(a) For purposes of this section:
(1) “Pharmacy rewards program” means a promotional arrangement under which a retailer provides a consumer with store credits, discounts or other tangible benefits in exchange for the consumer filling drug prescriptions through such retailer or its affiliate;
(2) “HIPAA authorization” means an authorization to disclose medical records that meets the privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (P.L. 104-191) (HIPAA), as amended from time to time, or regulations adopted thereunder;
(3) “Protected health information” has the meaning assigned to it in 45 CFR 160.103, as amended from time to time; and
(4) “Marketing” has the meaning assigned to it in 45 CFR 164.501, as amended from time to time.
(b) Prior to enrolling a consumer in a pharmacy rewards program, a retailer shall provide the consumer with a written plain language summary of the terms and conditions of such program. If the consumer is required to sign a HIPAA authorization form to participate in the program, the retailer shall include information on the form, adjacent to the point where the HIPAA authorization form is to be signed, that states: (1) The specific uses or disclosures of protected health information the HIPAA authorization allows, (2) whether protected health information obtained by the retailer will be disclosed to third parties and, if so disclosed, that such information will not be protected by federal or state privacy laws, (3) which, if any, third parties will have access to the consumer’s protected health information, (4) how the consumer may revoke the HIPAA authorization, and (5) that the consumer is entitled to a copy of the HIPAA authorization form once signed.
(c) The terms “HIPAA”, “Health Insurance Portability and Accountability Act of 1996”, “HIPAA authorization”, “protected health information” and “marketing” shall be defined in promotional materials, in the plain language summary required pursuant to subsection (b) of this section, and on the HIPAA authorization form adjacent to the point where the HIPAA authorization form is to be signed, if such terms are used in such materials, summary or enrollment form.
(d) A violation of subsection (b) or (c) of this section shall be deemed an unfair or deceptive act or practice in the conduct of trade or commerce under subsection (a) of § 42-110b.