Case managers should be involved in their organization's Health Insurance Portability and Accountability (HIPAA) compliance initiatives, but in many cases, they're left out of the planning, Linda Reeder, RN, MBA, FACHE, RNCm, has found.
'What I am seeing that concerns me is that certain key disciplines, including case management, are not being involved in their organization's HiPAA steering committee or being actively involved in one of the work groups,' says Reeder, president of Envision Consulting, a Seattle e-health and clinical information technology consulting firm.
Less than a year remains for organizations to comply with the first of the regulations that go into effect under HIPAA, and efforts at meeting the deadline should be well under way at all covered entities, which include providers, payers, and health care information clearinghouses.
Case managers, quality managers, and educators often are not involved when their organization's processes are being evaluated to comply with HIPAA, but because of the sheer number of people with whom they interface, case managers have a lot of valuable information to offer, Reeder says.
Case managers should make an effort within their organizations to be involved in HIPAA planning, particularly efforts to comply with the privacy standards and in work groups that analyze the business procedures related to key transactions, Reeder says.
'Since case managers deal with and coordinate services for external parties, they need to be at the table and dealing with the operative issues. Case managers have a real understanding of work flow and could be an important factor in the organization's compliance plan,' Reeder says.
HIPAA offers opportunities for case managers to expand their roles in their organizations. For instance, case managers are in a good position to assume the role of their organization's privacy officer, Reeder suggests.
'Because a good part of HIPAA is education, and case managers are skilled in that area, they are in a unique position and have a real opportunity to play a central role,' Reeder says.
Case managers have the educational background; they know the parties involved; and they have a lot of expertise on how the system works. Being a privacy officer in your organization could be a career step.
'Case managers should position themselves and their organizations as being a leader in privacy and e-health. They can be emphasizing to the parties they interface with what their organization is doing to protect client privacy,' Reeder says.
Another reason case managers should be involved with their organization's HIPAA task force is to make sure their needs and daily functions are met when the security regulations are enacted. Under the security regulations, access is limited to 'need to know,' and, based on your job or your role in the company, you may not be able to access certain information. ('Need to know' means whether a certain piece of information is needed for the purpose for which the release is generated.)
'Case managers should work closely with the security officer to make sure they don't get more than they need but that they do have access to all the information they need,' says Beth Hjort, HIA, AHIM, practice manager for health information management for the American Health Information Management Association in Chicago.
'The spirit of HIPAA is that the patient remain in control of his or her protected or individually identifiable health information,' Hjort says.
At present, HIPAA regulations fall into three categories: privacy, security, and transaction and code set standardization.
* The privacy regulations are scheduled to go into effect April 2003. They mandate changes in the way individually identifiable health information is handled and disclosed. The U.S. Department of Health and Human Services issued proposed changes to the HIPAA privacy regulations on March 27, 2002.
The proposed changes in the HIPAA privacy regulations have strengthened the marketing requirements. Now, patients must sign a specific authorization to have their health care information used in external marketing programs.
The changes also give entities an additional year to revise contracts with business associates. The result will be that, instead of having to renew all contracts and make them compliant with HIPAA before April 2003, organizations can add HIPAA language over time as the contracts expire.
* The security standards protect the confidentiality of health care data that are stored or transmitted and require covered entities to develop a security plan. The final standards are expected this summer, but experts don't expect them to be significantly different from the proposed regulations.
At present, because the deadline for complying with the HIPAA privacy regulations is earlier than the transaction standards deadline, many organizations are concentrating on their privacy compliance efforts.
* The transaction standards set out standardized ways that patient health, administrative, and financial data can be transmitted. The effective date of these regulations has been postponed until Oct. 16, 2003, if covered entities apply for the extension and show a good-faith effort at compliance to date.
