Sale of Patient Information: HIPAA Restrictions

November 23, 2015

AMARILLO, TX – It is not uncommon for a DME supplier to accumulate a large database of patients that it has sold products to in the past. This database of patients (“patient list”) will likely include Medicare patients, Medicaid patients, and commercial insurance patients. Assume that the DME supplier would like to monetize the portion of the patient list that does not include patients covered by a government health care program.

For example, assume that the DME supplier has relationships with multiple laboratories (“labs”) that conduct various types of medical tests. Assume that the DME supplier proposes that the labs pay compensation to the supplier for the information. Assume that the DME supplier proposes to send each patient, whose information is contained in the patient list, a postcard to sign that would give (i) the supplier the right to send the patient’s name and contact information to the labs, and (ii) the labs permission to contact the patient by phone or by other means.

The HIPAA Privacy Rule requires a covered entity or business associate to “not use or disclose protected health information, except as permitted or required.” A “covered entity” means a health plan, health care clearinghouse, or a health care provider that transmits any health information in electronic form in connection with a transaction.

“Protected health information” is defined as individually identifiable health information that is transmitted by or maintained in electronic media, or transmitted or maintained in any other form or medium. Information is considered “individually identifiable health information” if it contains demographic information collected from an individual, and:

• is created or received by a health care provider; and
• relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and
• identifies the individual, or gives a reasonable basis to believe the information can be used to identify the individual.

Assume that over the years, the DME supplier has provided products and services to a large number of patients. During this time, the supplier has collected information relating to each patient’s physical condition, medical diagnosis, insurance information, as well as other demographic information. If the DME supplier has transmitted any health information in electronic form in connection with a health care transaction, then the supplier will be considered a covered entity under HIPAA. Assuming that the DME supplier meets the definition of a covered entity, it will be required to not use or disclose protected health information, except as permitted or required.

Assume that the DME supplier desires to sell patient lists to laboratories that likely contain protected health information, such as patient names, telephone numbers, email addresses, medical conditions, health insurer information, or other information that may be used to market laboratory services. Such information may only be disclosed if permitted by the HIPAA Privacy Rule.

The HIPAA Privacy Rule permits the sale of protected health information only with a valid authorization from the individual. A valid authorization for the sale of protected health information must be written in plain language and include the following:

• a statement that the disclosure will result in remuneration to the covered entity;
• a description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
• the name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;
• the name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
• a description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose;
• an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. “The statement ‘end of the research study,’ ‘none,’ or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository”;
• signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided;
• the individual’s right to revoke the authorization in writing, and either:
— the exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
— to the extent that those exceptions and that revocation procedure are described in the covered entity’s Notice of Privacy Practices, a reference to the Notice;
• the ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
— that the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization, when the prohibition on conditioning of authorizations applies under 45 C.F.R. § 164.508(b)(4); or
— the consequences to the individual of a refusal to sign the authorization, when, in accordance with 45 C.F.R. § 164.508(b)(4), the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on obtaining such authorization;
• the potential for information disclosed pursuant to the authorization to be redisclosed by the recipient and no longer be protected by the HIPAA Privacy Rule.

To meet the requirements of HIPAA, the DME supplier must document and retain the signed authorization that contains the above language and provide a copy to the patient.

State Kickback Issues
Because the patients on the list being sold are not covered by a government health care program, the federal (Medicare) anti-kickback statute is not implicated. However, even if the HIPAA requirements are met, the DME supplier still needs to determine whether the arrangement violates an applicable state anti-kickback statute.

For example, the Illinois Patient and Client Procurement Statute, which is contained in the Illinois Insurance Claims Fraud Prevention Act, states, in pertinent part, that:

• It is unlawful to knowingly offer or pay any remuneration directly or indirectly, in cash or in kind, to induce any person to procure clients or patients to obtain services or benefits under a contract of insurance or that will be the basis for a claim against an insured person or the person’s insurer.

• A person who violates any provision of this Act … shall be subject, in addition to any other penalties that may be prescribed by law, to a civil penalty of not less than $5,000 nor more than $10,000, plus an assessment of not more than 3 times the amount of each claim for compensation under a contract of insurance … The penalty prescribed in this subsection shall be assessed for each fraudulent claim upon a person in which the defendant participated.

