Safeguard protected health information
CMSA, AAOHN offer guidance
Regardless of their practice setting, case managers need to take steps to maintain the confidentiality of protected health information under the Health Insurance Portability and Accountabi-lity Act (HIPAA) of 1996.
"Confidentiality of a client’s protected health information is a professional obligation of nurse case managers to ensure public trust and prevent unauthorized and inappropriate disclosure," says Jeanne Boling, executive director of the Case Management Society of America (CMSA), with headquarters in Little Rock, AR.
CMSA and the American Association of Occupational Health Nurses Inc. (AAOHN) joined together to offer guidance to case managers and occupational environmental health nurses in protecting their employees’ and clients’ privacy rights.
The joint position paper addresses the privacy, legal, and ethical issues affecting case managers and occupational and environmental health nurses in all practice settings.
The document outlines specific steps that nurse case managers and occupational and environmental health nurses can take to ensure the proper handling of personal health information. They include:
- developing written policies and procedures regulating access, release, transmittal, and storage of all health information;
- implementing educational activities to inform clients, health care providers, and other appropriate individuals of their need to maintain confidentiality of client health records;
- obtaining legal guidance as necessary to aid in the interpretation of unclear practice situations;
- establishing and maintaining security standards for transmission and storage of employee personal health information;
- knowing state and local laws and company or facility policies that relate to the privacy and security of protected health information.
Organizations that are directly affected by HIPAA, called "covered entities" under the law, are health plans, health care providers, health care clearinghouses, and business associates of covered entities. This includes companies that help covered entities with treatment, payment, or health care operations, or contract with nurse case managers.
For instance, if a nurse case manager is working as an independent third party and engaged in treatment, payment, or health care operations for or on behalf of a covered entity, a business association relationship is created and the case manager is required to protect clients’ health information under the rules applicable to the covered entity, Boling points out.
"The passage of the 1996 Health Insurance Portability and Accountability Act has validated the nurse’s obligation to maintain confidentiality of health information," she adds.
There are some exceptions in which a covered entity does not have to get the individual’s permission to disclose protected health information:
- Treatment, coordination, or management of health care or related services by a health care provider. For instance, when a nurse case manager coordinates client care, he or she is providing treatment and doesn’t have to get permission to disclose the protected health information.
- Payment or reimbursement to a health care provider for services and the process by which a health plan obtains premiums. Nurse case managers employed by health care providers to assess whether needed services are eligible for coverage under an individual’s health plan do not have to get permission from the patient to disclose information.
- Health care operations, whether they are administrative, financial, legal, or quality improvement. If a nurse case manager is employed as a health plan administrator, a plan case manager, or a utilization review nurse, he or she is performing health care operations and does not have to seek permission from the individual.
In all other situations, HIPAA mandates that covered entities obtain written authorization from an individual before disclosing protected health information, the paper states.
[A copy of the position paper is available at www.cmsa.org.]