
DME Compliance Guide: Marketing Within CMS and HIPAA Boundaries

An essential overview of the compliance landscape for DME marketing. Understanding these rules is not optional — it is the foundation of sustainable business growth.

By Fairfax Marketing | 9 min read

Why Compliance Is a Business Priority

For DME providers, compliance is not simply a legal requirement — it is a competitive advantage. Providers who operate within CMS and HIPAA guidelines build stronger relationships with referral sources, experience fewer claim denials, and face significantly lower audit risk. In contrast, providers who work with marketing partners that cut corners on compliance often discover the consequences only after they have already invested substantial time and resources.

The DME industry has faced increased regulatory scrutiny in recent years, particularly in product categories like power wheelchairs, braces, and orthotics. CMS has implemented prior authorization requirements, expanded audit programs, and increased penalties for non-compliant marketing practices. For providers, this means that the marketing partner you choose is not just a vendor — they are a compliance risk factor.

This guide provides an overview of the key compliance areas that DME providers should understand when evaluating marketing strategies and partners. It is not legal advice — it is a practical framework for asking the right questions.

Key Regulatory Areas for DME Marketing

DME marketing intersects with several regulatory frameworks. Understanding where these rules apply helps providers make informed decisions about how they acquire patients.

Medicare Anti-Kickback Statute (AKS)

The AKS prohibits offering, paying, soliciting, or receiving anything of value to induce or reward referrals for services covered by federal healthcare programs. In the DME context, this means that marketing arrangements must be carefully structured to avoid any appearance of paying for patient referrals. Compensation models based on per-patient fees require particular scrutiny.

HIPAA Privacy and Security Rules

Any marketing activity that involves patient health information must comply with HIPAA's Privacy Rule. This includes how patient data is collected during intake, how it is stored and transmitted, and who has access to it. Marketing partners who handle protected health information (PHI) should have Business Associate Agreements (BAAs) in place.

False Claims Act (FCA)

Submitting claims for items or services that were not medically necessary, or that were obtained through improper marketing, can trigger False Claims Act liability. This is particularly relevant when marketing materials make coverage guarantees or imply that patients will automatically qualify for devices.

CMS Supplier Standards

CMS maintains specific standards for DME suppliers, including requirements around how products are marketed to Medicare beneficiaries. Suppliers must not use unsolicited telephone contacts to sell or market items, and must comply with specific rules about advertising and promotional materials.

Telephone Consumer Protection Act (TCPA)

The TCPA restricts unsolicited telemarketing calls, text messages, and faxes. DME marketing that involves outbound calling must comply with these requirements, including obtaining proper consent and maintaining do-not-call lists. Violations can result in significant per-call penalties.

Red Flags in DME Marketing Partners

When evaluating marketing partners, certain practices should raise immediate concerns. These red flags do not necessarily indicate illegal activity, but they suggest a level of compliance risk that most providers should avoid.

Guaranteeing Medicare coverage or approval

No marketing partner can guarantee that a patient will qualify for Medicare coverage. Making such promises to patients creates false expectations and can be considered misleading advertising under CMS guidelines.

Per-patient or per-referral compensation models

Payment structures that tie compensation directly to the number of patients referred raise Anti-Kickback Statute concerns. Legitimate marketing arrangements typically use flat-fee or percentage-of-spend models that are not contingent on patient volume.

Cold-calling Medicare beneficiaries

Unsolicited telephone marketing to Medicare beneficiaries is restricted under CMS supplier standards and the TCPA. Marketing partners who rely on cold-calling as a primary strategy expose providers to regulatory risk.

No documentation of patient consent

Proper consent documentation is essential for both HIPAA compliance and TCPA compliance. If a marketing partner cannot demonstrate how and when patient consent was obtained, the entire intake process is at risk.

Sharing patient information with multiple providers

Selling the same patient contact to multiple DME suppliers raises both HIPAA and ethical concerns. Patients should understand which provider will be receiving their information and should have given specific consent for that sharing.

What Compliance-Aware Marketing Looks Like

A marketing partner that takes compliance seriously will demonstrate specific practices and policies. These are the characteristics that distinguish responsible patient acquisition from high-risk lead generation.

Clear, truthful messaging that never guarantees coverage
Documented consent processes for all patient interactions
HIPAA-compliant data handling with BAAs in place
Exclusive patient matching — not shared across providers
Transparent compensation models reviewed by counsel
Willingness to provide compliance documentation on request
Regular training for staff on regulatory requirements
Proactive communication about regulatory changes

How Fairfax Marketing Approaches Compliance

At Fairfax Marketing, compliance is not an afterthought — it is built into every aspect of our patient acquisition process. We understand that our compliance posture directly affects the providers we work with, and we take that responsibility seriously.

Our outreach messaging is reviewed for accuracy and regulatory alignment. We never guarantee coverage, we never use misleading benefit claims, and we never contact patients without proper consent. Patient information is handled in accordance with HIPAA requirements, and each patient opportunity is matched exclusively to a single provider.

We believe that compliance and growth are not opposing forces. When patients are acquired through responsible, transparent processes, they convert at higher rates, generate fewer claim denials, and create a more sustainable business for the providers we serve.

Important Disclaimer

This guide is provided for informational purposes only and does not constitute legal advice. DME providers should consult with qualified healthcare compliance attorneys regarding their specific marketing practices and arrangements. Regulatory requirements change frequently, and providers are responsible for staying current with applicable rules.

Want to Work With a Compliance-Aware Partner?

We work with a limited number of DME providers per region. Contact us to discuss how our compliance-first approach can support your growth.

No obligation. We are happy to answer questions about our compliance practices and patient acquisition process.