The Use of Authorizations by Specialty Pharmacies to Provide Protected Health Information to Pharma

What are some of the pitfalls that a pharmacy needs to avoid when setting up a relationship with a pharma manufacturer to accept authorizations from individuals to release information to that manufacturer?

How to Avoid Pitfalls and Set Up a Process

Specialty pharmacies are almost by definition dealing with high-cost drugs that generally are not available in any sort of generic form. The manufacturers of those drugs are increasingly using drug-specific programs to help get both patients and doctors to use their product. As part of the participation in such programs, the member is usually asked to sign an authorization form that would allow specialty pharmacies to release protected health information (PHI) and other data to the pharma manufacturers to assist these programs.

Of course, an authorization is going to be needed by a specialty pharmacy to release PHI to a pharma company. The general rule under HIPAA is that a Covered Entity (like a pharmacy) cannot release an individual’s PHI without that individual’s authorization. There are many exceptions to that rule, but those exceptions don’t apply to the situation where a pharma company is asking a specialty pharmacy to provide patient data about the individual’s use of its drug. For example, a pharmacy could not release the information under HIPAA’s treatment exception, since the manufacturer is neither a health care provider nor in a treatment relationship with the individual.

Since an authorization is going to be needed, what are some of the pitfalls that a pharmacy needs to avoid when setting up a relationship with a pharma manufacturer to accept authorizations from individuals to release information to that manufacturer?

One obvious pitfall lies in the authorization form itself. The HIPAA Privacy Rule has specific requirements for authorization forms for it to be considered a valid authorization. If those requirements are not met, then the authorization is considered defective. Release of PHI to a pharma manufacturer using a defective authorization form would not be a permissible disclosure of PHI and could be considered a HIPAA breach depending on the circumstances of the release.

A valid HIPAA authorization has 6 “core” elements:

• Description of the information to be used or disclosed that identifies it in a specific and meaningful way;
• Names of persons, or classes of persons, authorized to make the requested use or disclosure;
• Names of persons, or classes of persons, to whom the Covered Entity may release the information;
• Description of the purpose of the use or disclosure;
• An expiration date or event;
• Signature of the individual authorizing and the date.

Additionally, the authorization must have statements about the individual’s right to revoke the authorization in writing; the ability or inability to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and the potential for information released pursuant to an authorization to be further disclosed by the recipient and no longer have the protections of the HIPAA Privacy Rule.

Finally, HIPAA also only allows a compound authorization—multiple authorizations within 1 document—in certain situations.

You can see there are quite a few things that go into creating a valid authorization form under HIPAA.

Understanding State Requirements

Then there are state requirements for authorization forms. We don’t have the space to cover the breadth of other state-specific requirements that are out there, but do realize that many states have them. At the very least, you should research whether there are any requirements in the state of residence of your pharmacy or where the majority of your members reside if you serve a local population.

State laws also represent a challenge for the pharma manufacturers in creating an authorization form. The pharma manufacturers are most likely going to have individuals from a variety of states involved in their programs. With that potential variety, it may be difficult to impossible for the pharma manufacturer to create a single authorization form that covers all the combinations of requirements between HIPAA and state law. Additionally, the authorization form for patients is usually combined with other program participation materials, and some states have requirements that authorizations be on a separate page from other documentation.

So, when a pharma manufacturer approaches your pharmacy with an authorization form, what should you do?

One option would be to accept the authorization form without any review. The obvious advantage of this approach is that it does not require the time and effort to engage your internal legal/compliance team or outside counsel. This approach assumes that the pharma manufacturer has made sure that its form meets the applicable HIPAA and state law requirements. That assumption is not unwarranted, as pharma companies have their own incentives to create a valid authorization. However, as mentioned, especially with state laws, a pharma company may be challenged with creating an authorization that meets all the legal requirements for every individual it may be seeking release of information about. The risk with this approach is that if the authorization is defective, either from a HIPAA or state perspective, then releases made based on that authorization are not permissible ones.

Another option would be to engage in a review of the pharma company’s authorization form before agreeing to accept the forms. While review takes time and costs money, there is a potential risk-saving component to that investment for both your pharmacy and pharma manufacturers. If you do find a missing component from either a HIPAA or state law perspective and report that deficiency to the pharma manufacturer, you are providing the manufacturer with an opportunity to correct its mistake. You are also building a record for any complaints to a regulator that you took reasonable steps to ensure that an authorization met applicable standards.

Some of the standards for authorizations can involve differing reasonable determinations of what is sufficient, so there should be some thought given to what kind of perceived deficiencies are worth taking back to a manufacturer. Continual battling with manufacturers over interpretations of the sufficiency of certain provisions may have a negative reputational effect (pharma will opt to stop dealing with you) with no real benefit to your organization.

Next Steps

Before moving on to our next subject, one comment about who in your pharmacy should be doing the review of your authorization form if you choose that route. While the most obvious choice would be your legal counsel or your privacy office, if you have one, another option could be for those groups to train and provide templates/checklists to operational employees to empower them to conduct the reviews.

Once you’ve gotten to the point where you are comfortable with the authorization form, there are still some other issues to consider. Someone needs to review the authorization to ensure that it has been completed, signed, and dated. A template form that meets all the requirements is useless if it is not correctly filled out and signed and dated. Failure to complete the authorization makes it invalid in the same way as not including the core elements in the template. Having a legal or privacy team review every single completed authorization may be too taxing on your legal/privacy resources and is probably an unnecessary step, as long as you have operational employees who have been adequately trained on the required elements of a completed authorization.

Next, and probably most importantly, you need to have a system in place to track who you have an authorization for and who you don’t. Depending on the level of sophistication of your organization, this could be a binder full of authorizations that you consult or an automated tracking system that tags the individual’s record with a notation that pharma company X is authorized to receive information about that individual. If you do have an automated system, keeping the original hard copy of the authorization or making an electronic copy of the hard copy form is a best practice to follow.

The reason you need that system in place is to be able to respond to the request from the pharma company to hand over the data that individuals have authorized you to give to pharma on their behalf. You don’t want to exclude people that have given you a valid authorization and you don’t want to include individuals that haven’t given you an authorization.

In closing, there are several considerations that have to be taken into account to make sure that your pharmacy is in a position to take authorizations from pharmaceutical companies. Once you’ve made your strategic decisions on how to handle these authorizations, create a repeatable process that is understood by your employees—and then you’ll be ready to accept pharma authorizations and properly disclose data to pharma.

About the AuthorNiels Quist, JD, is privacy director at OptumRx. Based in Irvine, California, OptumRx is a pharmacy benefit manager and mail pharmacy that provides a full spectrum of pharmacy services, all rooted in evidence-based clinical and technological innovation to improve health outcomes and reduce health care costs. Mr. Quist holds a JD from the George Mason University School of Law and was previously employed at the US Department of Justice.