Do certain pharmaceutical physician marketing practices violate HIPAA — the Health Insurance Portability and Accountability Act — specifically, the patient privacy regulations under that act?

This is a very big topic, but I’d like to focus on one small piece of it, which has to do with AstraZeneca, cancer patients, and free cupcakes!

My friend Ed Silverman over at the Pharmalot Blog recently wrote:

“Do you remember AstraZeneca’s promotional campaign for its cancer meds? MUMS – Mothers United for Mammograms – was designed to promote awareness of the test, in part. The program was put together by the drugmaker’s oncology team and emphasized distribution of pink-frosted cupcakes, along with pink carnations and pink Arimidex bags in which info can be stuffed.” See “Taxing Question: How Did AstraZeneca Account For Pink Cupcakes Given To Patients?

Ed then asks these questions:

“The cupcakes may seem innocent enough, but could they cause a legal issue for AstraZeneca? The cupcakes were distributed in doctors’ office and hospitals, by the thousands. And this raises a question – how were all those cupcakes accounted for? Did the drugmaker properly expense the cupcakes? Company policy prohibits paying for patient meals.

“And meals are only supposed to be provided to health care providers and their staff, not patients. But all attendees are supposed to be listed on an expense report. List a patient by name and you run into HIPAA issues. Would writing off thousands and thousands of pink cupcakes as a general business expense leave a bad taste in an auditor’s mouth?”

Let me take on the HIPAA question first, because I have some experience in advising pharmaceutical companies about privacy regulations under HIPAA (see the VirSci Corporation We site).

Not many people understand HIPAA and who is subject to HIPAA (aka, “Covered Entities”). Simply stated, covered entities are physicians and those people employed by physicians to carry out medical operations; eg, physicians’ staffs. The rest of us — patients included — are not subject to HIPAA’s privacy regulations.

You (even physicians) and me and patients are completely free to identify ourselves by name and talk about our medical problems to anyone! HIPAA does not apply to us.

Consequently, anybody, including a pharmaceutical sales rep, can go into a doctor’s office — if invited — and talk to patients in the waiting room and ask their names, what medical condition they have, etc. and none of that would violate HIPAA. It may violate the doc’s or the pharma company’s business ethics or our moral compasses, but it does not violate HIPAA.

Only if a sales rep asked a physician (or a physician staff member) the names of patients would there be a violation of HIPAA. And then, only the physician or his staff member would violating the law, not the rep.

BTW, pharmaceutical marketers routinely ask consumers for their names, what drugs they take, etc. You’ve undoubtedly seen the BRC cards attached to print ads in magazines. There’s no HIPAA issue there.

About Expensing Free Lunches to Patients
Ed also cites AZ policy on legitimate business expenses:

Health care providers and staff who would benefit from the educational information being provided may be invited to attend. Because of the educational focus of these programs, spouses, other family members, and/or GUESTS MAY NOT ATTEND these discussions.

The IRS requires a complete list of attendees, business relationship, and the business purpose in order to demonstrate the business nature of the expense. This documentation supports both the deductibility of the expense for the Company and the non-taxability of the reimbursement to the employee. This information must be included on the expense report form.

This last bit is where Ed thought that the cupcake dispensing sales reps would have to get patient names. However, I don’t believe providing food (even cupcakes) to patients violates AZ policy — it just would not meet the requirement of a legitimate business expense by IRS.

I am sure that the cost of the cupcakes could easily be “hidden” under some other legitimate business expense or, better yet, the AZ reps could have given the cupcakes to physicians and suggested that they be put out in the waiting room along with the bags full of patient information to aid in the physician’s medical practice. This would then be a legitimate business expense by IRS standards — the good were given to the physician, not the patients — and may even comply with PhRMA and AMA guidelines regarding gifts to physicians — in so far as you can say that all this was medically relevant (cupcakes could be a stretch — but if you can add flavors to make taking medicines easier, then cupcakes could induce people to read pamphlets).

The AZ policy Ed quotes concerns “lunch and learn” sessions, which patients would not generally be invited to because these sessions are NOT patient education sessions. I am sure, however, that pharmaceutical companies sponsor other educational activities that ARE designed for patients — such as health fairs — at which food may be served. Again, this would be a legitimate business expense. The way it could work is the same as the cupcake scenario I described above: give money to the hospital to support the health fair. in this case, the direct recipient of the cash is a legitimate BUSINESS contact, not patients.

I am not defending AZ’s cupcake caper. I am merely pointing out that such marketing and “educational” activities can be done without violating HIPAA and without violating IRS business expense requirements (although I am arguing only that these practices don’t seem to violate AZ’ policies regarding legitimate IRS business expenses — I’m not an expert in tax law).

The focus so far in this post has been about legality, not with what’s “right and wrong.” Is it wrong for pharma sales reps to wander around doctors’ offices and hospital corridors seeking out physicians? That’s not a HIPAA issue, it’s a business issue for docs and pharma companies.

Docs can ask reps to leave a waiting room or not to talk with patients and pharma companies may have policies against talking to patients. Nevertheless, this is completely up to the doc and the pharma company and is not mandated by HIPAA.

The doc and the patient may be afraid of violating HIPAA and use that as an excuse to bar reps, but HIPAA even allows for “incidental” exposure of confidential medical information. For example, if a rep is invited into the back office and happens to see a patient’s chart inadvertently left open on a desk, that could be “incidental” exposure under HIPAA and not violative of the law — bad privacy practice to be sure, but not necessarily a violation of HIPAA. Once you invite the rep in, “shit can happen,” but it’s not necessary HIPAA-violation shit.

BTW, I have consulted with many pharmaceutical companies about HIPAA and made many HIPAA privacy presentations at industry meetings — so I know a little more about this than the average person.