110 likes | 657 Views
Disease Management and the HIPAA Privacy Rule. Bradley J. Trudell WPS Health Insurance. Definition of Disease Management (from DMAA.org).
E N D
Disease Management and the HIPAA Privacy Rule Bradley J. Trudell WPS Health Insurance
Definition of Disease Management (from DMAA.org) • Disease Management is a system of coordinated healthcare interventions and communications for populations with conditions in which patient self-care efforts are significant . Disease management: • supports the physician or practitioner/patient relationship and plan of care, • emphasizes prevention of exacerbations and complications utilizing evidence-based • practice guidelines and patient empowerment strategies, and • evaluates clinical, humanistic, and economic outcomes on an going basis with the goal of improving overall health.
Disease Management Components include: • Population Identification processes • Evidence-based practice guidelines • Collaborative practice models to include physician and support-service providers • Patient self-management education (may include primary prevention, behavior modification programs, and compliance/surveillance) • Process and outcomes measurement, evaluation, and management • Routine reporting/feedback loop (may include communication with patient, physician, health plan and ancillary providers, and practice profiling) • Full Service Disease Management Programs must include all 6 components. Programs consisting of fewer components are Disease Management Support Services.
Disease Management (“DM”) is an approach to patient care that seeks to limit “preventable” events by maximizing patient adherence to prescribed treatments and to health-promoting behaviors. • For patients with chronic diseases, the anticipated benefits of DM include: • Superior clinical outcomes • Improved functional capacity and quality of life • Lower health care costs • Reduced need for hospitalization, surgery, or other invasive care • Greater access to care support service
The Disease Management Dilemma • HIPAA’s authors struggled to categorize DM • The dilemma: How to not undercut the benefits of DM – reining in the high costs of chronic diseases and improving treatment outcomes – by requiring DM companies to obtain patient authorizations • Why? Authorizations would impede DM, since protected health information (“PHI”) must be received in advance to ID patients who should participate • But under the HIPAA Privacy Rule, DM companies are not “providers,” so they do not have unfettered access to PHI for treatment, payment, and health care operations
DM and the Proposed HIPAA Privacy Rule • Under originally proposed rule, DM companies were considered “providers” and would have had easy access to PHI • DM was included under definition of “treatment” • But HHS scrapped this approach because “DM industry” is relatively new • Due to lack of a widely accepted definition of DM, HHS didn’t want to create an exception to use and disclosure of PHI w/o patient authorization that could be used by anyone calling themselves DM, including marketers and drug companies
DM and the Final HIPAA Privacy Rule • Under the Final Privacy Rule, DM is taken out of definition of “treatment” and isn’t mentioned at all in Rule itself • Instead, Rule specifically lists many DM activities under the “treatment” and “health care operations” exceptions • Rule’s Preamble says virtually all DM activities should be protected from authorization requirement under either the “treatment” or “health care operations” exceptions • Important victory for DM, because requiring DM companies to get opt-in authorizations would have killed the industry
DM and the Final HIPAA Privacy Rule • Treatment: DM activities focused on a specific individual fall within treatment, even though DM is no longer mentioned in the treatment definition, and include – • Nurse chat • Patient self-management coaching • Drug compliance reminders • Other activities that engage the patient in direct health care improvement • Concern: Under the Rule, it’s unclear if health plans can use this treatment exception to use internally, or provide PHI to DM organizations, which are business associates of health plans. HHS must clarify.
DM and the Final HIPAA Privacy Rule • Health Care Operations: DM activities that are population-based fall under health care operations and include – • Quality assessment and improvement, including outcomes evaluation and development of clinical guidelines • Population-based activities related to improving health or reducing health care costs • Protocol development • Case management and care coordination • Contacting providers and patients with information on treatment alternatives • Related functions that do not include treatment • Health plans may use internally,or disclose PHI for these activities to DM organizations as their business associates.
DM and the Modified Final HIPAA Privacy Rule • Aug. 14, 2002 modifications to Privacy Rule clarify that communications regarding DM will generally NOT be considered Marketing • “Marketing” means “to make a communication about a product or service that encouraged recipients of the communication to purchase or use the product or service” • Modifications state that care coordination and case management -- core services of DM -- are not Marketing • This distinction will help DM programs, which do not push any particular drug, treatment, or medical equipment, to maintain their credibility