In celebrating 35 years of practice, OFW Law’s Drugs, Biologics, and Controlled Substances and Healthcare Privacy practice groups are taking a look back to share some highlights from throughout the years. Part I focused on Hatch-Waxman. Today’s blog focuses on the development of medical privacy laws and regulations. Please stay tuned for Part III, which will review the changes to our drug practice brought by PDUFA and GDUFA.
The modern medical privacy landscape grew from infancy in the mid-1990s with enactment of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A true toddler, though, the original HIPAA law had few teeth but lots of potential. It provided the statutory basis for HHS’s Office for Civil Rights’ (OCR) implementing regulations concerning medical privacy – commonly known as the Privacy Rule (and the attendant Security Rule, Breach Notification Rule, and Enforcement Rule). HHS originally published its final Privacy Rule in December 2000, which was modified in August 2002, with an April 2003 compliance date.
Amid this childhood, Covered Entities (health plans, health care clearinghouses, and health care providers transmitting health information in electronic form) were actively regulated by HHS/OCR. Their Business Associates (BA) were liable solely in contract – via Business Associate Agreements (BAA). For the next ten years or so, HHS issued guidance on a variety of issues under the Privacy Rule. It took moderate enforcement action. Its baby teeth were slow to fall out. But the tooth fairy was on her way.
During this time (and still today), many of OFW Law's clients were BAs that assist Covered Entities in delivering prescription drug adherence and compliance messaging to patients (e.g., refill reminders and similar communications, including educational information about the patient's condition, the drug's side effects, dosage information, and the effects of non-compliance). Failure to comply with clinician-prescribed therapy costs Americans $290 billion annually, accounts for $100 billion in annual hospitalization costs alone, and causes 89,000 premature deaths each year. As the World Health Organization observed, "there is growing evidence to suggest that because of the alarmingly low rates of adherence, increasing the effectiveness of adherence interventions may have a far greater impact on the health of the population than any improvement in specific medical treatments." These adherence messages did not require patient authorization because they fell within the "treatment" exception to the Privacy Rule's definition of "marketing" communications.
Then came the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, to jolt young HIPAA, do a cavity check, and slip some cash under the pillow. Although it took four more years for all her choppers to come in (HHS published its long-awaited omnibus final rule revising the federal medical privacy requirements in January 2013), the rule arrived with a sharp, full set of 32 that included: robust enforcement tools, including the imposition of civil monetary penalties on Covered Entities and, for the first time, directly on their BAs; regulatory audits; required risk analyses; strict breach reporting standards; and required revisions to BAAs.
Of particular concern were the arguably restrictive interpretations in the rulemaking preamble, which had the potential to disrupt many customized pharmacy communications programs sponsored by pharmaceutical companies.
As we noted, the final rule conflicted with Congressional support for medication adherence programs. Indeed, as part of HITECH itself, Congress (led by Senators Kennedy and Harkin) specifically enacted a statutory exception to the requirement for patient authorization for sponsored refill reminder programs. The sole limitation was that any payment going to the covered entity healthcare provider be “reasonable in amount.” 42 U.S.C. § 17936(a)(2)(A). The problem was that HHS’s final rule implementing HITECH thwarted Congress’s intent to allow these important communication programs to proceed without patient opt-in.
Furthermore, most other HHS components, apart from OCR, clearly recognized the magnitude of the medication adherence problem and the importance of programs to address it, and actively promoted such communications: e.g., CMS (through "meaningful use" and Medication Therapy Management Programs (MTMP)) and AHRQ (which studies and promotes compliance and persistence programs).
HHS promulgated the final rule ostensibly to strengthen consumers' medical privacy rights. The likely result, however, was harm to patients by restricting, among other things, clinicians' and pharmacists' ability to provide them with adherence messages (e.g., refill reminders) about currently prescribed drug therapy. Those concerns were soon realized when pharmacies such as CVS, citing concerns under the new Privacy Rule, ended their long-standing sponsored refill reminder programs.
HHS’s decision to reject its proposed (and less burdensome) notice/disclosure/opt-out procedure for “treatment” communications in favor of a mandatory patient opt-in process for sponsored communications also appeared to run afoul of the First Amendment under the Supreme Court’s decision in Sorrell v. IMS Health Inc., 131 S. Ct. 2653 (2011). Sorrell made clear that, in order to sustain a targeted, content-based burden a state statute imposes on protected expression, the government must show at least that the statute directly advances a substantial governmental interest and that the measure is drawn to achieve that interest. HHS’s distinction between sponsored and non-sponsored communications appeared suspect under Sorrell’s heightened scrutiny analysis.
On behalf of a number of clients, and with the support of various industry associations and well-recognized groups representing consumer and privacy interests alike, OFW set out to obtain clarification from OCR that the agency never intended to undermine Congress’s strong endorsement of medication adherence programs. Following substantial public outcry and a lawsuit challenging the rule on First Amendment grounds (subsequently voluntarily dismissed by the plaintiff), HHS agreed to address the confusion. In September 2013, the Department issued Guidance providing substantially more flexibility than the interpretations set forth in the preamble to the final rule.
Critically, the Guidance addressed most of the concerns raised. Sponsored “refill reminder” communications that are provided to pharmacy patients outside of the retail pharmacy setting (such as by mail, e-mail, or telephone) could, per the Guidance, now be conducted without express patient authorization if, among other requirements, any compensation flowing from the sponsor of the program to the pharmacy is reasonable in amount – “including labor, materials, and supplies, as well as capital and overhead costs.” OCR’s Guidance further recognized that a message about a prescription that has expired within the last 90 days was eligible for the refill reminder exception as were sponsored messages advising the patient to “ask your doctor” about such products, as long as the specific product is not named. Although it did not use the “P” word, the Guidance also effectively resolved a concerning issue and clarified that a BA can make a reasonable profit by assisting covered entities in executing these patient messaging programs by recognizing that a BA can receive payment for the “fair market value” of its services.
All in all, 2013 and 2014 arguably saw more regulatory activity under HIPAA/HITECH than the prior ten years combined. Given HHS’s increased focus on overall enforcement, audits, strict breach reporting requirements, and the like, we see no sign of active or impending tooth decay in what is now a fully-toothed mouth of medical privacy requirements. Indeed, OCR’s dentists remain busy and we expect forthcoming guidance on a variety of issues, including minimum necessary, breach safe harbors, risk assessments, and related issues.
So don’t forget to floss!