Sending electronic prescription refill reminders helps patients stay up-to-date with their care, ultimately leading to better long-term health outcomes. However, there can sometimes be confusion around the HIPAA requirements for delivering these notifications.
HIPAA rules for prescription refill reminders
The HIPAA Privacy Rule sets specific controls over the way that protected health information (PHI) can be used and disclosed. In most cases, a patient's written authorization must be obtained before their PHI can be utilized for marketing communication. Marketing typically refers to messages that encourage the use or purchase of a product or service.
According to the Privacy Rule, refill reminders and other communications about current prescriptions are excluded from the definition of marketing. This is as long as "any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the cost of making the communication."
Therefore, patient opt-in is not required to send prescription refill reminders. Healthcare facilities are permitted to communicate this information to patients and provide prescription details to third-party organizations like pharmacies.
In addition to reminders about current prescriptions, patient consent is not needed for the following types of communications.
- Information about generic equivalents
- Guidance on following prescription directions
- Updates on prescriptions that have lapsed within the last 90 calendar days
- Drug delivery system notifications for self-administered medications
There are certain refill-related communications that are not exempt from the opt-in requirement. These include messages with information on new formulations, as well as adjunctive drugs that relate to a currently prescribed medicine. Another non-exception is encouraging patients to switch to a different medication.
More HIPAA security considerations
While prescription refill reminders are permitted without a patient's prior authorization, the content of the message makes all the difference. Ensure that reminders are as generic as possible and free of any specific health details, such as the patient's condition, treatment plan, or results. Failing to obtain patients' explicit permission before sending PHI electronically is considered a HIPAA violation.
Establish and enforce clear policies for sending prescription-related communications securely. All employees delivering these updates should be thoroughly trained on how to comply with HIPAA rules. This lowers the chance of putting patients' information at risk.
Since human error is inevitable, covered entities can add an extra layer of security to their patient outreach by signing a business associate agreement (BAA) with a HIPAA compliant email marketing platform or app. The best platforms encrypt data at rest and in transit and restrict access to authorized users. A signed BAA acknowledges the third-party service provider's responsibilities in securing PHI.
Conclusion
Prescription refill reminders are considered an exception to the HIPAA Privacy Rule's definition of marketing. Therefore, patient opt-in is not required to send these messages.
Still, covered entities should make every effort to safeguard PHI by excluding sensitive details from reminders and using a HIPAA secure platform.
