Can pharmacies transmit PHI to manufacturers for rebate processing?
With the April compliance deadline for the Health Insurance Portability & Accountability Act fast approaching, one area generating considerable confusion has to do with the payment of pharmaceutical rebates. Do HIPAA regulations have to be observed when pharmacies communicate rebate information to manufacturers?
In order for providers and health plans to obtain rebates from manufacturers, they must provide the drug companies with pharmacy claims showing the drug utilization of their patients. Manufacturers need this information to make sure that duplicate claims have not been submitted. This raises the following questions:
According to Diane Sacks, a lawyer, independent HIPAA consultant, and former v.p. of government affairs for AdvancePCS based in Scottsdale, Ariz., covered entities, including pharmacies and health plans, have received conflicting advice from various sources on this matter. Based on her analysis of the HIPAA regulations, she has come to the following conclusions.
If pharmacies remove 19 identifiers from the claims data they submit to manufacturers, the information would qualify as de-identified under a "safe harbor," in which case it would not be considered protected health information (PHI) covered by the HIPAA privacy rule. The 19 identifiers, which are listed in the privacy rule, encompass such elements as the patient's name, Social Security number, and other information that could identify the individual covered under the claim.
Unfortunately, manufacturers frequently require pharmacies to provide some identifiers, such as the prescription number or the date the prescription was filled. Once this information has been furnished, the pharmacy claims fail to qualify as de-identified under the safe harbor. When this happens, Sacks said, pharmacies have another route they could take to make sure the claims data they provide are not subject to the HIPAA requirements.
This second method involves hiring a statistical expert to certify that there is only a small probability that the information pharmacies submit could be used to reveal a patient's identity. These statistical tests could be done once, upfront, with no need to do them again, Sacks noted. If these statistical probability tests are not performed, disclosure of any of the 19 identifying elements in pharmacy claims would require the information to be treated as PHI covered under HIPAA.
This brings the rebate discussion to the second question: May PHI be disclosed to manufacturers for rebate payment purposes? The preamble to the privacy rule makes it clear that pharmacies and health plans may transmit PHI to manufacturers for rebate processing as part of their payment or healthcare operations activities, Sacks replied. However, only "minimum necessary" information that allows manufacturers to verify and pay the rebates they owe should be shared. Any additional information could not be relayed without individual authorization, the HIPAA expert cautioned.
So if pharmacies are transferring PHI to manufacturers, must they obtain a business associate agreement from them, restricting the disclosure of this information? As Sacks sees it, when a manufacturer verifies rebate claims, it is acting on its own behalf in determining the amount of rebates it owes. It is not acting on behalf of pharmacies or health plans and, therefore, should not be considered a business associate. This being the case, no business associate agreement is needed.
While this means that the PHI will lose the protections of the privacy rule once in the hands of manufacturers, Sacks pointed out that the Department of Health & Human Services recognizes that PHI could flow to parties that are neither covered entities nor business associates of covered entities. Fortunately, the amount of information manufacturers obtain would probably be so minimal that it could not serve to reveal any patient identities, she added.
In sum, Sacks said pharmacies and health plans can disclose minimum necessary PHI to manufacturers for rebate processing purposes without any need for obtaining a business associate agreement from them. "I feel this is the correct interpretation of the regulations," she concluded.
Judy Chi. Rebates and HIPAA: What's covered, what's not?.