HIPAA Regulatory Alert: Privacy and security rules affect development of care management and outcomes improvement programs
Privacy and security rules affect development of care management and outcomes improvement programs
Take all reasonable steps to comply with federal law, expert says
Many managed care organizations use care management programs to improve care to members while also saving money. To effectively manage patients’ care, providers need the most information possible, says John Jones, an attorney in the Philadelphia office of Pepper Hamilton LLP. The question becomes, under HIPAA, whether managed care organizations can disclose patient information to all providers for any reason.
Jones tells HIPAA Regulatory Alert provider disclosures usually are electronic because providers attempt to access the care management programs through their computer systems. "If you are going to a cardiologist, the doctor will want to know everything about you that is in the system," he says. "We advise care management vendors to develop software that will restrict or exclude information. What we hope will remain is the basic health care information, such as a history, that can arguably be disclosed without patient consent for treatment purposes."
According to Jones, there is a HIPAA exception for health care operations that includes information for care management. But he says state law doesn’t always consider the applicability of the information. Pennsylvania law, for instance, allows managed care organizations to disclose information for care management upon patient consent. To the extent possible, the patient is to remain anonymous.
Jones adds that depending on the jurisdiction, protected information may be delivered as part of marketing materials. Those disclosing information should note they are doing it to provide a higher quality of care, he says. If a jurisdiction requires consent but doesn’t specify the type, an opt-out form might be acceptable for implied consent.
"If the jurisdiction in which a provider is working requires express consent, you need to get the consent up front, even for treatment," Jones says. "States seem to take the privacy of health information very seriously."
There are privacy concerns any time a virtual electronic medical record is created. This may be particularly true if a National Health Information Infrastructure is developed, a move being pushed by federal officials interested in care management and the sharing of provider and patient information to improve public health. The thought behind a National Health Information Infrastructure is that it would be a secure, interconnected reporting of data from which providers and other healthcare professionals could learn about their patients and make sound health care-related decisions.
"We continue to see clients pushing and the law catching up," Jones says. "If you can demonstrate that care management improves health care and take all reasonable steps to comply with the federal law, you’re going to be pretty safe, even if you’re at risk under some state laws. If you need to be cautious at the state level, you should not make highly sensitive information available such as HIV, mental health, or substance abuse information."
[Contact John Jones at (215) 981-4706.]
To effectively manage patients care, providers need the most information possible. The question becomes, under HIPAA, whether managed care organizations can disclose patient information to all providers for any reason
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.