Law And Disorder: The Impact Of The Final HIPAA Privacy Rule On Disease Management
DM under the Proposed HIPAA Privacy Rule
The Department of Health and Human Services (HHS) mentioned "disease
management" only once in its proposed HIPAA privacy rules, but it
was the mother of all mentions. The proposed rule elevated disease management
(DM) to the rule's most sacrosanct realm of protected activities, including it
in the definition of "treatment" and thereby shielding it from one of
the most onerous hurdles of the rule -- the requirement for obtaining patient
consent before health plans and providers can share protected health information
with DM programs. Other than in that single but momentous mention, the proposed
rule was absolutely silent about DM, containing no regulatory history or other
explanation of HHS's intent.
But even that single mention protected the industry's most critical
activities, safeguarding patient access to high quality DM programs by
preserving their disease managers' access to crucial patient data. Disease
managers desperately need unhindered access to identifiable patient data in
insurance claims, medical records, and provider consultations in order to (i)
identify patients who would benefit from their programs; (ii) risk stratify
eligible patients; (iii) communicate best practices information to treating
physicians; (iv) conduct population management activities; and (v) teach
self-management skills. The inclusion of the two simple words "disease
management" in the proposed rule's treatment exception had a sort of
simple elegance, a clarity of interpretation that would have made it easy for
companies to ensure compliance without engaging lawyers and consultants to pore
over every pore of the rule.
DM Under the Final HIPAA Privacy Rule
The long-awaited final HIPAA privacy rule, however, turns the proposed
rule's approach to DM on its head, or at least on its side. The final rule
includes some ten pages of detailed preambular exegesis about DM, mentioning DM
at least twenty-five times and analyzing practically every aspect of health
information usage in disease and population management activities. Nevertheless,
the one thing that HHS left out is the proposed rule's vital inclusion of
disease management in the treatment definition, stripping the regulation itself
of even a single mention of disease management. The resulting confusion has left
health plans, employer welfare plans, disease management vendors, PBMs, and
other buyers and sellers of DM products as well as doctors, nurse and patients,
scratching their heads, unsure if the industry's victory in the proposed rule
is still healthy, terminally ill, or simply disordered. Why did HHS remove DM
from the rule language, and what are the implications for the industry? How do
the DM-related provisions interact with the new marketing rules? Are DM vendors
now regarded as health care providers, or even as covered entities.
This article argues that the HIPAA final privacy rule does in fact maintain
-- and even extend -- the protections of the proposed rule for legitimate
DM programs; it has simply switched these protections from the rule language to
the Preamble. Unfortunately, it may take a brain surgeon (or a lawyer with too
much time on his hands) to be able to tell you precisely how. With access to
both, the Disease Management Association of America (DMAA) is already preparing
a comprehensive guide on HIPAA compliance that will answer the hundreds of
specific questions about the application of HIPAA to all of the various DM
stakeholders. Because this lawyer has too little time on his hands, this article
can only attempt to grapple with the big picture issues.
The Industry's Impact on the Final HIPAA Rule
It is at least clear that HHS listened to the industry's concerns and
seriously deliberated upon the voluminous comments filed by DMAA, its member
companies (such as American Healthways, Inc. [NASDAQ: AMHC], and other
associations and companies with an interest in DM. HHS met with DMAA and its
members on at least four occasions, including two times following the proposed
rule, to focus specifically on disease management privacy concerns. On another
occasion, HHS invited DMAA representatives to assist it with its fact-finding
and drafting of the marketing provisions of the rules, in order to allay HHS's
initially misguided concerns that DM was indistinguishable from pharmaceutical
marketing activities.
DMAA's original input, of course, was instrumental in getting DM protected
in the treatment exception to patient authorization in the proposed rule. In its
written comments and subsequent discussions with HHS, DMAA continued to argue
for inclusion of DM in the treatment definition as the clearest and simplest
alternative. However, many of the health plan and insurer organizations who
filed...
To continue reading
Request your trial