Changes to HIPAA privacy rule should ease case managers’ burden

CMs are among those most affected’ by changes

In what may be good news for case managers, the Department of Health and Human Services (HHS) published a proposed regulation March 21 that, when final, will amend the existing privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA). Health care attorneys say the resulting changes could ease the administrative burden on case managers.

"I think case managers are going to be one of the groups of people most affected by these changes," says Rebecca Williams, JD, a health care attorney for the law firm Davis Wright Tremaine in Seattle. Under the current regulation, case managers are able to contact home health, skilled nursing facilities, and others on behalf of patients about to be discharged because it is for treatment purposes. The problem is that the entity receiving the call is unable to use protected health information (PHI) until it has the patient’s consent.

"It is ludicrous," asserts Williams, who co-chairs Davis Wright’s HIPAA practice group. The wording of the current privacy rule threatens to interfere with continuity of care, she says. For case managers attempting to make arrangements on the patient’s behalf, that spells major headaches. Fortunately, HHS recognized this unintended consequence and is attempting to fix that problem in the proposed regulations, Williams says.

The proposed rule would allow, but not require, covered providers to obtain advance consent for treatment, payment, and operations. Instead, covered providers will need to provide their notice of privacy practices to individuals on the first date of service and make a good-faith attempt to obtain the patient’s acknowledgement. This approach is less likely to interfere with treatment and continuity of care, she says.

Additionally, the proposed rule clarifies how a covered entity may disclose PHI for treatment, payment, and operations. "One very important thing for case managers is to understand that this proposed rule, and ultimately the final amendment, are going to be very important for them. It will change how they currently function," Williams says.

The second thing case managers should realize is that the privacy rule will be effective in less than a year: April 2003. When Congress passed an extension for the transaction and code set portions of HIPAA earlier this year, it emphasized that there will be no delay for implementation of the privacy regulation.

Williams says it also is important for case managers to become accustomed to the limits on how they will use and disclose PHI.

Crane Pomerantz, JD, health care attorney with Morgan Lewis in Washington, DC, takes a similar view. "My sense is that the biggest risk is going to come in the form of inadvertent disclosures," he says. The provision in the regulation that addresses intentional disclosures for financial gain is likely to be the exception rather then the rule, Pomerantz explains. Conversations in elevators and disclosure of PHI to contractors without adequate assurances in a business associate agreement are likely to be the type of violations more frequently cited, he predicts.

Flexible though challenging

While the privacy regulations no doubt will be challenging for case managers, the privacy standards are written with considerable flexibility, Pomerantz says. That is particularly true in the area of safeguards, where the regulations say only that appropriate administrative, technical, and physical standards must be implemented. "’Appropriate’ does not seem like a very exacting standard," he says.

Pomerantz points to a simple example included in the preamble: If patient files are stored in an office, the door should be locked and the number of keys that are distributed should be limited. "It seems to me that HHS is taking a very flexible functional approach to how these rules should be implemented." Likewise, the standard for policies and procedures says they should be reasonably designed to ensure compliance. "That does not sound like a terribly exacting standard to meet, and it suggests to me that there is a significant degree of understanding and reasonableness from the government," Pomerantz adds.

There still are likely to be some confusing days ahead, Williams warns. "It is possible that HHS will make a few more changes to the proposed regulations before they become final, and that will impact the final regulation."

It also is important for case managers not to overstate the potential impact the privacy regulation will have on their day-to-day activities, says Patrice Spath, BA, RHIT, president of Brown-Spath & Associates, a health care quality consulting firm based in Forest Grove, OR.

"The privacy regulations create new liabilities, but they do not create new responsibilities. I don’t think the original regulation was going to significantly threaten what hospital case managers were already doing," explains Spath, who recently spoke on HIPAA privacy issues at the 7th Annual Hospital Case Management Conference in Atlanta.

CMs responsible to guard patient’s privacy

Even if the privacy regulations did not exist, case managers still would have responsibilities in this area. "Regardless of how these regulations are finalized, the bottom line is that it is our duty to protect the patient’s privacy and make every reasonable effort to do that," Spath says. Like-wise, there are state requirements, which often are more stringent than the proposed federal requirements.

According to Spath, the privacy regulation is more threatening to independent case managers and those who work for disease management firms because they often are the recipients of information that they cannot act on until they have patient consent. The hospital case manager, on the other hand, is essentially going to be covered by the consent form the patients sign when they come into the hospital. "There is already a process established for anything related to treatment or business practices and operations."

For example, if a case manager orders durable medical equipment (DME) for a patient, the DME company would be responsible for obtaining appropriate consents prior to using protected information for any treatment, business, or operations purposes, Spath says.

Further, if a patient is transferred to another hospital, that hospital has not yet started treating the patient, so that hospital can obtain consent when the patient is transferred, she explains.

One exception may be the area of marketing, which actually is strengthened under the proposed changes. For example, case managers may be viewed as "marketers" when they share information with patients about support groups or other services sponsored by pharmaceutical companies, insurance companies, or other vendors.

Leigh-Ann Patterson, JD, a partner with Nixon Peabody in Boston, says the proposed regulation would tighten the restrictions on health-related marketing activities.

The current rule allows private health care information to be used for marketing purposes without prior patient authorization as long as the solicitation or promotional materials contain certain disclosures and opt-out provisions, Patterson says.

The proposed change closes this loophole by requiring prior patient authorization before any protected health care information may be used for marketing purposes, which means permission-based marketing programs will no longer be the exception but the rule, she adds.

"What’s the bottom line? Case managers, as well as all health care professionals, must constantly reinforce the importance of patient privacy during the provision of services," Spath says.

"Case managers should get to know their institution’s privacy officer. This person is knowledgeable about state and federal regulations and is an excellent resource for case management-related questions," she points out.

[For more information, contact: