"Managed Care" and Confidentiality

Revised Version

As published in Behavioral Health Management Volume 15, Number 6, November / December 1995, p. 25.

Dr. Edwards provides psychiatric and substance abuse review services to Ethix Northwest and Weyerhaeuser and has served in the past as medical consultant to Preferred Health Care and Value Behavioral Health. He earned his medical degree from University of Virginia. He is certified in "Psychiatry with Added Qualifications in Addiction Psychiatry" by the American Board of Psychiatry and Neurology and in addiction medicine by the American Society of Addiction Medicine. Dr. Edwards has provided forensic evaluation services and has testified as a psychiatric expert witness in a variety of civil cases. He maintains an active office practice and is associated with the medical staffs of Swedish, Providence, Overlake, and CPC Fairfax hospitals. Dr. Edwards' first experience with computers was through a summer job with NASA in 1968. He accrued limited work experience in the computer industry before earning his medical degree.

"Managed Care" and Confidentiality

Insurance companies and other third party payers have accessed medical records for years, asserting a need to determine that the service they are paying for is necessary and covered by the benefit. With the advent of utilization review and managed care as cost containment strategies, the number of individuals with access increased dramatically. Perhaps more importantly, yet another entire organization (the MCO), complete with a computer information system, now accumulates and stores personal medical data.

Furthermore, medical records are demanded by the courts for litigation. These trends threaten the privacy of the patient and provoke confusion and conflict for the provider, who must balance the needs of the patient against imperatives of reimbursement and the law.

Providers, for their part, have protested these changes as infringing upon their ability to protect the confidentiality of information revealed in treatment. Providers and consumers alike worry about erosion of privilege in the treatment relationship.

The problem has many roots. To begin with, many third party payers allow reimbursement only for services they deem "medically necessary." The definition of this term varies from company to company and is open to interpretation by reviewers at all levels. The term generally implies an appropriate match of service to need, and that the service is no more and no less than is needed to achieve the optimal result. This criterion may be applied to duration (length of stay or length of treatment), setting (level of care) and procedure.

For example, psychotherapy provided primarily for personal growth to an individual who does not meet the diagnostic criteria for a mental disorder may be considered not medically necessary.

Second, though medical record-keeping for clinical purposes has been widely discussed and is subject to professional ethical standards and state and federal law, MCOs present a special problem. Partly because they are businesses, few other external standards apply specifically to MCOs. Even the National Committee for Quality Assurance (NCQA), which accredits MCOs, assesses only the extent to which the MCO complies with its own standards regarding confidentiality. NCQA publishes no standards of its own in this area.

Contractual arrangements may affect aspects of execution of confidentiality policy, as well. In clinical practice, the provider has contractual obligations to the recipient that affect handling of medical information. Insurance companies also have a direct contract with the beneficiary. Managed care and utilization review organizations, however, have contractual relationships only with the insurer, employer, or provider. No contract with the recipient provides for any explicit duty regarding provision of any service except as defined by contract with the insurer, employer, and provider.

Utilization review organizations operate by determining what services are reimbursed. Ideally their reviews will result in the denial of a substantial, but variable, number of requested benefits, with some denials reversed at each level of appeal. Without denials, there are no apparent cost savings to fund the review process (though the "sentinel effect" may in itself act to reduce costs). In any event, information exchange is at the heart of the system.

Managed care services vary more from company to company, but may include a panel of contracted providers selected to meet quality, utilization, and other criteria. Case managers screen first-time callers and refer them to the lowest level of care they deem adequate, usually after an initial assessment by a panel provider who requests authorization for further treatment services. This initial contact between patient and reviewer may be the only time the reviewer communicates directly with the patient. After that, the reviewer depends upon the provider for information to justify continued treatment.

The case manager, where involved, continues to determine medical necessity and appropriate level of care at intervals until the treatment is completed. The case manager may also monitor quality of services rendered. Adverse events such as suicide, assault or serious adverse effects of treatment may prompt special scrutiny, often with requests for all records from all providers connected with the case. Professionals with the employer's employee assistance program may serve as liaisons with the workplace and thus constitute yet another organization with a need to maintain medical information.

From the reviewer's perspective, telephone access allows immediate follow-up questioning when information provided raises further questions. (The usefulness of written records varies tremendously with the quality and quantity of information supplied.) Rapport between reviewer and provider affects this process greatly. Telephone contacts are common, and have been tape recorded both by providers and by review organizations. Actual chart notes may be requested when the provider is contentious or when the reviewer has a low level of confidence in the reliability of information provided by phone.

Case managers and utilization reviewers must maintain records of their work for reasons similar to those that apply to health care providers. The records provide documentation of actions taken and the basis and rationale for those actions. They allow supervisors or coworkers to assume management of a case in the absence of the original reviewer. Finally, they provide a longitudinal perspective on a case that may be helpful for the review organization and may also provide a unique, if unintended, but valuable spin-off for patient care. Though the provider usually relies on a single interview and the patient's self-report to develop the patient's history, the MCO can, and often does, seek to maintain a more comprehensive and reliable history of treatment episodes, thus enhancing treatment effectiveness.

A request from a beneficiary for reimbursement for services provided by a non-paneled provider or by one without recognized credentials increases the likelihood that the case management process will become adversarial. This can occur when patient and provider want continued treatment, but have failed to convince the case manager or first level reviewer that medical necessity criteria have been met. The provider and patient may then appeal the adverse determination or request a higher level of review, usually by a physician. That decision as well may be appealed. Under some circumstances appeal to an outside organization that provides review services adds yet another organization with a need to receive and store medical information.

A typical managed care operation transmits and stores confidential medical information using a variety of media. Initial screening and referral are often accomplished, as already noted, by telephone. Case managers usually document this information, as well as their own activities in response to it, beginning with the first contact, on electronic media of some kind. This may range in scale from a notebook computer to a national network with storage in a central "mainframe" (or a large computer) location in another state. Communication by electronic mail between provider and case manager remains the exception, but this medium may be used extensively within the review organization.

Providers may mail or fax written materials for review. The MCO must store these records, as well. Voice mail may also be used, especially for updates of information on treatment progress provided to the case manager or utilization reviewer.

The MCO may collect or store any information recorded in the provider's medical record. Identifying data may include names of family members, especially if they are involved in treatment. Reviewers record content of all contacts relating to the case, though in varying detail. In other words, the reviewer may place information not present in the clinical records of providers in the managed care database. This can include families' descriptions of nonstandard practices or procedures, hostile or threatening remarks, and even comments regarding the perceived mental or emotional state of the provider. In addition, the case manager may record contacts with a variety of significant others, including, but not limited to, other providers, employee assistance professionals, and the patient's friends and school teachers.

Licensed professionals working as reviewers for MCOs may be bound by the same duty as their colleagues working in a clinical setting to report professional misconduct, potentially dangerous behavior, and child abuse. Yet they may have no contractual obligation or opportunity to inform the patient, or initial contact, of the limitations of confidentiality.

As I have indicated, I am unaware of any law or standard specifically applicable to the confidentiality of medical information in managed care. Largely, the professional ethics of the reviewer and the reviewer's understanding of law applicable in a clinical setting may govern that individual's handling and recording of this information. However, many nonprofessional clerical and administrative personnel may have access to large information systems. There may be no limit on a reviewer's access to information on cases outside their own case load. In a large MCO, it is possible that a case manager or other employee may have access to the medical information of a friend, colleague, relative, or even, for example, his high school principal. Transfer of information between providers and significant others contacted in managing a case may not be constrained. No standard that I am aware of exists regarding handling, storage and destruction of paper records by an MCO. This compounds the limitations on the security of electronic media already discussed.

There are also burgeoning legal concerns. In the future, attorneys involved in medical negligence and other litigation may attempt to obtain managed care records. Contracted panel providers may have an ethical obligation to inform their patients of how clinical information will be handled by the MCO - but the provider may not know how this information is handled. A further concern is that the recipient, adequately informed of the limitations of confidentiality, may choose to forgo their benefit to limit exposure of sensitive information. This may have further contractual implications for the provider. Many contracts prohibit the provider from billing for services not considered medically necessary. If the MCO is unable to determine medical necessity because no clinical information is provided, does the provider risk consequences of breach of the contract?

Policy regarding confidentiality of medical information obtained in the case management process remains proprietary - that is, it is up to the individual company to shape. In light of this, confidentiality of medical information can be better protected by the MCO by considering the following:

  • Access can be limited to those who "need to know" through use of passwords.
  • Security of electronic media can be improved through technical enhancements that should be inquired about.
  • A built in audit trail will discourage access by unauthorized employees by recording their access and any alteration in data.
  • Recipients could be allowed to record challenges to information they deem incorrect.
  • Use of names and other identifying data can be limited to situations where they are necessary.
  • Use of paper records can be limited. Policy should provide for locked storage and early destruction when records are no longer needed.

While passwords, audit trails and other technical enhancements may increase the security of personal data stored in computer information systems, each of these solutions presents further decisions. For example, different passwords can be assigned for different levels of access. Many computer displays now use "screen savers" or go blank after they sit idle for a few minutes, and a password must then be entered before the data screen is displayed. This provides some security for each computer workstation and lessens the opportunity for unauthorized viewing while the assigned user is away from the desk. Access to identifying data might require another level of password, available perhaps to clerical staff. Maximum security for clinical data might be assured by issuing passwords only to case managers and medical consultants assigned to a particular set of cases.

Audit trail capability may provide the ability to reconstruct every change made to the record, along with the date and time as well as the password of the individual who made the changes. It is presumed that this will discourage unauthorized access. However, the effectiveness of this approach depends on the frequency with which passwords are changed. The longer one individual uses the same password, the more likely it is to be discovered and used by an unauthorized individual. On the other hand, if passwords are changed frequently, it is more likely that the user will write them down to remember them, again compromising security.

The system must also provide for rapid recovery if the user forgets the password. This might involve designation of a system administrator or technician with the ability, possibly connected to yet another password, to change another user's password. This would be analogous to a building manager's possession of a master key. Be aware, however, that this system may be vulnerable to sophisticated "hackers" outside the organization gaining access or to disgruntled employees within the organization bent on revenge.

Another technical approach is encryption. Before storage or transmission the computer "scrambles" the data so as to make it unintelligible to anyone who does not possess the key required to "unscramble" the code. A similar, but less technical, strategy is to substitute an identification number for the name wherever possible, accessing the name only when necessary for telephone contact.
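
The following added example (not part of the original article) shows three of the measures discussed above working together: clinical access limited to an assigned caseload, names stored apart from clinical notes under an identification number, and an audit trail of every access and change. The user names, record IDs and data are constructed; entries are tied to a user ID rather than a password, and the hash chaining that makes later edits to the trail detectable goes beyond what the article describes.

```python
import hashlib, json
from datetime import datetime, timezone

# Constructed sample data. Names are kept apart from notes, keyed by ID number.
NAMES = {"M-1001": "Pat Example", "M-1002": "Lee Sample"}
NOTES = {"M-1001": "6 sessions authorized", "M-1002": "level-of-care review pending"}
CASELOAD = {"cm_ann": {"M-1001"}}       # clinical access: assigned cases only
NAME_ACCESS = {"cm_ann", "clerk_bo"}    # identifying data: a separate privilege
TRAIL = []                              # append-only audit trail

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def audit(user, action, member, allowed, old=None, new=None):
    """Record who did what, when, and what changed; chain to the previous entry."""
    entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
             "action": action, "member": member, "allowed": allowed,
             "old": old, "new": new, "prev": TRAIL[-1]["hash"] if TRAIL else "0" * 64}
    entry["hash"] = _digest(entry)
    TRAIL.append(entry)

def read_notes(user, member):
    ok = member in CASELOAD.get(user, set())
    audit(user, "read_notes", member, ok)          # denied attempts are logged too
    return NOTES[member] if ok else None

def update_notes(user, member, text):
    ok = member in CASELOAD.get(user, set())
    old = NOTES[member] if ok else None
    audit(user, "update_notes", member, ok, old, text if ok else None)
    if ok:
        NOTES[member] = text
    return ok

def lookup_name(user, member):
    ok = user in NAME_ACCESS
    audit(user, "lookup_name", member, ok)
    return NAMES[member] if ok else None

def trail_intact():
    """True if no recorded entry was altered, reordered or dropped from the middle."""
    prev = "0" * 64
    for e in TRAIL:
        body = {k: v for k, v in e.items() if k != "hash"}
        if e["prev"] != prev or _digest(body) != e["hash"]:
            return False
        prev = e["hash"]
    return True
```

Because the trail stores old and new values in order to reconstruct changes, it holds clinical data itself and needs the same access limits as the records it describes.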

Ultimately the natural course of change in the industry may provide the best solution. As MCOs delegate more of their activities to capitated provider groups, they will no longer need to maintain detailed clinical databases. We may then revert to the old condition in which providers alone maintain records of clinical information. In the meantime, however, without some form of improvement beneficiaries may avoid using their benefit to pay for treatment, or avoid seeking treatment altogether, simply in order to protect their privacy.

