In our final post on what pharmaceutical companies should know about the forthcoming HIPAA/HITECH regulations, we will discuss provisions in the proposed rule relating to the sale of protected health information. We previously covered the Department of Health and Human Services' (HHS) proposed treatment of communications about currently prescribed drugs, remunerated treatment communications, authorizations for future research, and compound authorizations.
Sale of Protected Health Information
The HITECH Act added a new circumstance where a covered entity must obtain authorization: the sale of protected health information. (The HIPAA Privacy Rule also requires authorizations for uses and disclosures for marketing and most uses and disclosures of psychotherapy notes.)
Specifically, under the HITECH Act, a covered entity may not receive direct or indirect remuneration in exchange for the disclosure of protected health information unless the covered entity has received a valid authorization from the individual. The authorization must state whether the information can be further exchanged for remuneration by the recipient. There are exceptions where the purpose of the exchange of information is for:
- public health activities
- research purposes, if the price charged reflects the cost of preparation and transmittal of the data
- treatment of the individual
- the sale, transfer, merger, or consolidation of all or part of a covered entity and for related due diligence
- services rendered by a business associate pursuant to a business associate agreement and at the specific request of the covered entity
- providing an individual with access to his or her protected health information; and
- such other purposes as the Secretary determines to be necessary and appropriate by regulation.
These provisions will take effect six months after the date of the promulgation of final regulations implementing this section of the HITECH Act.
In the proposed rule, HHS incorporates these requirements into the regulations in a manner that largely tracks the statutory language, with some important changes. For example, HHS would require the authorization to include a statement that the covered entity is receiving remuneration in exchange for the protected health information, as opposed to the HITECH language regarding further exchanges. Moreover, HHS is proposing additional exceptions for:
- disclosures that are required by law as permitted under 45 C.F.R. § 164.512(a)
- disclosures of protected health information for any other purpose permitted by and in accordance with the applicable requirements of subpart E, “where the only remuneration received by the covered entity is a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for such purpose or a fee otherwise expressly permitted by other law.”
Stay tuned for more on the final HIPAA/HITECH regulations, which HHS is expected to issue in March.