Stimulating Privacy: Changes to HIPAA in the Stimulus Bill

March 2, 2009

By Susan Matthees and Jeff Wasserstein

Although the stimulus bill that President Obama recently signed into law received significant attention for its economic implications, less noticed was Title XIII of the stimulus bill, entitled the "Health Information Technology for Economic and Clinical Health Act" or the "HITECH Act."  The HITECH Act includes a provision related to the HIPAA Privacy Standards that will restrict certain communications made by pharmacies and other providers relating to pharmaceutical products.

Prior to the HITECH Act, communications made by pharmacies or other providers to recommend alternative treatments or therapies or to recommend refilling prescriptions were considered to be communications for the purposes of "health care operations" and thus were permitted without patient authorization, even if a third party was funding the communication.  Thus, a manufacturer could without a patient authorization pay a doctor or pharmacy to send prescription refill reminders to patients as well as pay a doctor or pharmacy to recommend an alternative medication – see HIPAA Frequent Questions.  However, the HITECH Act limits marketing that is based on protected health information.  Under the HITECH Act, if a third party is paying for the communication, absent an authorization a pharmacy or provider can only send such a communication to a patient who has already been prescribed the drug or biologic.  Thus, manufacturers can continue to pay for refill reminders, but not for alternative drug recommendations.  This limitation applies to covered entities and business associates, and thus would apply to pharmacies, physicians, health plans, as well as pharmacy benefit managers.

The Act will also change liability for business associates.  Business associates contract with entities that must comply with the HIPAA Privacy Standards to provide services on behalf of the covered entity.  Prior to the stimulus bill, business associates were not liable under the civil or criminal penalty provisions of HIPAA, and were only liable for breach of contract (the business associate agreement) if they violated the provisions of the contract.  However, the HITECH Act makes business associates directly subject to HIPAA enforcement.

Pharmaceutical companies should take careful note of these new provisions, as they may significantly impact their marketing practices.  These provisions go into effect 12 months from the signing of the stimulus package, or February 17, 2010.
