HIPAA privacy regs to impact, alter CM responsibilities

Discharge planning likely to be significantly affected

Case managers struggling to determine what steps they must take to cope with the patient privacy regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) should bear in mind that privacy laws and guidelines have been around for some time. "We are living with privacy laws now," says health care attorney James Pyles, JD, a partner with Pyles, Powers, Sutter & Verville in Washington, DC. "These [HIPAA] regulations mainly try to codify the requirements that we have and, in some cases, increase the requirements."

Pyles argues that the final privacy regulations are actually better than they sound. "They are intimidating when we look at the bulk of them," he says. "But they largely codify what providers, physicians, hospitals, and home health agencies have been doing for years."

Mohit Ghose, senior vice president at the American Association of Health Plans in Washington, DC, says there are ways to make sure that patients are satisfied with the level of privacy they have in the health care system. "That is critical, because without a patient feeling secure that their information will not be sold to vendors or marketers, a strong doctor-patient relationship is impossible," he explains.

While the principle of protecting private medical information is critical, and the federal government is looking at alternatives that might better serve patients, hospitals, health plans, and physicians, Ghose says the way the law currently is written could seriously threaten the provision of health care. One problem with the law is that only the minimum amount necessary of a patient’s information can be transferred between physicians and hospitals. "What we are looking at is basically a situation where some part of a medical history could be left out that could be very pertinent to ongoing treatment regimens," he explains.

To cope with the new requirements, Heather Jahnke, HIPAA project manager at General Health System in Baton Rouge, LA, says her organization has established an oversight committee with various operational teams; case managers will fall into the hospital operation team. "Case management is not yet a core member of the team," she explains. "But as we address their issues, [case managers] will either be pulled into the team ad hoc or will meet with the team individually."

Jahnke says that General performed a two-level assessment. First, it created an internal assessment tool focusing on privacy, she reports. That tool comprised 102 questions and was administered to all team members, who meet twice a month.

General also distributed a smaller assessment with roughly a dozen questions that was distributed to every departmental manager in the hospital, including case management. That assessment asked about their use of disclosures and health information as well as a few security-related questions, such as whether they have processes for determining access, what information is stored, and how it is secured. The next step will be to prioritize what issues under privacy will be addressed first, she says.

"Much of what we will have to spell out under case management is going to be how much of what they do is considered treatment, because a lot of the discharge planning involves continued treatment," she says. The remainder of what case managers do is considered normal health care operations, and that requires making a determination about what information will require an authorization from the patient.

According to Jahnke, case managers will need a lot of extra consent in terms of internal planning and discussions with patients and designated family members. Some of the areas already have been broadly discussed. But General has yet to look at every process in case management, she says. From the perspective of an internal hospital case manager involved in discharge planning, there are still many questions about how payers will view the role of case managers.

Most payers consider it to be normal health care operations, Jahnke says. "I don’t know how many patients are aware of the case management function within their insurance company. The question is, Do they really know that somebody is looking at all this information?’"

One of the issues General discussed from an organizational standpoint is what will happen when a physician calls to schedule a test or appointment. "They should have consent to release that information," she says. "But now we have that information, and even though we might not see the patient for two weeks, there are things we need to use that information for and disclose it for." That means the hospital must check with the payer to determine if it gets the authorization or precertification, Jahnke says. It also means determining if the hospital can take information received by another source and then disclose it back to the payer without contacting the patient, she adds.

Unfortunately, the answers to these questions are not entirely evident, she says. Everybody is still waiting for the Department of Health and Human Services to release their documents clarifying these questions. "There are still a lot more questions than answers," Jahnke says.

According to Pyles, the privacy regulations are complex. On the other hand, they really only have four or five "moving parts," he explains. The regulations essentially do two things, says Pyles. First, they establish privacy standards and ways of exercising those standards. Second, they establish the process and procedures to access patient information. With respect to privacy, there are three basic protections or tools by which privacy will be protected — consent, authorization, and the opportunity to agree or reject.

"Consent is not new," asserts Pyles. "You have been getting consent for as long as you have been in this business or you should not be in it." But a hospital has to give patients notice that they are going to release some limited information, he adds.

Where authorization is concerned, it is critical to understand that when services are provided in a patient’s home, there is a special duty to the patient, Pyles says. When patients enter a hospital, they understand and expect that they give up some of their rights to privacy, he argues. When patients enter a nursing home, they give up some of their rights to privacy. However, when patients receive services in their homes, they want their privacy to remain intact if at all possible, he says.