Cover your bases with HIPAA privacy forms

Privacy notice, consent form, authorization form

When the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations go into effect April 2003, all covered entities will have to produce three sets of forms. Case managers should familiarize themselves with these forms and make sure their activities are covered, advises Janice Cunningham, an attorney with The Health Care Group, a Plymouth Meeting, PA-based health care consulting firm.

These include:

• A notice to patients of the privacy regulations and procedures of that organization. This includes patients’ rights to access information, to amend their chart, and what they can do if they feel their privacy has been violated.

• A consent form, authorizing the organization to share protected health information for treatment purposes, payment purposes, and health care operations, such as quality assurance and utilization review.

• An authorization form that enables the organization to use health information for purposes that fall outside the treatment area. Examples include research and fund raising.

Typically, case managers won’t have to worry about the privacy notice, because their employer will handle it. However, you should pay attention to your organization’s consent forms, which patients must sign to authorize the release of their personally identifiable health information, says Cunningham. Case managers should make sure the consent form also includes people to whom your organization’s staff may speak about protected health information. "If you are a case manager, you should have something in writing that authorizes you to speak to any support people, such as spouses, children, or friends if they are the patient’s support person," Cunningham says.

Case managers also may have to be involved with activities that require an authorization form. If you are working in a facility that does drug research and you are required to approach the patient about drug research authorization, you must make sure that the form the patient signs is very specific, Cunningham says. For example, a typical authorization would state that the provider would release a patient’s blood test results monthly to XYZ Pharmaceuticals from Jan. 1 to June 30. It should be as specific as possible as to the person or department to whom the information will be released.

If you are working in a rehabilitation facility that wants to use a patient’s success story in a fund-raising brochure, you must get a specific authorization for that particular use. A blanket authorization won’t work, Cunningham notes. If you’re a case manager in a private practice, you will also have to sign a "business associate" contract with the entities with which you contract.

HIPAA requires a written contract that gives the covered entity assurances that the business associate has systems in place to comply with HIPAA requirements and will abide by them. The business associate agreement specifies what information may be disclosed and covers any protected health information that you are given or that you create. If you are contracting with five different insurance companies or providers, expect to have to sign five slightly different business associate agreements, Cunningham says.