Disease Management and the HIPAA Privacy Rule

1
Disease Management and the HIPAA Privacy Rule

• Bradley J. Trudell
• WPS Health Insurance

2
Definition of Disease Management (from DMAA.org)

• Disease Management is a system of coordinated
  healthcare interventions and communications for
  populations with conditions in which patient
  self-care efforts are significant . Disease
  management
• supports the physician or practitioner/patient
  relationship and plan of care,
• emphasizes prevention of exacerbations and
  complications utilizing evidence-based
• practice guidelines and patient empowerment
  strategies, and
• evaluates clinical, humanistic, and economic
  outcomes on an going basis with the goal of
  improving overall health.

3
Disease Management Components include

• Population Identification processes
• Evidence-based practice guidelines
• Collaborative practice models to include
  physician and support-service providers
• Patient self-management education (may include
  primary prevention, behavior modification
  programs, and compliance/surveillance)
• Process and outcomes measurement, evaluation, and
  management
• Routine reporting/feedback loop (may include
  communication with patient, physician, health
  plan and ancillary providers, and practice
  profiling)
• Full Service Disease Management Programs must
  include all 6 components. Programs consisting of
  fewer components are Disease Management Support
  Services.

4
Disease Management (DM) is an approach to
patient care that seeks to limit preventable
events by maximizing patient adherence to
prescribed treatments and to health-promoting
behaviors.

• For patients with chronic diseases, the
  anticipated benefits of DM include
• Superior clinical outcomes
• Improved functional capacity and quality of life
• Lower health care costs
• Reduced need for hospitalization, surgery, or
  other invasive care
• Greater access to care support service

5
The Disease Management Dilemma

• HIPAAs authors struggled to categorize DM
• The dilemma How to not undercut the benefits of
  DM reining in the high costs of chronic
  diseases and improving treatment outcomes by
  requiring DM companies to obtain patient
  authorizations
• Why? Authorizations would impede DM, since
  protected health information (PHI) must be
  received in advance to ID patients who should
  participate
• But under the HIPAA Privacy Rule, DM companies
  are not providers, so they do not have
  unfettered access to PHI for treatment, payment,
  and health care operations

6
DM and the Proposed HIPAA Privacy Rule

• Under originally proposed rule, DM companies were
  considered providers and would have had easy
  access to PHI
• DM was included under definition of treatment
• But HHS scrapped this approach because DM
  industry is relatively new
• Due to lack of a widely accepted definition of
  DM, HHS didnt want to create an exception to use
  and disclosure of PHI w/o patient authorization
  that could be used by anyone calling themselves
  DM, including marketers and drug companies

7
DM and the Final HIPAA Privacy Rule

• Under the Final Privacy Rule, DM is taken out of
  definition of treatment and isnt mentioned at
  all in Rule itself
• Instead, Rule specifically lists many DM
  activities under the treatment and health care
  operations exceptions
• Rules Preamble says virtually all DM activities
  should be protected from authorization
  requirement under either the treatment or
  health care operations exceptions
• Important victory for DM, because requiring DM
  companies to get opt-in authorizations would have
  killed the industry

8
DM and the Final HIPAA Privacy Rule

• Treatment DM activities focused on a specific
  individual fall within treatment, even though DM
  is no longer mentioned in the treatment
  definition, and include
• Nurse chat
• Patient self-management coaching
• Drug compliance reminders
• Other activities that engage the patient in
  direct health care improvement
• Concern Under the Rule, its unclear if health
  plans can use this treatment exception to use
  internally, or provide PHI to DM organizations,
  which are business associates of health plans.
  HHS must clarify.

9
DM and the Final HIPAA Privacy Rule

• Health Care Operations DM activities that are
  population-based fall under health care
  operations and include
• Quality assessment and improvement, including
  outcomes evaluation and development of clinical
  guidelines
• Population-based activities related to improving
  health or reducing health care costs
• Protocol development
• Case management and care coordination
• Contacting providers and patients with
  information on treatment alternatives
• Related functions that do not include treatment
• Health plans may use internally,or disclose PHI
  for these activities to DM organizations as their
  business associates.

10
DM and the Modified Final HIPAA Privacy Rule

• Aug. 14, 2002 modifications to Privacy Rule
  clarify that communications regarding DM will
  generally NOT be considered Marketing
• Marketing means to make a communication about
  a product or service that encouraged recipients
  of the communication to purchase or use the
  product or service
• Modifications state that care coordination and
  case management -- core services of DM -- are not
  Marketing
• This distinction will help DM programs, which do
  not push any particular drug, treatment, or
  medical equipment, to maintain their credibility

11

• Questions/Discussion