Provider Strategy

HIPAA and Cash Sales

Providers must understand how HIPAA factors into the retail equation.

Increasingly, DME suppliers are seeking to diversify their income streams by selling products for cash. Assume that XYZ Medical, Inc. has a PTAN and that its principal business is to provide Medicare-covered items on an assigned basis. To lessen its dependence on Medicare, XYZ wants to promote a line of cash-only “Cadillac” products to its existing customers. XYZ does not set up a separate legal entity for the cash sales; rather, it sells the cash items under its existing corporate entity. The question is whether HIPAA allows XYZ to promote its cash products to its existing customers.


The Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (HIPAA) outline the requirements for the use and disclosure of protected health information (“PHI”) by a covered entity or business associate. PHI is defined as “a subset of health information, including demographic information collected from an individual” that (1) can identify the individual; (2) is created or received by a health care provider or health plan; (3) relates to the past, present, or future physical or mental health or condition of an individual; and (4) is transmitted or maintained by electronic media or otherwise. A covered entity includes a health care provider “who transmits any health information in electronic form in connection with a transaction covered [by HIPAA].” A business associate is an individual or entity that performs certain services for a covered entity (the provider) and that, pursuant to such services, requires access to the covered entity’s PHI.

Generally, unless an exception applies, a covered entity may not “use” or “disclose” a patient’s PHI without first obtaining a HIPAA-compliant authorization. This prohibition extends to using or disclosing PHI for marketing purposes. Marketing is defined as any communication “about a product or service that encourages recipients of the communication to purchase or use the product or service.” The law excepts the following marketing communications from the requirement to obtain a HIPAA authorization:

  1. A face-to-face communication by the covered entity to an individual.
  2. A nominal-value promotional gift provided by the covered entity.

As another exception to the marketing restriction, HIPAA allows a covered entity to communicate with its patients to describe a “health-related product or service” provided by the covered entity. Thus, in our example, if the cash products that XYZ offers are “health related,” then XYZ may contact its existing customers and educate them about XYZ’s cash products. For example, XYZ can (1) mail hard-copy literature to its customers, (2) email its customers, and even (3) under certain conditions, call its customers. If XYZ calls a customer within 15 months after the customer last obtained a Medicare-covered product from XYZ, the call will violate neither Supplier Standard #11 nor the telephone solicitation statute, because it falls within an exception to both.

HIPAA Authorizations

Now let us change the facts and assume that XYZ decides to set up a new legal entity (“XYZ Retail, Inc.”) to sell the cash products. XYZ Retail will have a different Tax ID number from XYZ. Assume that XYZ wants to cross-sell XYZ Retail’s cash products to XYZ’s customers. The challenge is that if XYZ communicates with its customers about products offered by a different legal entity (XYZ Retail), then the exception discussed above (describing a health-related product provided by the covered entity) does not apply: XYZ is not describing a health-related product provided by XYZ, but a product provided by another entity. In this case, before XYZ can communicate to its customers information about cash products offered by XYZ Retail, XYZ must obtain a HIPAA authorization from those patients.

A HIPAA authorization can be obtained via email, in writing, or verbally. A verbal authorization requires XYZ to retain a written transcript of its call with the customer so that it can provide the customer with a written copy of the authorization on request. A HIPAA authorization must contain certain core elements, including (1) a meaningful description of the information that will be used or disclosed; (2) the names of the parties disclosing the information and of the parties requesting the disclosure; (3) a description of the purpose of the disclosure; (4) an expiration date or expiration event; and (5) the signature of the individual and the date the authorization is signed. A full description of the requirements of a HIPAA-compliant authorization can be found on the Office for Civil Rights (“OCR”) website and at 45 C.F.R. §164.508(c).

So, if XYZ Retail is created, then XYZ must obtain a HIPAA authorization to:

  • Call or send email or mailers to customers regarding XYZ Retail.
  • Talk to XYZ customers over the phone about XYZ Retail.
  • Disclose PHI to XYZ Retail in order for XYZ Retail to contact XYZ’s customers.

A HIPAA authorization can be obtained by XYZ during a phone call initiated by a customer. XYZ should not initiate calls to customers for the sole purpose of obtaining a HIPAA authorization for marketing purposes. If a customer calls XYZ, or if XYZ calls a patient about a reorder or other items and services, then an XYZ customer service representative (“CSR”) may be able to ask the customer whether s/he would like to receive information about products and services offered by an affiliated company. If the customer says “yes,” the CSR can obtain the HIPAA authorization at that time. Note, however, that if a customer complains to OCR, there is a risk that this conversation could be viewed as a “use” of PHI for marketing purposes. To reduce this risk, if XYZ attempts to obtain HIPAA authorizations during calls with patients, the script should be carefully tailored so that the CSR only requests the authorization; if the patient says “no,” no further marketing or messaging is provided.

XYZ is not required to obtain a HIPAA authorization to advertise XYZ Retail on XYZ’s website, or direct patients to XYZ’s website that advertises XYZ Retail.

XYZ is not required to obtain a HIPAA authorization to send patients promotional gifts of nominal value printed with XYZ Retail’s information. The regulations and available guidance do not specifically state whether the promotional gift must advertise the covered entity. Absent published guidance to the contrary, it is likely acceptable for XYZ to send XYZ’s customers a promotional gift printed with XYZ Retail’s information. However, XYZ would not be permitted to include any other information with the gift (i.e., no letter, flyer, or any other explanatory information).

Lastly, in addition to the HIPAA Privacy Rule, XYZ should be mindful of other laws such as the CAN-SPAM Act, the Telephone Consumer Protection Act (“TCPA”), the HIPAA Security Rule governing the safeguarding of electronic PHI, and any analogous state laws addressing the same topics. Further, XYZ’s commercial insurance contracts may contain restrictions requiring XYZ to take assignment when it sells a product covered by the contract to an individual covered by the contract.

This article originally appeared in the April 2020 issue of HME Business.

About the Author

Jeffrey S. Baird, Esq., is Chairman of the Health Care Group at Brown & Fortunato, a law firm with a national health care practice based in Texas. He represents HME companies, pharmacies, infusion companies, manufacturers and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or
