PA 14-197—SB 208
General Law Committee
AN ACT CONCERNING PHARMACY REWARDS PROGRAMS AND PROTECTED HEALTH INFORMATION
SUMMARY: This act requires a retailer to give consumers a written, plain-language summary of a pharmacy rewards program's terms and conditions before enrolling consumers in the program. Under the act, a “pharmacy rewards program” is a promotional arrangement where a retailer gives a consumer store credits, discounts, or other tangible benefits in exchange for the consumer filling prescriptions through the retailer or its affiliate.
The act requires additional disclosures about the use of protected health information if consumers must sign a HIPAA authorization form to participate in the programs. The act defines “HIPAA authorization” as permission to disclose medical records that meet the privacy requirements of the 1996 federal Health Insurance Portability and Accountability Act or its associated regulations (see BACKGROUND).
The act requires certain terms, if used, to be defined in the programs' (1) promotional materials, (2) plain-language summary, and (3) HIPAA authorization.
A violation of the act's requirements is deemed an unfair or deceptive trade practice.
EFFECTIVE DATE: July 1, 2014
HIPAA AUTHORIZATION FORM
Under the act, if retailers make consumers sign a HIPAA authorization form in order to participate in their pharmacy rewards programs, the retailers must include the following information on the form:
1. the specific uses or disclosures of protected health information the authorization allows;
2. whether protected health information the retailer obtains will be disclosed to third parties and, if so, that the information will not be protected by federal or state privacy laws;
3. which, if any, third parties will have access to the health information;
4. how to revoke the authorization; and
5. that the consumer is entitled to a copy of the signed authorization.
This information must be provided next to where the form is signed.
Federal regulations already require authorizations to include such things as (1) a description of protected health information that will be used and disclosed and (2) the people allowed to use, disclose, or receive the information (45 CFR Parts 160 and 164).
The act requires certain terms, if they are used, to be defined in the program's promotional materials, the plain-language summary, and on the HIPAA authorization form next to where it is signed. The terms included are:
2. Health Insurance Portability and Accountability Act of 1996,
3. HIPAA authorization,
4. protected health information, and
The act uses certain definitions from HIPAA regulations. “Protected health information” includes individually identifiable health information transmitted by or maintained in electronic media or transmitted or maintained in some other form, but not information included in certain records such as education or employment records (45 CFR § 160.103). “Marketing” generally means making a communication about a product or service to encourage the purchase or use of the product or service. It does not include certain communications about health care treatment and operations (45 CFR § 164.501).
The HIPAA “privacy rule” sets national standards to protect the privacy of health information. It protects individually identifiable health information by defining and limiting the circumstances under which covered entities may use or disclose such information.
Connecticut Unfair Trade Practices Act (CUTPA)
CUTPA prohibits unfair and deceptive acts or practices. It allows the consumer protection commissioner to issue regulations defining what constitutes an unfair trade practice, investigate complaints, issue cease and desist orders, order restitution in cases involving less than $5,000, enter into consent agreements, ask the attorney general to seek injunctive relief, and accept voluntary statements of compliance. It also allows individuals to sue. Courts may issue restraining orders; award actual and punitive damages, costs, and reasonable attorney's fees; and impose civil penalties of up to $5,000 for willful violations and $25,000 for violation of a restraining order.
OLR Tracking: KLM: JO: JKL: ro