AMARILLO, TX – Assume that ABC Medical Equipment, Inc. (“ABC”) is a Part B DME supplier. It bills Medicare and other third party payors (“TPPs”). As such, ABC is a “covered entity” as defined by HIPAA. Assume that the owner of ABC also owns XYZ Retail Sales, Inc. (“XYZ”). XYZ does not have a PTAN and it only sells DME for cash. XYZ does not bill TPPs. As such, XYZ is not a “covered entity” under HIPAA. Assume that ABC desires to educate its existing and future patients about the cash products sold by XYZ. In doing so, ABC needs to comply with HIPAA guidelines.
HIPAA Guidelines
HIPAA prohibits a covered entity from using or disclosing patients’ protected health information (“PHI”), except as permitted or required under the HIPAA statute. A “covered entity” means: “(1) a health plan; (2) a health care clearinghouse; and (3) a health care provider that transmits any health information in electronic form in connection with a transaction” for which the Department of Health and Human Services (“DHHS”) has adopted a standard. DME companies, such as ABC, are covered entities under HIPAA. PHI is individually identifiable health information, that is
“information that is a subset of health information, including demographic information collected from an individual and, (1) is created or received by a health care provider …; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.”
HIPAA broadly defines “use” of PHI to include the sharing, employment, application, utilization, examination, or analysis of such information.
HIPAA generally prohibits the use and/or disclosure of patient PHI for the purposes of marketing without first obtaining a HIPAA-compliant authorization from the patient. Marketing is defined under HIPAA as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.” If a communication falls under this definition, then it will be considered marketing unless it falls under one of the exceptions to this general definition. Specifically, marketing does not include:
- Communications “[t]o provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication;”
- Communications for the following treatment or healthcare operations purposes, so long as the covered entity does not receive financial remuneration for making the communication:
  - Communications made “[f]or treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;”
  - Communications made “[t]o describe a health-related product or service … that is provided by … the covered entity making the communication;” or
  - Communications made “[f]or case management and care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.”
In addition, marketing communications that are (1) face-to-face with the patient or (2) in the form of a nominally valued promotional gift are permitted by HIPAA and do not require a HIPAA-compliant authorization.
“Treatment” is defined as “the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.”
“Health care operations” is defined as any of the following: (1) “conducting quality assessment and improvement activities, including case management and care coordination [and] contacting of health care providers and patients with information about treatment alternatives;” (2) “reviewing the competence or qualifications of health care professionals;” (3) “activities related to the creation, renewal, or replacement of a contract of health insurance or benefits;” (4) “conducting or arranging for medical review, legal services, and auditing functions;” (5) “business planning and development;” and (6) “business management and general administrative activities of the entity.” To meet the exceptions to the definition of “marketing” under the second bullet, above, the purpose of the communication must meet the definition of treatment or health care operations and one of the three sub-bullets under the second bullet, above.
Real World Examples
ABC can (i) place a link on its website to XYZ’s website, (ii) place a banner ad on its website for XYZ’s website, and (iii) institute a pop-up notification on its website that, if clicked on, leads the user to XYZ’s website. If ABC does not receive any remuneration for these actions, then it can encourage existing/future patients to visit ABC’s website. ABC should ensure that the pop-up notification does not “pop up” as a result of specific patient PHI.
ABC can send a hard copy document or an email to its existing patients inviting them to visit ABC’s website. Such a communication can be sent so long as it (i) describes ABC’s products and services and (ii) invites the patient to visit ABC’s website in order to learn more. The fact that there will be a link to the XYZ website, or an ad for XYZ on the website, will not interfere with ABC making such a communication.
ABC can send a hard copy document or an email to its existing patients asking if they would like to discuss with ABC the products offered by an affiliated company. In this scenario, ABC must access the patients’ PHI and use it to send the communication. If ABC simply sends an e-mail or hard copy document that only contains the question of whether the patient would like to discuss products offered by an affiliated company, then ABC would likely need to obtain an authorization from the patient because that communication is not for treatment or health care operations purposes. Alternatively, if ABC includes in the communication language that can be attributed to a treatment or healthcare operations purpose, such as for case management or care coordination, or provides information about treatment or healthcare provider alternatives, then such a communication would likely not require ABC to obtain an authorization from the patient. This issue would need to be analyzed according to a particular patient’s condition and needs.
ABC can call an existing patient about an issue related to the patient’s care or refill of supplies, and also ask whether the patient would like to discuss with ABC products offered by an affiliated company. This presents a different scenario than the preceding scenario because, in this scenario, ABC calls an existing patient about an issue related to a patient’s care or refill of supplies. Such a call from the outset has a treatment purpose. Nevertheless, if ABC also wants to ask the patient if he would like to discuss products offered by an affiliated company, then in order to avoid having to obtain an authorization, ABC needs to show that that specific question has a treatment or healthcare operations purpose.
To do this, ABC should have a similar conversation to what was contemplated in the previous scenario, by which ABC is involved in care coordination or is making a recommendation for an alternative treatment and/or healthcare provider. In addition, ABC needs to engage in the same type of analysis as described in the preceding scenario. ABC needs to be able to credibly argue that the purpose of the communication is in furtherance of the patient’s care. As such, the communication needs to be based on the condition and needs of the patient.
Without having to obtain a prior authorization, ABC can ask a new patient (who calls ABC) whether he would like to discuss with ABC products offered by an affiliated company…on condition that the question is properly worded to fit within an exception to a marketing communication. As discussed in the previous two scenarios, ABC will need to ensure that such a communication is for treatment or healthcare operations purposes by ensuring that the communication recommends the patient to an alternative treatment or healthcare provider. This type of communication would also fit under the definition of “healthcare operations” as care coordination.
Without having to obtain a prior authorization, ABC may call existing non-Medicare patients “out of the blue” for the sole purpose of asking them if they would like to discuss with ABC products offered by an affiliated company…so long as the question is properly worded to fit within an exception to a marketing communication. As seen in the preceding three scenarios, these communications are permitted without first obtaining an authorization from the patients if ABC properly words such communications to fit within treatment or healthcare operations purposes such as care coordination or recommendations of treatment or health care provider alternatives. In doing this, ABC needs to ensure compliance with the Telephone Consumer Protection Act (“TCPA”).
In calling a Medicare patient, ABC needs to be aware of the restrictions set out in Supplier Standard #11 and in the telephone solicitation statute. The standard and statute prohibit ABC from calling a Medicare patient unless one of the following applies: (i) the individual has given written permission to the supplier to contact him by telephone concerning the furnishing of a Medicare-covered item; (ii) the supplier has furnished a Medicare-covered item to the individual and the supplier is contacting the individual regarding that item; or (iii) if the contact concerns the furnishing of a Medicare-covered item other than a covered item previously furnished to the individual, the supplier has furnished at least one covered item to the individual during the 15-month period preceding the date on which the supplier makes such contact.
A Medicare-covered item means “medical equipment and supplies as defined in section 1834(j)(5) of the [Social Security] Act.” These items include durable medical equipment, prosthetic devices, orthotics and prosthetics, surgical dressings, and more. The definition of a Medicare-covered item is broad enough to encompass any equipment or supplies that, regardless of whether a provider of such equipment or supplies is enrolled in Medicare, are covered by Medicare.
Accordingly, if the XYZ products that ABC would be discussing are Medicare-covered items, ABC is prohibited from contacting a Medicare beneficiary “out of the blue” for the sole purpose of asking the patient whether he or she would like to discuss products offered by an affiliated company, despite the fact that XYZ will not be enrolled in Medicare. The only circumstance in which ABC would be allowed to make this call to a Medicare beneficiary is if (i) the beneficiary has given written permission or if (ii) the contact concerns the furnishing of a Medicare-covered item other than a covered item previously furnished to the beneficiary…and ABC has furnished at least one covered item to the beneficiary during the 15-month period preceding the date on which ABC makes the contact.
Assume that ABC desires to send a hard copy document or email to its existing patients marketing XYZ’s products. Alternatively, assume that ABC desires to call an existing patient and talk to him about XYZ’s products. Under these two scenarios, in which ABC communicates with an existing patient via the telephone, e-mail, or mail and markets XYZ’s products, ABC would likely need to first obtain a HIPAA-compliant authorization. On its face and with no additional information, this communication is an obvious “marketing communication” and does not meet any of the HIPAA exceptions.
However, if ABC can word the communication to fit within an exception to “marketing communication” to constitute a treatment or healthcare operations purpose such as care coordination or recommendation of alternative treatments or health care providers, then this communication may be permissible without first obtaining a HIPAA-compliant authorization. Once again, the situation will need to be analyzed by ABC to determine the patient’s condition and treatment needs. If this communication takes place via telephone, ABC must ensure compliance with the TCPA for all patients…and compliance with Supplier Standard #11 and the telephone solicitation statute when dealing with Medicare beneficiaries. Lastly, the email communications need to comply with the CAN-SPAM Act.
If a new or existing patient physically visits an ABC location, then ABC may market XYZ’s products to the new or existing patient without a HIPAA-compliant authorization because face-to-face communications with patients are exceptions to the requirement that marketing communications require an authorization.
ABC may provide patients with a promotional gift of nominal value without obtaining a HIPAA-compliant authorization because such a gift is explicitly excepted from that requirement in the regulations. DHHS has provided guidance on what it considers to be a promotional gift of nominal value, including such things as “sample products during a face-to-face communication, or … calendars, pens, and the like, that display the name of a product or provider.” As such, ABC can provide patients with similar items displaying XYZ’s name without first obtaining a HIPAA-compliant authorization.
HIPAA-Compliant Authorization
A valid HIPAA authorization must contain at least the following:
- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
- The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
- A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository;
- Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
In addition to the requirements above, a valid authorization must contain the following statements:
- The individual’s right to revoke the authorization in writing, and either:
  - The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
  - To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by § 164.520, a reference to the covered entity’s notice.
- The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
  - The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations … applies; or
  - The consequences to the individual of a refusal to sign the authorization when … the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
- The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected.
Moreover, the authorization must be written in plain language and the covered entity must provide the individual with a copy of the signed authorization.
Accordingly, in the event ABC engages in a marketing activity that requires ABC to obtain a valid authorization, ABC must document and retain the signed authorization containing the above language and provide a copy to the patient.
AAHomecare’s Retail Work Group
The Retail Work Group is a vibrant network of DME industry stakeholders (suppliers, manufacturers, consultants) that meets once a month via video conference during which (i) an expert guest will present a topic on an aspect of selling products at retail, and (ii) a question and answer period will follow. The next Retail Work Group video conference is scheduled for June 13, 2019, at 11:00 a.m. Central. Tim Rutti, Valley Medical Supplies, will present “Designing a Storefront Based on Your Company’s Retail Focus.” Participation in the Retail Work Group is free to AAHomecare members. For more information, contact Ashley Plauché, Manager of Government Affairs, AAHomecare ([email protected]).
Jeffrey S. Baird, JD, is Chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320 or [email protected].