
Sunshine Act FAQs

What is the Sunshine Act?

The Physician Payments Sunshine Act, commonly called the Sunshine Act, is intended to make the relationships between the healthcare industry and healthcare professionals more transparent. The Sunshine Act requires applicable manufacturers of drugs, devices, biologicals, and medical supplies to report certain payments or transfers of value provided to physicians or teaching hospitals and other research entities to the Centers for Medicare & Medicaid Services (CMS) on an annual basis.

What are "payments" and "transfers of value?"

"Payments" are fees for services rendered such as for speaker programs or consulting, and for associated approved out-of-pocket reimbursements (e.g., mileage and parking). "Transfers of value" are in-kind items such as meals, airfare, and/or educational materials that Orthofix pays for or provides in connection with medically relevant interactions with healthcare professionals and healthcare organizations.

Why does Orthofix make payments and transfers of value to physicians and hospitals?

Orthofix interacts with physicians and teaching hospitals in many important ways. We consult doctors to get their insights and advice on developing treatments that meet the needs of patients. We facilitate programs where physicians who are experts in their fields meet with their peers to help educate them about the appropriate use of FDA-approved treatments; this helps them make informed prescribing decisions with their patients. We also engage physicians as clinical trial investigators and work with hospitals to conduct clinical research studies, which are fundamental to the development of innovative treatments for patients.  

Who is considered a "physician" under the Sunshine Act?

A physician with an active license in the US who possesses any of the following degrees: Medical Doctor (M.D.), Doctor of Osteopathy (D.O.), Doctor of Dental Surgery (D.D.S.), Doctor of Dental Medicine (D.M.D.), Doctor of Optometry (O.D.), Doctor of Podiatry (D.P.M.) or Doctor of Chiropractic Medicine (D.C.).

What are "teaching hospitals?"

Every year, CMS publishes a list of teaching hospitals identified as reportable "Covered Recipients." The teaching hospital list contains all hospitals that CMS has recorded as receiving a payment(s) under the Medicare direct GME, IPPS IME, or psychiatric hospital IME programs during the latest full fiscal year for which such information is available to CMS.

What are some of the payments and transfers of value that Orthofix will report to fulfill Sunshine Act reporting requirements?

  • Meals provided to physicians during medically relevant discussions and presentations
  • Consulting fees and related expenses paid to physicians
  • Hospital-hosted convention fees and other payments to teaching hospitals

Does the Sunshine Act require all payments or transfers of value to be reported?

A manufacturer is not required to submit 2015 data on a payment/transfer of value to a covered recipient that is less than $10.21, unless the total payments/transfers of value to that covered recipient exceed $102.07 during the year.

If I have a question about the data that Orthofix has reported, what can I do?

If you have any questions about the Sunshine Act, Open Payments or published data, please email or call +1.800.527.0404 and request to speak with a member of our Compliance team. 


What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act. This law was passed in 1996 in order to protect individuals' Protected Health Information (PHI) from impermissible uses and disclosures by Covered Entities and their Business Associates.

What is PHI?

PHI means any information, whether oral or recorded, in any form or medium that is created by a health plan, a health care provider, or a health care clearinghouse that relates to the past, present or future physical or mental health of an individual, including the provision of and payment for health care, that either identifies the individual or provides a reasonable basis for such identification.

Is Orthofix required to comply with HIPAA?

Yes. HIPAA applies to all Covered Entities and their Business Associates. Covered Entities include healthcare providers, healthcare plans and billing clearinghouses. Since Orthofix is defined as a healthcare provider, it is considered a Covered Entity under HIPAA and must comply with all HIPAA requirements.

What is a Business Associate?

A Business Associate is a person or entity that performs certain functions or activities on behalf of a Covered Entity. Business Associate services include, but are not limited to: legal; actuarial; accounting; consulting; data aggregation; management; administrative; accreditation; and financial.

Is Orthofix a Business Associate of other healthcare providers?

The HIPAA Privacy Rule explicitly excludes from the Business Associate requirements disclosures by a Covered Entity to a healthcare provider for treatment purposes. Therefore, Orthofix may share PHI with other healthcare providers for treatment purposes without a Business Associate Agreement (BAA). Other healthcare providers such as hospitals and physician offices frequently request Orthofix to sign their BAAs. In most instances, Orthofix does not sign these BAAs due to the reasons explained above. Please forward all such requests to the Privacy Officer so that the requestor can be contacted to explain Orthofix's position.

May we "fax" a patient's medical information to physicians or health plans?

Yes. The Privacy Rules do not prohibit a Covered Entity from faxing PHI. However, we should verify the recipient's fax number and use a cover sheet that does not include patient PHI.

May we leave messages on patients' answering machines?

Yes. The Privacy Rules allow us to communicate with patients, including communications to the patient's home. When making these types of communications, however, we should take precautions to safeguard the patient's privacy. For example, when leaving a message on the patient's answering machine, we should limit the amount of information left in the message to just the information necessary to confirm the appointment time or to request that the patient call us back.

What are the HIPAA requirements for the disposal of PHI?

Covered Entities are not permitted to simply abandon PHI or dispose of it in containers that are accessible by the public or other unauthorized persons. Examples of proper disposal methods may include, but are not limited to:

  • For PHI in paper records, shredding, burning, pulping, or pulverizing the records so that PHI is rendered essentially unreadable, indecipherable, and otherwise cannot be reconstructed.
  • For PHI on electronic media, clearing (using software or hardware products to overwrite media with non-sensitive data), purging (degaussing or exposing the media to a strong magnetic field in order to disrupt the recorded magnetic domains), or destroying the media (disintegration, pulverization, melting, incinerating, or shredding).

What are the most common HIPAA violations?

  1. Impermissible Uses and Disclosures – e.g. using patient data to commit fraud
  2. Lack of Safeguards – e.g. allowing visitors entry into workplace without sign-in
  3. Failure to Provide Access – e.g. denying patients the ability to access their records
  4. More than Minimum Necessary – e.g. ability to access PHI without work-related reason
  5. Lack of Administrative Safeguards of PHI – e.g. coworkers sharing login information

Who can I contact regarding HIPAA related questions?

If you have any questions about HIPAA, please email or call +1.800.527.0404 and request to speak with a member of our Compliance team.