"Managed Care" and Confidentiality (2)

April 4, 1997

Insurance companies and other third party payers have required access to medical records for years, asserting a need to determine that the service they are paying for is necessary and covered by the benefit. With the advent of utilization review and managed care as cost containment strategies, the number of individuals with access to medical records increased dramatically. Perhaps of greater impact, yet another entire organization (the MCO or managed care organization) with a separate computer information system now obtains and accumulates medical information. The variety of media used for storage and transmission of medical information has also increased. Providers have protested these changes as infringing upon their ability to protect the confidentiality of information revealed in treatment. Legislatures at the state and federal levels have introduced legislation to attempt to address the problem.

Providers and consumers alike worry about erosion of privilege and confidentiality in the treatment relationship. The tradition of privilege is fast becoming the myth of privilege. With existing demands from third party payers added to state mandated duties to report professional misconduct and duty to warn under Tarasoff, confidentiality is far from complete. The courts demand and obtain access to medical records for litigation. These trends threaten the privacy of the patient and provoke confusion and conflict for the provider, who must balance the needs of the patient against imperatives of reimbursement and the law.

Many third party payers allow reimbursement only for services they deem "medically necessary." The definition of this term varies from company to company and is open to interpretation by reviewers at all levels. The term generally implies an appropriate match of service to problem and that the service is no more and no less than is needed to accomplish the optimal result. This criterion may be applied to duration (length of stay or length of treatment), setting (level of care) and procedure. For example, psychotherapy provided primarily for personal growth to an individual who does not meet the diagnostic criteria for a mental disorder may be considered medically unnecessary.

Medical record keeping for clinical purposes has been widely discussed and is subject to professional ethical standards and state and federal law. Partly because they are businesses, few other external standards apply specifically to managed care organizations (MCO's). While the National Committee for Quality Assurance (NCQA), which accredits managed care organizations, publishes no standards of its own, it does require establishment of "mechanisms" to assure confidentiality and assesses the extent to which the MCO complies with its own standards.

Contractual arrangements may affect aspects of execution of confidentiality policy. In clinical practice the provider has contractual obligations to the recipient that affect handling of medical information. Insurance companies also have a direct contract with the beneficiary. Managed care and utilization review organizations, however, have contractual relationships only with the insurer, employer, or provider. No contract with the recipient provides for any explicit duty regarding provision of any service except as defined by contract with the insurer, employer, and provider.

Utilization review organizations operate by determining what services will be reimbursed. Ideally (from their perspective) their reviews will result in the denial of a substantial, but variable, amount of requested benefits, with some denials reversed at each level of appeal. Without denials, there is no apparent cost saving to fund the review process, though a sentinel effect may ensure that the process contains treatment costs anyway.

Managed care services vary more from company to company, but may include a panel of contracted providers selected to meet quality, utilization, and other criteria. Case managers screen first-time callers and refer them to the lowest level of care they deem adequate, usually after an initial assessment by a panel provider who requests authorization for further treatment services. This initial contact between patient and reviewer may be the only time the reviewer communicates directly with the patient. After that the reviewer depends upon the provider for information to justify continued treatment. The case manager continues to determine medical necessity and appropriate level of care at intervals until the treatment is completed. The case manager may also monitor quality of services rendered. Adverse events such as suicide, assault or serious adverse effects of treatment may prompt special scrutiny, often with requests for all records from all providers connected with the case. Professionals with the employer's employee assistance program may provide liaison with the work place and thus constitute yet another organization with a need to maintain medical information.

From the reviewer's perspective, telephone access allows immediate follow-up questioning when the information provided raises further questions. Rapport between reviewer and provider affects this process greatly. Telephone contacts have been tape recorded both by providers and by review organizations. The usefulness of written records varies tremendously with the quality and quantity of information supplied. Actual chart notes may be requested when the provider is contentious, when the reviewer has a low level of confidence in the reliability of information provided by phone, or when the reviewer suspects unnecessary or poor quality care.

Case managers and utilization reviewers must maintain records of their work for reasons similar to those that apply to health care providers. The records provide documentation of actions taken and the basis and rationale for those actions. They allow supervisors or coworkers to assume management of a case in the absence of the original reviewer. Finally, they provide a longitudinal perspective on a case that may be helpful for the review organization and may also yield a valuable, if unintended, spin-off for patient care. Usually the provider relies on a single interview and the patient's self-report to develop the past history. The MCO, though, can maintain a more comprehensive and reliable history of treatment episodes, thus enhancing treatment effectiveness.

A request from a beneficiary for reimbursement for services provided by a non-paneled provider or by one without recognized credentials increases the likelihood that the case management process will become adversarial. This can occur when patient and provider want continued treatment, but have failed to convince the case manager or first level reviewer that medical necessity criteria have been met. The provider and patient may then appeal the adverse determination or request a higher level of review, usually by a physician. That decision may be appealed as well. Under some circumstances, appeal to an outside organization that provides review services adds yet another organization with a need to receive and store medical information.

A typical managed care operation transmits and stores confidential medical information using a variety of media. Initial screening and referral are often accomplished by telephone. Case managers document information provided to them and their own activities, beginning with the first contact, usually on electronic media of some kind. This may range in scale from a notebook computer to a national network with storage in a central "mainframe" (a large computer) location in another state. Providers may mail or fax written materials for review. The managed care organization must store these records. Communication by electronic mail between provider and case manager remains the exception, but this medium may be used extensively within the review organization. Voice mail may also be used, especially for updates on treatment progress provided to the case manager or utilization reviewer.

The managed care organization may collect or store any information recorded in the provider's medical record. Identifying data may include names of family members, especially if they are involved in treatment. Reviewers record content of all contacts relating to the case, though in varying detail. Thus, the reviewer may place information not present in the clinical records of providers in the managed care database. This can include description of nonstandard practices or procedures, hostile or threatening remarks, and even comments regarding the perceived mental or emotional state of the provider. The MCO will expect the reviewer to document actions by the provider, possibly related to resentment about some aspect of the review process, that may be damaging to the patient. In addition the case manager may record contacts with a variety of significant others, including but not limited to other providers, employee assistance professionals, family members, friends and school teachers.

Licensed professionals working as reviewers for managed care organizations may be bound by the same duty to report professional misconduct, potential dangerous behavior, and child abuse as their colleagues working in a clinical setting. Yet they may have no contractual obligation or opportunity to inform the patient of the limitations of confidentiality on initial contact.

This writer is unaware of any law or standard specifically applicable to the confidentiality of medical information in managed care. Largely the professional ethics of the reviewer and the reviewer's understanding of law applicable in a clinical setting may govern that individual's handling and recording of this information. Nevertheless, many nonprofessional clerical and administrative personnel may have access to large information systems. There may be no limit on a reviewer's access to information on cases outside their own case load. In a large managed care organization it is possible that a case manager or other employee may have access to the medical information of a friend, colleague, relative, or even, for example, his high school principal. Transfer of information between providers and significant others contacted in managing a case may not be constrained. No standard may exist regarding handling, storage and destruction of paper records by an MCO. Limitations on the security of electronic media have been discussed elsewhere.

Much has been said and written questioning the use of medical information by MCO's, but it has been rare in this writer's experience as a reviewer to encounter any reluctance by providers to supply whatever information is requested. The extent to which informed consent for release of information is obtained or to which the provider educates the patient about the review process is unknown. Occasionally, especially in an adversarial situation, providers may resort to awkward strategies, such as insisting that telephone review be conducted with the patient present in the office. Rigid application of a provider's beliefs regarding confidentiality may risk harm to the patient through unnecessary exploitation of the process to express the provider's hostility toward all of managed care.

Policy regarding confidentiality of medical information obtained in the case management process remains proprietary; that is, it is up to the individual company to shape. Thus it is an element for competitive advantage, provided the purchaser is aware and considers this important. In the future attorneys involved in medical negligence and other litigation may attempt to obtain managed care records. Contracted panel providers may have an ethical obligation to inform their patients of how clinical information will be handled by the MCO. However, the provider may not know how this information is handled. The recipient, adequately informed of the limitations of confidentiality, may choose to forgo their benefit to limit exposure of sensitive information. This may have further contractual implications for the provider. Many contracts prohibit the provider from billing for services not considered medically necessary. If the MCO is unable to determine medical necessity because no clinical information is provided, does the provider risk consequences of breach of the contract?

Confidentiality of medical information can be better protected in the MCO through implementation of policy:

  • Access can be limited to those who "need to know" through use of passwords.
  • Security of electronic media can be improved through encryption and other technical enhancements.
  • An audit trail will discourage access by unauthorized employees by recording their access and any alteration in data.
  • Recipients could be allowed to record challenges to information they deem incorrect.
  • Use of names and other identifying data can be limited.
  • Use of paper records can be limited. Policy should provide for locked storage and early destruction when records are no longer needed.

While passwords, audit trails and other technical enhancements may increase the security of personal data stored in computer information systems, each of these solutions may present new problems or disadvantages. Different passwords can be assigned for different levels of access. Many computer displays now use "screen savers" or go blank after they sit idle for a few minutes. A password must then be entered before the data screen is displayed. This provides some security for each computer workstation and lessens the opportunity for unauthorized viewing while the assigned user is away from the desk. Access to identifying data might require another level of password, available perhaps to clerical staff. Maximum security for clinical data might be assured by issuing passwords only to case managers and medical consultants assigned to a particular set of cases.

An audit trail may make it possible to reconstruct every change made to the record, along with the date and time and the password of the individual who made the change. It is presumed that this will discourage unauthorized access. However, the effectiveness of this approach depends on the frequency with which passwords are changed. The longer one individual uses the same password, the more likely it is to be discovered and used by an unauthorized individual. On the other hand, if passwords are changed frequently, it is more likely that users will write them down to remember them, again compromising security. The system must also provide for rapid recovery if the user forgets the password. This might involve designation of a system administrator or technician with the ability, possibly connected to yet another password, to change another user's password. This would be analogous to a building manager's possession of a master key. If this process is streamlined, it may also be vulnerable to sophisticated "hackers" outside the organization gaining access or to disgruntled employees within the organization bent on revenge.
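The need-to-know restriction and audit trail described above can be sketched as follows. This is an added example, not code from the original article: the case numbers, user IDs and function names are hypothetical, a unique user ID is assumed in place of a per-user password, and the hash chaining that makes later alteration of the log detectable goes beyond what the text describes.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample data: case assignments and a minimal clinical store.
ASSIGNED = {"case-1001": {"cm_alvarez"}, "case-1002": {"cm_brooks", "md_chen"}}
RECORDS = {"case-1001": {"level_of_care": "outpatient"},
           "case-1002": {"level_of_care": "inpatient"}}
GENESIS = "0" * 64  # stands in for the "previous hash" of the first entry

def digest(entry):
    """SHA-256 over a canonical JSON encoding of one audit entry."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Append-only log; every entry embeds the hash of its predecessor."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, case_id, allowed, change=None):
        # Assumption: a unique user ID identifies the actor (not a password).
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                 "action": action, "case": case_id, "allowed": allowed,
                 "change": change, "prev": prev}
        entry["hash"] = digest(entry)
        self.entries.append(entry)

    def verify(self):
        """False if an entry was edited, reordered or cut from the middle."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def read_record(user, case_id, trail):
    """Return a copy of the record to assigned staff only; log every attempt."""
    allowed = user in ASSIGNED.get(case_id, set())
    trail.record(user, "read", case_id, allowed)
    return dict(RECORDS[case_id]) if allowed else None

def update_record(user, case_id, field, value, trail):
    """Apply a change for assigned staff, logging the old and new values."""
    allowed = user in ASSIGNED.get(case_id, set())
    change = None
    if allowed:
        change = {"field": field, "old": RECORDS[case_id].get(field), "new": value}
        RECORDS[case_id][field] = value
    trail.record(user, "update", case_id, allowed, change)
    return allowed
```

Because the trail stores old and new clinical values, it needs the same protection as the records themselves. The chain exposes edits to individual entries, but someone able to rewrite the entire log could recompute it unless the latest hash is also kept somewhere they cannot reach.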

Another technical approach is encryption. Before storage or transmission the computer "scrambles" the data so as to make it unintelligible to anyone who does not possess the key required to "unscramble" the code. A similar, but less technical approach involves substitution of an identification number for the name wherever possible, accessing the name only when necessary for telephone contact.
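The substitution of an identification number for the name can be sketched as follows. This is an added example, not code from the original article: the class and function names, the number format and the sample intake are all hypothetical. The name-to-number table is held apart from the clinical record, and a name is released only for telephone contact, with each request noted.

```python
import re
import secrets

ALLOWED_PURPOSES = {"telephone_contact"}  # assumption: the only reason to see a name


class IdentityVault:
    """Holds the only name <-> number mapping; kept apart from clinical data."""

    def __init__(self):
        self._by_id, self._by_name, self.lookups = {}, {}, []

    def id_for(self, name):
        """Return the person's number, issuing a random one on first sight."""
        key = name.casefold()
        if key not in self._by_name:
            pid = f"P{secrets.randbelow(10**8):08d}"
            while pid in self._by_id:  # retry on the rare collision
                pid = f"P{secrets.randbelow(10**8):08d}"
            self._by_name[key], self._by_id[pid] = pid, name
        return self._by_name[key]

    def name_for(self, pid, user, purpose):
        """Re-identify only for an allowed purpose; note who asked and why."""
        ok = purpose in ALLOWED_PURPOSES
        self.lookups.append((user, pid, purpose, ok))
        if not ok:
            raise PermissionError(f"{purpose!r} does not justify re-identification")
        return self._by_id[pid]


def pseudonymize(intake, vault):
    """Build a clinical record that carries numbers instead of names."""
    people = [intake["patient"], *intake.get("family", [])]
    note = intake["note"]
    # Longest first, so a name contained in another is not replaced early.
    # Only exact full names are caught; a bare first name would remain.
    for person in sorted(people, key=len, reverse=True):
        note = re.sub(re.escape(person), vault.id_for(person), note, flags=re.I)
    return {"patient": vault.id_for(intake["patient"]),
            "family": [vault.id_for(p) for p in intake.get("family", [])],
            "note": note}


# Constructed sample intake, not real data.
SAMPLE = {"patient": "Dana Reyes", "family": ["Luis Reyes"],
          "note": "Dana Reyes reports conflict at home; spoke with Luis Reyes by phone."}
```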

Ultimately the natural course of change in the industry may provide the best solution. As MCO's delegate more of their activities to capitated provider groups they will no longer need to maintain detailed clinical databases. We may then revert to the old condition in which providers alone maintain records of clinical information. Without some form of improvement beneficiaries may avoid using their benefit to pay for treatment or avoid seeking treatment altogether in order to protect their privacy.

