
Anna Durand Kraus has a multi-disciplinary practice advising clients on issues relating to the complex array of laws governing the health care industry. Her background as Deputy General Counsel to the U.S. Department of Health and Human Services (HHS) gives her broad experience with, and valuable insight into, the programs and issues within the purview of HHS, including Medicare, Medicaid, fraud and abuse, and health information privacy. Ms. Kraus regularly advises clients on Medicare reimbursement matters, the Medicaid Drug Rebate program, health information privacy issues (including under HIPAA and the HITECH Act), and the challenges and opportunities presented by the Affordable Care Act.

As we discussed in a prior post, the April 29, 2015, draft House 21st Century Cures bill would make several changes to federal health privacy law. This post focuses on provisions that would allow remote access to PHI for purposes preparatory to research and that would permit individuals to make a one-time authorization of the use and disclosure of their PHI for research purposes.
Continue Reading Draft House Cures Legislation Would Amend Federal Privacy Laws (Second Post in a Series)

On April 29, 2015, the U.S. House Energy and Commerce Committee released a revised discussion draft of the 21st Century Cures Act (“Cures”). The Cures bill would make several changes to existing federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These changes would primarily affect the use and disclosure of protected health information (PHI) for “research purposes.” This post discusses a provision that would expand covered entities’ ability to use or disclose PHI for research purposes without authorization from the subject individual. Future posts will discuss provisions that would allow remote access to PHI for certain research purposes; allow a one-time authorization of the use and disclosure of PHI for research; eliminate limitations on remuneration for PHI disclosed for research purposes; and allow disclosure of PHI to FDA-regulated entities for research purposes such as comparative effectiveness analysis.
Continue Reading Draft House Cures Legislation Would Amend Federal Privacy Laws (First Post in a Series)

On September 19, HHS released additional guidance on the “refill reminder exception” in HIPAA, which allows — in some circumstances — paid communications regarding a drug or biologic currently prescribed to a patient.


In January 2013, HHS finalized new restrictions on marketing as part of the final omnibus rule implementing changes to HIPAA under the HITECH Act.  The new rules modified how and when covered entities and business associates may receive financial remuneration from a third party for making communications about a drug or biologic currently prescribed to an individual (i.e., “the refill reminder exception” to the marketing prohibition).  We previously discussed the new restrictions here.  In short, the new rules prohibit any financial remuneration above and beyond what is reasonable.  HHS indicated that reasonable remuneration would include the costs of labor, supplies, and postage to make the communication.  These restrictions appeared to prohibit a covered entity or business associate from generating a profit from making these subsidized communications.

As we discussed earlier, these new restrictions were challenged in a lawsuit filed earlier this month by Adheris, Inc.  Since the filing of the complaint, HHS announced that it would promulgate additional guidance on the refill reminder exception.

HHS Guidance

The new guidance describes both the scope of communications that fall within the exception and what third party payments are considered “reasonable” under the statute and regulations for making such communications. 

What communications are included in the exception?

HHS explains that the following communications are permitted under the exception:

  • Refill reminders.
  • Communications about generic equivalents of a drug being prescribed.
  • Communications about a recently lapsed prescription (one that has lapsed within the last 90 calendar days).
  • Adherence communications encouraging individuals to take prescribed medicines as directed.
  • Where an individual is prescribed a self-administered drug, communications regarding all aspects of a drug delivery system.

Continue Reading HHS Issues Guidance on Refill Reminders under HIPAA

This post is part of our series on key aspects of the final HITECH omnibus rule issued by the U.S. Department of Health and Human Services (HHS) on January 17, 2013 (available here), and scheduled to be published in the Federal Register on January 25.  Previous posts are available here.  The regulations are effective March 26, 2013, but covered entities and business associates have until September 23, 2013, to comply with most new requirements.

The final HITECH omnibus rule significantly tightens the HIPAA marketing restrictions.  As described below, HHS has modified the proposed approach to require authorization for almost all treatment and health care operations communications where the covered entity receives, from a third party, financial remuneration for making the communication.  This change will have major implications for the design of medical messaging programs.

Background.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate receives direct or indirect payment in exchange for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization–unless the communication qualifies for a limited exception for communications about currently prescribed drugs or biologics where the payment received is reasonable in amount.

Continue Reading HITECH Update #5: HHS Tightens HIPAA Marketing Requirements

The U.S. Supreme Court heard oral argument last week in Sorrell v. IMS Health, Inc.  As described in our earlier post, the case involves a constitutional challenge to a Vermont law prohibiting the use or sale of doctors’ identifying information in prescription records—i.e., prescriber-identifiable data—without the doctor’s express consent.

The key legal issue, as

Improper disposition of medical records appears to be an international problem.  The Saskatchewan Information and Privacy Officer recently issued regulatory guidance to health care providers on complying with the province’s health data protection law.  The guidance is being sent to all health regulatory bodies and health care organization privacy boards in Saskatchewan to remind them

The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) announced Tuesday that it has issued a Notice of Final Determination finding that Cignet Health of Prince George’s County, Maryland (Cignet) violated the HIPAA Privacy Rule.  HHS imposed a $4.3 million civil money penalty on Cignet for the violations—the first civil money penalty ever issued by HHS for violations of the Privacy Rule.

The civil money penalty imposed on Cignet is based on the new violation categories and increased penalty amounts established under the HITECH Act, which we reported on previously.  In a Notice of Proposed Determination issued on October 20, 2010, OCR found that:

  • Between September 2009 and October 2009, Cignet failed to provide 41 individuals with timely access to copies of protected health information (PHI) about them in the designated record sets maintained by Cignet, in violation of 45 C.F.R. § 164.524.
  • From March 2009 through April 2010, Cignet failed to cooperate with OCR’s investigation of 27 complaints regarding Cignet’s noncompliance described above, in violation of 45 C.F.R. § 160.310(b).

Continue Reading HHS Imposes $4.3 Million Civil Money Penalty for HIPAA Privacy Violations

This is the fourth in our series on provisions of the Department of Health and Human Services (HHS) proposed rule implementing the HITECH Act that, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  We previously covered HHS’s proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, and authorizations for future research.

Today we will address how HHS may relax the current restrictions on “compound authorizations” for research purposes.

Compound Authorizations

HHS is proposing to amend the compound authorization requirements under the HIPAA Privacy Rule, which currently prohibit combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits with an authorization for another purpose for which treatment, payment, enrollment, or eligibility may not be conditioned.  HHS recognized that the excess paperwork that results from this restriction has been found to be burdensome and potentially confusing to patients, as well as administratively burdensome for clinical researchers.

Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 4 of 5)