

HIPAA: Using and Disclosing Protected Health Information

November 19, 2017

AMARILLO, TX – Assume that ABC Medical Equipment, Inc. is a Medicare-enrolled DME supplier and that XYZ Retail Sales, Inc. (a separate legal entity) is a cash-only business. Assume that ABC and XYZ have identical ownership. Lastly, assume that (i) ABC would like to provide XYZ with ABC patients’ contact information so that XYZ can advertise its products to the ABC patients and/or (ii) ABC would like to send advertisements to ABC patients that promote XYZ products.

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) governs the use and disclosure of protected health information (“PHI”) by covered entities. A covered entity includes a “health care provider who transmits any health information in electronic form in connection with a transaction covered [by HIPAA].” ABC would be considered a “covered entity;” XYZ would not be considered a “covered entity.”

HIPAA places restrictions on the “use” and “disclosure” of PHI by a covered entity. One restriction is that a covered entity must “obtain an authorization for any use or disclosure of [PHI] for marketing …” “Marketing” is defined as “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.”

There are exceptions to the requirement to obtain a HIPAA authorization from the patient for marketing. The following types of communications are not considered “marketing”:

  • Communications made “for treatment of an individual by a health care provider;”
  • Communications made “to describe a health-related product or service … that is provided by … the covered entity making the communication;” and
  • Communications made “for case management and care coordination, contacting individuals with information about treatment alternatives, and related functions.”

Further, HIPAA permits a covered entity to forgo a HIPAA authorization where the covered entity makes the marketing communication (1) face-to-face with the patient or (2) in the form of a “promotional gift of nominal value.”

And so what are ABC’s and XYZ’s options?

HIPAA Authorizations

ABC may use patients’ PHI or share such PHI with XYZ if it has valid HIPAA authorizations from those patients who will be receiving the marketing communication. A valid HIPAA authorization requires specific elements, including a description of the information to be disclosed, the name of the individuals/entities to which the information will be disclosed, an expiration date, and the patient’s signature.

Purchase Equipment from XYZ

One exception to the HIPAA marketing rule is that a covered entity may send communications to its patients “to describe a health-related product or service … that is provided by … the covered entity making the communication.” Thus, ABC is permitted to advertise its product offerings to its own patients.

If ABC purchases the equipment from XYZ and markets and sells such equipment to its own patients, then it will be able to use its patients’ PHI for such marketing. Under this scenario, XYZ will serve as the wholesaler to ABC, which will be the supplier to the patient.

Promotional Gifts of Nominal Value

ABC is permitted to send its patients a small promotional gift of nominal value (such as a magnet or pen). Although it is not explicitly stated in the law, a credible argument can be made that this statute can be interpreted to include small promotional gift items that are branded with XYZ information.

Linking of Websites

ABC can link its website to XYZ’s website. ABC can encourage its patients to visit ABC’s website.


Jeff Baird will be presenting the following webinar.

Webinar sponsored by HME Business

Collaboration With Hospitals, Physicians and Other Referral Sources

Presented by: Jeffrey S. Baird, Esq., Brown & Fortunato, P.C.

Thursday, November 30, 2017

1:00 p.m. CENTRAL TIME

There are a number of terms that have recently entered the DME industry’s vocabulary: “data analytics,” “quality outcomes,” “performance measurements,” and “collaborative care.” Collectively, these stand for the proposition that third party payors no longer intend to pay for health care services that are provided in “silos.” Said another way, payors expect health care providers (physicians, hospitals, SNFs, pharmacies, DME suppliers and home health agencies) to work together to keep patients healthy…and keep them from being readmitted to the hospital time and time again. Payors expect providers to know what other providers are doing in treating a particular patient. This program will examine the ways that DME suppliers can legally collaborate with hospitals, physicians, and other referral sources. Particular areas of focus are (i) preferred provider arrangements with hospitals; (ii) employee liaison arrangements with hospitals, physicians and other providers; (iii) consignment (“loan closet”) arrangements with hospitals, physicians and other providers; (iv) medical director agreements with physicians; and (v) agreements among providers to collect and share patient data so as to measure outcomes.

Register for “Collaboration With Hospitals, Physicians and Other Referral Sources” on Thursday, November 30, 2017, 1:00 p.m. CT, with Jeffrey S. Baird, Esq., of Brown & Fortunato, PC.

Registration: $99 for access to the live event, plus an on-demand version of the event for three additional months

 Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato, PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization, and can be reached at (806) 345-6320 or