As patient behavior becomes increasingly consumer-like, many practices are experimenting with bolder, more creative marketing strategies. But tread carefully! What works for other businesses can be downright dangerous for healthcare providers, who are subject to a veritable spider’s web of laws and regulations regarding marketing compliance.
Many providers “may not realize that a lot of the things that you can do in other industries, you simply can’t do in the healthcare industry,” explained attorney Kim C. Stanger in a webinar for Holland & Hart, LLP. Whoever handles your marketing—you, a staff member, or an outside company—must be well-trained in HIPAA, fraud and abuse statutes, and even consumer protection laws.
As an eye care provider, you face a special challenge: you can’t afford not to market your practice, but you also can’t afford to make marketing compliance mistakes—often inadvertent ones—that lead to vile violations, frightening fines, and other chilling consequences. So be not afraid. We’ve got the marketing mojo you need to avoid those macabre missteps.
The HIPAA Privacy Rule details how covered entities (that’s you) may use and disclose patient Protected Health Information (PHI). HITECH—the Health Information Technology for Economic and Clinical Health Act—is a separate but related law that, among other things, broadens HIPAA privacy and security protections.
Under HIPAA, a patient authorization is required for any use or disclosure of PHI for marketing. You must have it prior to sending marketing communications to patients. There are a few built-in exceptions (more on those later), but HITECH imposes additional limitations on some of them. The level of negligence determines the severity of HIPAA violation penalties.
Example: You post patient testimonials on your website with first names and photos. You don’t have valid, HIPAA compliant authorizations on file.
Stay compliant with both HIPAA and HITECH by follow a few key rules:
- Know when an authorization is necessary. You must obtain a written authorization prior to any use or disclosure of a patient’s PHI for marketing purposes. If the marketing involves financial remuneration from a 3rd party, the authorization must say so.
- Know what PHI consists of. HIPAA specifies 18 key categories of personal health information that can lead to patient identification. Be sure to remove any patient identifying information from marketing, unless you have an authorization.
- Keep on top of contractors. If you contract with an outside company to help with marketing efforts that involve PHI, you need a BAA (business associate agreement). Marketers must ensure that they protect the PHI stored in their systems.
How do I know if I need an authorization?
The need for an authorization under HIPAA and HITECH depends on two things. First, whether or not an activity is considered “marketing” Second, whether or not you are receiving third-party remuneration for those activities. HIPAA defines marketing in two ways:
- “Oral or written communication about a product or service that encourages the recipient of the communicationto purchase or use the product or service.” Remember, digital communication is considered “written.”
- The disclosure of PHI to a third party—in exchange for direct or indirect payment—so that the third party can communicate about its product or service to encourages recipients of the communication to purchase or use that product or service.
If you are receiving either direct or indirect payment from a third party to communicate with patients about that third party’s product or service, you need an authorization.
There are exceptions: you do not need an authorization for the following types of marketing regardless of whether it involves any third party remuneration:
- Face-to-face communication between you (the provider) and your patient about a product or service.
- Promotional gifts of nominal value (like contact lens cases, pens, or coffee mugs).
- Refill reminders for a drug or biologic that is currently being prescribed for that patient, as long as the remuneration for those reminders is reasonably related to your cost of making the communications (like postage).
Other Scary Statutes Your Marketing Must Sidestep
HIPAA and HITECH aren’t the only statutes you could be violating if your marketing compliance isn’t up to par. “Any time you do a deal with the government…there are always strings attached,” says Stanger. “Some of those strings are the Stark, the Anti-Kickback and the CMPL law,” she continues. Those sneaky statutes can affect your marketing in some surprising ways:
A physician may not refer a patient to receive services at an entity that has a financial relationship with that physician or a member off their immediate family. If a prohibited referral is made, that entity may not file a claim related to that referral unless a specific exception is met. The Stark law “applies any time you’re doing any kind of a marketing arrangement in which you are benefitting a physician or a member of a physicians family,” says Stanger.
Example: A physician-owner of an ASC wants to create an ad campaign for LASIK. The campaign features one of the ASC’s well-known surgeons as a spokesperson. This type of advertising could constitute remuneration to those physicians for bringing their cases to that facility. Why? The Feds cold construe that you’re not marketing your ASC, but you’re actually marketing the individual surgeon, says attorney Mary Jean Geroulo, who spoke at the Ambulatory Surgical Center Association’s 2017 annual meeting.
How to stay safe? “Any time you’re doing a marketing deal with, or that benefits, a referring physician…you need to make sure you structure that deal to fit within one of the Stark safe harbors,” advises Stanger. The better thing to do would be to either mention all the physicians, or just the center, adds Geroulo. The idea is to make sure you’re not promoting individual physicians. Instead, you’re presenting all of the physicians equally and the patient can decide who they want to contact.
The Anti-Kickback Statute (AKS) prohibits offering or receiving any type of payment meant to induce or reward patient referrals for services reimbursable by a federal healthcare program. The AKS is broader in scope than Stark, because “the Anti-kickback statue applies to your financial relationship with anybody who may be a referral source,” notes Stanger. Like Stark, safe harbors exist.
Problem: You’ve decided to outsource your practice’s marketing to the trendiest firm in town. You’re paying the firm based on the percentage of new business they generate. Payment by a healthcare provider to a marketer could be interpreted as an inducement for the marketer to refer patients to your practice.
Solution: The OIG “believe[s] that many marketing and advertising activities may involve at least technical violations of the statute.” They simply choose to overlook those violations because the majority of them pose little risk for fraud and abuse. Nevertheless, you should:
- Structure all marketing arrangements to meet safe harbors (like the employment or personal service and management safe harbors)
- Make sure all payments for marketing are fair market value. Document how you determined FMV and document that the marketer actually performed all of the services.
- Be careful when contracting with marketing companies, Geroulo advises. Add contractual obligations to disclose what, if any, types of physician arrangements they have. You may not realize that marketing companies have a whole team of folks behind them, including physicians.
The Civil Monetary Penalties Law prohibits many different behaviors. In terms of marketing compliance, it prohibits offering, soliciting, or receiving kickbacks for referrals. It also prohibits offering inducements to program beneficiaries if you know—or should know—that the remuneration is likely to influence that beneficiary’s selection of a particular provider, practitioner, or supplier of an item or service paid for by a federal or state program.
Example: You want to attract more new patients, so you decide to run a Facebook promotion where new patients who “like and share” your post will receive a discounted exam. When those patients arrive, you bill their insurance company your regular fee but discount the patient’s bill by their co-pay amount.
Solution: Carefully consider whether your marketing activity involves the offer of “remuneration” to beneficiaries in an effort to get them to come to your practice. The CMPL definition of “remuneration” includes “transfers of items or services for free or for other than fair market value.” You may offer items or services of low value (for example, lens cleaning cloths).
You cannot usually waive patient co-pays or deductibles unless you’ve made good faith determination of financial need. It should never be routine or part of any advertisement. Be sure that you apply any discounts or waivers consistently and compliantly. These inclued thing such as prompt pay discounts, cash discounts, or hardship waivers. You should also have a corresponding written policy.