
Privacy implications of disease management programs

By John W. Jones, Esq.

In an effort to keep health care costs down and improve quality of health care, organizations including health plans and providers have begun adopting and implementing disease and/or care management programs. The Disease Management Association of America (DMAA) has defined disease management as “a system of coordinated health care interventions and communications for populations with conditions in which patient self-care efforts are significant.” Specifically, DMAA provides that disease management:

· Supports the physician/patient relationship and plan of care.

· Emphasizes prevention of complications and exacerbations utilizing evidence-based practice guidelines and patient empowerment strategies.

· Evaluates humanistic, clinical and economic outcomes on an on-going basis with the goal of improving a patient’s overall health.

With the advent of electronic medical records, a patient’s health history and current health condition can be made instantly available to an entire medical treatment team. Such access to and use of a patient’s medical information can be very beneficial, resulting in the most appropriate and best care being delivered to the patient, as the provider would have available the patient’s current health status, as well as any treatments the patient is receiving or medications the patient is taking. This information could affect the treating physician’s suggested care plan, work to prevent bad outcomes and ultimately improve patient care.

Typically, organizations such as managed care organizations and other types of health plans license disease management software for use by institutional and group providers to facilitate the sharing of patient information with a beneficiary’s participating physicians and other members of the treatment team. Using a PC and web-based software, participating physicians can log on to a managed care organization’s website and quickly gain access to a beneficiary’s health information. Once subscribed to the database, physicians can retrieve and review the health care information of their patients. At a minimum, this allows the participating physicians to fully consider the patient’s general health status, as well as other diagnoses and conditions that could potentially impact the care and treatment of the patient. Consequently, the physicians and their patients can take on a more active role in care planning and clinical decision-making.

On the opposite end of the spectrum, however, any electronically-based disease management program can create significant risk to an organization for unauthorized use or disclosure of such patient information. Accordingly, any disease management program must comply with applicable federal and state patient confidentiality, privacy and consent requirements.

Federal Law

Generally, under federal law, a covered entity, including a health care provider, health plan and health care clearinghouse, may not use or disclose protected health information (PHI) except as permitted or required under the privacy regulations (Privacy Rule) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A health care provider includes a physician who transmits any health information in electronic form in connection with a transaction covered by the Privacy Rule.

PHI includes individually identifiable health information, including demographic information collected from an individual, that is created or received by a covered entity or employer; that relates to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

The Privacy Rule prohibits a covered entity from using or disclosing PHI without a valid authorization unless such use or disclosure is otherwise permitted by the rule. Since a participating physician would be permitted access to an individual’s PHI through use of the web-based disease management program, any such disclosure of PHI to the physician would have to comply with HIPAA and the Privacy Rule. Requiring a health care provider to obtain the authorization of a patient before using or disclosing PHI of the patient for disease management purposes, however, is simply not practical. One of the strengths of these programs is the immediate availability of patient information for the care and treatment of the patient. Accordingly, in order to comply with HIPAA and the Privacy Rule, the parties would have to rely on an exception to the HIPAA authorization requirement. The treatment and health care operations exceptions may be viable alternatives for uses and disclosures of PHI related to disease management.

Disease management was originally mentioned in the proposed draft of the Privacy Rule under the treatment definition. In the final Privacy Rule, however, disease management had been removed from such definition. The Department of Health and Human Services (HHS) concluded that there existed no consensus industry definition or core set of activities that applied to most, if not all, disease management programs. Accordingly, without a single definition of disease management, HHS thought that utilizing it in the definition of treatment would be confusing and ripe for abuse. Instead, HHS references many disease management activities in its definition of health care operations and recognized that virtually all activities carried out as part of legitimate disease management programs should be exempt from the consent and authorization requirements under either the treatment or health care operations exceptions.


Under the Privacy Rule, treatment includes:

· Provision, coordination and management of health care and related services by one or more health care providers, including the coordination or management of health care by a health care provider with a third party.

· Consultations between health care providers relating to a patient.

· Referral of a patient for health care from one health care provider to another.

In the final Privacy Rule, HHS essentially determined that disease management activities that focused on a specific individual would fall within the treatment definition, even though the term has been removed from that definition. Accordingly, in order to utilize the treatment exception for disease management purposes, the purpose of the use or disclosure would have to be focused on a specific individual rather than population-based activities.

Health Care Operations

The Privacy Rule defines health care operations to include the following activities, provided such activities are related to covered functions of the covered entity:

· Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines (provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities).

· Population-based activities relating to improving health or reducing health care costs.

· Protocol development.

· Case management and care coordination.

· Contacting of health care providers and patients with information about treatment alternatives.

· Related functions that do not include treatment.

Disease management activities that are population-based would fall within the health care operations exception, which is quite broad and includes activities related to improving health, coordinating care, reducing health care costs, communicating treatment alternatives and outcomes evaluation. The purposes for which a participating physician would be accessing a patient’s PHI in connection with a disease management program would presumably fall within the ambit of this exception and not require patient consent or authorization.

HIPAA’s security regulations (Security Rule) impose additional requirements on a covered entity with respect to the use and disclosure of protected health information in electronic form. The Security Rule provides that a covered entity must:

· Ensure the confidentiality, integrity and availability of all electronic protected health information (EPHI) that the covered entity receives, creates, transmits or maintains.

· Protect against any reasonably anticipated hazards or threats to the integrity or security of such information, as well as any reasonably anticipated uses or disclosures of such information that are not permitted or required under the rule.

Specifically, a covered entity must implement certain administrative, physical and technical safeguards to protect EPHI. As the information that would be accessed by participating physicians under a web-based disease management program would constitute EPHI, the parties involved would also have to ensure that such program, as well as the parties’ utilizing such program, as applicable, comply with the requirements under the Security Rule.

State Law Requirements

States oftentimes have more stringent patient confidentiality, privacy and consent laws that could impact any disease management program utilized by physicians. For example, some states may require a form of consent of the patient prior to any use or disclosure of the patient’s health information even when such information is being utilized or disclosed to the patient’s treating physician or medical team. Organizations adopting and implementing disease management programs need to comply with these requirements before providing physicians with access to such patient information. Because states vary in their consent requirements, there typically is no “one-size-fits-all” consent document that can be utilized in obtaining patient authorization. Compounding this issue is that many jurisdictions also have more stringent requirements when it comes to using or disclosing certain types or classes of highly sensitive health information.

Pennsylvania, for example, provides much greater protections over the use and disclosure of mental health, drug and alcohol and HIV information. Specifically, with respect to drug and alcohol information, patient records prepared or obtained pursuant to the Drug and Alcohol Abuse Control Act may be disclosed only with patient consent and, even then, only to a limited number of recipients, such as medical personnel. Accordingly, if a disease management program permits access to a patient’s entire medical record, this type of sensitive information may be at risk of being disclosed without the proper patient authorization. Disease management programs should be designed to permit access only to that content of health information that may be disclosed. Physicians and other providers utilizing or licensing any disease management program for care management and treatment should ensure that such program is designed to permit access only to that information for which consent has or can be obtained in advance, or for which no consent is required.
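The design requirement stated above, that a program release only the portions of a record for which consent exists or is not required, is in practice a consent-gated filter applied before any record leaves the database. The following is an added illustration written for this page; it is not code from the article or from any disease management product. The patient record, the consent registry, the category names and the rule that only "medical_personnel" may receive a consented sensitive category are all constructed assumptions modelled on the sensitive classes the article names (mental health, drug and alcohol, HIV); the actual categories and recipient rules for a given jurisdiction must come from counsel.

```python
"""
Consent-gated filtering of a patient record before it is displayed through a
disease management portal.  Added example, not the article's or any vendor's
code.  All data, category names and recipient rules below are constructed
assumptions for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# Record categories that may be released to treating physicians without a
# separate consent step (assumption: ordinary treatment data).
GENERAL_CATEGORIES: FrozenSet[str] = frozenset(
    {"demographics", "diagnoses", "medications", "allergies"}
)

# Categories that require patient consent before release (assumption modelled
# on the sensitive classes the article names for Pennsylvania).
CONSENT_REQUIRED: FrozenSet[str] = frozenset({"mental_health", "drug_alcohol", "hiv"})

# Recipient types a consent may name for a sensitive category (assumption:
# only medical personnel, following the article's drug/alcohol description).
PERMITTED_RECIPIENTS: FrozenSet[str] = frozenset({"medical_personnel"})


@dataclass(frozen=True)
class Consent:
    patient_id: str
    category: str        # the sensitive category the patient agreed to release
    recipient_type: str  # the kind of recipient the patient agreed to


@dataclass
class AccessDecision:
    released: Dict[str, List[str]] = field(default_factory=dict)
    withheld: List[Tuple[str, str]] = field(default_factory=list)  # (category, reason)


def filter_record(patient_id: str, record: Dict[str, List[str]],
                  consents: List[Consent], recipient_type: str) -> AccessDecision:
    """Return only the record categories this recipient may see.

    Default-deny: a category that is neither general nor classified as
    consent-required is withheld, so an unclassified feed cannot leak through.
    Every withheld category carries a reason so the decision can be audited.
    """
    decision = AccessDecision()
    granted = {(c.category, c.recipient_type) for c in consents if c.patient_id == patient_id}
    for category, entries in record.items():
        if category in GENERAL_CATEGORIES:
            decision.released[category] = list(entries)
        elif category not in CONSENT_REQUIRED:
            decision.withheld.append((category, "unclassified category"))
        elif recipient_type not in PERMITTED_RECIPIENTS:
            decision.withheld.append((category, "recipient type not permitted"))
        elif (category, recipient_type) not in granted:
            decision.withheld.append((category, "no patient consent on file"))
        else:
            decision.released[category] = list(entries)
    return decision


# Constructed sample record and consent registry for one hypothetical patient.
SAMPLE_RECORD: Dict[str, List[str]] = {
    "demographics": ["DOB 1960-01-01 (constructed)"],
    "diagnoses": ["type 2 diabetes (constructed)"],
    "medications": ["metformin 500 mg (constructed)"],
    "drug_alcohol": ["outpatient program note (constructed)"],
    "hiv": ["lab result (constructed)"],
    "lab_imports": ["uncategorized feed (constructed)"],
}
SAMPLE_CONSENTS: List[Consent] = [
    Consent("pt-001", "drug_alcohol", "medical_personnel"),
]


def physician_view() -> AccessDecision:
    """A treating physician with one consent on file for drug/alcohol records."""
    return filter_record("pt-001", SAMPLE_RECORD, SAMPLE_CONSENTS, "medical_personnel")


def coordinator_view() -> AccessDecision:
    """A non-medical care coordinator: sensitive categories are never released."""
    return filter_record("pt-001", SAMPLE_RECORD, SAMPLE_CONSENTS, "care_coordinator")


if __name__ == "__main__":
    for label, view in (("physician", physician_view()), ("coordinator", coordinator_view())):
        print(label, "released:", sorted(view.released))
        print(label, "withheld:", view.withheld)
```

The point of the default-deny branch is the article's warning about programs that expose "a patient’s entire medical record": segmentation only works if every category in the store is classified, so an unclassified category is withheld rather than assumed general. The withheld reasons double as an audit trail, which is what a reviewer checking Security Rule technical safeguards would ask to see.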

Disease management programs can be an invaluable tool for assisting physicians and other providers with care management and treatment of patients. Their use, however, is not without risk. Organizations that license such programs and physicians who utilize them need to be fully aware of the challenges presented and ensure that any use or disclosure of patient information complies with both federal and state law.

John W. Jones, Esq., is a member of the Health Care Services Group at Pepper Hamilton LLP in Philadelphia, Pa.
