Privacy & Cybersecurity Law Blog

On June 12, 2014, Connecticut Governor Dannel Malloy signed a bill into law that may require retailers to modify their existing Health Insurance Portability and Accountability Act (“HIPAA”) authorizations for pharmacy reward programs. The law, which will become effective on July 1, 2014, obligates retailers to provide consumers with a “plain language summary of the terms and conditions” of their pharmacy reward programs before the consumers may enroll. It also requires retailers to include specific content in their authorization forms that are required pursuant to the HIPAA. If the consumer is required to sign a HIPAA authorization to participate in a pharmacy reward program, the authorization must include the following items “adjacent to the point where the HIPAA authorization form is to be signed:”

•  The specific uses and disclosures of protected health information (“PHI”) permitted by the HIPAA authorization;
• Whether PHI will be disclosed to third parties, and that such information will not be protected by federal or state privacy laws;
• Which third parties will have access to the PHI;
• How the consumer may revoke his or her HIPAA authorization; and
• That the consumer is entitled to a copy of the signed HIPAA authorization.

Because the requirements of the Connecticut law go beyond the current content requirements for HIPAA authorizations in the HIPAA Privacy Rule, retailers should consider whether they need to revise existing HIPAA authorizations to comply.