HIPAA Consent or Authorization

[Guest caserlaw]

Should enrollment forms for self-insured group medical plans be amended to include a signature by the employee for consent or authorization to use medical information or should this be a case by case request or is the consent or authorization necessary for a health plan or just a medical provider?

[Steve72]

A health plan MAY ask for consent, but is not required to do so. An authorization, however, must be obtained if the plan intends to use protected health information for something other than treatment, payment or health care operations. You should review your plan and the flow of data to determine if an authorization will be necessary.

Note that a signature on an enrollment form will be insufficient to meet the requirements of either a consent or an authorization.

[Guest caserlaw]

We only use health information for underwriting and processing claims so I do not feel like we need to get consent but if we incorporate disease management or similar programs it seems we might need consent and it just seemed easier to include it with the enrollment materials.

[Steve72]

I'm not sure what you mean by "disease management", however, it is important to remember that consent and authorization are entirely different concepts.

It is possible to condition enrollment on the execution of an authorization form, however, the authorization still must be given in accordance with the regulations. A signature on an enrollment form will almost assuredly be insufficient.

[Jbentz]

Remember that the regs say "MAY" obtain a consent. i would be very careful about this, becauase if you get it for one, you MUST get if for all. If not, you must abide by what the consent says and the fact that a handful did not sign it.

[Guest caserlaw]

So am I correct in understanding that since medical data is used only for the operation of the plan in claims processing and underwriting, that a consent or authorization is not required? We just need to produce an updated Privacy Notice, Privacy Policies and Procedures manual and training regarding privacy policy? I have read the regs and they seem to affect providers more than plan sponsors. Second question, anyone have any suggestions for small TPA's for EDI transactions when the claims processing system is HIPAA compliant but of course not completely in that a clearinghouse is still needed and a solution for eligibility and claims status. I have talked to several vendors and so many are cost prohibitive with no ROI. Thanks.

[Guest melittahauser]

Hi caserlaw,

I just read you question reagarding small TPA's and EDI. I was curious as to why they need EDI linkage. There are other opportunities out there for small companies to either fax their claims, mail them to a cost containment company or even use the internet to submit claims for repricing.

Have a great day,

Melitta

[Guest caserlaw]

It is my understanding that you must be able to receive claims electronically and this includes all claims not just out-of-network claims to be re-priced. We have looked at solutions for HIPAA transactions for eligibility, claims status, etc. and most vendors charge PEPM with a minimum amount that has no return on investment. The challenge of receiving claims electronically would certainly pay for itself by displacing workers but that is not the optimum solution. All of the options we have explored are so costly that we can only picture laying off employees to pay the cost and there goes customer service. I am curious as to how other small TPA's are handling this. Of course, all the claims processing software packages claim to be HIPAA compliant but it seems they aren't without other 3rd parties to complete the picture.

[jeanine]

You don't need consent (under HIPAA) for payment, treatment, or healthcare operations. I believe HHS addressed disease management in a FAQ or some other material. Anyway, our analysis of their opinion was that disease management was allowable as treatment. You can still do many things under HIPAA besides underwriting and payment. Quality Assurance programs are still allowable as long as you have a direct relationship with the patient's whose data you are using. As a health plan, you would satisfy that relationship with your enrollees.