In Managed Care's November 1999 issue, Al Lewis, president of the Disease Management Association of America, wrote about potential pitfalls facing DM. One identified by Lewis was state privacy laws, a topic that merits further attention.
When the Health Insurance Portability and Accountability Act became law in 1996, it was the most sweeping health care legislation in decades. We haven't felt the full brunt of it yet.
HIPAA covers broad categories that include provisions for health insurance coverage portability when employees lose or change jobs. It also expands the scope for fraud-and-abuse investigations.
However, the part of the law that has been simmering on the back burner — "administrative simplification" — is going to envelop the entire health care industry in a little more than two years.
Administrative simplification requires all health care organizations — including HMOs, physicians groups, and clearinghouses — to use specific computer technology that is standard to all.
It standardizes transactions between physicians, payers, and the government — covering such things as health care claim encounter information, enrollment and disenrollment data, eligibility and referral activity, and premium payments.
Implementation will be painful and expensive for all involved. Short-term pain and suffering, however, should yield long-term benefits of reduced costs and improved quality for our health care system.
One pothole along the road to standardization is violations of privacy. On Nov. 3, 1999, the U.S. Department of Health and Human Services proposed a rule containing standards to protect privacy of health information covered under HIPAA.
The proposal includes provisions for security when exchanging the information, and more provisions that would guarantee the privacy of health information.
Privacy, insofar as DMAA is concerned, however, is where problems begin to mount. DM programs need access to information, plain and simple. Privacy guarantees that impair such accessibility can have a crippling effect on the process.
DMAA lobbied Congress intensely last summer and its efforts may have paid off. Privacy protections under the proposed rule do not extend to health care management of the individual through risk management, case management, and disease management.
Each of these is considered an extension of patient treatment under the rule. Information, in turn, may be used and disclosed in furtherance of patient treatment.
The rule is proposed, however — not final. HHS is accepting comments from the public right now pertaining to the proposal (the department is being besieged, actually) and it will review those comments before making the rule final with or without modification.
DMAA, rest assured, will do everything in its power to be sure that there is no modification with respect to carveouts.
Enter state statutes
Unfortunately, the proposed federal privacy rule does not preempt more stringent state statutes that relate to the privacy of health information. Preemption is a major issue under the rule, and is likely to be the topic of considerable debate in the future because the rule includes many exceptions to preemption.
Most states have privacy laws. Few, however, address privacy within this context. This figures to change in a hurry. In 1999 alone, lawmakers in 35 states introduced more than 300 bills relating to the confidentiality of medical records.
In 1999, California passed legislation that allows access to patient information by DM programs only after receiving authorization by treating physicians.
DMAA views the physician authorization requirement as a substantial impediment to its purpose and, undoubtedly, hopes that other states choose to follow the proposed federal rule.
Whether states choose to emulate the federal law or enact legislation along the lines of California's law remains to be seen. In making the decision, they'll no doubt be forced to weigh the importance of patient privacy rights against the public need for proactive programs that are designed to improve overall health and reduce costs.
Different ball game
DMAA successfully lobbied Congress, but lobbying successfully at the state level would be a different, more difficult, ballgame. A more likely scenario would have the DMAA hoping that most state legislation falls in line with the federal rule.
The DMAA would then have to resort to lobbying medical societies in those states, such as California, where physician authorization is required for access.
Still, I don't share the DMAA's gloom that state statutes like California's are terrible obstacles. At the present time, most states have broad physician-patient privacy statutes. Patient authorization for access to records is common, however.
For example, physicians — as a condition of treatment — generally require patient authorization to submit patient information to insurers in connection with the reimbursement process.
This is nothing more than formality. Is the DMAA's contention that physicians don't want to deal with the hassle of authorization or that they would rather not provide authorization for financial or other reasons?
Frankly, I don't see either as a viable concern for the DMAA. In any event, it's my hope that this doesn't become a widespread issue and that the majority of states will support disease management and follow the federal rule.