Innovative marketing has always been important to the successful DME supplier. There is now a confluence of events that is pushing the importance of marketing to the critical level. These events include competitive bidding, aggressive post-payment audits and prepayment review, increasingly stringent documentation requirements, and reduced reimbursement. And yet, with 78 million baby boomers retiring at the rate of 10,000 per day, the demand for what the DME industry has to offer is increasing exponentially. Most suppliers are aware that when implementing a marketing program involving Medicare/Medicaid patients, they need to avoid violating the commonly-known federal antifraud statutes, including the Medicare anti-kickback, beneficiary inducement, telephone solicitation and Stark physician self-referral statutes. In implementing a marketing program, if the DME provider either complies with the federal antifraud laws or avoids servicing patients covered by a federal or state health care program, then the supplier may feel this is enough. While this approach may make things a bit easier, the DME provider still needs to be aware of other marketing restrictions. The Health Insurance Portability and Accountability Act (HIPAA) requires covered entities to obtain a valid authorization from individuals before using or disclosing protected health information (PHI) to market a product or service to them. A DME provider falls within the HIPAA definition of a covered entity. PHI is a subset of "individually identifiable health information," which is defined as (i) information that is a subset of health information, including demographic information collected from an individual, and (ii) is created or received by a health care provider . . . ; and (iii) related to the past, present, or future physical or mental health or condition of any individual, the provision of health care to an individual; and (iv) that identifies the individual; or (v) with respect to which there is a reasonable basis to believe the information could be used to identify the individual. The new HIPAA definition of marketing defines what is not marketing: Marketing does not include a communication made: . . . [f]or the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication[,] . . . to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits. Marketing communications require prior valid authorization from the customer. Therefore, to avoid HIPAA's requirement that the DME supplier obtain a valid authorization from the customer before making a marketing communication, the marketing communication must concern a health-related product or service (i) provided by the supplier and (ii) the supplier cannot receive financial remuneration in exchange for making the communication. Earlier this year, when the Department of Health and Human Services revised the definition of marketing communication, it issued the following comments to the final rule: We believe Congress intended that these provisions curtail a covered entity\'92s ability to use the exceptions to the definition of marketing in the Privacy Rule to send communications to the individual that are motivated more by commercial gain or other commercial purpose rather than for the purpose of the individual\'92s health care, despite the communication being about a health-related product or service. HIPAA applies to any patient, regardless of age or Medicare participation. Providers can only use a patient's PHI for the medical benefit of the patient, and are prohibited from using the PHI for marketing unless the patient gives a valid prior written authorization.
Regardless of your business model, HIPAA regulations apply
Tuesday, March 10, 2015