The Refill reminder exception is a provision within the HIPAA Privacy Rule that allows covered entities, such as healthcare providers or pharmacies, to communicate with patients about their currently prescribed drugs or biologics without obtaining the patient's written authorization.
The exception permits certain healthcare communications without being categorized as marketing communications.
By meeting the following criteria, a communication can be considered part of the "refill reminder" exception in the HIPAA Privacy Rule, allowing it to be made without an individual's written authorization.
The communication must be about a drug or biologic currently prescribed to the individual. This includes
In the case of self-administered drugs, communications about all aspects of a drug delivery system are also included in the exception.
If a healthcare provider gets paid for sending you reminders about your medication, that payment must be fair and directly related to the cost of sending you that message. This is what's known as "financial remuneration." It's any payment made to the healthcare provider (or their business partner) by a third party, e.g., a drug company whose product is being discussed in the reminder.
Permitted remuneration includes:
See also: Do you need patient opt-in for prescription refill reminders?
No, communications about specific adjunctive drugs are not considered part of the "refill reminder" exception to marketing within the HIPAA Privacy Rule. The "refill reminder" exception is specifically related to communications about a currently prescribed drug and related messages that encourage adherence to that medication.
Adjunctive drugs are medications used alongside primary treatments to enhance their effectiveness, manage side effects, or treat additional symptoms. Because adjunctive drugs are not the currently prescribed drug itself, they do not fall within the "refill reminder" exception.
If a healthcare organization or pharmacy wishes to engage in HIPAA compliant email marketing regarding adjunctive drugs, they must adhere to the rules and requirements for other types of healthcare-related communications. These may include obtaining the individual's written authorization or ensuring compliance with other exceptions to marketing under the HIPAA Privacy Rule.