Medical Management Programs: Do You Need to Get Authorization from Everyone?
16 November 2016
Self-funded medical plans implementing medical management programs often engage third-party administrators. Some plan sponsors believe or have been advised that they need to obtain written patient consent in order to allow third parties to access protected health information (PHI). Getting written consent from everyone would be a huge pain in the neck, but is it really required? Fortunately, no. But it’s worth going through why.
HIPAA’s Privacy Rule prohibits health plans and providers from disclosing PHI to third parties unless they have written authorization from the patient. However, there is an exception to the rule when the disclosure is for the purpose of treatment, payment or healthcare operations. While the Privacy Rule defines what “treatment” and “healthcare operations” include (see 45 C.F.R. Part 164.501), it does not specifically mention medical or disease management.
So the Privacy Rule itself doesn’t answer the question. But the Department of Health and Human Services (HHS) did address the issue of medical management programs in its preamble to the original final Privacy Rule regulations in 2000. HHS did not provide a single definition of a disease management program; instead, it included common functions of disease management programs within the definitions of treatment and healthcare operations. Disease management activities that focus on a particular individual fall under the definition of treatment, while population-based activities to improve healthcare or reduce healthcare costs fall under the healthcare operations exception.
Based on this clearly stated HHS position, health plans can implement medical management programs where providers, plans, and third-party administrators share PHI without seeking written consent from participants. But don’t forget that plans must have Business Associate Agreements with third parties before releasing PHI to them.
Having appropriate access to PHI is essential for an effective medical management program. Having clarity on when and with whom plans can share that information is a critical success factor.
To explore this topic in more depth, read our white paper, “Avoiding Pitfalls in Medical Management: When the Employer is the Provider.”
 http://archive.hhs.gov/ocr/part4.pdf, page 82627