Face Challenges Confidently

HIPAA Privacy Rule and Marketing

Wednesday, February 14th, 2018

By: Jeffrey S. Baird, Esq. & Elizabeth H. Jepson, Esq.

An important element of the success of a DME supplier is a vibrant marketing program. In implementing a marketing program, the supplier needs to avoid pitfalls pertaining to the Medicare anti-kickback statute (“AKS”), the federal beneficiary inducement statute, the federal telephone solicitation statute, the Stark physician self-referral statute, federal and state telephone consumer protection laws, and federal and state do-not-call registries. Equally as important, the supplier needs to be aware of the restrictions set out in HIPAA. HIPAA has a number of “rules” that must be followed, including the “Privacy Rule.” This rule addresses the “use and disclosure” of confidential information pertaining to patients. HIPAA refers to this information as “protected health information” or “PHI.” Unless an exception is met, the Privacy Rule requires a DME supplier to obtain authorization from a patient before the supplier can “use” or “disclose” the patient’s PHI.

Covered Entities and Business Associates

HIPAA applies to “covered entities” and their “business associates.” The term “covered entities” includes an entity that “furnishes, bills, or is paid for health care.” A “business associate” is a person or entity, other than an employee of the covered entity, that “creates, receives, maintains, or transmits [PHI] on behalf of the covered entity”…in our case, a DME supplier. Examples of services provided by business associates include claims processing, data analysis, data processing, utilization review, and billing. For example, an outside marketing company would be a business associate of a DME supplier if, when performing services, the marketing company uses PHI provided by the supplier.

On the other hand, if the marketing company does not contact the DME supplier’s patients (on behalf of the supplier) and the marketing company does not utilize PHI provided by the supplier, then the marketing company would not be considered the supplier’s “business associate.” In this case, HIPAA would not apply to the marketing company’s arrangement with the DME supplier.

Patient Authorization

A DME supplier must obtain a patient’s “blue ink” or electronic authorization for use or disclosure of PHI that is not for “treatment, payment, or healthcare operations” or otherwise permitted under the Privacy Rule. Communications, for the purpose of marketing, require written authorization under HIPAA. If communications meet the HIPAA definition of “marketing” then the DME supplier will have to obtain the patient’s written (”blue ink” or electronic) authorization for the “use” or “disclosure” before the supplier uses the PHI for marketing purposes.

Marketing

HIPAA defines “marketing” as “a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service.” The Privacy Rule generally requires the supplier to obtain a prior authorization for use or disclosure of PHI for marketing purposes unless the communication is in the form of (i) a face-to-face communication made by the supplier to the patient, or (ii) a promotional gift of nominal value provided by the DME supplier.

When Authorization is Not Required

The Privacy Rule sets out two exceptions to the definition of “marketing.” If one of these two exceptions is met, then the patient’s prior authorization is not required prior to the supplier “using” or “disclosing” the patient’s PHI. The first exception allows the DME supplier to provide refill reminders to its patients. The second exception allows the supplier to make communications for certain treatment and health care operations purposes, except where the supplier receives remuneration in exchange for the communication. Communications made for treatment and health care operations that are not considered marketing include “communications to describe a health-related product or service…that is provided by…the covered entity making the communication.” This exception allows the supplier to communicate to its patients about the supplier’s own health-related products and services.


Jeffrey S. Baird, JD, is Chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies and other health care providers throughout the United States. Mr. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320 or jbaird@bf-law.com.

Elizabeth H. Jepson, Esq, is an attorney with the Health Care Group at Brown & Fortunato PC, a law firm based in Amarillo, Tex. She represents pharmacies, HME companies, hospitals, and other health care providers throughout the United States. Ms. Jepson is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6312 or ejepson@bf-law.com.