Wednesday, May 30, 2007

On Cupcakes and HIPAA

Do certain pharmaceutical physician marketing practices violate HIPAA -- the Health Insurance Portability and Accountability Act -- specifically, the patient privacy regulations under that act?

This is a very big topic, but I'd like to focus on one small piece of it, which has to do with AstraZeneca, cancer patients, and free cupcakes!

My friend Ed Silverman over at the Pharmalot Blog recently wrote:
"Do you remember AstraZeneca's promotional campaign for its cancer meds? MUMS - Mothers United for Mammograms - was designed to promote awareness of the test, in part. The program was put together by the drugmaker's oncology team and emphasized distribution of pink-frosted cupcakes, along with pink carnations and pink Arimidex bags in which info can be stuffed." See "Taxing Question: How Did AstraZeneca Account For Pink Cupcakes Given To Patients?"
Ed then asks these questions:
"The cupcakes may seem innocent enough, but could they cause a legal issue for AstraZeneca? The cupcakes were distributed in doctors’ office and hospitals, by the thousands. And this raises a question - how were all those cupcakes accounted for? Did the drugmaker properly expense the cupcakes? Company policy prohibits paying for patient meals.

"And meals are only supposed to be provided to health care providers and their staff, not patients. But all attendees are supposed to be listed on an expense report. List a patient by name and you run into HIPAA issues. Would writing off thousands and thousands of pink cupcakes as a general business expense leave a bad taste in an auditor's mouth?"
Let me take on the HIPAA question first, because I have some experience in advising pharmaceutical companies about privacy regulations under HIPAA (see the VirSci Corporation We site).

Not many people understand HIPAA and who is subject to HIPAA (aka, "Covered Entities"). Simply stated, covered entities are physicians and those people employed by physicians to carry out medical operations; eg, physicians' staffs. The rest of us -- patients included -- are not subject to HIPAA's privacy regulations.

You (even physicians) and me and patients are completely free to identify ourselves by name and talk about our medical problems to anyone! HIPAA does not apply to us.

Consequently, anybody, including a pharmaceutical sales rep, can go into a doctor's office -- if invited -- and talk to patients in the waiting room and ask their names, what medical condition they have, etc. and none of that would violate HIPAA. It may violate the doc's or the pharma company's business ethics or our moral compasses, but it does not violate HIPAA.

Only if a sales rep asked a physician (or a physician staff member) the names of patients would there be a violation of HIPAA. And then, only the physician or his staff member would violating the law, not the rep.

BTW, pharmaceutical marketers routinely ask consumers for their names, what drugs they take, etc. You've undoubtedly seen the BRC cards attached to print ads in magazines. There's no HIPAA issue there.

About Expensing Free Lunches to Patients
Ed also cites AZ policy on legitimate business expenses:
Health care providers and staff who would benefit from the educational information being provided may be invited to attend. Because of the educational focus of these programs, spouses, other family members, and/or GUESTS MAY NOT ATTEND these discussions.

The IRS requires a complete list of attendees, business relationship, and the business purpose in order to demonstrate the business nature of the expense. This documentation supports both the deductibility of the expense for the Company and the non-taxability of the reimbursement to the employee. This information must be included on the expense report form.
This last bit is where Ed thought that the cupcake dispensing sales reps would have to get patient names. However, I don't believe providing food (even cupcakes) to patients violates AZ policy -- it just would not meet the requirement of a legitimate business expense by IRS.

I am sure that the cost of the cupcakes could easily be "hidden" under some other legitimate business expense or, better yet, the AZ reps could have given the cupcakes to physicians and suggested that they be put out in the waiting room along with the bags full of patient information to aid in the physician's medical practice. This would then be a legitimate business expense by IRS standards -- the good were given to the physician, not the patients -- and may even comply with PhRMA and AMA guidelines regarding gifts to physicians -- in so far as you can say that all this was medically relevant (cupcakes could be a stretch -- but if you can add flavors to make taking medicines easier, then cupcakes could induce people to read pamphlets).

The AZ policy Ed quotes concerns "lunch and learn" sessions, which patients would not generally be invited to because these sessions are NOT patient education sessions. I am sure, however, that pharmaceutical companies sponsor other educational activities that ARE designed for patients -- such as health fairs -- at which food may be served. Again, this would be a legitimate business expense. The way it could work is the same as the cupcake scenario I described above: give money to the hospital to support the health fair. in this case, the direct recipient of the cash is a legitimate BUSINESS contact, not patients.

I am not defending AZ's cupcake caper. I am merely pointing out that such marketing and "educational" activities can be done without violating HIPAA and without violating IRS business expense requirements (although I am arguing only that these practices don't seem to violate AZ' policies regarding legitimate IRS business expenses -- I'm not an expert in tax law).

The focus so far in this post has been about legality, not with what's "right and wrong." Is it wrong for pharma sales reps to wander around doctors' offices and hospital corridors seeking out physicians? That's not a HIPAA issue, it's a business issue for docs and pharma companies.

Docs can ask reps to leave a waiting room or not to talk with patients and pharma companies may have policies against talking to patients. Nevertheless, this is completely up to the doc and the pharma company and is not mandated by HIPAA.

The doc and the patient may be afraid of violating HIPAA and use that as an excuse to bar reps, but HIPAA even allows for "incidental" exposure of confidential medical information. For example, if a rep is invited into the back office and happens to see a patient's chart inadvertently left open on a desk, that could be "incidental" exposure under HIPAA and not violative of the law -- bad privacy practice to be sure, but not necessarily a violation of HIPAA. Once you invite the rep in, "shit can happen," but it's not necessary HIPAA-violation shit.

BTW, I have consulted with many pharmaceutical companies about HIPAA and made many HIPAA privacy presentations at industry meetings -- so I know a little more about this than the average person.

5 comments:

  1. Hi John,

    Just to keep the dialogue flowing on both ends - your site and mine - I'll mention what I wrote in response to your note on Pharmalot.

    And that is you make some interesting points. However, I believe the issue in my post isn’t actually talking to patients, but accounting - in writing - for the cost of the food. Just to clarify, listing patients as itemized expenses would be an issue.

    And yes, there’s a way to hide those expenses, as you suggested. But it would still appear to violate company policy if the cupcakes don’t qualify as a business meal, as described. Besides, if something doesn’t meet an IRS test, but not company policy, then perhaps the policy is out of whack.

    You’re correct to suggest that there may be nuances, and one can argue there are different ways to interpret such a scenario. But there’s also the spirit of the policy - it’s worth questioning dodgy ways that may be used to circumvent standards.

    Regards
    ed

    ReplyDelete
  2. Thanks Ed. I responded on your blog as follows:

    Regarding accounting for food for patients…doing what I suggested — giving the cupcakes to the docs to give to patients — probably is a stretch. I’m sure it didn’t happen that way. But that’s how the cupcakes can be expensed legitimately following the letter of AZ’s policy if not the spirit.

    My other point is that AZ may not have any policy that generally forbids giving food to patients. The policy you cite is a very specific one regarding “lunch and learns” for physicians. It was drafted in repsonse to PhRMA, AMA, and OIG guidelines concerning gifts to physicians. I don’t know of any similar guidelines concerning gifts to patients!

    ReplyDelete
  3. Here is the source for our HIPAA research:

    May a sales representative sit in on a patient's exam or treatment?

    No — unless the physician has obtained a valid authorization from the patient to share the information for these purposes. A sales representative may sit in on a patient's exam or treatment only if the patient has signed a valid authorization expressly allowing the sales representative to do so. The physician should provide the patient with sufficient opportunity to read the authorization form and ask questions before the patient decides whether to provide permission.

    ReplyDelete
  4. Dear Group of Seven:

    Thanks for your comment.

    Reps in the examination room is a completely different scenario from reps in the waiting room, which is what I was talking about and presumably where AZ put the cupcakes.

    Reps often do get invited into the exam room when patients are consulting with physicians under what's called preceptorship programs. In this case, HIPAA privacy regulations DO require express patient authorization.

    Note, however, that it is perfectly possible that some reps may be acting under contract with physicians to assist in the provision of care (eg, medical device reps) -- these contracts are allowed under HIPAA, which refers to them as Business Associate Contracts (BACs).

    In that situation, patient authorization is NOT required under HIPAA just as HIPAA does not require patient authorization for the doc to send blood samples to outside labs.

    I would note, however, that very few pharma companies would ever enter into BACs because these are very serious contracts. Most opt to make sure that the HIPAA authorization is in place.

    BTW, I have written some of these HIPAA-related guidelines for sales rep training at a very large pharmaceutical company, which shall remain nameless.

    P.S. If you want to post anonymously to myb "AZ Group of Seven" blog (see http://azgroupof7.blogspot.com/), let me know -- I will give you free reign.

    ReplyDelete
  5. AstraZeneca has banned all flowers, food and pink cupcakes. Wonder why??

    See my post today.

    ReplyDelete