HHS’s Updated Medical Privacy Rules Under HIPAA Could Be Susceptible to First Amendment Challenge

On January 17, 2013, the U.S. Department of Health and Human Services (HHS) issued a long-awaited pre-publication copy of revisions to the federal medical privacy requirements commonly referred to as the HIPAA Privacy Rule.  The final rule, issued pursuant to the HITECH Act, will be published in the Federal Register on January 25, 2013.

Although the final rule expands the definition of “marketing” and, consequently, requires patient “authorization” (i.e., affirmative “opt in”), statutory and regulatory exceptions should leave most pharmacy-, physician-, and managed care-based sponsored educational programs unaffected.  HHS’s decision to reject its proposed notice/disclosure/opt-out procedure for “treatment” communications and to impose a mandatory opt-in process for such communications could, however, run afoul of the Supreme Court’s decision in Sorrell.

Exceptions to Requirement for Patient “Authorization”

  • Refill Reminders Exempt From “Authorization” (42 U.S.C. § 17936(a)(2)(A); 45 C.F.R. § 164.501)

The final rule codifies Congress’s statutory exception from “authorization” for “refill reminders” (i.e., currently prescribed therapy), making clear that “communications about the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed fall within the scope of this exception.”  Final Rule at 125.  The “refill reminder” exception is, however, subject to a caveat: it is available only if compensation received by the covered entity is “reasonably related” to the covered entity’s costs of making the communication.  HHS clarified that:

we consider permissible costs for which a covered entity may receive remuneration under this exception are those which cover only the costs of labor, supplies, and postage to make the communication. . . .  Thus, under this final rule, if a pharmacy receives financial remuneration from a drug manufacturer to provide refill reminders to individuals taking a particular drug that covers only the pharmacy’s cost of drafting, printing, and mailing the refill reminders, the exception would apply and no authorization would be required.

Final Rule at 126.

  • “Face-To-Face” Delivery Of Sponsored Communication Exempt From “Authorization” (45 C.F.R. § 164.508(a)(3)(i)(A))

HHS did not curtail or otherwise amend the “face-to-face” exception so there continues to be no “authorization” required if the subsidized communication is made “face-to-face” by, or on behalf of, a covered entity to an individual.  Accordingly, as HHS observed, “a health care provider could, in a face to face conversation with the individual, recommend, verbally or by handing the individual written materials such as a pamphlet, that the individual take a specific alternative medication, even if the provider is otherwise paid by a third party to make such communications.”  Final Rule at 124 (emphasis added).  Thus, sponsored communications programs in the pharmacy or doctor’s office/clinic remain exempt from patient opt-in requirements.

  • Messages That Do Not Promote A Specific Product Not Considered “Marketing”

HHS clarified in the preamble to the final rule that “communications promoting health in general and that do not promote a product or service from a particular provider, such as communications promoting a healthy diet or encouraging individuals to get certain routine diagnostic tests, such as annual mammograms, do not constitute marketing and thus, do not require individual authorization.”  Final Rule at 127.  Many pharmaceutical and medical device company-sponsored communications address topics like those discussed by HHS.  Other communications may discuss a patient’s underlying disease or condition, without referencing a specific drug product.  Communications of these types are not regarded as “marketing” and thus do not require patient “authorization.”  Id.

Sponsored Messages Not Otherwise Exempt Require Authorization

In a significant reversal from its proposal, HHS concluded that the distinction between “treatment” and “health care operations” was sufficiently unclear such that all sponsored messages would be considered “marketing” requiring “authorization,” unless otherwise exempt.  HHS made this change despite limited support in the rulemaking record and only a conclusory explanation in the preamble to the final rule.

HHS’s final rule requiring “authorization” or “opt-in” likely will curtail the number of patients receiving sponsored, health-related, educational messages.  Such a ruling could run afoul of the Supreme Court decision in Sorrell v. IMS Health Inc., 131 S. Ct. 2653 (2011).  Sorrell analyzed a Vermont law that imposed a specific, content- and speaker-based burden on First Amendment-protected expression.  The Court applied a heightened standard of judicial scrutiny to Vermont’s statute that prohibited, absent the physician’s opt-in, the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of that doctor.  The law failed that stringent test.  To sustain a targeted, content-based burden a state statute imposes on protected expression, the State must show at least that the statute directly advances a substantial governmental interest and that the measure is drawn to achieve that interest.  Sorrell, 131 S. Ct. at 2667-68.  The Court’s imposition of heightened scrutiny appears to raise the bar from the intermediate scrutiny traditionally applied to First Amendment issues of governmental restrictions on commercial speech under Central Hudson Gas & Elec. Corp. v. Public Serv. Comm’n of N.Y., 447 U.S. 557 (1980).

The final HIPAA privacy rule requires authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed.  HHS’s distinction between sponsored and non-sponsored communications is suspect under Sorrell’s heightened scrutiny analysis.  Although Sorrell involved restrictions on prescriber-identifiable information as opposed to the use of patient-identifiable information, given the imposition of heightened scrutiny, there may be reasonable grounds for a Constitutional challenge.  That is, the decision to require “authorization” or “opt-in,” instead of the significantly less burdensome notice/disclosure/opt-out, may run afoul of this Supreme Court precedent given that HHS could have adopted a less-restrictive alternative curtailing speech that would still have accomplished the legitimate objective of protecting patient privacy.

Finally, it should be noted that the final HIPAA privacy rule may be suspect on administrative procedure grounds.  The proposal did not specifically seek comment on eliminating the distinction between “treatment” and “health care operations” in the context of “marketing” by requiring “authorization” for all such sponsored communications.  Combined with the fact that there was limited support in the record for such an alternative, it is possible that HHS could be compelled to re-propose its rule in order to provide adequate notice and opportunity for comment.  See, e.g., Natural Resources Defense Council v. United States Envtl. Prot. Agency, 279 F.3d 1180 (9th Cir. 2002).

All in all, though the final HIPAA medical privacy regulation should allow most sponsored educational programs to continue without mandatory “authorization,” the new restrictions may also be vulnerable to a legal challenge.  Moreover, HHS has sacrificed the sponsored delivery of high-quality medical and health education for, at most, negligible enhancement of patient privacy.
