Refill reminders are not considered marketing under HIPAA if they concern a drug currently prescribed to the patient and any remuneration involved is reasonable enough to cover costs. However, any communication that extends beyond a current prescription or involves unreasonable remuneration requires explicit patient authorization.
Under HIPAA's Privacy Rule, marketing refers to communication that encourages the recipient to purchase or use a product or service. However, HIPAA does make an exception for refill reminders.
Marketing specifically excludes refill reminders or communications about a drug "currently being prescribed for the individual", as long as the covered entity’s financial remuneration is "reasonably related to the covered entity’s cost of making the communication" (45 CFR 164.501).
The HHS explains that providers should use the following criteria to determine whether a communication falls within the refill reminder exception to marketing:
1. Whether the communication is about “a currently prescribed drug or biologic.”
2. “Whether the financial remuneration is reasonably related to the covered entity’s cost of making the communication.”
Communications that meet the refill reminder exception include:
However, HIPAA does not permit the following types of communications about medications without patient authorization:
Using the HHS guidelines, remuneration can be accepted as long as it covers reasonable direct and indirect communication costs like "labor, materials, and supplies, as well as capital and overhead costs".
Financial consideration does not include non-financial or in-kind benefits, such as third-party supplies or equipment.
One example is a pharmacy that uses HIPAA compliant emails for refill reminders to encourage patients to take their prescribed drugs and is paid by the pharmaceutical manufacturers to cover its reasonable communication costs.
Another example is insulin pump manufacturers paying a pharmacy a reasonable fee to securely email information about the pumps to diabetic patients.
Yes, HIPAA allows providers to use compliant email marketing to send refill reminders for prescriptions that have lapsed within the last 90 days. These communications fall under the "refill reminder" exception and do not require patient authorization if payment received is limited to covering the cost of sending the reminder.
Yes, adherence reminders, which encourage patients to take their medications as prescribed, are allowed without authorization if they meet HIPAA’s refill reminder exception.
Yes, secure email solutions like Paubox are designed to be user-friendly and integrated into existing email workflows for healthcare providers. For patients, accessing encrypted emails is as simple as opening a regular email without additional login credentials or portals.