In addition to concerns about the amount of sensitive information being shared with the MCO, many consumer advocates have expressed concern about the security of the information once it is in the possession of the managed care firm. Numerous advocacy groups have developed guidelines and recommendations to ensure that such personal information is restricted to those who have reason to access the information, and that it is not accessed by those outside the company without the client's consent.
Several organizations noted the importance of the MCO developing written confidentiality policies, stating the specific measures that would be undertaken to protect confidential patient information (NMHA, 1999, SAMHSA, 1996a). The Joint Commission on Healthcare Organizations (JCAHO) and the National Committee on Quality Assurance (NCQA), in their 1998 joint report on protecting patient privacy in a managed care setting, stressed the importance of designating and training staff who will be responsible for ensuring that the MCO's policies are being carried out (JCAHO & NCQA, 1998). According to these guidelines, the MCO should voluntarily conduct periodic audits to ensure that its confidentiality policies are being carried out appropriately (JCAHO& NCQA, 1998).
Several experts have recommended that, to the extent possible, the use of individually identifiable data should be replaced with aggregated data that doesn't identify a particular member. All entries into managed care data systems should be coded with a unique identifier number, which is not linked to the individual's name, address, or social security number (Davidson & Davidson, 1998). This unique identifier can be used in lieu of the person's name when communicating personal health information to limit exposure of the client's identity (SAMHSA, 1996b). MCOs using behavioral healthcare utilization information for activities such as provider monitoring and profiling can report the results in aggregated form, without revealing the identity of the patients whose records are being discussed (NMHA, 1999).
Just as all electronic medical records can be password protected, all paper files can be kept in a locked file or safe, with records only being available to staff with legitimate need to access them (Edwards, 1997). Data can be destroyed as soon as it is no longer needed. For example, payment data can be destroyed once the services in question have been completed and paid for (Davidson & Davidson, 1995).
MCO confidentiality policies can ensure that only staff members who have a specific need to access confidential information are able to do so. JCAHO and NCOA recommended that patient records should be password protected, and user access controls should be implemented so that staff can only view the level of data necessary to do their job (JCAHO & NCQA, 1998). For example, a claims specialist may be able to view the patient's diagnosis and the clinician's charge, but not see their medication history (Berman, 2001). In other cases, specific staff may be allowed to make changes or additions to certain parts of the file, but not others. Transaction logs can also be implemented to provide a record of who accessed confidential data and when the access occurred (JCAHO & NCQA, 1998). MCOs can maintain a detailed log of who made changes to the database and when the alterations took place (Edwards, 1997).
There are also a number of measures MCOs can undertake to prevent unauthorized access to records, from individuals inside and outside of the company. While we did not undertake a thorough study of this topic, we did uncover a number of commonly used technological measures that companies can use to protect their data from unauthorized users. Biometric scanning, including fingerprint or voiceprint, is available to ensure that the person accessing the data, and making changes to the data, is authorized to do so (Berman, 2001). Data can be encrypted and firewalls can be installed to prevent outside hackers from gaining access to confidential patient information (SAMHSA, 1996b). MCOs can implement up-to-date technologies to ensure the security of patient information when transferring data over the Internet and over internal computer networks, (Campbell, 1996).
Providers can help to protect their client's privacy when working with MCOs. Davidson & Davidson recommend that providers refuse MCO contracts that include non-disclosure clauses, which limit the providers' ability to discuss limitations imposed by MCOs and should refuse to comply with MCO requests when the requests clearly conflict with the patient's best interest (Davidson & Davidson, 1998).
Patient advocates believe that managed care clients should be fully informed of who has access to information about their mental health and substance abuse treatment and how this information will be used. The NMHA recommends that when consumers sign the consent authorization upon joining the health plan, the authorization should include detailed information about the plan's confidentiality policies, and how the data is protected (NMHA, 1999). Because consumers may not always anticipate their health care needs or recall signing the original consent form when they begin mental health or substance abuse treatment years after joining the health plan, MCOs should establish a mechanism for requiring updated consent forms whenever particularly sensitive diagnoses are entered into the database or when health care usage suddenly increases substantially (JCAHO & NCQA, 1998).
Advocates maintain that when clients' health information is shared with third parties, clients have the right to know what information was shared, who will have access to the data, how it will be stored and who is legally responsible for protecting the security of the information (Davidson & Davidson, 1995). Clients can be allowed to view the transaction logs so that they can identify specifically which staff have had access to their information (JCAHO & NCQA, 1998). Advocates argue that clients should be informed if the MCO is sold (Davidson & Davidson, 1998) or if their records are subpoenaed by county or government officials (SAMHSA 1996). JCAHO and NCOA state that MCOs must not sell personal health information collected from clients nor disclose any confidential data to third parties, such as employers, without the client's written consent (1998).