Re: HIPAA/HITECH Final Rule Clarification and Guidance Sought on Refill Reminder Programs

Similar documents
NEW HIPAA PRIVACY RULES ALTER OPTIONS FOR HEALTH CARE MARKETING AND RESEARCH

Medical Research Law & Policy Report

White Paper THE HIPAA FINAL OMNIBUS RULE: NEW CHANGES IMPACTING BUSINESS ASSOCIATES

July 19, Re: CMS-9957-P. Dear Administrator Tavenner,

OCR Issues Final Modifications to the HIPAA Privacy, Security, Breach Notification and Enforcement Rules to Implement the HITECH Act

HHS Issues New HITECH/HIPAA Rule: Implications for Hospice Providers

HIPAA/HITECH Rules Proposed: Major Changes Looming for Business Associates and Subcontractors

RE: HIPAA Privacy Rule Accounting for Disclosures, RIN 0991-AB62

By Ross C. D Emanuele, John T. Soshnik, and Kari Bomash, Dorsey & Whitney LLP Minneapolis, MN

Updated HIPAA Regulations What Optometrists Need to Know Now. HIPAA Overview

Re: REG , Additional Requirements for Charitable Hospitals, Proposed Rule

Comments to Notice of Proposed Amendments to Federal Sentencing Guidelines Federal Register: F.R. Doc. E F.R. Publication Date: January 28, 2008

Memorandum. Factual Background

Business Associates and Breach Reporting Under HITECH and the Omnibus Final HIPAA Rule

GENERAL OVERVIEW OF STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH INFORMATION [45 CFR Part 160 and Subparts A and E of Part 164]

HIPAA and HITECH Compliance Under the New HIPAA Final Rule. HIPAA Final Omnibus Rule ( Final Rule )

Structuring Physician Recruitment Arrangements in Accordance with the Stark II/Phase II Interim Final Rule

Registration of Municipal Advisors [Release No ; File No. S ]

January 25, P a g e

ReedSmith. CMS and the OIG Extend Protections for Electronic Health Record Donations. Client Alert. Life Sciences Health Industry Group

New HIPAA Rules: A Guide for Radiology Providers

ELECTRONIC HEALTH RECORDS. Nonfederal Efforts to Help Achieve Health Information Interoperability

Health Care Information Privacy The HIPAA Regulations What Has Changed and What You Need to Know

October 27, The Honorable John Berry Director Office of Personnel Management 1900 E Street, NW Washington, DC Dear Director Berry:

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

I. Pharmacy Programs Offer Substantial Benefits To Patients And Government Programs

Business Associates, HITECH & the Omnibus HIPAA Final Rule

RE: File Code CMS-1345-NC2 Medicare Program Waiver Designs in Connection with the Medicare Shared Savings Program and Innovation Center

September 24, RIN 1210-AB32 Conflict of Interest Rule. Dear Sir or Madam,

Final Rule: Modifications to the HIPAA Privacy, Security, Enforcement, and HITECH Act Breach Notification Rules, 78 Fed. Reg (Jan.

HIPAA/HITECH and Texas Privacy Laws Comparison Tool Updated 2013

FAQ: HIPAA AND CLOUD COMPUTING (v1.0)

Health Record Banking Alliance

GAO PRESCRIPTION DRUG DATA. HHS Has Issued Health Privacy and Security Regulations but Needs to Improve Guidance and Oversight

Business Associate Agreement

Under section 1128A(a)(5) of the Social Security Act (the Act), enacted as part of

April 2, Re: Comments on Connected Health and Care for the Nation. Dear Dr. DeSalvo:

Securing Patient Portals. What You Need to Know to Comply With HIPAA Omnibus and Meaningful Use

RE: CMS-1345-P; Comments to Medicare Shared Savings Program: Accountable Care Organizations Proposed Rule

A s a covered entity or business associate, you have

HIPAA Privacy FAQ s. 3. Generally, what does the HIPAA Privacy Rule require the average provider or health plan to do?

Long-Expected Omnibus HIPAA Rule Implements Significant Privacy and Security Regulations for Entities and Business Associates

Information Protection Framework: Data Security Compliance and Today s Healthcare Industry

800 17th Street, NW Suite 1100, Washington, DC 20006

Senate Bill No. 48 Committee on Health and Human Services

Health Care in the Cloud Think You Are Doing Fine on Cloud Nine? Hey You! Think Again. Better Get Off of My Cloud

Docket No. R-14 19, RIN 7100-AD76 Electronic Fund Transfers

HITECH Privacy, Security, Enforcement, Breach & GINA The Final Omnibus Rule Frequently Asked Questions and Answers

Signed into law on February 17, 2009, the Stimulus Package known

Legislative & Regulatory Information

340B Omnibus Guidance Would Significantly Narrow the Pool of Eligible Patients

Society of Corporate Compliance and Ethics

HIPAA Privacy and Security Changes in the American Recovery and Reinvestment Act

Following is a restatement of the primary duties of the six paralegals you describe:

May 18, Georgina Verdugo Director Office for Civil Rights United States Department of Health and Human Services

The Ten Steps to Improve Preexisting Condition Exclusions

Healthcare Practice. Breach Notification Requirements Under HIPAA/HITECH Act and Oregon Consumer Identity Theft Protection Act. Oregon.

Stark and Anti-kickback Regulations: Proposed Changes for E-prescribing and Electronic Health Records

Loan Originator Compensation Requirements under the Truth In Lending Act

Welcome to the Privacy and Security PowerPoint presentation in the Data Analytics Toolkit. This presentation will provide introductory information

B October 6, The Honorable Lane Evans Ranking Minority Member Committee on Veterans Affairs House of Representatives

DEPARTMENT OF JUSTICE WHITE PAPER. Sharing Cyberthreat Information Under 18 USC 2702(a)(3)

New HIPAA regulations require action. Are you in compliance?

Loan Originator Compensation Requirements under the Truth In Lending Act

INTERPRETATION OF THE SEC S WHISTLEBLOWER RULES UNDER SECTION 21F OF THE SECURITIES EXCHANGE ACT OF 1934

what your business needs to do about the new HIPAA rules

B. For example, a health system could own a hospital, medical groups and DME supplier and designate them as an ACE.

The Importance of Sharing Health Information in a Healthy World

REPRODUCTIVE ASSOCIATES OF DELAWARE (RAD) NOTICE OF PRIVACY PRACTICES PLEASE REVIEW IT CAREFULLY.

Minimum Performance and Service Criteria for Medicare Part D

October 22, CFR PARTS 160 and 164

The Benefits (and Dangers) of Outsourcing Medical Practice Ancillary Support Services Overseas. Sponsored by:

JPMorgan Chase & Co. 1 Chase Manhattan Plaza, Floor 25 New York, NY Telephone: (212) Facsimile: (212) Jay.soloway@chase.

A fter much-anticipation, the Health Resources and

February 13, 2012

Maintaining the Privacy of Health Information in Michigan s Electronic Health Information Exchange Network. Draft Privacy Whitepaper

This letter has been withdrawn. See Administrtor Interpretation September 8, 2006

De-Identification of Health Data under HIPAA: Regulations and Recent Guidance" " "

RE: Proposed Minimum Requirements for Appraisal Management Companies (AMCs)

AMWELL SERVICE PROVIDER SUBSCRIPTION AGREEMENT

Department of Education - Proposed Rule Change to Effect on Student Data and Information

April 17, 2008 CFP Board Standards of Professional Conduct Raise Serious Concerns for Independent Financial Advisors and Broker-Dealers

Data Breach Notification Burden Grows With First State Insurance Commissioner Mandate

Thursday, October 10, 2013 POTENTIAL BARRIERS TO HOSPITAL SUBSIDIES FOR HEALTH INSURANCE FOR THOSE IN NEED

RE: Study Regarding Obligations of Brokers, Dealers, and Investment Advisers, File No , 75 Federal Register (July 30, 2010).

By U.S. Mail and

Business Associates under HITECH: A Chain of Trust

Finally! HHS Issues Proposed Rule Implementing Changes to the HIPAA Privacy, Security and Enforcement Rules under HITECH

CRS Report for Congress

STARK AND ANTI-KICKBACK PROTECTION FOR E-PRESCRIBING AND ELECTRONIC HEALTH RECORDS

April 12, CMS-9981-P Comments on Proposed Rules Relating to Student Health Insurance Coverage Under the Affordable Care Act

July 26, RESPA: Home Warranty Companies Payments to Real Estate Brokers and Agents Docket No. FR-5425-IA-01

Data Breach, Electronic Health Records and Healthcare Reform

Department of Health and Human Services. Final Guidance Document

Department of Health and Human Services. No. 17 January 25, Part II

Privacy & Security The HHS Rule is Out What s New and What s Next. Mary Jo Carden, RPh, JD Director, Regulatory Affairs AMCP mcarden@amcp.

United States House of Representatives United States House of Representatives. Washington, DC Washington, DC 20515

The Stark Law Opportunities to Address Barriers to Clinical Integration January 29, 2016

E-Discovery: New to California 1

Transcription:

June 5, 2013 Ms. Susan McAndrew Deputy Director for Health Information Privacy Office for Civil Rights Department of Health and Human Services 200 Independence Ave., SW 56E 5 th Floor Washington, D.C. 20201 Re: HIPAA/HITECH Final Rule Clarification and Guidance Sought on Refill Reminder Programs Dear Ms. McAndrew: We respectfully submit this letter requesting further clarifications to and guidance on the January regulations implementing HITECH revisions to the HIPAA Privacy Rule. Specifically, we write regarding the provisions implementing the statutory exception to patient authorization requirements for refill reminders. The Center for Democracy & Technology ( CDT ) is a non-profit Internet and technology advocacy organization that promotes public policies that preserve privacy and enhance civil liberties in the digital age. As information technology is increasingly used to support the exchange of medical records and other health information, CDT, through its Health Privacy Project, champions comprehensive privacy and security policies to protect health data. CDT promotes its positions through public policy advocacy, public education and litigation, as well as through the development of industry best practices and technology standards. Recognizing that a networked health care system can lead to improved health care quality, reduced costs and empowered consumers, CDT is using its experience to shape workable privacy solutions for a health care system characterized by electronic health information exchange. CDT applauds the Office for Civil Rightsʼ (OCR) for strengthening the HIPAA marketing provisions in its January 2013 Final Omnibus Rule. Adding the requirement that patients authorize communications involving protected health information (PHI) that are paid for by the manufacturer of the product or service

being pitched in the communications strengthened an important privacy protection. Marketing is of substantial concern to many individuals when it comes to their health information. We recommended just this revision in our comments to the proposed privacy rule in 2010 1, and we sincerely thank OCR for addressing the concerns of consumer and privacy advocates. We also supported the HITECH exception to the definition of marketing for patient refill reminders. As described in more detail below, medication adherence is an important component of public health; consequently, communications to patients about drugs they are already taking should be permitted to occur without the need to first obtain patient authorization. Remuneration from the manufacturer for such communications provides an incentive for covered entities to spend the time and resources to send them. Congress recognized this and expressly allowed manufacturers to financially support the sending of refill reminders, as long as the support is reasonable in amount. The statute reflects a careful balancing of interests, as we discuss at greater length in this letter. Providers and pharmacies should be encouraged to send communications to their patients regarding currently prescribed medications; yet some guardrails must exist to protect the sensitivity of this information and address consumer concerns about marketing uses of their health information. We write because we are concerned that language in the preamble to the Final Rule does not effectively strike this balance and will instead jeopardize the sending of refill reminders. Specifically, we respectfully request that OCR issue additional guidance that: Makes clear that when pharmacies enter into business associate relationships with third parties in order to carry out their refill reminder programs, such relationships do not automatically trigger a patient authorization requirement; and Clarifies that permissible reasonable in amount payment for such medication adherence programs explicitly includes all reasonable direct and indirect costs related to them. I. Introduction The public health value of adherence to prescribed medications is well recognized, and HHS has promoted such adherence and patient reminder programs in a number of its initiatives over the years. Notably, the Meaningful 1 CDT comments to Proposed Rule, available at: https://www.cdt.org/comments/cdt-commentshhs-proposed-rule. 2

Use incentive program explicitly includes the issuance of patient reminders in its criteria qualifying providers for payments. 2 Studies suggest that nearly 75 percent of Americans do not take their medication as directed and that the cost to the health care system of non-adherence annually totals nearly $290 billion. 3 More than one in three medicine-related hospitalizations occur because the patient did not take his or her medication as directed, and almost 125,000 people die every year as a result of failing to take their medication as prescribed. 4 To address this problem, pharmacies, health plans and doctors frequently provide a broad range of patient-directed communications regarding prescription drug therapies, including those explicitly focused on promoting and increasing medication adherence. As described in more detail below, often these services are provided or assisted by third parties, who contract with covered entities to manage such messaging programs. Recognizing the clear benefit of and need for such communications and programs, Congress included in the HITECH Act of 2009 an exception to the patient authorization requirement for communications about a currentlyprescribed drug or biologic, which include refill reminders. 5 Payment for such communications is allowed only in cases where such payment is reasonable in amount. 6 II. Clarify that Use of a Business Associate Does Not Automatically Trigger Authorization Requirement In the preamble to the final HIPAA/HITECH regulations released in January, the Department writes that where a business associate (including a subcontractor), as opposed to the covered entity itself, receives financial remuneration from a third party in exchange for making a communication about a product or service, such communication also requires prior authorization from the individual. 7 Further, it explains that [e]ven where a business associate of a covered entity, such as a mailing house, rather than the covered entity itself, receives the financial remuneration from the entity whose product or service is being 2 42 C.F.R. sec. 495.6(j)(9)(i). 3 See, e.g., New England Healthcare Institute, Waste and Inefficiency in the Health Care System Clinical Care: A Comprehensive Analysis in Support of System-wide Improvements (2007). 4 See, e.g., Bosworth, H. and the National Consumers League. Medication Adherence: Making the Case for Increased Awareness, available at: http://scriptyourfuture.org/wpcontent/themes/cons/m/script_your_future_briefing_paper.pdf. 5 42 U.S.C. Sec. 13406(a)(2). 6 Id. at (a)(2)(a)(ii). 7 78 Fed. Reg. 5568-5702 (Jan. 25, 2013) at 5595. 3

promoted to health plan members, the communication is marketing communication for which prior authorization is required. 8 Taken out of context, this phrasing suggests that any payment from the sponsor of communications about a currently prescribed drug or biologic to a business associate automatically triggers the need for patient authorization. We urge the Department to clarify that this was not its intent. We are confident that the Department meant merely to explain that a business associate conducting refill reminder programs must follow the same rules as the covered entity (allowing reasonable compensation for such programs), and we certainly support emphasizing this important point. Unfortunately, the language as written runs a too high a risk of misinterpretation. Compensation to a business associate for conducting a patient messaging program should not automatically trigger authorization requirements, and we urge the Department to clarify this point as soon as possible. Failing to provide such clarification could have real consequences for patients. Recent research conducted by Avalere Health to calculate the cost of administering refill reminder programs found that a large number of pharmacies outsource some or nearly all of the processes related to their patient messaging programs. 9 Given current practice, creating a per se barrier to the use of third parties to conduct these programs could be a death blow to many refill programs. We recommend that the guidance also remind covered entities and business associates operating these programs of the strengthened Privacy Rule requirements for business associate agreements. These agreements should spell out the permitted purposes for which third parties may use PHI to execute refill reminder programs. OCR should take steps to help ensure that the refill reminder exception does not inadvertently end up opening doors to other uses of PHI by third party business associates that are not reasonably related to executing refill reminder programs and that patients would not reasonably expect. III. Broaden and More Clearly Define Scope of Reasonable in Amount We are concerned as well that the narrow definition of what constitutes remuneration reasonable in amount for refill reminder programs also could have a chilling effect on medication adherence programs. The regulationsʼ preamble states that any financial remuneration received by a pharmacy that covers anything other than the pharmacyʼs cost of drafting, printing, and mailing the 8 Id. at 5597. 9 Methodology to Calculate Pharmacy Costs Related to Patient Messaging Programs, Avalere Health LLC (Feb. 17, 2010). 4

refill reminders will trigger the authorization requirement. 10 Costs are deemed to include only those of labor, supplies, and postage to make the communication. 11 Further, the Rule states that [w]here the financial remuneration a covered entity receives in exchange for making the communication generates a profit or includes payment for other costs, such financial remuneration would run afoul of the Actʼs ʻreasonable in amountʼ language. 12 The strict interpretation of what constitutes reasonable costs has the very real potential to limit interest in or make financially impossible participation in sponsored refill reminder programs. Limiting permissible remuneration to these categories makes it highly unlikely that such programs could continue to be outsourced. The CVS pharmacy chain which fills or manages over one billion prescriptions annually 13 announced in early May of this year that it no longer will mail prescription refill notices to consumers because of uncertainty regarding application of the HIPAA Omnibus regulations. 14 We believe this is an unintended consequence of the Departmentʼs final regulations and therefore urge the Department to define reasonable in amount to account for direct and indirect costs that ideally capture the full spectrum of legitimate program expenses, including the costs of outsourcing these programs, subject to the requirement that, overall, such amounts be reasonable. We share OCRʼs concern that profit motive has the potential to skew the judgment of covered entities regarding the use of PHI, even in the case of refill reminders; however, the cramped definition of reasonable in amount included in the Omnibus tilts too far in the other direction and provides an enormous disincentive to conduct refill reminder programs. It is highly unlikely that third parties will conduct these programs if there is no prospect for a reasonable return on investment or the ability to have all reasonable direct and indirect costs covered. As noted above, concerns about third party access to this data should be addressed by strengthened requirements for business associates. A more balanced approach to reasonable is needed, and we believe is what Congress intended. We recommend that HHS bring the refill reminder exception in line with the provisions in the same final regulations related to sale 10 78 Fed. Reg. at 5597. 11 Id. 12 Id. 13 CVS Caremark facts, available at: http://info.cvscaremark.com/our-company/cvs-caremarkfacts. 14 See, e.g., CVS Ends Rx Company-Sponsored Drug Refill Notices, Citing HIPAA, ihealthbeat (May 7, 2013), available at: http://www.ihealthbeat.org/articles/2013/5/7/cvs-ends-rxcompanysponsored-drug-refill-notices-citing-hipaa.aspx. 5

of PHI for research purposes. 15 Research similarly represents another important use of PHI. However, with respect to research, HHS provides that the exception to the authorization requirement applies so long as the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit [the PHI] for such purposes. 16 In the preamble language detailing the research exception, the reasonable fee is explained to include both indirect and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the [PHI]; labor and supplies to ensure the [PHI] is disclosed in a permissible manner; as well as related capital and overhead costs. 17 Importantly, HHS wrote this regulatory language despite the fact that the HITECH statutory language explicitly says that the research exception to the prohibition on unauthorized sale of PHI applies when the price charged reflects the costs of preparation and transmittal of the data for such purpose. 18 Thus the regulatory text serves to significantly broaden the statutory exception by including the word reasonable in its description of a cost-based fee and further defining reasonable to allow for flexible interpretation. In crafting the research exception, OCR seems to have relied on arguments that cost-based fee requirements imposed on infrastructure do not mean at cost, and that the Supreme Court and others have affirmed that a cost-based fee has to include capital and operational costs and some reasonable return on investment. 19 Those arguments arguably have resonance in the context of refill reminders as well. We urge the Department to be consistent with respect to its regulatory exceptions allowing the use of PHI for important public health purposes without first requiring individual authorization and to adopt the broader and more flexible approach to the research exception for payments for refill reminders as well. 15 HHS could also look to the safe harbor provisions of the Anti-Kickback Statute for another example of how to ensure that compensation provided by product manufacturers does not provide an undue influence on health care delivery. 78 Fed. Reg. at 5607. In order to fit into the personal services and management contracts safe harbor, the remuneration must be fair market value for legitimate, reasonable, and necessary services. 43 C.F.R. 1001.952; see also: http://oig.hhs.gov/fraud/docs/complianceguidance/042803pharmacymfgnonfr.pdf. 16 45 C.F.R. Sec. 164.502(a)(5)(ii)(B)(2)(ii). 17 78 Fed. Reg. at 5607. 18 HITECH sec. 13405(d)(2)(B). 19 Evans, B. Waiving Your Privacy Goodbye: Privacy Waivers and the HITECH Actʼs Regulated Price for Sale of Health Data to Researchers, University of Houston/Health Law & Policy Institute Working Paper No. 2010-A-22. 6

IV. Conclusion In providing more explicit guidance related to the permissible outsourcing of refill reminder programs and more broadly interpreting the statutory provision related to reasonable costs, HHS would be adhering more accurately to Congressʼs intent to bolster, rather than inadvertently curtail, these important health-related education programs. We appreciate your consideration and would welcome the opportunity to speak further with you regarding this letter and our recommendations. Sincerely, Deven McGraw, Director, Health Privacy Project Alice Leiter, Policy Counsel, Health Privacy Project 7

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information