Friday, May 04, 2007

AstraZeneca's Pink Cupcakes May Violate AMA Guidelines and HIPAA law

A few days ago I brought the story "AstraZeneca's Secret Oncology Plans: Sell Cancer Drugs to Patients with Pink Cupcakes" to you.

According to AstraZeneca's secret sales plan, the company planned to use the Chemo Injection area to serve pink cupcakes to patients.

AstraZeneca wrote, "Refreshments and food will help attract patients to the table. Cupcakes are easier for patients to handle and less messy than a cake. Have them made with pink frosting."

They also wrote, "Provide the small pink Arimidex bags for patients to fill with information. They will also be highly visible throughout the entire office."

There is only one problem with the pink cupcake program; not only do patients who get chemo feel nauseous and would rather vomit than eat pink cupcakes, the entire sales program may also violate the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and certainly violates American Medical Association (AMA) guidelines, unless patients sign a written authorization.

According to AMA guidelines, a sales representative may not willy-nilly sit in on any patient's exam or treatment: "A sales representative may sit in on a patient's exam or treatment only if the patient has signed a valid authorization expressly allowing the sales representative to do so."
And that's just not likely to happen. Here's why:

This is what a chemo treatment area looks like. It can often have ten or twenty patients getting treatment at the same time.

Anyone thinks the AstraZeneca rep is getting authorization from all these patients before serving cupcakes?

Ain't very likely.

And, according to the HIPAA Act, "covered entities must first obtain an individual's specific authorization before disclosing their patient information for marketing." Like "here is Mrs. Smith and she's getting chemo treatment." Can't disclose that. No way. Big violation.

And there's more:

HIPAA Violations and Enforcement: Failure to comply with HIPAA can result in civil and criminal penalties (42 USC § 1320d-5).

Criminal Penalties

In June 2005, the U.S. Department of Justice (DOJ) clarified who can be held criminally liable under HIPAA. Covered entities and specified individuals, as explained below, whom "knowingly" obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $50,000, as well as imprisonment up to one year. Offenses committed under false pretenses allow penalties to be increased to a $100,000 fine, with up to five years in prison. Finally, offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain or malicious harm permit fines of $250,000, and imprisonment for up to ten years.

Of course, I'm not sure how this will be interpreted, but doctors who let sales reps serve pink cupcakes to patients during treatment would appear to set themselves up for trouble.

You may wonder what's the difference between the chemo area and a waiting room. Well, in the waiting room you don't know for sure the patients' treatment, which is confidential information, per HIPAA.

Here's the guidance doctors get on how to follow HIPAA in the waiting room, per AMA:

"May a physician use a sign-in sheet? Call out names in the waiting area? Place charts outside a patient's room while the patient is waiting to see the physician?

Yes. To the extent these activities result in other people learning a patient's name or other information, the disclosure would be considered "incidental" to the physician's treatment of the patient, and therefore acceptable under HIPAA.

Physicians should take appropriate precautions to limit the amount of information that might be incidentally disclosed in this manner. For example, physicians should not ask patients to list "reason for visit" on a sign-in sheet. With respect to placing charts outside of an examination room or the patient's hospital room while the patient is waiting to see the physician, the physician should take precautions such as turning the front of the chart towards the wall so others do not have the opportunity to read the front page while walking past the room."

So, at a minimum, having any sales rep present in the Chemo Injection area, would appear to create the possibility for several violations. With or without pink cupcakes.

And, uh, one more thing-this program is ongoing right now, according to the AstraZeneca group of 7 whistleblowers.



PharmaGuy said...


Being a little familiar with HIPAA, I'd say that without further information about how the reps interact with patients, you cannot assume that HIPAA is being violated. If the reps are in a waiting room outside the treatment area, for example, that's perfectly HIPAA compliant. We've all experienced this (see "Basics of Sales Rep Watching" at

I seriously doubt that reps would be allowed into the actual treatment room.

Even if reps were doing this inside the treatment room they still would not be violating HIPAA regulations.

Only the doctor could be in violation of HIPAA, not the reps. The covered entity is responsible for protecting the personal/protected health information (PHI) of his/her patients and only the doctor can be prosecuted under HIPAA.

Even if the reps were in the actual treatment areas would they necessarily be able to identify patients by name, unless the patients freely revealed their names? If so, it is not a violation of HIPAA. I can tell anyone my personal health information. The gov't can't prevent me from doing so and the recipient is not violating any law.

Sales reps are often invited into treatment areas with the permission of patients to observe how physicians prescribe.

Sales reps should not enter a treatment area without patient permission. To do so does not necessarily violate HIPAA privacy laws, but puts the physician in an awkward position. HIPAA allows for "incidental" exposure of PHI as when a sales rep is wandering the halls outside treatment rooms and sees medical charts on exam room doors. The rep might pull the chart out of the box and read it and this still would not be a violation of HIPAA because the doctor did provide a way to protect the information (it was inside the box and not in plain sight). in this case, the rep did not violate HIPAA (not subject to the law) and neither did the doctor (it was incidental exposure).

This is not to say that doctors should feel free to have reps wander the halls and exam rooms or that pharma companies should condone the practice. My point is that it can be done without violating HIPAA and even if HIPAA were volated, it was by the physician, not the pharma company.



Peter Rost said...

I agree with that John, that's why I wrote-in pink-"Of course, I'm not sure how this will be interpreted, but doctors who let sales reps serve pink cupcakes to patients during treatment would appear to set themselves up for trouble."

It is the doctors potentially getting into the do-do both with HIPAA and AMA guidelines.

Anonymous said...

I thought cancer loves sugar. (See here

Giving cancer patients pink cupcakes is like killing them (by growing/feeding their cancer).

Anonymous said...

Appending to previous post: Here is a link that provides scientific references to sugar and cancer:
(Number 6 in the list)

Just to have reliable sources :)

Anonymous said...

As a patient, I would be torked if a dr. did anything-- intentionally OR negligently-- that allowed a drug rep. to see my chart.

It's tough enough getting a doctor to correctly diagnose and treat a patient-- I don't need the guy who last month was selling cell phones at the kiosk at the mall, but now hired by the drug company, to start interfering with any potentially sound medical judgment my doctor might be able to offer me.

If HIPPA really allows drug reps to do this without recourse, HIPPA needs to be changed!!!