Crossing the Legal Sales Line: Do You Know the Warning Signs?

The following vignettes offer hypothetical examples of potential quagmires. Commentary is provided by Today’s Wound Clinic editorial advisory board member Roger Shindell, MS, CHPS, CISA, an authority on HIPAA. However, the commentary is not meant to serve as legal instruction. Readers should contact a lawyer for all legal guidance. 

Also See Part 2 of this article series.

Scenario No. 1: VLUs & DFUs That Won’t Heal

“Bob,” the helpful sales representative for a company that manufactures wound care CTPs, really wants to meet his sales quota this month. As it turns out, the staff at Super Busy Wound Care Center has many patients scheduled who probably could be helped by the product that Bob is marketing. His company has signed a business associate agreement (BAA) with the parent hospital, and that’s why he’s been assured by his corporate legal department that it’s ok for him to view HIPAA-protected information in the patients’ charts. He spends one particular afternoon at the Super Busy center going through a stack of charts for patients living with venous leg ulcers (VLUs) or diabetic foot ulcers (DFUs) that haven’t decreased in size by at least 40% over four weeks. There are a lot of wounds here that the clinic is not aggressively treating, and it seems like what Bob is doing is actually providing a valuable service, assuming that the clinic is not going to be more proactive in treating these wounds. He finds six patients who are good candidates for a CTP and suggests to the nurses that he start the insurance verification process, and the nurses give him the OK. Did Bob cross the line? 

Roger Shindell (RS): “Goodness, there are so many questions to ask here. From a HIPAA perspective, first, we must know if Bob is a business associate (BA) of Super Busy Wound Center, or if he was erroneously deemed a BA. If vendors do not perform a function, service, or activity that uses/discloses protected health information (PHI), they would not be considered a BA. So, if Bob is simply selling a product, such as a secondary dressing, he would not be considered a BA because he would not need/have access to PHI. Therefore, he would certainly not be privy to patient charts. On the other hand, if Bob is involved in training a physician on how to use a primary wound dressing that directly involves patients, he would have access to PHI and would be considered a BA, and the BAA would be required. The BAA of Bob’s company should include what uses and disclosures are appropriate for CTP reps to access. The HIPAA Privacy Rule allows covered entities (CEs) to engage BAs if the information gained by the BA is used only for the purposes for which the CE engaged it. The information is not for the BA’s independent use or purposes. The BA contract must limit the BA’s uses and disclosures of (as well as requests for) PHI to be consistent with the CE’s ‘minimum necessary’ policies and procedures. This means that Bob would be restricted to only the PHI that is necessary to accomplish the intended purpose. The BA may only have PHI that helps the CE carry out its healthcare functions, not for independent use and purposes. In the event that Bob has access to PHI and is a BA, he is restricted to only the PHI needed to do his job. (That is, if Bob is showing ‘Dr. X’ how to use a new primary dressing on ‘Patient Y,’ Bob only has access to Patient Y’s PHI. In the unlikely event that Bob is a physician involved in the treatment procedure, treatment information would not be limited. In some situations, a CE may disclose PHI to a CTP company without a patient’s written authorization only if the CTP company is a healthcare provider (ie, if it furnishes, bills, or is paid for healthcare in the normal course of business). Healthcare is defined as ‘care, services, or supplies related to the health of an individual.’ Lastly, the public health provisions of the privacy rule allow a CE to make disclosures, without an authorization, to the CTP company or other person that is subject to the jurisdiction of a U.S. Food & Drug Administration-related product or activity for which the person or entity has responsibility. In all likelihood, Bob should not be combing patient files any more than the janitor, chaplain, or cafeteria worker!” 

Scenario No. 2: Insurance Verification 

Bob, the helpful CTP rep, offers to lighten the load of the overworked front-office staff by handling the paperwork for “Mrs. Jones’” CTP insurance verification. With her chart in hand, he calls “Vera,” the verification specialist, whose hotline services are paid for by his company, the CTP manufacturer. The problem is that “Dr. Overworked” hasn’t provided sufficient documentation in the chart to justify the medical necessity of this patient getting a CTP. So, together, Bob and Vera go to work. Vera reads a series of questions to Bob over the phone, and he combs through the chart, looking for enough information to support the medical necessity of a CTP for Mrs. Jones. Neither is completely sure about the meanings of a few of the medical terms, or whether her prediabetes can be diagnosed as diabetes. However, a diagnosis of diabetes would help justify the CTP, so they include diabetes on her list of indications. When they have completed the attestation paperwork, Dr. Overworked is grateful and he signs it without actually reading it. Did Bob and/or Vera cross the line? What should Dr. Overworked be concerned about? 

RS: “Bob certainly is a helpful rep! However, here the staff again must know whether he is a BA of this clinic. If he is not a BA, he should not be handling PHI for the clinic. His only role would be aiding the clinic with selection of the CTP products he is selling. As in the previous scenario, if Bob is a BA, he should be receiving the ‘minimum necessary information’ needed in order for him to do his job. Presumably, this information would be related to the use of his product established within the clinic. Thus, calling about insurance verification would be outside of the scope of the ‘minimum necessary’ rule. If Bob is a BA, but is calling Vera about something outside of the scope of his BAA, he has engaged in a breach of PHI. The clinic and his company can both be responsible for this sort of breach. It is even worse (enforcement-wise) if the clinic staff knew Bob was engaging in activities outside the scope of the BAA and did nothing to prevent it, stop it, or report it. It appears to be a conflict of interest as well if Bob pays for the hotline services that Vera uses. However, if the hotline staff is a subcontractor of Bob’s company, then this, too, is inappropriate access of PHI. This would mean the subcontractor is also engaging in inappropriate access of PHI (a HIPAA breach), and the subcontractor and Bob’s company could face consequences from the U.S. Department of Health & Human Services’ (HHS’) Office for Civil Rights, which enforces HIPAA regulations. It is a HIPAA requirement that HIPAA CEs and BAs be trained on the privacy regulations. In this case, all involved appear to need training in the ‘minimum necessary’ rule, the use and disclosure of PHI, the inappropriate access of PHI/electronic PHI, and the general patient rights, such as confidentiality. State and federal criminal and civil penalty discussions may also be of use.” 

Scenario No. 3: APCs & Package Pricing  

“Pam,” the passionate program director, is having an increasingly hard time keeping her hospital-based outpatient wound center in the financial black since the advent of package pricing for cellular products. She appreciates it when Bob, the helpful CTP rep, donates products, because that’s a huge help to her bottom line. The way this transaction works is that Bob donates the product and Pam still charges the high-bucket Ambulatory Payment Classification (APC) rate without having to fork over practically the entire sum to cover the cost of the product. What a huge help! Did Pam cross the line?  

RS: “HIPAA requires patient authorization for marketing, but prior authorization is not needed to give a promotional gift of nominal value. In this case, Pam is passing on Bob’s ‘gift’ of products to patients. Passing on Bob’s free product to patients has no consequences under the privacy rule. However, HIPAA established a national Health Care Fraud and Abuse Control
(HCFAC) program through the HHS Office of Inspector General (OIG) that’s designed to coordinate federal, state, and local law enforcement activities with respect to healthcare fraud and abuse. Pam’s skirting of the rules may land her in hot water through HCFAC or the False Claims Act (FCA).  If Bob is receiving additional business by providing Pam with product, Pam and Bob may also be guilty of the federal anti-kickback statute, a criminal law that prohibits the knowing and willful payment of ‘remuneration’ to induce or reward patient referrals or generation of business involving any item or service payable by federal healthcare programs (eg, drugs, supplies, healthcare services for Medicare or Medicaid patients [as defined by the OIG]). While this may put Pam in the black, she may want to keep a good lawyer on speed dial.”

Scenario No. 4: Donated CTPs

“Dr. Top Cellular User” prides herself in keeping up with all the newest CTPs. However, it takes a long time for new products to get on the hospital formulary (if they ever do at all), so if she wants to keep up with what’s new, she can only do that by trying donated cellular products. Sometimes, half of the CTP applications she does each week are actually donated by the manufacturer. However, since she gets reimbursed the same amount regardless of which product she applies, it doesn’t matter. She bills them all the same, regardless of whether the product was purchased by the hospital or donated. After all, the hospital is the party that is supposed to buy the CTP, so as far as her charges are concerned, it really doesn’t matter that the product was donated. Has Dr. Top Cellular User crossed the line?  

RS: “Again, Dr. Cellular has gifts presumably of nominal value here, so HIPAA privacy regulations do not apply. However, to summarize sections from the FCA: ‘Any person who knowingly presents, or causes to be presented, a false or fraudulent claim for payment or approval … or causes to be made or used, a false record or statement material to a false or fraudulent claim … intending to defraud the government, is liable to the United States government for a civil penalty of not less than $5,000 and not more than $10,000,’ and potentially criminal charges — insurance fraud also is a criminal act. Perhaps Dr. Cellular could share attorney costs with Pam, the program director.” 

Scenario No. 5: CTP Samples

Bob, the helpful CTP rep, has offered to provide CTP samples to “Dr. Interested” for any three patients of her choice. Dr. Interested identifies a candidate patient, explains to the patient that he or she has the opportunity to have a free product, so that she (the physician) can gain experience with it, and asks if the patient is comfortable with allowing Bob to be in the room during the procedure. The patient agrees. Bob provides Dr. Interested and the clinic nurse with instruction and advice on how to prepare and best apply the product. The patient agrees to let Bob take wound photos, but Dr. Interested tells Bob that the photos he takes should have no PHI visible, so the ruler in the photo does not have a date or the patient’s initials on it. Bob returns next week when the patient is seen for follow up, and Bob provides further guidance to Dr. Interested regarding the normal appearance of his CTP after a few days have elapsed. The clinic nurses confer and confirm with Bob on his instructions regarding which dressings the manufacturer recommends using with the product. Neither the physician nor the hospital charges for the application of the cellular product. The application is documented in the chart, including the lot number and expiration date, but with a note that there was no charge “because the product was donated as a part of a product evaluation.”
Did Bob cross the line? 

RS: “We again land back at the question of whether or not Bob is a BA with a BAA in place. If Bob is a BA and the BAA covers disclosures of PHI of this sort, Bob did not cross the line. If the BAA does not cover this type of procedure, a specific authorization from the patient is required.  The patient would also need to give authorization for the photographs, which is often enveloped in the informed consent for treatment. If Bob takes the photographs out of the clinic or hospital, this type of behavior should also be included in the BAA.” 

Roger Shindell is chief executive officer of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of AHIMA’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at rshindell@carosh.com.