OCR Issues Guidance on HIPAA Refill Reminder Marketing Exception, and other Modifications to Privacy Protections

by Ropes & Gray LLP

On September 19, 2013, the Office for Civil Rights of the Department of Health and Human Services (“OCR”) released guidance on a number of privacy protections, the most significant of which relates to the refill reminder marketing exception.

I. Marketing Exception for Refill Reminders

The newly issued guidance on refill reminders was prompted in part by a lawsuit filed by Adheris, a provider of prescription adherence and refill reminder messaging, seeking a preliminary injunction against the enforcement of the HIPAA Omnibus Final Rule’s (Omnibus Rule) authorization requirement for certain types of subsidized treatment communications. Adheris claimed that OCR’s limiting remuneration to “reasonably related costs” of making such communication threatened its business. OCR responded by promising to issue additional guidance on what constituted acceptable remuneration, and to delay enforcement of the refill reminder marketing exception until November 7, 2013.

Under the Omnibus Rule, any communication to an individual by a covered entity or its business associate about a drug or biologic currently prescribed to that individual does not generally require prior authorization, so long as any financial remuneration provided by the third party whose product is being described is “reasonably related” to the covered entity’s cost of making the communication. The Omnibus Rule was a departure from OCR’s proposed rule and prior practice, in which communications regarding treatment were exempt from the definition of marketing, regardless of whether any remuneration was involved.

In defining “reasonably related” costs, OCR provided a definition that differs depending upon whether a covered entity or a business associate is receiving a direct or indirect payment from a pharmaceutical manufacturer in exchange for making the communication:

  • Covered Entities – If a Covered Entity receives a payment, such payment will be limited to the reasonable direct or indirect costs related to the labor, materials, supply, and capital and overhead costs of making the communication.
  • Business Associates – If a Business Associate receives the payment, such payment may be up to the fair market value for the services provided by the business associate.

The guidance also clarifies whether certain types of remunerated communications require prior authorization:

  • Recently-lapsed prescriptions – Communications that encourage an individual to renew a prescription that has lapsed may be made if the communication is made within the first ninety (90) days after the prescription has lapsed.
  • Adjunctive drugs – Communications regarding a drug that may be used in conjunction with a currently prescribed drug or biologic do not meet the “currently prescribed” requirement and may only be made in a general manner, such as recommending that an individual ask his/her doctor about common side effects of a currently-prescribed drug or biologic.
  • New formulations – Communications regarding new formulations of a currently prescribed drug or biologic do not meet the exception and may only be made in a general manner, such as providing information about dosing schedules or a liquid rather than pill formulation.
  • Switch messaging – Communications encouraging an individual to switch from a currently prescribed drug or biologic to a different drug or biologic do not meet the exception.

OCR also clarified the timing of receipt of authorizations for existing patients, and the scope and content of the authorizations:

  • Existing patients – Authorizations will not be required by the September 23, 2013 Omnibus Rule compliance date, but must be obtained by the earlier of either prescription renewal or September 24, 2014.
  • Scope – An authorization does not have to be limited to a single drug or biologic and does not have to be re-obtained at each subsequent prescription renewal.
  • Disclosure – The authorization must disclose that the covered entity will receive financial remuneration from one or more pharmaceutical manufacturers in exchange for making the communication, and that the authorization may be revoked by the individual at any time.

II. Health Information of Deceased Individuals

OCR also published separate guidance on the Omnibus Rule’s modifications to privacy protections for the protected health information (PHI) of deceased individuals. The guidance explains that HIPAA’s restrictions on uses and disclosures of PHI apply to individually identifiable health information for fifty (50) years following the individual’s date of death. The fifty-year rule does not apply to information about a decedent that may be included in the PHI of another living person’s medical history.

OCR also discussed the circumstances under which decedent PHI may be used or disclosed without authorization during the fifty-year period. Disclosures of decedent information to law enforcement (if a crime is suspected to have been the cause of death); to coroners, medical examiners or funeral directors; for research solely on the PHI of decedents; and to organ procurement organizations or tissue banks are all permitted without authorization.

In addition, a decedent’s PHI may be disclosed to the decedent’s family members or other person(s) involved in the decedent’s care, unless the disclosure would be inconsistent with the prior expressed preference of the decedent. Such disclosures should be limited to PHI relevant to the surviving person’s involvement in the decedent’s care or payment for care, and a covered entity should use its reasonable professional judgment in determining whether the surviving person is entitled to receive the information. OCR recommends, but does not require, covered entities to keep track of these preferences. A covered entity may, however, disclose decedent PHI to the administrator or executor of the decedent’s estate, regardless of whether the decedent previously objected to the disclosure.

For any other uses or disclosures of a decedent’s PHI, a covered entity must obtain a HIPAA authorization from the decedent’s executor, administrator, or other person authorized to act on behalf of the decedent.

III. Disclosure of Student Immunization Status

OCR also released guidance on privacy protections relevant to Student Immunizations. Under the Omnibus Rule, a covered entity may disclose proof of immunization to a school without a formal HIPAA authorization in states where state or local law requires proof of immunization in order to admit a student. The guidance provides additional information about the documentation necessary to demonstrate that the student’s parent or guardian has agreed to the disclosure of the student’s immunization status by the health care provider.

IV. Enforcement Delay for Certain CLIA and CLIA-Exempt Laboratories

Finally, OCR also announced its intent to delay the enforcement of the Omnibus Rule requirement for certain CLIA and CLIA-exempt laboratories to revise their notices of privacy practices (NPP), previously scheduled to begin on September 23, 2013. The delay is due to the impending finalization of the amended CLIA regulations and HIPAA Privacy Rule, both of which are expected to result in material changes to the affected laboratories’ NPPs. OCR indicated that it would issue a notice in the Federal Register and on its website at least thirty (30) days in advance of the end of the enforcement delay.

We continue to monitor developments with respect to Omnibus Rule implementation and HIPAA more generally. If you have any questions or concerns, please contact the Ropes & Gray attorney who normally advises you.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ropes & Gray LLP | Attorney Advertising
