AMARILLO, TX – Increasingly, DME suppliers are seeking to diversify their income stream by selling products for cash. Assume that XYZ Medical, Inc. has a PTAN and its principal business is to provide Medicare-covered items on an assigned basis. In an effort to lessen its dependence on Medicare, XYZ wants to promote, to existing customers, a line of cash-only “Cadillac” products. In doing so, XYZ needs to decide whether to set up a separate legal entity for the cash sales or sell cash items under its existing corporate entity. Equally as important, XYZ must determine how HIPAA factors into these two business models.
The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) outline the restrictions and requirements for the use and disclosure of protected health information (“PHI”) by a covered entity or business associate. PHI is defined as “a subset of health information, including demographic information collected from an individual” that (1) can identify the individual; (2) is created or received by a health care provider or health plan; (3) relates to the past, present, or future physical or mental health or condition of an individual; and (4) is transmitted or maintained by electronic media or otherwise. A covered entity includes a health care provider “who transmits any health information in electronic form in connection with a transaction covered [by HIPAA].” A business associate is an individual or an entity that performs certain services for or on behalf of a covered entity and that, pursuant to such services, requires access to the covered entity’s PHI. A DME supplier, such as XYZ is a “covered entity” as defined by HIPAA.
Generally, unless an exception applies, covered entities are prohibited from “using” or “disclosing” a patient’s PHI unless the covered entity obtains a HIPAA compliant authorization for such disclosure. Prohibitions on use or disclosure of PHI extend to using or disclosing PHI for marketing purposes. Marketing is defined as any communication “about a product or service that encourages recipients of the communication to purchase or use the product or service.” The law excepts the following marketing communications from the requirement to obtain a HIPAA authorization:
- A face-to-face communication by the covered entity to an individual.
- A nominal-value promotional gift provided by the covered entity.
As another exception to the marketing restriction, HIPAA allows communications made by the covered entity to patients to describe a “health-related product or service” provided by the covered entity.
Sale of Cash Items Under XYZ’s Existing Tax ID Number
Assume that XYZ decides not to set up a separate legal entity – but rather – to promote the sale of cash items under its existing Tax ID Number. If the cash products that XYZ offers are “health related,” then XYZ may contact its existing customers and educate them regarding XYZ’s cash products. For example, XYZ can (1) mail hard copy literature to its customers, (2) send an email to its customers, and even (3) under certain conditions, call its customers. If XYZ calls a customer within 15 months following the last time that the customer obtained a Medicare-covered product from XYZ, then the phone call will not violate Supplier Standard #11 nor the telephone solicitation statute. The reason for this is because the phone call will comply with an exception to the supplier standard and statute.
Sale of Cash Items By a Separate Legal Entity
Now let us change the facts and assume that XYZ decides to set up a new legal entity (“XYZ Retail, Inc.”) that will sell the cash products. XYZ Retail will have a different Tax ID # from XYZ. Assume that XYZ desires to cross-sell XYZ Retail’s cash products to XYZ’s customers. The challenge is that if XYZ communicates to its customers about products offered by a different legal entity (XYZ Retail), then the exception discussed above (i.e., describing a health-related product provided by the covered entity) does not apply. XYZ is not describing a health-related product provided by XYZ…but rather…is describing a product provided by another entity. In this case, before XYZ can communicate to its customers information about cash products offered by XYZ Retail, XYZ must obtain a HIPAA authorization from the patients.
A HIPAA authorization can be obtained via email, in writing, or verbally. Verbal authorization would require XYZ to retain a written transcript of its call with the customer so that it can provide the customer with a written copy of the authorization, if requested. HIPAA authorizations require certain core elements, including (1) a meaningful description of the information that will be used or disclosed; (2) the names of the parties that are disclosing the information and that are requesting disclosure of the information; (3) a description of the purpose of the disclosure; (4) an expiration date of the disclosure; and (5) the signature of the individual and date the authorization is signed. A full description of the requirements of a HIPAA-compliant authorization can be found on the Office for Civil Rights (“OCR”) website and at 45 C.F.R. §164.508(c).
And so if XYZ Retail is created, then XYZ will be required to obtain a HIPAA authorization to:
- Call or send email or mailers to customers regarding XYZ Retail.
- Talk to XYZ customers over the phone about XYZ Retail.
- Disclose PHI to XYZ Retail in order for XYZ Retail to contact XYZ’s customers.
A HIPAA authorization can be obtained by XYZ during a phone call initiated by a customer. XYZ should not initiate calls to customers for the sole purpose of obtaining a HIPAA authorization for marketing purposes. If a customer calls XYZ, or if XYZ calls a patient, about a reorder or other items and services, then an XYZ customer service representative (“CSR”) may be able to ask the customer if s/he would like to receive information about products and services offered by an affiliated company. If the customers says “yes,” then the CSR can obtain the HIPAA authorization at that time. But, note that if a customer complains to the Office for Civil Rights (“OCR”), there is a risk that this conversation could be viewed as a “use” of PHI for marketing purposes. In order to reduce this risk, if XYZ attempts to obtain HIPAA authorizations during calls with patients, the messaging should be carefully tailored to ensure that the CSR just requests an authorization, and if the patient says “no,” then no further marketing or messaging is provided.
XYZ is not required to obtain a HIPAA authorization to:
- Advertise XYZ Retail on XYZ’s website.
- Direct patients to XYZ’s website that, in turn, advertises XYZ Retail.
XYZ is not required to obtain a HIPAA authorization to send patients promotional gifts of nominal value printed with XYZ Retail’s information. The regulations and available guidance do not specifically state whether the promotional gift must advertise the covered entity. Absent published guidance to the contrary, it is likely acceptable for XYZ to send XYZ’s customers a promotional gift printed with XYZ Retail’s information. However, XYZ would not be permitted to include any other information with the gift (i.e., no letter, flyer, or any other explanatory information).
Lastly, in addition to HIPAA, XYZ should be mindful of other laws such as the CAN-SPAM Act, the Telephone Consumer Protection Act (“TCPA”), HIPAA security rules for securing PHI, and any analogous state laws addressing the same topics. Further, there may be restrictions in XYZ’s commercial insurance contracts that require XYZ to take assignment when it sells a product, covered by the contract, to an individual covered by the contract.
AAHOMECARE’S EDUCATIONAL WEBINAR
Life in the Post-COVID World: The New Normal for DME Suppliers
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato & Kelly T. Custer, Esq., Brown & Fortunato
Tuesday, November 9, 2021
1:30-2:30 p.m. CENTRAL TIME
COVID-19 has presented DME suppliers with significant opportunities for growth and change in addition to the unfortunate operational and regulatory challenges. Suppliers who make the best of the new reality while appropriately handling the challenges of the pandemic, will grow and succeed in this rapidly changing market. This program will explore real-time topics of interest to DME suppliers in legal, regulatory and operational areas with a practical approach to identifying opportunities and overcoming challenges in the post-COVID world. Among other topics, this program will discuss the (i) status of the Public Health Emergency, various CMS waivers and anticipated long-term changes that CMS and payors may embrace, along with an update on telehealth and its anticipated role in DME in a post-COVID world; (ii) compliance with reporting requirements for programs like the Provider Relief Fund; and (iii) opportunities associated with vaccine administration and COVID testing.
Register for Life in the Post-COVID World: The New Normal for DME Suppliers on Tuesday, November 9, 2021, 1:30-2:30 p.m. CT, with Jeffrey S. Baird, Esq. and Kelly T. Custer, Esq. of Brown & Fortunato.
AAHOMECARE’S EDUCATIONAL WEBINAR
Sales Tax and Products Billed Through Insurance: Avoid the Landmines
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato & Steve Moore, Esq., Jackson Walker
Tuesday, December 14, 2021
1:30-2:30 p.m. CENTRAL TIME
In the past, DME suppliers primarily billed traditional Medicare and Medicaid. This is changing. With the expansion of Medicare and Medicaid managed care, suppliers are now increasingly billing commercial insurers. Unfortunately, a number of suppliers have the mistaken impression that they do not have to remit sales tax. Failure to remit sales tax, even when the supplier is unable to collect the sales tax from the patient or insurer, can have serious consequences for the supplier. Each state has the authority to determine its sales tax requirements. While there are similarities across states, there are also differences. For example, a particular product may be subject to sales tax in State A, but not in State B. This program will present an overview of state sales tax laws and will then focus on the laws of five of the larger states. The program will discuss the sources that DME suppliers can go to in order to determine if a product is subject to sales tax in a particular state. The program will also discuss the steps that a DME supplier can take if it and a state enforcement agency disagree on whether a product is subject to sales tax.
Register for Sales Tax and Products Billed Through Insurance: Avoid the Landmines on Tuesday, December 14, 2021, 1:30-2:30 p.m. CT, with Jeffrey S. Baird, Esq., of Brown & Fortunato and Steve Moore, Esq., of Jackson Walker.
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or email@example.com.