AMARILLO, TX – There are 78 million Baby Boomers retiring at the rate of 10,000 per day. Boomers are the Woodstock generation. Even though their bodies are aging, emotionally and psychologically most Boomers refuse to get old. While earlier generations may have been content spending their retirement years playing shuffleboard in Scottsdale, AZ, today’s generation of Boomers want to spend their retirement engaging in triathlons and attending Rolling Stones concerts. In short, many of today’s Boomers want to be active until the day they die. For these Boomers, the most valuable asset they have is time; they want to use their time wisely. If these Boomers need an a DME item to help them stay active, then (i) they do not want to wait around for Medicare to approve coverage and (ii) they want to purchase the “Cadillac” product, not the “Cavalier” product.
So what does any of this have to do with the title of this article? Increasingly, DME suppliers are seeking to diversify their income stream by selling products for cash. Assume that XYZ Medical, Inc. has a PTAN and its principal business is to provide Medicare-covered items on an assigned basis. In an effort to lessen its dependence on Medicare, assume that XYZ wants to promote, to its existing customers, a line of cash-only “Cadillac” products. In doing so, assume that XYZ does not set up a separate legal entity for the cash sales – but rather – XYZ sells cash items under its existing corporate entity. In other words, XYZ’s Part B business and cash sales business are under the same Tax ID #. The question is whether HIPAA allows XYZ to promote its cash products to its existing customers.
The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) outline the restrictions and requirements for the use and disclosure of protected health information (“PHI”) by a covered entity or business associate. PHI is defined as “a subset of health information, including demographic information collected from an individual” that (1) can identify the individual; (2) is created or received by a health care provider or health plan; (3) relates to the past, present, or future physical or mental health or condition of an individual; and (4) is transmitted or maintained by electronic media or otherwise. A covered entity includes a health care provider “who transmits any health information in electronic form in connection with a transaction covered [by HIPAA].” A business associate is an individual or an entity that performs certain services for or on behalf of a covered entity and that, pursuant to such services, requires access to the covered entity’s PHI. A DME supplier, such as XYZ is a “covered entity” as defined by HIPAA.
Generally, unless an exception applies, covered entities are prohibited from “using” or “disclosing” a patient’s PHI unless the covered entity obtains a HIPAA compliant authorization for such disclosure. Prohibitions on use or disclosure of PHI extend to using or disclosing PHI for marketing purposes. Marketing is defined as any communication “about a product or service that encourages recipients of the communication to purchase or use the product or service.” The law excepts the following marketing communications from the requirement to obtain a HIPAA authorization:
- A face-to-face communication by the covered entity to an individual.
- A nominal-value promotional gift provided by the covered entity.
As another exception to the marketing restriction, HIPAA allows communications made by the covered entity to patients to describe a “health-related product or service” provided by the covered entity. Thus, in our example, if the cash products that XYZ offers are “health related,” then XYZ may contact its existing customers and educate them regarding XYZ’s cash products. For example, XYZ can (1) mail hard copy literature to its customers, (2) send an email to its customers, and even (3) under certain conditions, call its customers. If XYZ calls a customer within 15 months following the last time that the customer obtained a Medicare-covered product from XYZ, then the phone call will not violate Supplier Standard #11 nor the telephone solicitation statute. The reason for this is because the phone call will comply with an exception to the supplier standard and statute.
Now let us change the facts and assume that XYZ decides to set up a new legal entity (“XYZ Retail, Inc.”) that will sell the cash products. XYZ Retail will have a different Tax ID # from XYZ. Assume that XYZ desires to cross-sell XYZ Retail’s cash products to XYZ’s customers. The challenge is that if XYZ communicates to its customers about products offered by a different legal entity (XYZ Retail), then the exception discussed above (i.e., describing a health-related product provided by the covered entity) does not apply. XYZ is not describing a health-related product provided by XYZ…but rather…is describing a product provided by another entity. In this case, before XYZ can communicate to its customers information about cash products offered by XYZ Retail, XYZ must obtain a HIPAA authorization from the patients.
A HIPAA authorization can be obtained via email, in writing, or verbally. Verbal authorization would require XYZ to retain a written transcript of its call with the customer so that it can provide the customer with a written copy of the authorization, if requested. HIPAA authorizations require certain core elements, including (1) a meaningful description of the information that will be used or disclosed; (2) the names of the parties that are disclosing the information and that are requesting disclosure of the information; (3) a description of the purpose of the disclosure; (4) an expiration date of the disclosure; and (5) the signature of the individual and date the authorization is signed. A full description of the requirements of a HIPAA-compliant authorization can be found on the Office for Civil Rights (“OCR”) website and at 45 C.F.R. §164.508(c).
And so if XYZ Retail is created, then XYZ will be required to obtain a HIPAA authorization to:
- Call or send email or mailers to customers regarding XYZ Retail.
- Talk to XYZ customers over the phone about XYZ Retail.
- Disclose PHI to XYZ Retail in order for XYZ Retail to contact XYZ’s customers.
A HIPAA authorization can be obtained by XYZ during a phone call initiated by a customer. XYZ should not initiate calls to customers for the sole purpose of obtaining a HIPAA authorization for marketing purposes. If a customer calls XYZ, or if XYZ calls a patient, about a reorder or other items and services, then an XYZ customer service representative (“CSR”) may be able to ask the customer if s/he would like to receive information about products and services offered by an affiliated company. If the customers says “yes,” then the CSR can obtain the HIPAA authorization at that time. But, note that if a customer complains to the Office for Civil Rights (“OCR”), then there is a risk that this conversation could be viewed as a “use” of PHI for marketing purposes. In order to reduce this risk, if XYZ attempts to obtain HIPAA authorizations during calls with patients, the messaging should be carefully tailored to ensure that the CSR just requests an authorization, and if the patient says “no,” then no further marketing or messaging is provided.
XYZ is not required to obtain a HIPAA authorization to:
- Advertise XYZ Retail on XYZ’s website.
- Direct patients to XYZ’s website that, in turn, advertises XYZ Retail.
XYZ is not required to obtain a HIPAA authorization to send patients promotional gifts of nominal value printed with XYZ Retail’s information. The regulations and available guidance do not specifically state whether the promotional gift must advertise the covered entity. Absent published guidance to the contrary, it is likely acceptable for XYZ to send XYZ’s customers a promotional gift printed with XYZ Retail’s information. However, XYZ would not be permitted to include any other information with the gift (i.e., no letter, flyer, or any other explanatory information).
Lastly, in addition to HIPAA, XYZ should be mindful of other laws such as the CAN-SPAM Act, the Telephone Consumer Protection Act (“TCPA”), HIPAA security rules for securing PHI, and any analogous state laws addressing the same topics. Further, there may be restrictions in XYZ’s commercial insurance contracts that require XYZ to take assignment when it sells a product, covered by the contract, to an individual covered by the contract.
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Texas. He represents pharmacies, infusion companies, HME companies and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320 or firstname.lastname@example.org.