Disease Management: Guidelines to Compliance

 

OAHHS HIPAA Taskforce

Gwen M. Dayton, Vice President and General Counsel

 


What is Disease Management?

HIPAA does not define disease management. According to the Disease Management Association of America, disease management is a multi-disciplinary, continuum-based approach to healthcare that proactively identifies populations with, or at risk for, established medical conditions and commonly involves:

  • A population identification process

  • Evidence-based practice guidelines

  • Risk identification and matching of interventions with need

  • Patient self-management education

  • Process and outcomes measurement, evaluation and management

  • Routine reporting/feedback loop

  • Appropriate use of information technology

The Disease Management Association of America may be reached at http://www.dmaa.org.


How Does HIPAA Apply?

Generally, disease management is considered either treatment or healthcare operations. Accordingly, protected health information used for disease management purposes may be released without patient authorization. Sometimes disease management and marketing can look a lot alike. Make sure you do not engage in marketing in the guise of disease management.

  • Treatment: disease management activities focused on a specific individual generally fall within the definition of treatment, even though disease management is not specifically mentioned in it. Disease management focused on an individual may include:

    • Nurse consultation;

    • Patient self-management coaching;

    • Drug compliance reminders; and

    • Other activities that engage the patient in direct healthcare improvement.

  • Healthcare Operations: Disease management activities that are population-based or otherwise not focused on a specific patient fall within the healthcare operations exception. Healthcare operations includes:

    • Quality assessment and improvement;

    • Population-based activities related to improving health or reducing healthcare costs;

    • Protocol development;

    • Case management and care coordination;

    • Contacting healthcare providers and patients with information about treatment alternatives; and

    • Related functions that do not include treatment.

Source: Warren Todd, James M. Jacobson, HIPAAcratic or HIPAAcritic? The Final HIPAA Privacy Rule's Impact on Disease Management, presented at The Second National HIPAA Summit, Washington, D.C. Feb. 28-March 2, 2001.

  • Disease Management v. Marketing: Do not confuse disease management with marketing. The regulations define marketing as a communication about a product or service, the purpose of which is to encourage recipients of the communication to purchase or use the product or service. Use of protected health information for marketing requires a patient authorization unless specified exceptions apply (see the Marketing section of these guidelines). Any appearance of improperly using protected health information for your own financial benefit will bring with it severe enforcement penalties. Ask yourself such questions as:

    • Are you helping a patient manage their medication use or encouraging them to purchase a particular medication?

    • Are you identifying a population at risk for a particular disease or trying to promote your services as they relate to that disease?

 

Implementation Tip: If a covered entity wants to release protected health information for disease management purposes, it must include this activity in its Privacy Notice.


 

Implementation Tip: A health plan need not obtain consent to engage in disease management activities that qualify as healthcare operations.


Frequently Asked Questions

  • Is a disease management vendor my business associate? Probably yes. A vendor would be your business associate if you are a covered entity, the vendor receives patient protected health information from you, and uses the information on your behalf.

  • Can a health plan release protected health information to a disease management vendor under the treatment exception? Probably not. The preamble to the HIPAA privacy regulations states that activities of a health plan are not considered to be treatment, and a vendor may not qualify as a health care provider (see the question below). As a practical matter, however, most releases of protected health information by a health plan would be population-based rather than for a particular individual and thus covered under healthcare operations.

  • Are disease management organizations covered entities? Conceivably, but the answer is not entirely clear. The preamble to the rules states that disease management organizations may be health care providers if they offer "health care" services. To qualify as a covered entity, however, the health care provider also must transmit health information in electronic form in connection with a transaction. It is unclear how many disease management organizations engage in these transactions.


 


© Copyright 2008 OAHHS