The role of consent in chronic care management

Patient consent is required for Chronic Care Management (CCM) to ensure active engagement in healthcare decisions, especially in managing chronic conditions.

CCM operates on a one-time consent model due to its continuous nature of care. Patients only need to give their informed consent for CCM services once, unless there's a change in their billing practitioner or they wish to withdraw from CCM services. However, patient consent is still required to meet the requirements of HIPAA's Privacy Rule and the Centers for Medicare & Medicaid Services (CMS) guidance related to CMM.

HIPAA and patient consent

The Privacy Rule creates a federal baseline for protecting the privacy of personally identifiable health information. It does not generally require patient consent to use or disclose protected health information (PHI) for routine healthcare operations, treatment, or payment because such disclosures are integral to providing healthcare services. For instance, a doctor may share PHI with another healthcare provider for treatment purposes or submit PHI to an insurance company for payment without the patient's explicit consent.

The Privacy Rule requires patient authorization for uses and disclosures not related to treatment, payment, or healthcare operations. This includes marketing, selling PHI, or sharing data with third parties not involved in patient care.

The Rule also supports patient autonomy by giving patients the right to be informed about their privacy rights and how their information may be used through the Notice of Privacy Practices (NPP). While the HIPAA Privacy Rule does not mandate patient consent for routine uses and disclosures, it upholds the principle of patient autonomy by ensuring patients have rights to access their PHI, request amendments, and specify their preferences for how they receive communications about their health information.

See also: What is a Notice of Privacy Practices?

See also: How does HIPAA differentiate between consent and authorization?

CMS guidance on the role of patient consent for CCM

CMS guidance requires that consent for CCM is a patient-centered process, acknowledging the patient's right to be informed about and in control of their healthcare services. This consent process is a regulatory formality and a necessary aspect of the patient-practitioner relationship in managing chronic conditions under CCM. The main provisions of the guidelines are: 

1. Initial consent requirement: Healthcare providers must obtain the patient's consent before starting CCM services. This requirement helps ensure that patients actively participate in healthcare decisions.
2. Verbal or written consent: The consent may be verbal or written. CMS does not mandate a specific format for this consent. Still, it does require that the consent is documented in the patient's medical records.
3. Patient information: During the consent process, patients should be informed about the CCM services that will be provided, including comprehensive care management, transitional care management, coordination with home and community-based clinical service providers, and access to care.
4. Cost sharing: Patients must be informed about any cost-sharing responsibilities they may have. CCM services are typically subject to copayments, coinsurance, and deductibles under Medicare Part B.
5. Only one practitioner: Patients must be informed that only one practitioner can furnish and be paid for CCM services during a calendar month. This helps prevent duplication of services and billing.
6. Right to revoke consent: Patients should be advised that they have the right to stop CCM services at any time (effective at the end of the calendar month) and that they can revoke their consent at any point.
7. Documentation of consent: The healthcare provider must document the consent in the patient's medical records, including the date of consent, that the elements of CCM were explained to the patient, and whether the patient accepted or declined the services.
8. Changing practitioners: If a patient decides to change practitioners, the new practitioner must obtain and document a new consent before providing CCM services.

See also: HIPAA Compliant Email: The Definitive Guide