No. Kalderos works with stakeholders throughout the pharmaceutical supply chain on behalf of the drug manufacturer that provides the 340B discount. Health care providers that are “covered entities” under HIPAA can disclose information covered by HIPAA consistent with HIPAA for their own payment purposes without a BAA as part of their payment activities, among other purposes. See 45 C.F.R. § 164.501. Particularly in light of guidance from the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) on permissible disclosures in a similar context, it is Kalderos’ view that the disclosure of such information by providers, or their business associates acting on their behalf, to a manufacturer, or an entity acting on the manufacturer’s behalf, for the purposes of evaluating the propriety of discounts associated with 340B utilization is permitted under HIPAA
without a BAA.
OCR has explained that HIPAA covered entities (in those cases, health plans) can disclose information to manufacturers consistent with HIPAA and without a BAA for purposes of adjudicating claims in the following two FAQs:
FAQ 455: Does the Privacy Rule permit health plans to disclose protected health information to pharmaceutical manufacturers for the adjudication of drug rebate contracts?
Yes. The Privacy Rule permits a health plan to disclose protected health information, such as prescription numbers, to a pharmaceutical manufacturer for purposes of adjudicating claims submitted under a drug rebate contract. Because the amount of the rebate is based on drug utilization by individual enrollees, such disclosures are permitted as part of a covered entity’s payment activities. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.
A business associate agreement is not required to make these disclosures. However, a health plan must make reasonable efforts to limit the information disclosed to that which is the minimum necessary to adjudicate claims under the contract. See 45 CFR 164.502(b) and 164.514(d) for more information on the minimum necessary standard.
HHS, OCR, FAQ, June 5, 2003, https://www.hhs.gov/hipaa/for-professionals/faq/455/does-hipaa-permit-health-plans-to-disclose-information-to-pharmaceutical-manufacturers/index.html.
FAQ 456: Does the Privacy Rule permit state Medicaid agencies to disclose protected health information to pharmaceutical manufacturers and third party data vendors for purposes of validating claims under the Medicaid Drug Rebate program?
Yes. The Privacy Rule permits State Medicaid agencies to disclose protected health information, such as prescription numbers, to pharmaceutical manufacturers and third party data vendors that assist the pharmaceutical manufacturers, for purposes of validating claims submitted under the Medicaid Drug Rebate program. Because the amount of the rebate is based on drug utilization by individual enrollees, such disclosures are permitted as part of a State Medicaid agency’s payment activities. See 45 CFR 164.502(a)(1)(ii) and the definition of “payment” at 45 CFR 164.501.
A business associate agreement is not required to make these disclosures. State Medicaid agencies are required by law to disclose certain information to drug manufacturers as part of the drug rebate program. To the extent that the law requires a disclosure, the minimum necessary standard does not apply. (See 45 CFR 164.512(a) for further information and limitations on disclosures required by law.) To the extent that protected health information is disclosed for payment purposes but not pursuant to a legal requirement, the State Medicaid agency must make reasonable efforts to limit that information to that which is the minimum necessary to adjudicate the rebate claims. See 45 CFR 164.502(b) and 164.514(d) for more information on the minimum necessary standard.
HHS, OCR, FAQ, June 5, 2003, https://www.hhs.gov/hipaa/for-professionals/faq/456/does-hipaa-permit-state-medicaid-agencies-to-disclose-information-to-pharmaceutical-manufacturers/index.html.
As with such claims adjudication – where OCR has made clear that a BAA is not required – here, it is our view that a BAA is not required for a provider to disclose information to a manufacturer (or its contractor) for purposes of the manufacturer’s determination of whether a discount is consistent with 340B Program rules and whether a prohibited duplicate discount scenario exists in connection with a drug dispensed by a provider. This disclosure is subject to the minimum necessary standard. As noted above, in order to make these determinations, the manufacturers on whose behalf Kalderos operates need the following information about each patient for whom a provider seeks a discount: prescription ID, NDC, units, date of service, NPI, 340B covered entity ID, and certain drug information because these data elements are each necessary for the manufacturers to validate whether
discounts are consistent with 340B Program rules and whether a prohibited duplicate discount
scenario exists.