Moving the HME Industry Forward

General Healthcare

Understanding the HIPAA Marketing Guidelines

September 23, 2013

AMARILLO, TX – One of the lynchpins of a successful DME supplier is an aggressive and innovative marketing program. Most suppliers are aware that when implementing a marketing program involving Medicare/Medicaid patients, they need to avoid violating the commonly-known federal anti-fraud statutes: Medicare anti-kickback statute, beneficiary inducement statute, telephone solicitation statute and the Stark physician self-referral statute.  

In implementing a marketing program, if the DME supplier avoids servicing patients covered by a federal or state health care program, then the supplier may feel that it is “home free” and can structure the program however the supplier wants to structure it.  While it is certainly helpful that the DME supplier does not have to be concerned about federal anti-fraud statutes, the supplier is not entirely out of the woods.  The DME supplier needs to be aware of the HIPAA marketing restrictions.

The Health Insurance Portability and Accountability Act (HIPAA) requires “covered entities” to obtain a valid authorization from individuals before using or disclosing protected health information (“PHI”) to market a product or service to them. See 45 CFR § 164.508(a)(3).  A DME supplier falls within the HIPAA definition of a “covered entity.” PHI is a subset of “individually identifiable health information,” which is defined as:
• information that is a subset of health information, including demographic information collected from an individual;
• created or received by a health care provider . . . ;
• related to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual; and
• that identifies the individual; or
• with respect to which there is a reasonable basis to believe the information could be used to identify the individual.
45 CFR §160.103.
HIPAA broadly defines “use” of PHI to include the sharing, employment, application, utilization, examination, or analysis of such information. 42 CFR § 160.103. The new HIPAA definition of marketing states what is not marketing:
Marketing does not include a communication made: . . . [f]or the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication[,] . . . to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.
45 CFR § 164.501 (2013) (emphasis added). Marketing communications require prior valid authorization from the customer. 45 CFR § 164.508(a).
Therefore, to avoid HIPAA’s requirement that the DME supplier obtain a valid authorization from the customer before making a marketing communication, the marketing communication must concern a health-related product or service (i) provided by the supplier and (ii) the supplier cannot receive financial remuneration in exchange for making the communication.
Earlier this year, when the Department of Health and Human Services revised the definition of marketing communication, it issued the following comments to the final rule:
We believe Congress intended that these provisions curtail a covered entity’s ability to use the exceptions to the definition of “marketing” in the Privacy Rule to send communications to the individual that are motivated more by commercial gain or other commercial purpose rather than for the purpose of the individual’s health care, despite the communication being about a health-related product or service.
78 Fed. Reg. 5592. HIPAA applies to any patient…no matter how old or how young…and whether the patient is covered by Medicare or commercial insurance.  In other words, HIPAA is not limited to Medicare patients.  These comments make it clear that a health care provider (including a DME supplier) can only use a patient’s PHI for the medical benefit of the patient.

The DME supplier cannot disclose or use the PHI for purposes of marketing (i.e., for the purposes of making money) unless the patient gives a valid prior written authorization for such use or disclosure.  In short, when the patient “walks into the provider’s facility,” the patient needs to feel secure that his PHI will only be used for the purpose that it was designed to be used.

Jeffrey S. Baird, JD, is chairman of the Health Care Group at Brown & Fortunato PC, a law firm based in Amarillo, Tex. He represents pharmacies, infusion companies, HME companies, and other health care providers throughout the United States. Baird is Board Certified in Health Law by the Texas Board of Legal Specialization and can be reached at (806) 345-6320 or