Don’t debate; get authorization
Whether as employees of a covered health care entity or independent business associates, case managers must ensure that they are in compliance with the privacy requirements of the Health Insurance Portability and Accountability Act (HIPAA).
The burden of compliance may be greater, however, for the independent case manager, notes Cathy Kauffman-Nearhoof, RN, BSN, CCM, CMCN, CLNC, owner of Integrist Health Care Consulting, LLC, a Duncansville, PA-based firm that provides case management and legal nurse consulting services. "[Independent case managers] must assume responsibility not only to comply, but also to conduct their own risk assessments and develop their own policies and documents."
Despite a provision of HIPAA that includes case management in the list of health care "providers" who do not need a signed authorization to use and disclose the protected health information (PHI) of their clients in the course of coordinating patient care, Kauffman-Nearhoof says, the most sensible course for independent case managers probably is not to fight the battles that claiming that right would entail.
45 CFR 164.502 (a) (1) "A permitted entity is permitted to use or disclose protected health information as follows: (i) to the individual; (ii) for treatment, payment, or health care operations, as permitted by law and in compliance with 164.506.
A parenthetical statement in HIPAA "throws case managers in" with the list of health care providers who do not need the authorization, she adds.
CFR45 164.502 (Health Care Operations) permits use and disclosure of PHI for certain activities, including "population-based activities relating to improving health or reducing health care costs, protocol development, case management, and care coordination . . . and related functions that do not include treatment."
HIPAA defines a health care provider (45 CFR 164.501 (5) (1) & (2) as one who "delivers health care to the individual based on the orders of another health care provider; [and] typically provides services or products or reports the diagnosis or results associated with the health care directly to another health care provider who provides the services or products or reports to the individual."
45 CFR 164.506 (c) "A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations (2) for treatment activities of a health care provider; (4) for health care operations activities of the entity that receives the information, if each entity either has or had relationship with the individual who is the subject of the protected health information being requested (5).
But Kauffman-Nearhoof says, "The health care world simply does not always see independent case managers in that bucket. My recommendation is just to get the authorization, get it signed, and move on."
In this situation, it is critical to understand the difference between an independent case manager and one who is working for a covered entity such as a hospital, says Jackie Birmingham, RN, MS, CMAC, vice president for professional services for eDischarge with Curaspan Inc. in Newton, MA, and a veteran case management consultant.
"An independent case manager may be hired by a family to work with an at-risk patient, and this case manager may be working with hospital-based case managers on the discharge plan," she notes. "Since the independent case manager is not acting on behalf of the hospital, it is wise to have a signed authorization."
In the case of hospital or other facility case managers, Birmingham says, there is no need for this additional authorization before contacting post-acute providers to determine if they can provide the services needed by a patient. "Case managers who are carrying out the function of discharge planning do not need authorization from the patient before contacting the post-acute provider. However, the discharge planner should always verify that the patient has signed the consent form that the hospital uses to provide care."
In the case of independent case managers, says Kauffman-Nearhoof, "there is a lack of agree-ment within the HIPAA consultation community. Under treatment, care coordination by providers is determined not to require an authorization. However, the issue is further muddled when we attempt to clarify the role of the case manager."
"Among the attorneys I’ve worked with," she continues, "there is indecision as to whether a case manager can be called a health care provider. For example, under treatment,’ which is defined as coordination of health care,’ the interpretation is left up in the air. [Case managers] are not really hands-on, but they do provide care coordination. It’s a gray area but appears to be clarified under the statement from HIPAA in its definition of "health care operations," as noted above.
Rather than argue, she suggests, in the case of case managers not acting on behalf of a hospital or other health care facility, "just proceed with the appropriate authorization. It is the most conservative and safest approach, rather than attempting to garner consensus as to the case manager as care coordinator’ role."
Further complicating the issue, she notes, there is another exception to the rule. "Workers compensation management and [management] of similar programs do not require an authorization when efforts are focused on coordination of care and payment of services."
Kauffman-Nearhoof adds that although the stipulation that patients sign a consent form before receiving treatment was removed in the final version of HIPAA - at the same time that notice of privacy and authorization regulations were enhanced - there is a strong possibility the consent requirement could be reinstated.
"HIPAA did away with it but left the door open" for its return, she adds. "There are a lot of legislators demanding that it be looked at again."
Another related point of concern, Birmingham says, is that states also have privacy rules that must be followed. "Some states have more restrictions than HIPAA and set out specific guidelines," she notes. "The burden of knowing all the privacy rules related to releasing PHI in the course of planning post-acute care is an important issue. And it is only one of the regulations directing how discharge planning is carried out."
Even among discharge planners working for health care facilities, there has been confusion concerning whether authorization is needed for them to use PHI when seeking appropriate post-acute care for a patient, Birmingham says. "When I do seminars about HIPAA, a question that comes up is, Can discharge planners contact a post-acute care provider to determine if a bed or service is available without specific authorization?’"
Her answer to that question is "yes," she says, citing a reference from the Department of Health and Human Services’ web site (www.hhs.gov/ocr/privacysummary.pdf). "When you are contacting a post-acute provider for a specific patient who needs a rehabilitation facility that provides physical therapy, occupational therapy, and is located within five miles of where the patient lives,’ you don’t need specific authorization."
"When implementing the eDischarge work flow management tool for discharge planning," Birmingham adds, "we spend a lot of time going over the regulations, including HIPAA and the Conditions of Participation for Medicare, regarding patient choice issues that drive discharge planning work."
When that discussion starts, she says, case managers who are doing discharge planning as part of their workday sometimes are shocked at how many rules they must follow. Knowing the rules when doing discharge planning is critical, she emphasizes, since the very nature of the work is to send out patient information to other health care providers.