State Privacy Laws and Their HIPAA Implications for Pharmaceutical Manufacturers
Compliance Strategies Needed
The HHS Privacy Rule, part of the Administrative Simplification standards adopted under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), generally affects pharmaceutical manufacturers only in their "business associate" and research roles. Drug companies typically are not subject to the more comprehensive regulation applicable to "covered entities." However, certain states are now enacting their own privacy laws that define pharmaceutical manufacturers as "covered entities," thus subjecting them to a broader array of HIPAA or HIPAA-like privacy constraints. To date, laws in California and Texas have the most substantial privacy compliance implications for drug companies.
Because state privacy laws that are more stringent than the HIPAA Privacy Rule are not preempted by federal law, they pose new compliance dilemmas for pharmaceutical manufacturers. One is the very real problem of identifying reliably what conduct is subject to regulation by the state in question. Another concerns selecting among compliance strategy options, which include (1) standardizing the company's privacy policies using the most stringent rules or (2) implementing tailored guidelines on a state-by-state basis. Seeking to reduce costs and compliance risks, many drug companies are expected to follow the lead of national managed care organizations and include the strictest state privacy laws in their company-wide privacy guidelines. In any event, pharmaceutical manufacturers must become familiar with HIPAA, state privacy laws, the relationship between these bodies of law, and how best to integrate the more stringent state privacy requirements into their business practices.
New California Privacy Law
In California, the Confidentiality of Medical Information Act (CMIA) governs the disclosure of medical information by providers of health care, health plans and contractors. Cal. Civ. Code § 56et seq. (2002). Effective January 1, 2003, Assembly Bill 2191 will extend the requirements of this Act specifically to pharmaceutical companies. This Act will then forbid pharmaceutical manufacturers (or their agents or representatives) from selling, intentionally sharing, or otherwise using individually identifiable health information (IIHI) regarding a patient's medical history, mental or physical condition, or treatment for any purpose not necessary to the provision of health care services, unless authorized by the patient or specifically permitted by the Act. Cal. Civ. Code § 56.10 (2002). IHII includes patient information collected directly from the patient or obtained from health IIHI providers, health care service plans, other pharmaceutical makers, or contractors. Because pharmaceutical manufacturers do not typically provide health care services, it is expected that most, if not all, of their uses and disclosures will require an authorization from the patent. Manufacturers are likewise forbidden from requiring patients, as a condition of receiving drugs, to sign an authorization, release, consent, or waiver permitting the disclosure of medical information, except in limited circumstances specified by the statute. Under the Act, however, pharmaceutical companies will still be able to require that patients allow pharmaceutical firms access to their medical information in order to participate in clinical trials and patient-assistance programs. Drug companies, like all covered entities, will likewise be bound by confidentiality requirements for the creation, maintenance, storage, and disposal of IHII. Cal. Civ. Code § 56.101 (2002).
Texas Privacy Law
In Texas, Senate Bill 11 (SB11) established an integrated set of privacy protections that extend most HIPAA standards to a broad array of entities, including pharmaceutical manufacturers. SB11, enacted as Texas Health & Safety Code Ann. § 181 et seq. (2002), specifically adopts the current HHS HIPAA privacy standards relating to: (i) an individual's access to his/her "protected health information" (PHI); (ii) amendment, or correction of PHI in records; (iii) uses and disclosures of PHI; and (iv) notice of privacy practices for PHI. By the September 1, 2003 Texas compliance date, these HIPAA standards will apply not only to traditional "covered entities," but also to "any person who uses, transmits, assembles, analyzes, evaluates, comes into possession of, obtains, or stores protected health information" for essentially any reason. Texas law applies additional constraints, more stringent than those in HIPAA, on uses and disclosures of PHI for several purposes, including marketing. It is now unclear exactly how these constraints will impact pharmaceutical manufacturers and how "marketing" will be defined under this Texas law. Without exception, however, the law requires patient authorizations for marketing uses or disclosures and sets forth strict criteria for written marketing communications.