Ask the expert
Case managers trigger HIPAA concerns
Learning objective
At the completion of this educational activity, the learner will be able to:
- Identify strategies to carry out case management duties without running afoul of electronic record audits.
Editor’s note: CMM received the following question from a case manager and reached out to our experts to provide their thoughts on how others might avoid this issue in the future.
Q: I am a certified case manager working in an acute care hospital. As part of our job requirements, when working in the emergency room (ER), we are asked to problem solve throughout the day. We often get requests for information on patients seen in the ER who have since been discharged.
These requests include phone calls and actual visits from the department of children and family services (DCF) looking for information on cases that were seen in the ER. Case managers were not actually present during these patient visits; however, information is needed to complete investigations related to DCF and others.
From time to time, we also receive phone calls from patients who have been discharged and are having trouble filling prescriptions given to them due to insurance coverage for that particular medication. They sometimes require a different medication to ensure coverage from their insurance plan.
Some case managers working on the acute care floors get phone calls from physicians and other case managers with a request to look at a case, as a consult, wanting to know if criteria have been met to advance an observation case to inpatient. Often, the patient in question is not on the case manager’s assigned floor for the day. We also access patient records, which are not on our assignment for the day, when we step in to help other case managers with heavy workloads when our own work is caught up.
If asked a month later why we accessed a particular record, we cannot always remember. It is not recorded anywhere, especially if we are just looking at a case for a second opinion for meeting criteria.
As a result, we’ve encountered a problem. Recently, an electronic medical record (EMR) audit was started on a nurse case manager accused of accessing a record when she did not need to view the information. This case manager is unable to remember why she accessed this record. She does not write down every request she encounters in a day.
This case manager has demonstrated admirable integrity, even self-reporting to the corporate compliance office when she faxed a prescription to the wrong pharmacy because she felt it was the right thing to do.
As case managers, we are given extended access to all medical records, including records for our psychiatric hospital that is separate from the hospital but on the same campus. Wouldn’t our roles as professionals extend a respect to us that we do not surf medical records for entertainment? If the case manager was found to be in an EMR, there was a professional reason.
Besides trying to document every request for accessing the EMR, what can we do for self-protection?
I would think that with the level of access to EMRs that we have been given to complete our job responsibilities, there should be a level of respect and protection on situations like this.
A: "It’s unfortunate that a case manager is under investigation for alleged indiscriminate access of electronic medical records," says Stefani Daniels, RN, MSNA, CMAC, ACM, president and managing partner of Phoenix Medical Management, Inc., in Pompano Beach, Florida.
"The nature of the role requires frequent access to protected health information (PHI), and neither a care manager nor utilization review specialist, or social service counselor should fear reprisal. It will simply put up barriers for future information sharing."
The cautious case management team must avoid delaying or obstructing care and should be doing more sharing than not enough, she says.
To allow this function to occur without fear of running afoul of regulations, a hospital should clearly spell out its policies and procedures as part of the case management program plan, EMR and HIPAA policies, and policies governing access to PHI, says Daniels. (A recent blog post might be of interest: www.phoenixmed.net/the-p-in-hipaa-does-not-stand-for-privacy.html.)
Jackie Birmingham, RN, BSN, MS, CMAC, vice president emerita of clinical leadership for Curaspan Health Group in Newton, Massachusetts, agrees.
"The professional responsibility concept can only be used if it is in the case manager’s job description with a policy to back it up," she says.
Case managers should not release information directly to DCF. Instead, it should go to the medical records/health information management (HIM) department so the hospital can ensure the request complies with its record release policies, that the appropriate forms are signed, and that the release is tracked, she says.
The case manager should always step back and think about every interaction he or she has with a patient or family, whether he or she is the primary case manager or just assisting with a case to help answer questions, says Cheri Bankston, RN, MSN, director of Clinical Advisory Services at Curaspan. "When you are asked a question and give direction to a patient/family member, then that should be documented in the patient’s medical record for reference by the healthcare team, such as your example of needing help getting a prescription filled," she says.
To protect the case manager and the organization, Daniels recommends that the hospital policy be clear on the following three topics:
1.Calls from outside agencies or other providers about discharged patients should be referred to the HIM department. If HIM needs clinical assistance, it will be able to identify and contact the case manager who was working on the case and make a referral directly to that associate. Case managers should never have to access records of discharged patients unknown to them.
2.Discharged patients should be able to contact their care manager directly. It’s good policy and is a value-added service of the case management program. Hospital policy should support this effort and outline a process to confirm the caller’s identity to protect PHI. Similarly, strategies for handling calls from physicians or other providers requesting PHI should be included in the hospital policy.
3.Members of the patient’s care team are always helping each other?that’s what teamwork is all about. Often, that help requires access to a patient’s EMR even if that team member is not providing direct care. Specifically, the policy should require a brief statement in the utilization review software, case management application, revenue cycle application, or paper chart. Detailed background information justifying access to the EMR should not be necessary; a brief, signed statement is sufficient: "At the request of (insert name of physician, case manager, etc.), PHI was reviewed for admission review (or continuing stay review, second opinion, quality audit, confirm physician order, or other reason)."
Consults from coworkers or physicians with questions about whether a patient meets criteria are activities that do not require documentation in the patient’s medical record as a general rule since this pertains to billing and insurance, says Bankston. "These activities may occur at any time during or after the patient’s stay," she says. "They are more problematic when auditing and many organizations take that into consideration when reviewing this during an audit of who has accessed a patient record. These activities are classified by roles such as utilization review, and each staff member that falls into that category would need to have a role that allowed them access to that record, similar to a coder in medical records."
Record reviews regarding payment and meeting criteria aren’t usually documented in the patient’s record because they pertain to payment, says Bankston. "In both cases, hospital compliance and legal counsel should have clear guidelines for staff. It’s not reasonable to document a note every time you review a record for medical necessity."
But unless a review falls into those categories, the bottom line is if you are answering questions from a patient or giving direction to a patient or family member, you should document those conversations in the EMR.
Got a question for our experts? Submit it to Kelly Bilodeau at [email protected].