ARTICLE
7 December 2001

Law And Disorder: The Impact Of The Final HIPAA Privacy Rule On Disease Management

United States Litigation, Mediation & Arbitration

DM under the Proposed HIPAA Privacy Rule

The Department of Health and Human Services (HHS) mentioned "disease management" only once in its proposed HIPAA privacy rules, but it was the mother of all mentions. The proposed rule elevated disease management (DM) to the rule’s most sacrosanct realm of protected activities, including it in the definition of "treatment" and thereby shielding it from one of the most onerous hurdles of the rule -- the requirement for obtaining patient consent before health plans and providers can share protected health information with DM programs. Other than in that single but momentous mention, the proposed rule was absolutely silent about DM, containing no regulatory history or other explanation of HHS’s intent.

But even that single mention protected the industry’s most critical activities, safeguarding patient access to high quality DM programs by preserving their disease managers’ access to crucial patient data. Disease managers desperately need unhindered access to identifiable patient data in insurance claims, medical records, and provider consultations in order to (i) identify patients who would benefit from their programs; (ii) risk stratify eligible patients; (iii) communicate best practices information to treating physicians; (iv) conduct population management activities; and (v) teach self-management skills. The inclusion of the two simple words "disease management" in the proposed rule’s treatment exception had a sort of simple elegance, a clarity of interpretation that would have made it easy for companies to ensure compliance without engaging lawyers and consultants to pore over every pore of the rule.

DM Under the Final HIPAA Privacy Rule

The long-awaited final HIPAA privacy rule, however, turns the proposed rule’s approach to DM on its head, or at least on its side. The final rule includes some ten pages of detailed preambular exegesis about DM, mentioning DM at least twenty-five times and analyzing practically every aspect of health information usage in disease and population management activities. Nevertheless, the one thing that HHS left out is the proposed rule’s vital inclusion of disease management in the treatment definition, stripping the regulation itself of even a single mention of disease management. The resulting confusion has left health plans, employer welfare plans, disease management vendors, PBMs, and other buyers and sellers of DM products, as well as doctors, nurses, and patients, scratching their heads, unsure if the industry’s victory in the proposed rule is still healthy, terminally ill, or simply disordered. Why did HHS remove DM from the rule language, and what are the implications for the industry? How do the DM-related provisions interact with the new marketing rules? Are DM vendors now regarded as health care providers, or even as covered entities?

This article argues that the HIPAA final privacy rule does in fact maintain -- and even extend -- the protections of the proposed rule for legitimate DM programs; it has simply switched these protections from the rule language to the Preamble. Unfortunately, it may take a brain surgeon (or a lawyer with too much time on his hands) to be able to tell you precisely how. With access to both, the Disease Management Association of America (DMAA) is already preparing a comprehensive guide on HIPAA compliance that will answer the hundreds of specific questions about the application of HIPAA to all of the various DM stakeholders. Because this lawyer has too little time on his hands, this article can only attempt to grapple with the big picture issues.

The Industry’s Impact on the Final HIPAA Rule

It is at least clear that HHS listened to the industry’s concerns and seriously deliberated upon the voluminous comments filed by DMAA, its member companies (such as American Healthways, Inc. [NASDAQ: AMHC]), and other associations and companies with an interest in DM. HHS met with DMAA and its members on at least four occasions, including two times following the proposed rule, to focus specifically on disease management privacy concerns. On another occasion, HHS invited DMAA representatives to assist it with its fact-finding and drafting of the marketing provisions of the rules, in order to allay HHS’s initially misguided concerns that DM was indistinguishable from pharmaceutical marketing activities.

DMAA’s original input, of course, was instrumental in getting DM protected in the treatment exception to patient authorization in the proposed rule. In its written comments and subsequent discussions with HHS, DMAA continued to argue for inclusion of DM in the treatment definition as the clearest and simplest alternative. However, many of the health plan and insurer organizations who filed comments with HHS argued that DM should be protected in the "health care operations" exemption of the rules, because they feared that health plans could not conduct treatment under the rule, and therefore could not disclose protected health information pursuant to the treatment exception. On the other side of the political spectrum, the consumer and certain provider lobbies argued that covered entities and their business associates should not be able to use or disclose protected health information for DM purposes without patient (or physician) consent. They feared that unless HHS corralled DM into a specific set of entities, activities, or definitions, virtually anyone could say they were doing DM, thereby avoiding the burden to seek permission for data exchanges that might have nothing to do with improving a patient’s health care condition (e.g., marketing).

The Final HIPAA Rule’s Impact on the Industry

1. Uses and Disclosures of Protected Health Information for DM Purposes. Based on its comprehensive consideration of all three sides of the issue, HHS determined that there was no consensus industry definition or core set of activities applicable to all (or even most) DM programs and entities. Interestingly, HHS did explicitly acknowledge DMAA’s input on this question and, in a unique reference, cited to DMAA’s definition of DM and website address directly in the text of the Preamble. Unfortunately, however, HHS declined to adopt DMAA’s definition of DM – as the State of California has in its privacy law – because it believed that the industry is still too young to fix a definition. Therefore, without a definition, HHS thought that mentioning DM by name would be confusing and open to abuse by wolves in sheep’s clothing.

Nonetheless, HHS did specifically name many DM activities in the actual language of the "health care operations" exception, and in the Preamble recognized that virtually all other activities carried out as part of legitimate DM programs (both internal health plan and outsourced) should be protected from the requirement to obtain patient consents or authorizations under either the "treatment" or "health care operations" exceptions. This is an overwhelming success for patients, payors, vendors, and other DM industry stakeholders.

2. Treatment. As a general rule, HHS determined in the final rule that DM activities focused on a specific individual fall within treatment, even though DM is no longer mentioned in the treatment definition. These would presumably include:

  • nurse chat;
  • patient self-management coaching;
  • drug compliance reminders; and
  • other activities that engage the patient in direct health care improvement.

But here’s the rub. By removing DM from the "treatment" definition, it is not clear how health plan covered entities can make use of the treatment exception in order to provide data to DM organizations for these purposes, even though that is HHS’s clear intent. The "treatment" exception definition provides:

Treatment means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party; consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.

According to this definition, DM organizations still may obtain protected health information from a health care provider, even if they are not "health care providers" themselves (but see below). This much we already clearly understood before the release of the final rule. What has not been well understood so far is that, arguably, DM organizations may also receive identifiable patient data directly from a health plan via the "treatment" exception because of an arcane passage buried deep within the Preamble: "We [HHS] note that this rule permits a covered entity [which would include a health plan] to disclose protected health information to any person for treatment purposes, without specific authorization from the patient." But just when it seems that HHS has it right, it throws us a curveball. The Preamble also states that "activities of a health plan are not considered to be treatment." So how are we to read these two statements together? As simply an example of law and disorder? Unfortunately, it seems that nothing in this mega-rule is clear and simple; rather, it is just protean enough that one can always find some language to contravene one’s previous understanding of the rule. Clearly, if HHS is to protect managed care enrollees’ access to high quality DM programs, this particular question should be resolved in future rule amendments or on Capitol Hill by adopting the former meaning and discarding the latter.

3. Health Care Operations. Those DM activities that are population-based or otherwise not focused on a specific patient fall within the healthcare operations exception. Happily, this exception is better defined and more clearly applicable to health plans sharing data with their DM business associates. Protected functions include:

  • quality assessment and improvement, including outcomes evaluation and development of clinical guidelines;
  • population-based activities related to improving health or reducing health care costs;
  • protocol development;
  • case management and care coordination;
  • contacting healthcare providers and patients with information about treatment alternatives; and
  • related functions that do not include treatment.

Moreover, for all population-based activities that fall within the health care operations exception above, not only is there no "authorization" required, but there is also no requirement for the one-time "consent" (which is applicable to health care providers who use or disclose protected health information for treatment, payment, or health care operations purposes). The rule and Preamble make absolutely clear that covered entities such as HMOs, insurers, and employer health plans may disclose protected health information to DM organizations as their business associates; DM organizations may then redisclose the information to their own business associates for these health care operations purposes without the need for either a "consent" or "authorization." This, too, was a huge success for DMAA and for the disease management industry.

4. DM Vendors as Health Care Providers? In its comments on the proposed rule, DMAA and others had asked HHS to verify that a DM organization would not be considered a "health care provider" under that phrase’s definition. (In relevant part, the definition states: "Health care provider means . . . any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." The definition of "health care" includes, in relevant part, "services, or supplies related to the health of an individual. . . [and] includes, but is not limited to . . . [p]reventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body. . .")

The concern for DM organizations, beyond the potential for increased state liability and regulatory exposure, was the prospect that DM organizations could be treated as "covered entities" under the rule, and therefore subject not only to the rule’s penalties, but also to the monstrously expensive and burdensome administrative requirements, policies and procedures, and workplace reforms that make up the bulk of the rule’s predicted $20 to 40 billion HIPAA price tag. HHS itself, in all of our meetings, had always referred to DM organizations as "business associates," not as "health care providers" or "covered entities"; they seemed to understand that the HIPAA statute did not intend to cover organizations simply because they employed providers. In the final rule, however, HHS has muddied things further, rather than clarified them. The actual rule’s definitions, above, provide little guidance, and the massive Preamble is entirely tautological; it provides that DM organizations may indeed be health care providers, if they offer "health care" services. (Interestingly, the Preamble also applies this doctrine to other entities, which, like DM organizations, are not health care providers themselves, but often employ health care providers to deliver services, such as employee assistance companies, pharmaceutical benefits managers, and pharmaceutical and device makers.)

Therefore, unfortunately, many DM vendors are at risk of being labeled as health care providers. While that risk carries unacceptable and unintended consequences for DM vendors under state and other federal law (as well as much higher legal and consulting needs), we believe, fortunately, that it still may not affect HIPAA’s treatment of DM vendors. The Preamble, in HIPAA’s typically contrapuntal scheme, also provides that simply being a "health care provider" does not make a company a "covered entity" unless it transmits health information in electronic form in connection with a "transaction." "Transactions" are data transmissions between two parties to carry out financial or administrative activities related to health care, including: claims processing or similar encounters; payment or remittance advice; coordination of benefits; healthcare claims status; enrollment, disenrollment or eligibility in a health plan; premium payments; referral certification or authorization; and health care claims attachments. However, it is unclear how many DM vendors may transmit data in connection with a transaction, and even if no vendor currently does so, once Medicare begins to reimburse disease management services directly, they clearly will have to do so.

To its credit or shame, we are not sure which, HHS confesses at one point in the Preamble that it is not really sure after all what a health care provider is, and decides to leave the question open to future rule amendments. For that reason, in addition to the intent of the HIPAA Congress only to include traditionally recognizable providers (e.g., doctors, nurses, hospitals) in the definition of health care provider, we believe that HHS would not make any attempt to treat DM vendors as providers or to enforce the rule against them as covered entities, even if they did transmit data in connection with transactions. But HHS should remove all doubt as quickly as possible in order to prevent the needless expense of risk management and the potential that state agencies will begin to piggyback off HIPAA to treat DM vendor companies as providers.

5. DM and Marketing.

Perhaps the DM industry’s biggest success in the final rule was its impact on HHS’s treatment of uses and disclosures of patient data for marketing purposes. HHS specifically asked DMAA to assist it in separating "the wheat from the chaff," i.e., those patient contacts and communications that were for the patient’s health care benefit versus those whose only or primary purpose was to sell a product. While HHS did not adopt a "primary purpose" test, as some states have done, it did clearly separate out and protect important patient contacts, including DM, from other marketing that will now require patient authorization. HHS therefore defines "marketing" in the final rule, in relevant part, as:

to make a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service.

(1) Marketing does not include communications that meet the requirements of paragraph (2) of this definition and that are made by a covered entity:

(ii) That are tailored to the circumstances of a particular individual and the communications are:

(A) Made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual; or

(B) Made by a health care provider or health plan to an individual in the course of managing the treatment of that individual, or for the purpose of directing or recommending to that individual alternative treatments, therapies, health care providers, or settings of care.

(2) A communication described in paragraph (1) of this definition is not included in marketing if:

(i) The communication is made orally; or

(ii) The communication is in writing and the covered entity does not receive direct or indirect remuneration from a third party for making the communication.

While the definition does not specifically mention DM vendors, other sections of the rule do very clearly permit all covered entities, including health plans, to transmit key patient data to DM vendors as their business associates, and therefore permit DM vendors to further use and disclose the data without authorization.

'The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.'
