Understand the HIPAA implications when selling patient lists & records
by Edward Vishnevetsky

Even though the Medicare DMEPOS Competitive Bidding Program only allows contract suppliers to supply competitively-bid items in particular areas, non-contract suppliers in these areas are not so quick to give up their patients.
 
Instead, non-contract suppliers are finding ways to capitalize on their former patient base. One way is to sell patient lists and patient records to contract suppliers by way of an asset sale. Depending on the arrangement structure and how the information will be used by the buyer, this type of sale may raise patient privacy issues. Recent multimillion-dollar fines against health care entities should be taken seriously.
 
The Health Information Portability and Accountability Act of 1996 (HIPAA) is a federal law that prevents a health care provider, such as a DME supplier or “Covered Entity,” from disclosing individually identifiable “protected health information” (PHI) unless authorized by the individual. The exception is when this prohibition would result in unnecessary interference with access to quality health care or with certain other important public benefits or national priorities.
 
PHI includes information that (a) relates to (i) an individual’s past, present or future physical or mental health or condition; (ii) the provision of health care to the individual; or (iii) the past, present, or future payment for the provision of health care to the individual, and (b) that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual (name, address, birth date, social security number).
  
One circumstance in which a covered entity can disclose PHI of an individual without obtaining the individual’s authorization is for “treatment, payment and health care operations.” Treatment is the provision, coordination or management of health care and related services among or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another. Payment is all activities of health care providers to obtain payment or be reimbursed for their services.
 
Health care operations are administrative, financial, legal and quality improvement activities of a Covered Entity that are necessary to run its business and to support treatment and payment.
 
Disclosure is complicated by how HIPAA defines marketing. The Privacy Rule defines marketing as making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. If the communication is marketing, then the communication can occur only if the Covered Entity first obtains an individual’s authorization.
 
Marketing also includes an arrangement between a Covered Entity and any other entity whereby the Covered Entity discloses PHI to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to communicate about its own product/service that encourages recipients to purchase or use that product or service.
 
Since DME suppliers make more money by selling various types of DME to their patients, buying patient lists or records to encourage patients to buy other types of DME may be construed as the archetypal example of marketing.
   
According to the U.S. Department of Health and Human Services, one example of marketing is when a health plan sells a list of its members to a DME company that sells blood glucose monitors, which intends to send the plan’s members brochures on the benefits of purchasing and using the monitors. Because the DME company does not know if the individual requires a monitor, marketing the monitor to the individual without their authorization is a violation of HIPAA.
 
If the health plan transfers the actual medical records of its patients to the DME company without authorization, this may be a violation of HIPAA, because the patient records are not transferred for purposes of treatment, payment or health care operations.
 
DME suppliers should analyze every asset sale to determine whether the sale implicates the treatment, payment and operations exception to disclosure under HIPAA or instead constitutes marketing. DME suppliers should also review their respective state privacy laws and compare them to HIPAA.