HITECH Update #5: HHS Tightens HIPAA Marketing Requirements

Posted by Anna Kraus on January 22, 2013

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements. 

The final HITECH omnibus rule significantly tightens the HIPAA marketing restrictions.  As described below, HHS has modified the proposed approach to require authorization for almost all treatment and health care operations communications where the covered entity receives, from a third party, financial remuneration for making the communication.  This change will have major implications for the design of medical messaging programs.

Background.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate receives direct or indirect payment in exchange for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization--unless the communication qualifies for a limited exception for communications about currently prescribe drugs or biologics where the payment received is reasonable in amount.

Continue Reading

Supreme Court Strikes Down Vermont Law Restricting Use of Prescriber-Identifiable Data

Posted by Libbie Canter on June 23, 2011

Today, in a 6-3 decision, the U.S. Supreme Court struck down a Vermont law restricting the sale, disclosure, and use of pharmacy records that reveal the prescribing practices of individual doctors.  In so holding, the Supreme Court found that speech in aid of pharmaceutical marketing is a form of expression protected by the First Amendment.   The decision is consistent with the concerns about the statute evident from the Court’s questions at oral argument, which were discussed in a previous post.

At issue was the Vermont Prescription Confidentiality Law, which regulates the ability of pharmacies to sell information about physician prescription practices — known as “prescriber-identifying information.”  The Vermont law prohibited pharmacies and other entities from selling prescriber-identifying information for marketing purposes or allowing such information to be used for marketing purposes without a prescriber’s consent.  The law was challenged by a group of three data miners and an association of pharmaceutical manufacturers. 

The Supreme Court characterized the use of prescriber-identifying information as “speech in aid of pharmaceutical marketing” and concluded that it is a form of expression protected by the First Amendment, the regulation of which is subject to heightened scrutiny.  It rejected arguments that the law was a commercial regulation that placed only an incidental burden on expression, finding instead that “Vermont’s law imposes a burden based on the content of speech and the identity of the speaker.”  According to the Supreme Court, the law had the effect of preventing only pharmaceutical marketers, but not other speakers, from communicating with physicians in an effective and informative manner.   Because the law prohibited use of the information for only one purpose, the Court observed that while “[i]t may be assumed that . . . physicians have an interest in keeping their prescription decisions confidential,” the challenged law “is not drawn to serve that interest.”     

Justice Kennedy authored the Supreme Court’s opinion in this case, Sorrell v. IMS Health, Inc.  Justice Breyer authored a dissent, which was joined by Justices Ginsburg and Kagan.

HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 1 of 5)

Posted by Rachel Grunberger on February 16, 2011

As we previously reported, the Office for Civil Rights within the Department of Health and Human Services (HHS) has indicated that the final rule implementing changes to the HIPAA regulations under the HITECH Act will be issued in March.  The proposed rule, released last July, contains sweeping changes to the privacy, security, and enforcement rules promulgated under HIPAA.  In this and four subsequent blog posts, we will explore aspects of the proposed rule relating to marketing, clinical research, and the sale of protected health information.  These changes, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  (Although generally not regulated under HIPAA directly, such companies often have arrangements with entities that are covered entities or business associates under HIPAA.)

Communications About Currently Prescribed Drugs

The first topic we will address is HHS’s proposed treatment of refill reminders and other communications about currently prescribed drugs.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate is compensated by a third party for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization.

Continue Reading

Supreme Court Grants Review of Second Circuit Medical Privacy Ruling

Posted by Rachel Grunberger on January 21, 2011

On January 7, 2010, the U.S. Supreme Court agreed to review a Court of Appeals decision striking down Vermont's prescription confidentiality law.  The State of Vermont had petitioned the Supreme Court to review the case on December 13, 2010, after the Second Circuit ruled that the law constituted an impermissible restriction on commercial speech under the First Amendment. 

The Vermont law at issue requires doctors’ consent before their identifying information in prescription records—i.e., prescriber-identifiable data—can be used or sold for marketing prescription drugs.

The Court of Appeals for the Second Circuit had ruled that the law is an impermissible restriction on commercial speech under the First Amendment, reversing and remanding the district court.  This ruling created a split with the First Circuit, which had previously upheld prescription confidentiality laws in Maine and New Hampshire.

The key legal issue that the Supreme Court will confront, as framed by the Vermont Attorney General, is whether “laws that restrict access to or commercial use of non-public drug prescriber information implicate First Amendment rights and, if so, what type of First Amendment review applies.”  Oral arguments are expected to be scheduled for the current term, with a decision potentially announced by the end of the term in June.

The Supreme Court’s ruling on this issue is likely to have significant implications for the pharmaceutical industry.  Pharmaceutical companies use prescriber-identifiable data for many different purposes, such as to focus their marketing efforts, to impart safety and risk information to prescribers of particular drugs, and to conduct research.  A ruling that Vermont’s law is constitutional could pave the way for other States to enact similar (or potentially more onerous) laws restricting the commercial use of prescriber-identifiable data. 

Vermont Seeks Supreme Court Review of Second Circuit Medical Privacy Ruling

Posted by Rachel Grunberger on December 16, 2010

The State of Vermont is petitioning the Supreme Court to review a Court of Appeals decision holding that the State’s prescription confidentiality law is unconstitutional.

The law at issue prohibits regulated entities from selling or using records containing prescriber-identifiable information—i.e., information linking prescribers to prescriptions for particular drugs—for marketing or promoting prescription drugs, unless the prescriber consents.

The Court of Appeals for the Second Circuit ruled that the law is an impermissible restriction on commercial speech under the First Amendment, reversing and remanding the district court.  This ruling is being compared to two First Circuit decisions upholding prescription confidentiality laws in Maine and New Hampshire.

In its petition, Vermont points to other States that have considered legislation to restrict the commercial use of prescriber-identifiable data, and urges the Supreme Court to weigh in to provide States and other regulators with “guidance as to the scope of their ability to allow individual Americans to control access to and use of their information.”

Quantcast, Clearspring Agree to Settle "Flash Cookies" Suits

Posted by Steve Satterfield on December 07, 2010

Just two days after the Director of the FTC's Bureau of Consumer Protection announced that the agency would not tolerate an "arms race" aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring--which provide web analytics and certain functionality to consumer-facing websites--were named in several class action complaints this summer.  The suits alleged that the companies used "Flash cookies" (i.e., local shared objects stored in the memory of Adobe's Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.  

Although the use of traditional "HTTP" cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or "respawn" browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to "circumvent" users' privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.

Continue Reading

Open Data Partnership Will Give Consumers Access To Online Profiles

Posted by Libbie Canter on December 06, 2010

On the heels of last week's release of a proposed consumer privacy report by the FTC, a group of businesses that track online behavior announced that they will give consumers access to information collected about their interests.  The Open Data Partnership will also allow consumers to edit this online profile information. 

This service, which will launch in January, moves participating businesses in the direction of one of the FTC's recommended privacy-by-design features.  In last week's proposed report, the FTC admonished that "companies should take reasonable steps to ensure the accuracy of the data they collect."  Providing consumers access to and a means to edit collected information may enhance accuracy.

The announcement of the Open Data Partnership arrived the same week as the FTC's proposed report, as well as a hearing on "Do Not Track" proposals held by the House Subcommittee on Commerce, Trade, and Consumer Protection.

Older Posts