View Expert Insights

March • 29 • 2024

Vendors in Patient Care Areas: Liability Exposures


Marlene Icenhower, BSN, JD, CPHRM



Pharmaceutical and device vendors in the healthcare setting can pose risks to patient privacy and create bias in prescribing patterns.

Would you want a salesperson in your exam room? Pharmaceutical and medical device vendors sometimes visit healthcare facilities to talk to providers face to face. Although there may be some benefits to meetings with sales representatives, allowing vendors in patient care areas brings considerable risks to patient privacy as well as concerns regarding cost and effectiveness.

Patient Privacy and Consent

For an example of how a vendor’s presence in patient care areas can go wrong, consider the case of Sanchez Scott v. Alza Pharmaceuticals

Alza Pharmaceuticals sent a male sales representative to an oncology practice to participate in a “mentor program” that involved observing patient care. The sales representative was present during a breast examination of a female patient who was undergoing treatment for breast cancer. The patient asked about his presence and was told that he “was looking at the doctor’s work.” It was only later, when she spoke to the receptionist about the unknown man in her exam room, that she learned he was a drug salesperson. Embarrassed and angry over what had occurred, she filed a lawsuit alleging an invasion of privacy. 

Patients don’t need to be present to suffer a privacy violation. In a recent case, the Department of Justice indicated that a former physician with practices in New Jersey, New York, and Florida admitted that he wrongfully disclosed patients’ protected personal health information to a pharmaceutical sales representative, in violation of HIPAA. The sales representative had access to the office during and outside of normal business hours (including areas restricted to staff). He also had access to medical files and patient information. Under HIPAA, the maximum penalty for the violation is one year in jail and a $50,000 fine.

Bias and Prescribing Patterns 

Patient privacy is the most obvious issue when allowing vendors access to patient care areas, but the presence of bias in prescribing patterns is another concern.

A study published in JAMA Dermatology looked at the relationship between free drug samples and prescription patterns for acne vulgaris and rosacea. The study concluded that free drug samples may alter the prescribing patterns of physicians, steering them away from less expensive generic options. 

Although advocates of the practice argue that samples improve access to expensive medications, critics point out that samples add to the overall cost of medications. Furthermore, patients may lack the consumer medical information they would normally receive from pharmacists, which raises concerns over potentially dangerous drug interactions.

As an article from the AMA Journal of Ethics points out, the information provided by sales representatives is likely biased in favor of the products they are selling. To overcome these potential biases, the AMA advises physicians to review more reliable sources of information, keep time spent with sales representatives to a minimum, and develop solid information management strategies.

Creating Commonsense Risk Mitigation Strategies

Despite the potential exposures, physicians may still need to meet with sales representatives occasionally, and there may be legitimate reasons for having medical device vendors on site. With strong risk mitigation strategies in place, providers can prevent these interactions from turning into privacy violations and liability claims.

Consider the following risk management strategies:
  • Develop clear policies. By establishing clear policies, facilities can reduce liability associated with vendor interactions. For maximum effect, they should provide policies (with acknowledgement of receipt and a signed agreement to comply) to employees who interact with vendors. Policies should address when representatives may visit, where they are allowed, how they can access providers, the use of identification badges, how they sign in and out, procedures for sampling, rules about gifts and meals, privacy and confidentially requirements, and the consequences of violations. Vendors and sales representatives should be made aware of the components of the policies as well.
  • Credential and train vendors. Both the visiting representative’s employer and the facility should develop training programs to properly educate and inform those who will be visiting. Facilities may want to use third-party companies to provide their training. Credentialing can ensure all vendors allowed at the facility have received the proper training, authorization, and insurance from their employers. In addition to privacy concerns, training should address infection control, fire safety, and other critical procedures. 
  • Protect patient privacy. Device representatives may have a justifiable reason for being in patient care areas when they need to calibrate or otherwise oversee device operation, but facilities should limit their exposure to protected information to the full extent possible. In most cases, pharmaceutical representatives should not be given access to patient care areas. 
  • Obtain a business associate agreement. Facilities should review federal guidelines to determine whether they need a business associate agreement. According to HHS, a business associate is “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.”
  • Obtain patient consent. If facilities require a vendor to be present in a patient care area – for example, because a representative needs to help with the operation of a device during a procedure – informed consent is critical. The patient should know the vendor’s identity, reason for being there, extent of involvement, and whether any alternative arrangements are possible. Facilities should document consent in the patient’s medical record.
  • Ensure legal compliance. In addition to HIPAA and other federal laws, various state and municipal regulations may apply to vendor interactions. These regulations may require vendors to register with the state or meet licensing and training requirements. Other laws may restrict who is allowed in the operating room.   

Vendor interactions are less common than they used to be, but they are still a potential source of liability. With the right risk management practices in place, healthcare leaders can protect the privacy of patients while reducing the facility’s exposure to liability.

This article is based in part on a Coverys presentation “Pharmaceutical and Device Vendors in Patient Care Areas” by Marlene Icenhower, BSN, JD, CPHRM. 

Copyrighted. No legal or medical advice intended. This post includes general risk management guidelines. Such materials are for informational purposes only and may not reflect the most current legal or medical developments. These informational materials are not intended, and must not be taken, as legal or medical advice on any particular set of facts or circumstances. 


  • Risk Management & Patient Safety