In late January of this year, we reported that the U.S. Department of Health & Human Services (HHS) issued four final rules, combined to create an omnibus final rule addressing several aspects of patient privacy under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The rules were combined—563 pages—to "reduce the impact and number of times certain compliance activities need to be undertaken by regulated entities."
HHS' Office for Civil Rights (OCR), which implements HIPAA and its related provisions, recently estimated that healthcare organizations will spend 32.8 million hours complying with the modified HIPAA omnibus rule. The bulk of that time, 30.655 million hours, will involve the dissemination and acknowledgement of privacy practices at provider offices.
Recently, OCR issued a model Notice of Privacy Practices for health care providers and health plans, which can be accessed here. The model concisely reflects the regulatory changes of the Final Rule. Specifically, it highlights:
- the patient's right to an electronic copy of her medical record (if the practice uses an electronic health record),
- the patient's right to restrict disclosure to her health insurer for out-of-pocket payments made in full, and
- the written authorization required for marketing and sale of protected health information (PHI).
The model is available in four formats (booklet, layered, full page, and text only) and can be easily customized for distribution to patients and display on the practice's website.
First Amendment Challenge to Omnibus Rule
In response to this final rule, Adheris, Inc. has filed a complaint (and accompanying memorandum) seeking injunctive and declaratory relief to prohibit HHS from enforcing provisions of the final rule as they pertain to certain paid marketing communications, as reported by the FDA Law Blog.
At issue is whether Adheris can continue to communicate refill and adherence reminders and whether HHS' final rule violates the First Amendment.
The final rule went into effect on September 23rd, 2013.
As explained by the FDA Law Blog, "Adheris's core business model involves sending reminders to customers of participating pharmacies to refill their existing prescriptions before their refills are due, and also preparing and sending letters that encourage customers to adhere to their prescribed treatment regimens. The letters the company sends include "educational information about the medication, safety information, positive reinforcement to stay on therapy, and a direction to follow the treating physician's advice."
"Adheris's complaint states its services have a "verifiably significant impact on the percentage of patients still complying with their prescribed regimens at the end of a program period," and, therefore, improve patient health. Although pharmaceutical companies are the sponsors of these refill reminders and adherence messages, Adheris does not disclose protected health information to pharmaceutical manufacturers. According to the complaint, Adheris derived total revenues of $49 million from these services in 2012."
In addition to this lawsuit, Pharmalot reported that inVentiv Health filed a similar lawsuit, challenging the final rule as violating Free Speech rights with respect to refill reminders. "This rule undermines a valuable extension of a physician's treatment that promotes patient health, helps save lives and reduces healthcare costs, all of which are in the public interest and consistent with the objectives of the Affordable Care Act," said inVentiv Health general counsel Eric Sherbet in a statement. "It is a misguided regulation and one that impinges on our right to speech that serves a significant public health interest."
HHS' Final Rule
The blog post explains that prior to the HITECH Act, which became law on February 17, 2009, "pharmaceutical companies could hire pharmacies and pharmacy chains to remind patients to refill their prescriptions, or recommend switching to alternative therapies. These types of communications were considered treatment communications and did not require a written authorization from the patient to comply with HIPAA."
Congress called these types of communications "health care operations" (a separate category under HIPAA) without addressing treatment communications. Consequently, HHS' final rule seeks "to implement the HITECH Act and requires patient authorization before using protected health information to direct any paid communication recommending a product or service to the patient, regardless of whether the purpose of the communication is treatment or health care operations," according to the post.
One exception provided for in the final rule "is that refill reminders, adherence communications, and other communications to patients with current prescriptions for that drug do not require authorization if the payment received by the covered entity" is "reasonably related to the covered entity's cost of making the communication." HHS explained that this means that a covered entity cannot profit from the communication.
"If the covered entity receives a financial incentive beyond its cost, it must obtain the patient's authorization. Because, as the complaint states, Adheris's service-related expenses far exceed its permissible remuneration, Adheris's business is threatened by the rule."
However, several days after the lawsuit was filed, the FDA Law Blog reported that HHS filed a joint motion requesting the suspension of Adheris's motion for a preliminary injunction seeking to prohibit HHS from enforcing its final rule restricting certain paid marketing communications.
HHS informed the court that it intends to issue guidance pertaining "to the financial remuneration that would be considered 'reasonable' for providing refill reminders or other communications about a drug or biologic currently being prescribed to an individual." HHS stated that it expects to issue such guidance by September 23, 2013.
In addition, HHS announced that it decided "not to enforce the restrictions on remunerated refill reminders and other communications about drugs and biologics (as set forth in 45 C.F.R. § 164.501) for a period of 45 days . . . or until November 7, 2013."
Additionally, OCR announced that it will delay its enforcement of the new requirement that "certain HIPAA-covered laboratories revise their notices of privacy practices (NPPs)."
This Enforcement Delay applies to HIPAA-covered laboratories that are subject to CLIA (i.e., CLIA-certified) or exempt from CLIA (i.e., CLIA-exempt) and that are not required to provide an individual with access to his or her laboratory test reports under § 164.524 of the HIPAA Privacy Rule because the information is subject to the exceptions to the right of access at § 164.524(a)(1)(iii)(A) or (B). The Enforcement Delay does not apply to laboratories that operate as part of a larger legal entity, such as a hospital, and that, by virtue of that relationship, do not have their own laboratory-specific NPPs.
HHS OCR Refill Guidance
Consequently, OCR released guidance regarding the refill reminders. A summary of the guidance was written and edited for the American Health Lawyers Association (AHLA) by Mary Bearden and Allison Shelton of the law firm Brown & Fortunato PC, in Amarillo, Texas.
On September 19, the Office for Civil Rights (OCR) of the U.S. Department of Health & Human Services (HHS) released guidance entitled, "The HIPAA Privacy Rule and Refill Reminders and Other Communications about a Drug or Biologic Currently Prescribed for the Individual" (Guidance). This Guidance concerns the new definition of "marketing" adopted in the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Final Rule.
OCR's Guidance breaks down the elements of the refill-reminder exception and provides clarification on several scenarios that are potentially affected by the exception.
Under the Guidance, OCR will permit payment "up to the fair market value of [the] services" to qualify as reasonable financial remuneration and to, therefore, fall within the exception for refill reminders in the case of Adheris. In the Guidance, OCR discusses:
- payments from a third party to a covered entity for refill reminders;
- payments from a covered entity to a business associate when a third party directly or indirectly covers the payments to the business associate; and
- payments from a covered entity to a business associate when no third party is involved.
In the first case, the third party may only cover the direct and indirect costs related to the refill reminder. For example, the third party may pay reasonable costs related to labor, supplies, materials, overhead, and capital expenditures.
In the second case, when a business associate receives remuneration directly or indirectly from the third party, the third party may pay fair market value for the business associate's services as would be the case under Adheris' business model.
Finally, in the third case, the exception for refill reminders will not limit the financial remuneration that the covered entity may pay the business associate because no third party is involved.
Even though OCR's interpretation concerning reasonable financial remuneration was the most-anticipated aspect of the Guidance, clarification for other interesting scenarios is also provided in the Guidance. For example, various messages can qualify for the refill-reminder exception, including information about generic equivalents of the prescribed drug; communications about prescriptions that have lapsed within the last 90 calendar days; and communications encouraging individuals to take medications as directed.
Also, if a drug is administered through durable medical equipment (DME), such as an insulin pump or a nebulizer, then the refill-reminder exception will encompass "communications regarding all aspects of the drug delivery system," including DME.
Other communications will not qualify for the exception, including communications about new formulations of the prescribed drug; information about adjunctive drugs that may be used along with the currently prescribed drug; and messages encouraging the recipient to switch to an alternative medicine.
Such communications are permitted under the treatment exception so long as the covered entity does not receive financial remuneration for the communication. Also, the Guidance indicates that covered entities may communicate with the individual about new formulations and adjunctive drugs in a general manner and without naming the actual drug. For example, a pharmacy may encourage an individual to speak with his or her doctor about medications that may treat the side effects of a currently prescribed drug.
When a covered entity obtains an individual's written authorization for communications funded by a pharmaceutical manufacturer, the Guidance indicates that a new authorization is not required for each new prescription. HIPAA-compliant authorizations must include an expiration date or event. According to the Guidance, this requirement may be met if the authorization expires when the individual opts out of receiving the authorized communication. Moreover, the scope of the authorization need not be limited to a single drug or biologic or to a single pharmaceutical manufacturer.
In light of the new Omnibus Rule going into effect on September 23rd, a number of articles have been published offering stakeholders advice and recommendations to ensure compliance and to assist with implementation.
For example, Zachary Landman, M.D., chief medical officer at DoctorBase, an mHealth-as-a-service provider, debunked common myths about HIPAA in an mHealthNews article, as reported by FierceHealthIT. The story covered five myths:
- HIPAA doesn't apply to me because I'm not a medical provider or part of a healthcare institution. Landman pointed out that the Omnibus rule now extends enforcement to any business or vendor that "creates, receives, maintains or transmits personal health information (PHI)."
- HIPAA applies to all health data. Actually, it only applies to data held by a patient's physician or care team, Landman explained. So if you record your weight and diet on an app and then don't share it with a physician, HIPAA doesn't apply.
- Data is secure, so that means it's private. Data transmission must be highly encrypted, or it is subject to third-party attacks, like stolen laptops, Landman said.
- Being HIPAA-compliant is only an IT problem. It's everyone's problem, Landman said; something as small as putting a note with your username and password on your monitor is a HIPAA violation.
- A smartphone's PIN makes it secure. They're too easy to crack, plain and simple, he said.
In another article reported by FierceHealthIT, Mark Dill, director of information security at Cleveland Clinic, offered five recommendations to prepare for a HIPAA audit. Starting Oct. 1, 2014, a permanent HIPAA security audit program will begin, according to OCR officials.
- Know what gaps are in your program in advance. The worst time to find out about problems is at the time of the audit, Dill said.
- Be organized. If you look disorganized, HHS will think you are disorganized, Dill said. In addition, you may be able to avoid an on-site audit if your documentation is of the highest quality.
- Display your results in the right format. Dill suggested using the OCR-recommended format (NIST 800-30); Cleveland Clinic, he said, uses "an improved format based on the standard."
- Use three-year benchmarks as "tabs in your book of evidence" for compliance and formal, organization-wide analysis. He suggests keeping a written calendar and schedule of business impact analysis.
- Partner with a reputable third-party consultant or firm. "Third party attestation can reveal at least 30 percent about what you don't know, and peer comparisons give you a really clear picture," Dill said.
The overall goal of HIPAA, to protect patient privacy, may be laudable, but given the tremendous cost of implementation and the restrictions on patient communications, in the end we may look at this as just another burdensome regulation with little real benefit to patients.