Law And Disorder: The Impact Of The Final HIPAA Privacy Rule On Disease Management

DM under the Proposed HIPAA Privacy Rule

The Department of Health and Human Services (HHS) mentioned "disease

management" only once in its proposed HIPAA privacy rules, but it

was the mother of all mentions. The proposed rule elevated disease management

(DM) to the rule's most sacrosanct realm of protected activities, including it

in the definition of "treatment" and thereby shielding it from one of

the most onerous hurdles of the rule -- the requirement for obtaining patient

consent before health plans and providers can share protected health information

with DM programs. Other than in that single but momentous mention, the proposed

rule was absolutely silent about DM, containing no regulatory history or other

explanation of HHS's intent.

But even that single mention protected the industry's most critical

activities, safeguarding patient access to high quality DM programs by

preserving their disease managers' access to crucial patient data. Disease

managers desperately need unhindered access to identifiable patient data in

insurance claims, medical records, and provider consultations in order to (i)

identify patients who would benefit from their programs; (ii) risk stratify

eligible patients; (iii) communicate best practices information to treating

physicians; (iv) conduct population management activities; and (v) teach

self-management skills. The inclusion of the two simple words "disease

management" in the proposed rule's treatment exception had a sort of

simple elegance, a clarity of interpretation that would have made it easy for

companies to ensure compliance without engaging lawyers and consultants to pore

over every pore of the rule.

DM Under the Final HIPAA Privacy Rule

The long-awaited final HIPAA privacy rule, however, turns the proposed

rule's approach to DM on its head, or at least on its side. The final rule

includes some ten pages of detailed preambular exegesis about DM, mentioning DM

at least twenty-five times and analyzing practically every aspect of health

information usage in disease and population management activities. Nevertheless,

the one thing that HHS left out is the proposed rule's vital inclusion of

disease management in the treatment definition, stripping the regulation itself

of even a single mention of disease management. The resulting confusion has left

health plans, employer welfare plans, disease management vendors, PBMs, and

other buyers and sellers of DM products as well as doctors, nurse and patients,

scratching their heads, unsure if the industry's victory in the proposed rule

is still healthy, terminally ill, or simply disordered. Why did HHS remove DM

from the rule language, and what are the implications for the industry? How do

the DM-related provisions interact with the new marketing rules? Are DM vendors

now regarded as health care providers, or even as covered entities.

This article argues that the HIPAA final privacy rule does in fact maintain

-- and even extend -- the protections of the proposed rule for legitimate

DM programs; it has simply switched these protections from the rule language to

the Preamble. Unfortunately, it may take a brain surgeon (or a lawyer with too

much time on his hands) to be able to tell you precisely how. With access to

both, the Disease Management Association of America (DMAA) is already preparing

a comprehensive guide on HIPAA compliance that will answer the hundreds of

specific questions about the application of HIPAA to all of the various DM

stakeholders. Because this lawyer has too little time on his hands, this article

can only attempt to grapple with the big picture issues.

The Industry's Impact on the Final HIPAA Rule

It is at least clear that HHS listened to the industry's concerns and

seriously deliberated upon the voluminous comments filed by DMAA, its member

companies (such as American Healthways, Inc. [NASDAQ: AMHC], and other

associations and companies with an interest in DM. HHS met with DMAA and its

members on at least four occasions, including two times following the proposed

rule, to focus specifically on disease management privacy concerns. On another

occasion, HHS invited DMAA representatives to assist it with its fact-finding

and drafting of the marketing provisions of the rules, in order to allay HHS's

initially misguided concerns that DM was indistinguishable from pharmaceutical

marketing activities.

DMAA's original input, of course, was instrumental in getting DM protected

in the treatment exception to patient authorization in the proposed rule. In its

written comments and subsequent discussions with HHS, DMAA continued to argue

for inclusion of DM in the treatment definition as the clearest and simplest

alternative. However, many of the health plan and insurer organizations who

filed...

To continue reading

Request your trial

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT