AMARILLO, TX – Increasingly, DME suppliers are seeking to diversify their income stream by selling products for cash. Assume that ABC Medical, Inc. has a PTAN and its principal business is to provide Medicare-covered items on an assigned basis. In an effort to lessen its dependence on Medicare, assume that ABC wants to promote, to new and existing customers, a line of cash-only products. In doing so, assume that ABC does not set up a separate legal entity for the cash sales – but rather – ABC sells cash items under its existing corporate entity. In other words, ABC’s Part B business and cash sales business are under the same Tax ID #. The question is whether HIPAA allows ABC to promote its cash products to its existing Part B customers.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) outline the restrictions and requirements for the use and disclosure of protected health information (“PHI”) by a covered entity or business associate. PHI is defined as “a subset of health information, including demographic information collected from an individual” that (1) can identify the individual; (2) is created or received by a health care provider or health plan; (3) relates to the past, present, or future physical or mental health or condition of an individual; and (4) is transmitted or maintained by electronic media or otherwise. A covered entity includes a health care provider “who transmits any health information in electronic form in connection with a transaction covered [by HIPAA].” A business associate is an individual or an entity that performs certain services for or on behalf of a covered entity and that, pursuant to such services, requires access to the covered entity’s PHI. A DME supplier, such as ABC is a “covered entity” as defined by HIPAA.
Generally, unless an exception applies, covered entities are prohibited from “using” or “disclosing” a patient’s PHI unless the covered entity obtains a HIPAA compliant authorization for such disclosure. Prohibitions on use or disclosure of PHI extend to using or disclosing PHI for marketing purposes. Marketing is defined as any communication “about a product or service that encourages recipients of the communication to purchase or use the product or service.” The law excepts the following marketing communications from the requirement to obtain a HIPAA authorization:
- A face-to-face communication by the covered entity to an individual
- A nominal-value promotional gift provided by the covered entity
As another exception to the marketing restriction, HIPAA allows communications made by the covered entity to patients to describe a “health-related product or service” provided by the covered entity. Thus, in our example, if the cash products that ABC offers are “health related,” then ABC may contact its existing Part B customers and educate them regarding ABC’s cash products. For example, ABC can (1) mail hard copy literature to its Part B customers, (2) send an email to its Part B customers, and even (3) under certain conditions, call its Part B customers. If ABC calls a Part B customer within 15 months following the last time that the customer obtained a Medicare-covered product from ABC, then the phone call will not violate Supplier Standard #11 nor the telephone solicitation statute. The reason for this is because the phone call will comply with an exception to the supplier standard and statute.
HIPAA Authorizations
Now let us change the facts and assume that ABC decides to set up a new legal entity (“ABC Retail, Inc.”) that will sell the cash products. ABC Retail will have a different Tax ID # from ABC. Assume that ABC desires to cross-sell ABC Retail’s cash products to ABC’s Part B customers. The challenge is that if ABC communicates to its customers about products offered by a different legal entity (ABC Retail), then the exception discussed above (i.e., describing a health-related product provided by the covered entity) does not apply. ABC is not describing a health-related product provided by ABC…but rather…is describing a product provided by another entity. In this case, before ABC can communicate to its Part B patients information about cash products offered by ABC Retail, ABC must obtain a HIPAA authorization from the patients.
A HIPAA authorization can be obtained via email, in writing, or verbally. Verbal authorization would require ABC to retain a written transcript of its call with the customer so that it can provide the customer with a written copy of the authorization, if requested. HIPAA authorizations require certain core elements, including (1) a meaningful description of the information that will be used or disclosed; (2) the names of the parties that are disclosing the information and that are requesting disclosure of the information; (3) a description of the purpose of the disclosure; (4) an expiration date of the disclosure; and (5) the signature of the individual and date the authorization is signed. A full description of the requirements of a HIPAA-compliant authorization can be found on the Office for Civil Rights (“OCR”) website and at 45 C.F.R. §164.508(c).
And so if ABC Retail is created, then ABC will be required to obtain a HIPAA authorization to:
- Call or send email or mailers to customers regarding ABC Retail.
- Talk to ABC customers over the phone about ABC Retail.
- Disclose PHI to ABC Retail in order for ABC Retail to contact ABC’s customers.
A HIPAA authorization can be obtained by ABC during a phone call initiated by a customer. ABC should not initiate calls to customers for the sole purpose of obtaining a HIPAA authorization for marketing purposes. If a customer calls ABC, or if ABC calls a patient, about a reorder or other items and services, then an ABC customer service representative (“CSR”) may be able to ask the customer if s/he would like to receive information about products and services offered by an affiliated company. If the customers says “yes,” then the CSR can obtain the HIPAA authorization at that time. But, note that if a customer complains to the Office for Civil Rights (“OCR”), then there is a risk that this conversation could be viewed as a “use” of PHI for marketing purposes. In order to reduce this risk, if ABC attempts to obtain HIPAA authorizations during calls with patients, the messaging should be carefully tailored to ensure that the CSR just requests an authorization, and if the patient says “no,” then no further marketing or messaging is provided.
ABC is not required to obtain a HIPAA authorization to:
- Advertise ABC Retail on ABC’s website.
- Direct patients to ABC’s website that, in turn, advertises ABC Retail.
ABC is not required to obtain a HIPAA authorization to send patients promotional gifts of nominal value printed with ABC Retail’s information. The regulations and available guidance do not specifically state whether the promotional gift must advertise the covered entity. Absent published guidance to the contrary, it is likely acceptable for ABC to send ABC’s customers a promotional gift printed with ABC Retail’s information. However, ABC would not be permitted to include any other information with the gift (i.e., no letter, flyer, or any other explanatory information).
Lastly, in addition to HIPAA, ABC should be mindful of other laws such as the CAN-SPAM Act, the Telephone Consumer Protection Act (“TCPA”), HIPAA security rules for securing PHI, and any analogous state laws addressing the same topics. Further, there may be restrictions in ABC’s commercial insurance contracts that require ABC to take assignment when it sells a product, covered by the contract, to an individual covered by the contract.
AAHomecare’s Retail Work Group
The Retail Work Group is a vibrant network of DME industry stakeholders (suppliers, manufacturers, consultants) that meets once a month via video conference during which (i) an expert guest will present a topic on an aspect of selling products at retail, and (ii) a question and answer period will follow. The next Retail Work Group video conference is scheduled for December 13, 2018, at 11:00 a.m. Central. Lisa Wells and Kristina Rhoades, Cure Medical, will present “Learning the Voice of the Customer/End User with Disabilities.” Participation in the Retail Work Group is free to AAHomecare members. For more information, contact Ashley Plauché Manager of Government Affairs, AAHomecare ([email protected]).
AAHOMECARE’S EDUCATIONAL WEBINAR
Negotiating Managed Care Contracts
Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato, P.C.
Tuesday, December 11, 2018
2:30-3:30 p.m. EASTERN TIME
Until relatively recently, DME suppliers only dealt with Medicare and Medicaid fee-for-service (“FFS”) programs. The FFS programs would establish coverage and reimbursement criteria…and suppliers would submit claims directly to the FFS programs. All of this is changing. Today, approximately 35% of Medicare beneficiaries are covered by Medicare Advantage Plans and this percentage is increasing. Approximately 70% of state Medicaid beneficiaries are covered by Medicaid Managed Care Plans; this percentage is also increasing. A supplier’s obligations to the Plan and the Plan’s covered lives are set out in a Plan contract that the supplier signs. The contract contains coverage and reimbursement requirements. Many suppliers believe that when it is presented with a Plan contract, then it is a “take it or leave it” proposition. This is not the case. While there are some contractual provisions that the Plan will likely not budge on, there are other provisions that can be negotiated. This webinar will discuss (i) the most important provisions in Plan contracts, (ii) those provisions that are normally non-negotiable, and (iii) those provisions that Plans are open to modify. Equally as important, this program will discuss practical steps that the supplier can take that will increase its chances to successfully negotiate key provisions in Plan contracts.
Contact Amy Watson at [email protected] for the registration form for Negotiating Managed Care Contracts on Tuesday, December 11, 2018, 2:30-3:30 p.m. ET, with Jeffrey S. Baird, Esq., of Brown & Fortunato, PC.
FEES: Member: $99.00; Non-Member: $129.00
Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320 or [email protected].