This is the second in our series on provisions of the HHS proposed rule implementing the HITECH Act that, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  We previously covered HHS’s proposed treatment of refill reminders and other communications about currently prescribed drugs.  HHS has indicated that the final rule will be issued in March.

Today, we will look at the new requirements contained in the HHS proposed rule issued last July for what HHS is calling “remunerated treatment communications.” 

Remunerated Treatment Communications

The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate is compensated by a third party for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization.  As we previously reported, the HITECH Act contains one limited exception for communications about currently-prescribed drugs.

Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 2 of 5)

As we previously reported, the Office for Civil Rights within the Department of Health and Human Services (HHS) has indicated that the final rule implementing changes to the HIPAA regulations under the HITECH Act will be issued in March.  The proposed rule, released last July, contains sweeping changes to the privacy, security, and enforcement rules promulgated under HIPAA.  In this and four subsequent blog posts, we will explore aspects of the proposed rule relating to marketing, clinical research, and the sale of protected health information.  These changes, if included in the final rule, are likely to have the greatest impact on the business operations of pharmaceutical and other life sciences companies.  (Although generally not regulated under HIPAA directly, such companies often have arrangements with entities that are covered entities or business associates under HIPAA.)

Communications About Currently Prescribed Drugs

The first topic we will address is HHS’s proposed treatment of refill reminders and other communications about currently prescribed drugs.  The HIPAA Privacy Rule generally requires that a covered entity obtain prior written authorization from an individual before using that individual’s protected health information for marketing purposes.  Prior to the HITECH Act, certain communications, including those related to treatment and care coordination, were excluded from the definition of marketing.  But under the HITECH Act, if a covered entity or business associate is compensated by a third party for making certain communications (including those related to treatment and care coordination), the covered entity generally must obtain prior authorization.

Continue Reading HIPAA/HITECH Regulations are Coming: What do Pharmaceutical Companies Need to Know? (Part 1 of 5)

On January 7, 2010, the U.S. Supreme Court agreed to review a Court of Appeals decision striking down Vermont’s prescription confidentiality law.  The State of Vermont had petitioned the Supreme Court to review the case on December 13, 2010, after the Second Circuit ruled that the law constituted an impermissible restriction on commercial speech under the

The State of Vermont is petitioning the Supreme Court to review a Court of Appeals decision holding that the State’s prescription confidentiality law is unconstitutional.

The law at issue prohibits regulated entities from selling or using records containing prescriber-identifiable information—i.e., information linking prescribers to prescriptions for particular drugs—for marketing or promoting prescription drugs, unless the

Just two days after the Director of the FTC’s Bureau of Consumer Protection announced that the agency would not tolerate an “arms race” aimed at developing technologies that subvert user choice regarding online tracking, two firms accused of employing such technologies agreed to settle lawsuits against them.  Quantcast and Clearspring–which provide web analytics and certain functionality to consumer-facing websites–were named in several class action complaints this summer.  The suits alleged that the companies used “Flash cookies” (i.e., local shared objects stored in the memory of Adobe’s Flash Player plug-in) to track user activity on websites where Quantcast and Clearspring provide their services.  The publishers of some of those sites were also named in the suits.  

Although the use of traditional “HTTP” cookies for tracking has become so commonplace as to be relatively uncontroversial, Flash cookies have been criticized because they are unaffected by browser privacy settings.  Moreover, as noted by researchers at UC-Berkeley, Flash cookies can be used to re-create or “respawn” browser cookies after a user deletes the latter.  The plaintiffs in the Quantcast and Clearspring cases seized on these distinctive qualities in asserting that the defendants used Flash cookies to “circumvent” users’ privacy settings.  The complaints included claims under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and various state laws.

Continue Reading Quantcast, Clearspring Agree to Settle “Flash Cookies” Suits

On the heels of last week’s release of a proposed consumer privacy report by the FTC, a group of businesses that track online behavior announced that they will give consumers access to information collected about their interests.  The Open Data Partnership will also allow consumers to edit this online profile information. 

This service, which will launch