the entire drug delivery system, such as an insulin pump, are considered communications about the drug itself.

HHS also left untouched the exception for face-to-face communications, and clarified that this exception includes handing printed materials to a patient during a face-to-face interaction.  HHS noted that telephone calls and materials sent via mail or email do not constitute face-to-face communications.

Research Authorizations

As we noted in our prior blogpost, HHS proposed to permit compound research authorizations; that is, an authorization permitting a covered entity to use protected health information for more than one purpose, if both (or all) purposes relate to the same research project.  Thus, a single authorization could be used for a clinical study as well as for specimen collection for a central repository.  Currently, compound authorizations are prohibited, which increases the burden on clinical trial sites when obtaining consent and authorization from subjects for the research project.  HHS also requested comment on whether (and how) an authorization could be used to permit future unspecified research studies using the subject’s protected health information, thus simplifying the ability of sponsors and institutions to use collected information and data in future studies.

HHS finalized the first proposal and will now permit compound authorizations provided the authorization clearly differentiates the aspects that are conditioned authorizations (such that a patient cannot participate in a clinical study without signing the authorization) from those aspects that are unconditioned (e.g., allowing tissue samples to reside in a sample repository or central database).  HHS also modified its prior interpretation of authorizations for research studies such that an authorization need no longer be “study specific” provided that the authorization adequately describes such purposes so that it would be reasonable for the subject to expect that his PHI could be used or disclosed for future research.  This is excellent news for industry, research institutions, and IRBs.

Take a deep breath and hang in there, we’re almost done.  The rule goes into effect on March 26, 2013, and covered entities and business associates must comply with applicable requirements by September 23, 2013.  Given that the changes to marketing communications represent a sea change, this gives industry time to review and revise any arrangements they have with covered entities for marketing communications in order to come into compliance.
