Ms. Gail Horlick, JD, MSW
Staff
National Committee for Vital Health Statistics ("NCVHS")
Privacy and Confidentiality Subcommittee

Re: Comments to Final Rule Regarding Standards for Privacy of Individually Identifiable Health Information

Dear Ms. Horlick and Subcommittee Members:

The Disease Management Association of America ("DMAA") appreciates the opportunity to submit the following comments concerning the final rules setting forth Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462 (Dec. 28, 2000) for use by NCVHS in its mission to advise HHS on practical solutions to problems with the Privacy Rule. DMAA is a non-profit, voluntary membership organization that represents the disease management community. DMAA's goals include: (1) promoting high quality standards for disease management programs, support services and educational materials; and (2) educating consumers, payers, providers, accreditation bodies, legislators, and regulators on the importance of disease management in the enhancement of individual and population-based health.

DMAA appreciates the efforts of NCVHS and the Department of Health and Human Services (HHS) to address many of the industry's concerns with the Privacy Rules. It is apparent that HHS seriously considered the comments to the proposed Privacy Rules, comments to the final Privacy Rules, and suggested Guidance previously filed by DMAA and other organizations and companies with an interest in disease management. We would ask that NCVHS also consider these prior-filed public documents in addition to our comments below.

We deeply appreciate the chance to testify at the NCVHS hearings, and to provide you with the attached written comments. Please do not hesitate to call either one of us with any further questions or concerns.

Sincerely,

Victor Villagra, President

James M. Jacobson, General Counsel

Enc. (DMAA Comments for NCVHS)

Cc: Board of Directors & Government Affairs Committee, DMAA

Disease Management Association of America

Comments for the

National Committee on Vital and Health Statistics
Subcommittee on Privacy and Confidentiality

I. "Minimum Necessary".

• Regulation overview

  Under the Privacy Rules implementing portions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), covered entities must take reasonable steps to limit the use or disclosure of protected health information (PHI) to the "minimum necessary" to accomplish the intended purpose of the use or disclosure. See 42 C.F.R. §§ 164.502(b), 164.514(d). Covered entities must implement specifications regarding the minimum necessary uses and disclosures of PHI. See 42 C.F.R. § 164.514(d). This involves:

  • Identifying the persons in the covered entity's workforce who need access to PHI to carry out their duties;
  • Identifying the categories of PHI to which specified persons need access and any conditions appropriate to such access;
  • Making reasonable efforts to limit access as appropriate;
  • For routine and recurring disclosures, implementing policies and procedures that limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure;
  • For all other disclosures, developing criteria to limit the PHI disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and
  • Reviewing requests for nonroutine or nonrecurring disclosures on an individual basis in accordance with established criteria.

Id at (d)(3). In certain situations, a covered entity may rely on a requested disclosure as the minimum necessary for the stated purpose when the information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose. Id. at (d)(3)(iii)(C). A covered entity may not use, disclose, or request an entire medical record unless the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. Id. at (d)(5).

• DMAA position.

The guidance ("Guidance") recently issued by the Department of Health and Human Services ("HHS") states that, where the entire medical record is necessary, the covered entity's policies and procedures must state so explicitly and must justify the necessity of the entire record. See Guidance at 11. As a preliminary matter, it is unlikely that a single entity ever holds a complete medical record for any individual patient. A hospital would have one set of records, while physicians, clinical laboratories, rehabilitation agencies, and other providers would have different sets of records for the patient. This is precisely why disease managers working with patients with chronic, complex, or multiple conditions, must have unfettered access to all of the records of a patient who is enrolled in its disease management program. A disease manager must be able to gather a patient's data from a variety of sources in order to facilitate and coordinate the patient's care, improve health status, and reduce health care costs.

The Institute of Medicine ("IOM") recently released a landmark study (the "Report") of the American health care delivery system entitled, Crossing the Quality Chasm: A New Health System for the 21^st Century (National Academy of Sciences, March 1, 2001). In the Report, the IOM Committee on the Quality of Health Care observes that "[c]hronic conditions are now the leading cause of illness, disability and death." Report at 3. The Report recommends that clinicians and institutions actively collaborate and communicate to ensure an appropriate coordination of care and exchange of information. The Report states, "[e]ffective methods of communication, both among caregivers and between caregivers and patients, are critical to providing high-quality care." Id.

Comprehensive disease management programs serve as the ideal vehicle for coordinating and sharing pertinent information to enhance patient care, but disease managers need unfettered access to a broad array of medical information. Disease management programs become a central repository for the most complete medical information about participating patients because they receive information from all sources - claims agents, laboratories, pharmacies, physicians, and other providers. Disease managers use this information to coordinate appropriate patient interventions and communicate with providers responsible for the patient's care.

The Privacy Rules need to be interpreted to allow disease management programs to have access to their patients' complete medical record for all of these reasons. Disease managers also require the use of complete protected health information for all of a plan's members to identify individuals with particular diseases and stratify their disease state severity and risk. Without this information, it would be impossible to identify program participants and determine the level of care required.

Limiting the information that disease managers receive or how they may use it would seriously diminish the proven benefits of disease management programs and eliminate a promising approach to addressing many of the major issues outlined in the IOM's Report. The Privacy Rules should indicate clearly that, for disease management purposes, the use or disclosure of a patient's entire medical record is presumed to be justified and does not require individual review of each use or disclosure request. The Privacy Rules are unclear regarding whether uses and disclosures for disease management purposes can be considered "routine or recurring" and, therefore, do not necessitate individual review when they are governed by standard protocols. DMAA urges NCVHS to press HHS for clarity on these points.

In the Guidance, HHS indicated that changes to the Privacy Rules will be proposed "to increase the confidence of covered entities that they are free to engage in whatever communications are required for quick, effective, high quality health care." Guidance at 12. Those changes should make it clear that covered entities can disclose a patient's complete medical record in conjunction with a disease management program. In sum, HHS should not limit the scope of PHI that may be shared freely with disease managers.

II. Marketing.

• Regulation overview.

  Marketing involves making "a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service." 42 C.F.R. § 164.501. DMAA believes that, pursuant to the Privacy Rules, disease managers who encourage patients to utilize disease management services are engaging in health promotion on behalf o patients, not marketing, and urges NCVHS to seek confirmation of this interpretation from HHS. However, DMAA also believes that promoting the sale of particular drugs, devices or durable medical equipment under the guise of disease management would be marketing.

  The Privacy Rules carve out certain practices from the definition of marketing. A covered entity is not engaged in "marketing" when it:

  • Describes the participating providers or plans in a network.
  • Describes the services offered by a provider or the benefits covered by a health plan.
  • Engages in communications that are tailored to the circumstances of a particular individual and the communications are:
    • Made by a health care provider to an individual as part of the individual's treatment, and for the purpose of furthering the individual's treatment; or
    • Made by a health care provider or health plan to an individual in the course of managing the treatment of that individual, or for the purpose of directing or recommending to that individual alternative treatments, therapies, health care providers, or settings of care.

  A covered entity is not required to obtain an authorization when it uses or discloses PHI to market to an individual when the marketing communication: (1) occurs in a face-to-face encounter with the individual; (2) concerns products or services of a nominal value; or (3) concerns the health-related products and services of a covered entity or of a third party and the communication meets the conditions listed below. See 42 C.F.R. § 164.514(e). The communication must:

  • Identify the covered entity as the party making the communication;
  • If the covered entity has received or will receive direct or indirect remuneration for making the communication, prominently state that fact; and
  • Except when the communication is contained in a general communication device that the covered entity distributes
  • to a broad cross-section of individuals, contain instructions describing how the individual may opt out of receiving future communications.

  Additionally, if the covered entity uses or discloses PHI to target individuals based on their health status:

  • The covered entity must make a determination prior to making the communication that the product or service being marketed may be beneficial to the health of the type or class of individual targeted; and
  • The communication must explain why the individual has been targeted and how the product or service relates to the health of the individual.
  • The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications are not sent such communications.
• DMAA position.

  The Guidance indicates that a covered entity is not marketing when it uses an individual's PHI to tailor a health-related communication to that individual when the communication is "[m]ade in the course of managing the individual's treatment or recommending alternative treatment." See Guidance at 23. The Privacy Rules need to clarify that disease management companies, as business associates of covered entities, are not engaged in marketing when they are making a communication about a product or service that is directly related to the patient's or population's plan of treatment. Disease management services by definition manage or support treatment and health care operations. HHS has recognized in extensive preambular discussion that all disease management activities within the DMAA definition of disease management fall within the treatment or health care operations exception. Indeed, the health care operations exception explicitly includes notification of providers and patients of alternative treatment methods as a health care operation.

  In sum, the Privacy Rules should confirm that all legitimate disease management services and related communications with providers and patients fall outside of marketing unless their primary purpose is to sell a particular product, service, drug or device. Activities that are geared primarily toward advancing sales of a particular product, service, device or drug should be classified as "marketing." DMAA, which has a broad industry membership including health plans, disease management organizations, provider groups, and individual physicians, has developed a carefully considered definition of disease management that is referenced on page 82627 of the commentary to the Privacy Rules. DMAA is continuing to refine this definition, and plans to have a new definition and definitional process in place by October.

III. Consent.

• Regulation overview.

The Privacy Rules require most health care providers to obtain a patient's written consent prior to using or disclosing PHI to carry out treatment, payment, or health care operations. See Guidance at 5. Indirect health care providers, such as pathologists or radiologists, health plans and clearinghouses do not need to obtain consent prior to using or disclosing PHI. Id. at 6. DMAA understands that HHS will be considering significant changes to or elimination of the consent requirements, on the basis of numerous detailed comments from much of the health care industry; thus, we will only comment on one narrow issue that poses a potential problem for disease management organizations.

• DMAA position.

  Allowing legitimate disease management programs to have unhindered access to protected health information (including PHI in claims forms, eligibility files and medical records from all sources, such as health plans, hospitals, physician offices, pharmacy benefits managers, laboratory services, other providers, and physician consultations) is crucial to preserving patient access to high quality disease management programs. Disease managers require this information in order to:

• Identify patients who would benefit from their programs;
• Stratify eligible patients according to risk;
• Communicate best practices information to treating physicians;
• Conduct individual and population care management activities; and
• Teach and support self-management skills.

Health care providers, no less than health plans, need to be able to share PHI with their patients' disease management programs without patient authorization or consent. Unless HHS specifically clarifies that health care providers do not require such authorization or consent, providers will almost certainly begin to refuse to provide PHI to disease managers, thereby crippling the very programs that IOM advocates as the best solution to the nation's health quality and cost needs. HHS must specifically confirm that both health plans and providers may disclose PHI to disease management organizations, as business associates of health plans and other payors, wherever necessary to carry out legitimate disease management activities. Alternatively, HHS should include disease management by name within the definition of "treatment," as the proposed Privacy Rules did, so that physicians, nurses, pharmacists, and other providers may provide PHI to disease managers whose mission is to improve patient clinical and financial outcomes through shared information, tools and supportive services..

The IOM Report emphasizes the need for providers to have access to accurate and thorough information. The Privacy Rules should not create barriers to this vital flow of information between providers, health plans, and disease managers who are working together to improve patient care.