An important element of the success of DME suppliers is a vibrant marketing program. In implementing a marketing program, the supplier needs to avoid pitfalls pertaining to the Medicare anti-kickback statute, the federal beneficiary inducement statute, the federal telephone solicitation statute, the Stark physician self-referral statute, federal and state telephone consumer protection laws, and federal and state do-not-call registries.
Equally important, suppliers need to be aware of the restrictions set out in HIPAA.
HIPAA has a number of “rules” that must be followed, including the “Privacy Rule.” This rule addresses the “use and disclosure” of confidential information pertaining to patients. HIPAA refers to this info as “protected health information”.
Unless an exception is met, the Privacy Rule requires a supplier to obtain authorisation from a patient before the supplier can “use” or “disclose” the patient’s PHI.
Covered Entities and Business Associates
HIPAA applies to “covered entities” and their “business associates.” The term “covered entities” includes an entity that “furnishes, bills, or is paid for health care.” A “business associate” is a person or entity, other than an employee of the covered entity, that “creates, receives, maintains, or transmits [PHI] on behalf of the covered entity in our case, a DME supplier.
Examples of services provided by business associates include claims processing, data analysis, data processing, utilisation review, and billing.
For example, an outside marketing company would be a business associate of a DME supplier if, when performing services, the marketing company uses PHI provided by the supplier.
On the other hand, if the marketing company does not contact the DME supplier’s patients (on behalf of the supplier) and the marketing company does not utilise PHI provided by the supplier, then the marketing company would not be considered the supplier’s “business associate.” In this case, HIPAA would not apply to the marketing company’s arrangement with the DME supplier.
Patient Authorisation
A DME supplier must obtain a patient’s “blue ink” or electronic authorisation for use or disclosure of PHI that is not for “treatment, payment, or healthcare operations” or otherwise permitted under the Privacy Rule. Communications, for the purpose of marketing, require written authorisation under HIPAA.
If communications meet the HIPAA definition of “marketing” then the DME supplier will have to obtain the patient’s written (”blue ink” or electronic) authorisation for the “use” or “disclosure” before the supplier uses the PHI for marketing purposes.
Marketing
HIPAA defines “marketing” as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”
The Privacy Rule generally requires suppliers to obtain a prior authorisation for use or disclosure of PHI for marketing purposes unless the communication is in the form of
(i) a face-to-face communication made by the supplier to the patient, or
(ii) a promotional gift of nominal value provided by the DME supplier.
When Authorisation is Not Required?
The Privacy Rule sets out two exceptions to the definition of “marketing.” If one of these two exceptions is met, then the patient’s prior authorisation is not required prior to the supplier “using” or “disclosing” the patient’s PHI.
The first exception allows the DME supplier to provide refill reminders to its patients. The second exception allows the supplier to make communications for certain treatment and health care operations purposes, except where the supplier receives remuneration in exchange for the communication.
Communications made for treatment and health care operations that are not considered marketing include “communications to describe a health-related product or service that is provided by the covered entity making the communication.” This exception allows the supplier to communicate to its patients about the supplier’s own health-related products and services.
Feel free to contact our team to learn more about HIPAA privacy rule and marketing for your supplies.