Some HIPAA issues may be unique to case managers

Think through your solutions in advance

If you work for a large organization, the Health Insurance Portability and Accountability Act (HIPAA) practices that are defined for your organization would apply to you as you practice in that environment.

However, case managers will have some unique challenges with respect to HIPAA compliance.

For example, there may be some other areas you have to grapple with, particularly when it comes to privacy issues, such as the requirement that you give referral sources only the minimum necessary information, points out Linda Reeder, RN, MBA, RNCm, president of Envision Consulting, a Seattle e-health and clinical information technology consulting firm.

The variety of organizations and agencies that the case manager deals with will require careful consideration of what each needs to know. "They may have gotten used to giving these agencies all the information about a client, but under HIPAA they have to be careful," Reeder says.

In addition, some of the organizations that case managers refer clients to are not covered entities as defined by HIPAA. For instance, job-retraining agencies generally are not covered by HIPAA, as they do not provide health care services. However, they are business associates, and the case manager needs to ensure that contracts with these organizations contain appropriate clauses requiring the associates to protect any health information.

Social service vs. medical model

Furthermore, these business associates may very well be unaware of HIPAA, which requires case managers to educate them on the requirements.

"A lot of case managers straddle the line between a social service model of care management and a purely medical model of care management. However, the HIPAA transaction and code set regulations were developed around the medical model," Reeder says.

Typical case managers are as involved in social support activities as they are in coordinating direct health care services. They deal with independent living skills, transportation, education and literacy issues, community programs, and other activities that help patients get the social support they need to deal with their medical issues.

Trying to fit a social services model of care into the HIPAA model may be difficult.

For instance, a developmentally disabled person needs medical services but also needs job training, independent living skills, personal care, and transportation.

Therefore, the eligibility, enrollment, billing, and payment processes do not follow the typical "medical model" but still need to be HIPAA-compliant if the case manager’s organization does business electronically.

Transactions and code sets

The security regulations may produce the biggest changes in practice for case managers, particularly if they are out in the field, where mobile computing devices and remote access are increasingly commonplace. For instance, you’ll have to deal with the physical security of the records, whether they are in your office or in the field, including the records that might be included in handheld devices or laptops.

Case managers should review their organization’s policies and make sure that the people creating the policies understand the case manager’s role in the field.

It’s a big mistake to ignore the transaction and code set rules, thinking it’s simply a technical issue, Reeder says.

"The transaction and code set regulations represent the real value for case managers. Having standardized code sets and data gathering will facilitate e-case management and e-health. It could be a big efficiency boom for case managers," Reeder says.

The way you authorize treatment, enroll participants in disease management and other programs, or set up referrals to providers is likely to change dramatically.

When the transactions and code sets for health care are standardized, you’ll be able to go online to check eligibility, get authorization for treatment, submit claims, and check on the status of payments. Combined with other online activities such as scheduling appointments, checking diagnostic results, and performing utilization review, this can significantly improve the workflow for case managers.

HIPAA has the potential for saving money by streamlining the business processes of health care. Reeder cites studies that estimate that checking eligibility or issuing a referral could drop from a cost of approximately $20 or more to less than $1 if it’s done electronically, using standardized transactions and code sets.

HIPAA regulations will mean you’ll have to take additional steps to ensure that your client’s protected health information is secure, particularly when you use today’s technology, points out Beth Hjort, HIA, AHIM, practice manager for health information management for the American Health Information Management Association in Chicago.

For instance, when faxing identifiable health care information, you will have to be extremely careful that it goes to the proper person. It’s easy to misdial a telephone number or hit the wrong button on a speed dial, sending the information to the wrong recipient.

Cell phones pose another security risk, because conversations can be intercepted.

Here are some other areas case managers should look at when they think of HIPAA compliance, Hjort suggests:

• Gather together the main functions you do that involve release of information. Look at the mechanisms you use to access and share the information and make sure they are secure.

• Work closely with the security staff to make sure that an infrastructure is in place to protect each mechanism.

• Get in the habit of using a call-back procedure to know who is on the other end of the telephone line. "It’s a good fall-back to help validate that you are getting through to the right organization," she says.

• Ask your security people to ensure that your e-mail is secure.

• Make sure that the privacy rules cover all employees, no matter where they work. For instance, if your case managers work at home or access patient records from home, make sure their computers and telephones are secure.

• Make sure a policy on personal digital assistants and laptop computers is in place to secure the data in the best way possible. Laptops and personal digital assistants are of concern because it’s difficult to secure them physically.

• Make sure your staff are available when your organization’s HIPAA information training is given. Keep up with new procedures, updates, and reminders.

• Be a team player and part of the core of people key to making sure privacy is honored.

• Examine the physical security measures within your department. For instance, do you secure hard-copy records overnight, where they can’t be seen by the cleaning staff or other unauthorized people? Is your fax machine located in a secure place, where the faxes can’t be read by everyone? Do you and your staff routinely log out when you leave your computer workstation, rather than leaving protected information on the screen?