AMARILLO, TX – Historically, the DME industry has been an “assignment” industry. That is, the DME supplier (i) provides the product to the Medicare beneficiary, (ii) takes assignment from the beneficiary, (iii) bills Medicare, and (iv) collects the copayment from the beneficiary. And…historically, Medicare beneficiaries have been content to receive the type of products that the supplier carries in its inventory.
As Baby Boomers age and retire, this dynamic is changing. Unlike many in earlier generations, Boomers want to stay active for as long as possible. Many Baby Boomers are willing to spend their children’s inheritance on products and services that will help the Boomers remain active. Said another way, many Boomers are willing to pay cash for top-of-the-line products (i.e, the “Cadillac” products) … as opposed to having Medicare pay the DME supplier on an assignment basis for “Cavalier” products.
This phenomenon is motivating DME suppliers to promote the sale, for cash, of Cadillac products to beneficiaries who in prior years might have been satisfied with receiving Cavalier products. As a DME supplier expands into the cash market, there are a number of legal issues that must be addressed. One issue is whether the DME supplier can cross market Cadillac products to the supplier’s existing patient base. The short answer is “yes” … but the devil is in the details.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (“HIPAA”) outline the restrictions and requirements for the use and disclosure of protected health information (“PHI”) by a covered entity or business associate. PHI is defined as “a subset of health information, including demographic information collected from an individual” that (1) can identify the individual; (2) is created or received by a health care provider or health plan; (3) relates to the past, present, or future physical or mental health or condition of an individual; and (4) is transmitted or maintained by electronic media or otherwise. A covered entity includes a health care provider “who transmits any health information in electronic form in connection with a transaction covered [by HIPAA].” A business associate is an individual or an entity that performs certain services for or on behalf of a covered entity and that, pursuant to such services, requires access to the covered entity’s PHI. A DME supplier is a “covered entity” as defined by HIPAA.
Generally, unless an exception applies, covered entities are prohibited from “using” or “disclosing” a patient’s PHI unless the covered entity obtains a HIPAA compliant authorization for such disclosure. Prohibitions on use or disclosure of PHI extend to using or disclosing PHI for marketing purposes. Marketing is defined as any communication “about a product or service that encourages recipients of the communication to purchase or use the product or service.” The law excepts the following marketing communications from the requirement to obtain a HIPAA authorization:
- A face-to-face communication by the covered entity to an individual.
- A nominal-value promotional gift provided by the covered entity.
As another exception to the marketing restriction, HIPAA allows communications made by the covered entity to patients to describe a “health-related product or service” provided by the covered entity.
Sale of Cash Items Under Existing Tax ID Number
Assume that XYZ Medical Equipment, Inc. decides not to set up a separate legal entity – but rather – to promote the sale of cash items under its existing Tax ID Number. If the cash products that XYZ Medical offers are “health related,” then XYZ Medical may contact its existing customers and educate them regarding XYZ Medical’s cash products. For example, XYZ Medical can (i) mail hard copy literature to its customers, (ii) send an email to its customers, and even (iii) under certain conditions, call its customers.
Sale of Cash Items by a Separate Legal Entity
Now let us change the facts and assume that the owner of XYZ Medical decides to set up a new legal entity (“XYZ Retail, Inc.”) that will sell the cash products. XYZ Retail will have a different Tax ID # from XYZ Medical. Assume that XYZ Medical desires to cross market XYZ Retail’s cash products to XYZ Medical’s customers. The challenge is that if XYZ Medical communicates to its customers about products offered by a different legal entity (XYZ Retail), then the exception discussed above (i.e., describing a health-related product provided by the covered entity) does not apply. XYZ Medical is not describing a health-related product provided by XYZ Medical … but rather … is describing a product provided by another entity. In this case, before XYZ Medical can communicate to its customers information about cash products offered by XYZ Retail, XYZ Medical must obtain a HIPAA authorization from the patients.
A HIPAA authorization can be obtained via email, in writing, or verbally. Verbal authorization would require XYZ Medical to retain a written transcript of its call with the customer so that it can provide the customer with a written copy of the authorization, if requested. HIPAA authorizations require certain core elements, including (1) a meaningful description of the information that will be used or disclosed; (2) the names of the parties that are disclosing the information and that are requesting disclosure of the information; (3) a description of the purpose of the disclosure; (4) an expiration date of the disclosure; and (5) the signature of the individual and date the authorization is signed. A full description of the requirements of a HIPAA-compliant authorization can be found on the Office for Civil Rights (“OCR”) website and at 45 C.F.R. §164.508(c).
And so if XYZ Retail is created, XYZ Medical will be required to obtain a HIPAA authorization to:
- Call or send emails or mailers to XYZ Medical customers regarding XYZ Retail.
- Talk to XYZ Medical customers over the phone about XYZ Retail.
- Disclose PHI to XYZ Retail in order for XYZ Retail to contact XYZ Medical’s customers.
A HIPAA authorization can be obtained by XYZ Medical during a phone call initiated by a customer. XYZ Medical should not initiate calls to customers for the sole purpose of obtaining a HIPAA authorization for marketing purposes. If a customer calls XYZ Medical, or if XYZ Medical calls a patient, about a reorder or other items and services, then an XYZ Medical customer service representative (“CSR”) may be able to ask the customer if s/he would like to receive information about products and services offered by an affiliated company. If the customers says “yes,” then the CSR can obtain the HIPAA authorization at that time. But, note that if a customer complains to the Office for Civil Rights (“OCR”), there is a risk that this conversation could be viewed as a “use” of PHI for marketing purposes. In order to reduce this risk, if XYZ Medical attempts to obtain HIPAA authorizations during calls with patients, the messaging should be carefully tailored to ensure that the CSR just requests an authorization, and if the patient says “no,” then no further marketing or messaging is provided.
XYZ Medical is not required to obtain a HIPAA authorization to:
- Advertise XYZ Retail on XYZ Medical’s website. This may take the form of (i) a link between the websites and/or (ii) an XYZ Retail banner on XYZ Medical’s website.
- Direct patients to XYZ Medical’s website that, in turn, advertises XYZ Retail.
XYZ Medical is not required to obtain a HIPAA authorization to send patients promotional gifts of nominal value printed with XYZ Retail’s information. The regulations and available guidance do not specifically state whether the promotional gift must advertise the covered entity (i.e., XYZ Medical). Absent published guidance to the contrary, it is likely acceptable for XYZ Medical to send XYZ Medical’s customers a promotional gift printed with XYZ Retail’s information. However, XYZ Medical would not be permitted to include any other information with the gift (i.e., no letter, flyer, or any other explanatory information).
Lastly, in addition to HIPAA, XYZ Medical should be mindful of other laws such as the CAN-SPAM Act, the Telephone Consumer Protection Act (“TCPA”), HIPAA security rules for securing PHI, and any analogous state laws addressing the same topics. Further, there may be restrictions in XYZ Medical’s commercial insurance contracts that require XYZ Medical to take assignment when it sells a product, covered by the contract, to an individual covered by the contract.
Jeffrey S. Baird, Esq., is Chairman of the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents pharmacies, infusion companies, HME companies, manufacturers, and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or [email protected]
AAHOMECARE’S EDUCATIONAL WEBINAR
Managed Care Contracts: Key Provisions
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato
Monday, June 13, 2022
1:30-2:30 p.m. CENTRAL TIME
DME suppliers serve multiple categories of patients, including the elderly (Medicare) and those on the lower end of the socio-economic scale (Medicaid). Both the Medicare and Medicaid programs are gravitating towards “managed care.” Approximately 40% of Medicare beneficiaries are signed up with Medicare Advantage Plans (“MAPs”), while approximately 70% of Medicaid beneficiaries are signed up with Medicaid Managed Care Plans (“MMCPs”). These percentages are increasing. MAPs and MMCPs work essentially the same way: (i) the government health care program contracts with a “Plan” that is owned by an insurance company; (ii) the Plan signs up patients; (iii) the Plan signs contracts with hospitals, physicians, DME suppliers and other providers … these providers/suppliers will take care of the Plan’s patients; and (iv) the government program pays the Plan that, in turn, pays the provider/supplier. In order to serve MAP and MMCP patients, DME suppliers must sign managed care contracts. In so doing, the supplier needs to be careful. Not only must the contract provide sufficient reimbursement to the supplier, but the contract will have some “trap” provisions that may be harmful to the supplier. This program will discuss the most important provisions that are contained in managed care contracts. The program will discuss how the supplier can negotiate with Plans; and the discussion will point out the provisions that are often non-negotiable and the provisions that are open to negotiation.
Register for Managed Care Contracts: Key Provisions on Monday, June 13, 2022, 1:30-2:30 p.m. CT, with Jeffrey S. Baird, Esq. of Brown & Fortunato.
Members: $99
Non-Members: $129