AMARILLO, TX – “Social media” is a way for people to communicate and interact online. Social media has been around since the dawn of the Internet, but in the last ten (10) years or so we’ve seen a surge in both the number and popularity of social media sites. It’s called social media because users engage with (and around) it in a social context, which can include conversations, commentary, and other user-generated annotations and engagement interactions.

Publishing content has become exponentially simpler over the last several years, which has helped skyrocket the use of social media. Non-technical web users are now able to easily create content on a rapidly growing number of platforms, including those that are owned (hosted communities, blogs, etc.), rented (social networks or third-party communities), and occupied (commenting, contributing, etc.).

The future of the DME industry is the servicing of the 78 million “Baby Boomers” who are retiring at the rate of 10,000 per day. Unlike their parents (the “Greatest Generation”) Boomers are comfortable using social media. The forward-thinking DME supplier will utilize social media to (i) advertise to prospective customers, (ii) stay in touch with existing customers, and (iii) monitor patient outcomes.

In Part 1, we discussed the multiple social media platforms. In this Part 2, we will discuss how the law is “trying to catch up to” social media. In particular, the law focuses on two types of relationships: (i) employer and employee and (ii) supplier and prospective/existing customer. Social media is an accepted means of personal communication. Instead of two employees “chatting at the water cooler,” the employees may communicate via social media. Likewise, instead of an employee describing his work environment to a neighbor “over the fence,” the employee might use social media. It is understandable for the employer to desire to place limits on social media communications so that what the employee says…..and how he says it…..will not harm the employer. On the other hand, it is understandable for an employee to feel that his employer should have no say over the employee’s private communications (if you can call social media “private”). The law is developing regarding this inherent employer-employee conflict.

Separate from the employer-employee dynamic, we have the supplier-prospective/existing customer dynamic. The supplier will want to attract new customers with the various social media platforms. Equally as important, the supplier will desire to maintain regular contact with its existing customers…..again, by using social media platforms. In utilizing social media, the supplier will need to be aware of the multiple laws that protect consumers.

Employer/Employee Dynamic
NLRB Policy Statement
“Employer policies should not be so sweeping that they prohibit the kinds of activity protected by federal labor law, such as the discussion of wages or working conditions among employees.  An employee’s comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees.”

NLRB Rejection of Employer Policies
The NLRB has rejected:
• Overly broad social media restrictions such as disciplinary action on insubordinate comments or inappropriate conversations.
• Policy that states employees may not solicit team members while on company property because that would restrict employee solicitation during paid company breaks.
• Requirements of “appropriate” social media conduct.
• Requirement of a disclaimer (e.g., “opinions expressed herein are personal”) on every post because it is overly burdensome.
• A rule requiring employees to obtain company approval or bring work concerns to the employer before publishing any comments about the company. According to the NLRB, this is an unlawfully broad restriction.
• Rule requiring that “employees should generally avoid identifying themselves as the employer’s employees unless discussing terms and conditions of employment in an appropriate manner.” According to the NLRB, this infringes on employees’ rights to discuss terms and conditions of employment.
• “Savings clauses” that say that nothing in the social media policy should be construed to prohibit employee rights under the NLRA. According to the NLRB, this is insufficient to protect or save an otherwise unlawfully restrictive policy.

NLRB Approval of Employer Policies
• Policy prohibiting use of social media to post or display comments about co-workers, supervisors, or the employer that are vulgar, obscene, threatening, intimidating, harassing, or a violation of the company’s workplace policies against discrimination, harassment, or hostility based on age, race, religion, sex, ethnicity, nationality, disability, or any other protected class, status, or characteristic. The simple rule is that if the statement would otherwise violate a company’s workplace policies if orally stated at work, then it is permissible to ban similar acts on social media.
• Policies prohibiting employees from disclosing confidential or proprietary information, such as personal health information; confidential company plans (e.g., the launch of a product); and pending reorganizations.
• In Tasker Healthcare Group v. Employee, the employee in group message with colleagues wrote: ““They [the Employer] are full of s*** … They seem to be staying away from me, you know I don’t bite my [tongue] anymore…FIRE ME. …Make my day. . .” The employee further wrote: ““it’s getting bad there [at the Employer’s workplace], it’s Just annoying as h**. It’s always some dumb s*** going on.” The employer terminated the employee, stating that it was “obvious” that the employee was no longer interested in working there. The employer also stated that it was concerned about having the employee working directly with patients given her feelings about her work and the employer. According to the NLRB, the employee’s Facebook messages did not constitute protected concerted activity. The NLRB’s test for concert is whether the activity is engaged “in with or on the authority of other employees, and not solely by and on behalf of the employee himself.” According to the NLRB, the employee’s comments merely reflected her personal contempt for her returning coworker and for her supervisor, rather than any shared employee concerns over terms and conditions of employment.

Two Principles
Two principles on what the employer may do with social media are:
• If the policy includes some specific examples for guidance about prohibited communications, it is much more likely to be acceptable to the NLRB because it will not “chill” proper communications among employees; and
• If an employee’s communication violates the law or causes the employer to violate the law, or if it violates a specific and legitimate employer interest, then the employer is probably safe to prohibit it.

Supplier-Prospective/Existing Customer Dynamic
HIPAA Marketing Guidelines
The Health Insurance Portability and Accountability Act (“HIPAA”) requires “covered entities” to obtain a valid authorization from individuals before using or disclosing protected health information (“PHI”) to market a product or service to them. See 45 CFR § 164.508(a)(3).  A DME supplier falls within the HIPAA definition of a “covered entity.”

PHI is a subset of “individually identifiable health information,” which is defined as:
• Information that is a subset of health information, including demographic information collected from an individual, and
• Is created or received by a health care provider . . . ; and
• Related to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual; and
• That identifies the individual; or
• With respect to which there is a reasonable basis to believe the information could be used to identify the individual

45 CFR §160.103.
HIPAA broadly defines “use” of PHI to include the sharing, employment, application, utilization, examination, or analysis of such information.  42 CFR § 160.103.  The HIPAA definition of marketing states what is not marketing:
• Marketing does not include a communication made: . . . [f]or the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication[,] . . . to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.

45 CFR § 164.501 (2013) (emphasis added).  Marketing communications require prior valid authorization from the customer.  45 CFR § 164.508(a). Therefore, to avoid HIPAA’s requirement that the DME supplier obtain a valid authorization from the customer before making a marketing communication, the marketing communication must concern a health-related product or service (i) provided by the supplier and (ii) the supplier cannot receive financial remuneration in exchange for making the communication.

When the Department of Health and Human Services revised the definition of marketing communication, it issued the following comments to the final rule:
• We believe Congress intended that these provisions curtail a covered entity’s ability to use the exceptions to the definition of “marketing” in the Privacy Rule to send communications to the individual that are motivated more by commercial gain or other commercial purpose rather than for the purpose of the individual’s health care, despite the communication being about a health-related product or service.

78 Fed. Reg. 5592. HIPAA applies to any patient…no matter how old or how young…and whether the patient is covered by Medicare or commercial insurance.  In other words, HIPAA is not limited to Medicare patients. These comments make it clear that a health care provider (including a DME supplier) can only use a patient’s PHI for the medical benefit of the patient. The DME supplier cannot disclose or use the PHI for purposes of marketing (i.e., for the purposes of making money) unless the patient gives a valid prior written authorization for such use or disclosure. In short, when the patient “walks into the provider’s facility,” the patient needs to feel secure that his PHI will only be used for the purpose that it was designed to be used.

Email Marketing
Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) was enacted to protect consumers from unwanted commercial e-mail, (i.e., “spam”). The act imposes restrictions on the sending of commercial e-mail, which is defined as “messages that have as their primary purpose a commercial advertisement or a promotion of a commercial product or service.” See 77 A.L.R.6th 1 (Originally published in 2012); 15 U.S.C.A. §§ 7701 to 7713; 18 U.S.C.A. §1037.

The act does not make e-mail marketing completely illegal—rather, it imposes certain standards for email marketers to follow. The CAN-SPAM Act distinguishes between commercial e-mail and transactional or relationship email. Only commercial e-mail falls within the bounds of CAN-SPAM. Commercial content is defined as “any electronic mail message the primary purpose of which is the commercial advertisement or promotion of a commercial product or service (including content on an Internet website operated for a commercial purpose).” 15 U.S.C.A. § 7702(2)(A).

Transactional or relationship emails, on the other hand, may not contain false or misleading routing information, but are otherwise exempt from most provisions of the CAN-SPAM Act. 15 U.S.C.A. § 7702(17). “Transactional or relationship message” means an e-mail with the primary purpose of one of the following:
• To facilitate, complete, or confirm a commercial transaction that the recipient has previously agreed to enter into with the sender;
• To provide warranty information, product recall information, or safety or security information with respect to a commercial product or service used or purchased by the recipient;
• To provide notification concerning a change in the terms or features of, a change in the recipient’s standing or status with respect to, or account balance information or other type of account statement with respect to, a subscription, membership, account, loan, or comparable ongoing commercial relationship involving the ongoing purchase or use by the recipient of products or services offered by the sender;
• To provide information directly related to an employment relationship or related benefit plan in which the recipient is currently involved, participating, or enrolled; or
• To deliver goods or services, including product updates or upgrades, that the recipient is entitled to receive under the terms of a transaction that the recipient has previously agreed to enter into with the sender.

Generally speaking, under the CAN-SPAM Act, unsolicited commercial email advertisements must have a functioning return email address, the legitimate physical address of the mailer, and a way for people to opt-out of future mailings. The Act also prohibits deceptive subject lines and false or misleading header information. The FTC has published the main requirements under the CAN-SPAM Act that an e-mail marketer must follow. See FTC’s webpage: http://www.business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business.

The following should be used to comply with the Act:
• An e-mail marketer cannot use false or misleading header information. The “From,” “To,” “Reply-To,” and routing information, including the originating domain name and email address, must be accurate and identify the person or business who initiated the message.
• An e-mail marketer cannot use deceptive subject lines. The subject line must accurately reflect the content of the message.
• An e-mail marketer must identify the message clearly and conspicuously as an advertisement.
• An e-mail marketer must tell recipients where the business is located. The message must include a valid physical postal address (i.e., current street address, a post office box with the U.S. Postal Service, or a private mailbox with a commercial mail receiving agency established under Postal Service regulations).
• An e-mail marketer must tell recipients how to opt out of receiving future email from the business. The message must include a clear and conspicuous explanation of how the recipient can opt out of getting email in the future.
• An e-mail marketer must honor opt-out requests promptly. Any opt-out mechanism must be able to process opt-out requests for at least 30 days after the e-mail marketer sends the message. The recipient’s opt-out request must be honored within 10 business days.
• An e-mail marketer must monitor what others are doing on its behalf. Even if another company is hired to handle the e-mail marketing, legal responsibility stays with the company.

CAN-SPAM ACT preempts any state law that “expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.”

Direct Mailing
Direct mailings must comply with the laws of three regulatory agencies: (1) FTC, (2) U.S. Postal Service, and (3) State Attorneys General. The state regulations are relatively uniform and mirror the FTC regulations. The Federal Trade Commission Act focuses on preventing and deterring consumer deception and fraud—part of which is regulating direct mail advertising. 15 U.S.C. § 41 (West). Essentially, this Act operates to prevent false advertising. 15 U.S.C.A. § 52 (West). Under the FTC Act, a direct mail advertisement is “unfair if it causes or is likely to cause substantial consumer injury which a consumer could not reasonably avoid; and it is not outweighed by the benefit to consumers.” 15 U.S.C. § 41 (West).

Additionally, an advertisement in a direct mailing is considered “deceptive if it contains a statement or omits information that is likely to mislead reasonable consumers under the circumstances and the information is material or important to a consumer’s decision to buy or use the product.” 15 U.S.C. § 41 (West). An advertisement may be deceptive if “the advertiser does not have a reasonable basis to support its claims.” 15 U.S.C. § 41 (West).

The U.S. Postal Service also has some regulations that enforce advertising through direct mail. There are prohibitions on the following: certain non-mailable matter, 39 U.S.C. § 3001 (West), mail bearing fictitious names or addresses, 39 U.S.C. § 3003 (West), 18 U.S.C. § 1462 (West), delivery of mail to people not actually residents of the place of address, 39 U.S.C. § 3004 (West), and false representations for lottery mailings. 39 U.S.C. § 3005 (West); 18 U.S.C. § 1301, 1302 (West). The Deceptive Mail Prevention and Enforcement Act of 1999 gave the Postal Service more remedial options. 39 U.S.C. § 3001, et seq.  (West) (a.k.a., Public Law 106-168).

Most state regulations on direct mailings mirror the federal statutory language and impose similar penalties for violations of the law. For example, Texas Deceptive Trade Practices Act, which applies to direct mailings to consumers, prohibits certain deceptive trade practices.

Internet Leads
Lead generation companies (“LGCs”) have been around for years in the non-health care space. However, in the last several years, LGCs have come into the health care market in droves. Unfortunately, most LGCs that have been successful in the widget market are clueless regarding the multiple federal anti-fraud laws in the health care market, such as the Medicare anti-kickback statute and the telephone solicitation statute. Equally as unfortunate, there are too many DME companies that are also clueless. What is legal in the widget market may very well not be legal in the DME market.

Governmental agencies and contractors are aggressively looking at relationships between LGCs and DME suppliers. For example, either as part of an unannounced site visit, or pursuant to a letter inquiry, the NSC is asking suppliers about how they are obtaining new customers. In particular, the NSC is asking the supplier whether it is purchasing leads. If the NSC concludes that the telephone solicitation statute and/or Supplier Standard 11 is being violated, then the NSC may suspend the supplier’s PTAN number. Accrediting Organizations (“AOs”) are asking the same questions of their clients. If the AO believes that the supplier’s marketing activities are violating the telephone solicitation statute and/or Supplier Standard 11, then the AO will threaten to revoke the accreditation unless the supplier takes corrective steps.

The ZPICs are extremely aggressive. ZPICs are asking for the names and contact information of the supplier’s marketing reps; they are interviewing (in person and/or over the phone) the supplier’s patients and the physicians whose names are on the orders; and they are drilling down on whether the supplier is purchasing leads. If the ZPIC concludes that the supplier is violating the telephone solicitation statute and/or Supplier Standard 11, then the ZPIC may instruct all four DME MACs to suspend payments to the supplier.

This brings us to the Department of Justice (“DOJ”). The DOJ is investigating lead purchase arrangements. The DOJ’s focus is not on the telephone solicitation statute/Supplier Standard 11; rather, the focus is on whether the arrangement violates the Medicare anti-kickback statute (which is a criminal statute). In short, DME suppliers that purchase leads are living in a glass house; there are multiple “camel’s noses under the tent flap.”

When a DME supplier signs a lead generation agreement (“LGA”) with an LGC, there are two main legal issues that must be addressed. The first one involves the Medicare anti-kickback statute, which provides for criminal penalties for any person or company that solicits, receives, offers or pays any remuneration to a person or company to induce the person/company to refer an individual for Medicare-covered items or services, or to purchase, lease, order, or arrange for or recommend purchasing, leasing, or ordering any Medicare-covered items or services, or to purchase, lease, order, or arrange for or recommend purchasing, leasing, or ordering any Medicare-covered item or service, subject to certain exceptions.

It is acceptable to purchase a lead; however, it is a violation of the anti-kickback statute to pay for referral. The line between the two can be blurry. In the eyes of the OIG, there is a distinction between (i) a “raw” or “unqualified” lead and (ii) a “qualified” lead. It is acceptable for an LGC to obtain basic information from a lead (name, address and telephone number) and sell this “raw” lead to a DME supplier. The supplier can, in turn, pay the LGC on a per lead basis. If, however, the LGC obtains “qualifying” information on the lead (e.g., Medicare number, other insurance information, medical condition, physician’s name, products currently being used, etc.) and sells the qualified lead to the supplier which, in turn, pays for the lead on a per lead basis, then it is likely that the government will take the position that the supplier is not buying a lead, but is paying for a referral…….which violates the anti-kickback statute.

Unfortunately, the line between a “raw” lead and a qualified lead is blurry. Picture a continuum. On the left side of the continuum is a clear “raw” lead (name, address, and phone number) while on the right side of the continuum is a clear “qualified” lead (diagnosis, medical condition, products currently being used, physician’s name, Medicare/insurance information). The chances of the raw lead ending up being a paying customer are low……similar to when a person calls the supplier in response to a newspaper ad. On the other hand, the chances of a qualified lead ending up being a paying customer are appreciably higher……similar to a referral from a physician or a hospital. Purchasing a raw lead is acceptable; it is not paying for a referral.

Purchasing a qualified lead (where the compensation is on a per lead basis) is tantamount to paying for a referral which implicates the Medicare anti-kickback statute. As the lead moves along the continuum from the left to the right, there is a line that is crossed where the lead transforms from a raw lead to a qualified lead. Unfortunately, where that line is located is not clear. If in addition to name, address and phone number the LGC collects one additional piece of information (e.g., insurance information), then the lead starts moving from the left to the right. However, is this one piece of additional information sufficient to move the lead from the raw to the qualified category? What about two pieces of additional information? Three pieces of additional information?

Jeff Baird will be presenting the following webinars in the month of December.
AAHOMECARE’S EDUCATIONAL WEBINAR
Aggressively Moving Into the Retail Market While Avoiding Legal Pitfalls
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato, P.C.
Thursday, December 4, 2014
2:30-4:00 p.m. EASTERN TIME
Sign up now for “Aggressively Moving Into the Retail Market While Avoiding Legal Pitfalls” on Thursday, December 4, 2014, 2:30-4:00 pm ET, with Jeffrey S. Baird, Esq., of Brown & Fortunato, PC.
Please note: we have adopted a new online meeting registration system; please contact Ika Sukh at [email protected] if you experience any difficulties registering.
FEES: Member: $99.00    
Non-Member: $129.00

Oxygen: Restarting the 36 Months, Pre-Screens, Use of Concentrators and Other Hot Button Issues
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato, P.C.
Thursday, December 18, 2014
2:30-4:00 p.m. EASTERN TIME
Sign up now for “Oxygen: Restarting the 36 Months, Pre-Screens, Use of Concentrators and Other Hot Button Issues” on Thursday, December 18, 2014, 2:30-4:00 pm ET, with Jeffrey S. Baird, Esq., of Brown & Fortunato, PC.
Please note: we have adopted a new online meeting registration system; please contact Ika Sukh at [email protected] if you experience any difficulties registering.
FEES: Member: $99.00    
Non-Member: $129.00

Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato PC, a law firm based in Amarillo, Tex. He represents pharmacies, HME companies, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization. He can be reached at (806) 345-6320 or [email protected].