HIPAA and Cash Sales
Providers must understand how HIPAA factors into the retail equation.
- By Jeffrey S. Baird
- Apr 01, 2020
Increasingly, DME suppliers are seeking to diversify
their income stream by selling products for cash. Assume that XYZ Medical,
Inc. has a PTAN and its principal business is to provide Medicare-covered items
on an assigned basis. In an effort to lessen its dependence on Medicare, XYZ
wants to promote, to its existing customers, a line of cash-only “Cadillac” products.
In doing so, XYZ does not set up a separate legal entity for the cash sales;
rather, XYZ sells cash items under its existing corporate entity. The
question is whether HIPAA lets XYZ promote its cash products to existing customers.
The Health Insurance Portability and Accountability Act of 1996 and its
implementing regulations (HIPAA) outline the requirements for the use and
disclosure of protected health information (“PHI”) by a covered entity or business
associate. PHI is defined as “a subset of health information, including
demographic information collected from an individual” that (1) can identify
the individual; (2) is created or received by a health care provider or health
plan; (3) relates to the past, present, or future physical or mental health or
condition of an individual; and (4) is transmitted or maintained by electronic
media or otherwise. A covered entity includes a health care provider “who
transmits any health information in electronic form in connection with a
transaction covered [by HIPAA].” A business associate is an individual or
entity that performs certain services for a covered entity (the provider) and
that, pursuant to such services, requires access to the covered entity’s PHI.
Generally, unless an exception applies, covered entities are prohibited from
“using” or “disclosing” a patient’s PHI unless the covered entity obtains a HIPAA
compliant authorization for such disclosure. Prohibitions on use or disclosure
of PHI extend to using or disclosing PHI for marketing purposes. Marketing
is defined as any communication “about a product or service that encourages
recipients of the communication to purchase or use the product or service.” The
law excepts the following marketing communications from the requirement to
obtain a HIPAA authorization:
- A face-to-face communication by the covered entity to an individual.
- A nominal-value promotional gift provided by the covered entity.
As another exception to the marketing restriction, HIPAA allows communications
made by the covered entity to patients to describe a “health-related
product or service” provided by the covered entity. Thus, in our example, if
the cash products that XYZ offers are “health related,” then XYZ may contact
its existing customers and educate them regarding XYZ’s cash products. For
example, XYZ can (1) mail hard copy literature to its customers, (2) send an
email to its customers, and even (3) under certain conditions, call its customers.
If XYZ calls a customer within 15 months following the last time that the
customer obtained a Medicare-covered product from XYZ, then the phone call
will not violate Supplier Standard #11 or the telephone solicitation statute,
because the phone call falls within an exception to both the supplier standard
and the statute.
Now let us change the facts and assume that XYZ decides to set up a new
legal entity (“XYZ Retail, Inc.”) that will sell the cash products. XYZ Retail
will have a different Tax ID # from XYZ. Assume that XYZ desires to cross-sell
XYZ Retail’s cash products to XYZ’s customers. The challenge is that if
XYZ communicates to its customers about products offered by a different
legal entity (XYZ Retail), then the exception discussed above (i.e., describing
a health-related product provided by the covered entity) does not apply. XYZ
is not describing a health-related product provided by XYZ; rather, it is
describing a product provided by another entity. In this case, before XYZ can
communicate to its customers information about cash products offered by XYZ
Retail, XYZ must obtain a HIPAA authorization from the patients.
A HIPAA authorization can be obtained via email, in writing, or verbally.
Verbal authorization would require XYZ to retain a written transcript of its call
with the customer so that it can provide the customer with a written copy of the
authorization, if requested. HIPAA authorizations require certain core elements,
including (1) a meaningful description of the information that will be used
or disclosed; (2) the names of the parties that are disclosing the information
and that are requesting disclosure of the information; (3) a description of the
purpose of the disclosure; (4) an expiration date of the disclosure; and (5) the
signature of the individual and date the authorization is signed. A full description
of the requirements of a HIPAA-compliant authorization can be found on
the Office for Civil Rights (“OCR”) website and at 45 C.F.R. §164.508(c).
So, if XYZ Retail is created, then XYZ must obtain a HIPAA authorization to:
- Call or send email or mailers to customers regarding XYZ Retail.
- Talk to XYZ customers over the phone about XYZ Retail.
- Disclose PHI to XYZ Retail in order for XYZ Retail to contact XYZ’s customers.
A HIPAA authorization can be obtained by XYZ during a phone call initiated
by a customer. XYZ should not initiate calls to customers for the sole purpose of
obtaining a HIPAA authorization for marketing purposes. If a customer calls XYZ,
or if XYZ calls a patient, about a reorder or other items and services, then an XYZ
customer service representative (“CSR”) may be able to ask the customer if s/he
would like to receive information about products and services offered by an affiliated
company. If the customer says “yes,” then the CSR can obtain the HIPAA
authorization at that time. But, note that if a customer complains to the Office for
Civil Rights (“OCR”), then there is a risk that this conversation could be viewed as
a “use” of PHI for marketing purposes. In order to reduce this risk, if XYZ attempts
to obtain HIPAA authorizations during calls with patients, the messaging should
be carefully tailored to ensure that the CSR just requests an authorization, and if
the patient says “no,” then no further marketing or messaging is provided.
XYZ is not required to obtain a HIPAA authorization to advertise XYZ Retail
on XYZ’s website, or direct patients to XYZ’s website that advertises XYZ Retail.
XYZ is not required to obtain a HIPAA authorization to send patients promotional
gifts of nominal value printed with XYZ Retail’s information. The regulations
and available guidance do not specifically state whether the promotional
gift must advertise the covered entity. Absent published guidance to
the contrary, it is likely acceptable for XYZ to send XYZ’s customers a promotional
gift printed with XYZ Retail’s information. However, XYZ would not be
permitted to include any other information with the gift (i.e., no letter, flyer, or
any other explanatory information).
Lastly, in addition to HIPAA, XYZ should be mindful of other laws such as
the CAN-SPAM Act, the Telephone Consumer Protection Act (“TCPA”), HIPAA
security rules for securing PHI, and any analogous state laws addressing the
same topics. Further, there may be restrictions in XYZ’s commercial insurance
contracts that require XYZ to take assignment when it sells a product, covered
by the contract, to an individual covered by the contract.
This article originally appeared in the April 2020 issue of HME Business.
Jeffrey S. Baird, Esq. is chairman of the Health Care Group at law firm Brown & Fortunato, P.C., where he represents pharmacies, HME companies, and other healthcare providers throughout the United States. He can be reached at (806) 345-6320 or firstname.lastname@example.org.