Risk Management

When Managed Care Systems Want Your Patient Records

By Joe R. McFarlane Jr, MD, JD

[Argus, August, 1994]

Complying with quality assurance provisions in managed care contracts can put ophthalmologists at risk of violating the physician-patient privilege. A typical contract provision states:

Quality of covered services: Provider shall be solely responsible for the quality of services Provider renders to enrollees, which services shall meet professionally recognized standards of medical practice. HMO’s professional review and credentialing committees shall monitor the quality of covered services rendered. Provider shall cooperate and comply with HMO’s internal quality management system and decisions of the medical director. Provider and Provider’s staff shall abide by HMO’s policies and procedures for utilization review and management, quality management and prior authorization.

Ophthalmologists may be asked to cooperate with quality assurance activities by providing copies of patient records. Does this violate the physician-patient privilege?

What the Privilege Entails

A physician has a legal and ethical duty to protect a patient’s right to confidentiality. Managed care subscribers often sign blanket authorizations to release information so the company can determine eligibility for coverage and decide whether the services provided or recommended are covered and medically necessary. A blanket authorization may not sufficiently protect against assertions that the physician-patient privilege was violated when the ophthalmologist released the patient’s records.

Patients may not be aware that their care is being reviewed retrospectively and may have legitimate objections. Furthermore, reviewing the care received before the patient was covered by the plan would fall outside the parameters of a blanket authorization. Deleting the patient’s name or otherwise attempting to conceal the person’s identity does not protect confidentiality or reduce the risk of an ophthalmologist who permits unauthorized disclosure of medical records. Regardless of the validity of the patient’s authorization, federal and state laws require specifically worded authorizations when HIV or chemical dependence information is involved.

Violation of the Privilege

Violating the physician-patient privilege subjects the ophthalmologist to civil and administrative penalties. In most states a physician may be held civilly liable for breach of confidentiality and/or invasion of privacy for disclosing patient information without the person’s authorization or as otherwise permitted by law. In addition, in most states violating the privilege is grounds for disciplinary action by the state board of medical examiners.

To guard against violating the physician-patient privilege when a managed care organization requests copies of a patient’s records, ophthalmologists should:

• Request a copy of the patient’s authorization from the insurer;
• Contact the patient directly to confirm that he or she authorizes the release of this information;
• Determine if the records requested fall within the time period when the patient was a subscriber. If not, provide only information that falls within that time frame;
• Deny requests from insurers to review the medical records of nonmember patients unless the patients consent.

Computerized Patient Records

Managed care has stimulated rapid computerization of medical records, facilitating access to information. But the downside is that unauthorized persons and groups can more easily acquire confidential information.

To ensure confidentiality of computerized patient records and to control access to personal computers and networks, ophthalmologists should institute the use of passwords in all networks and adopt the following guidelines:

• Staff should not share passwords;
• Change passwords often;
• Avoid obvious passwords such as the user’s name or the word “password.”

To ensure physical security of the computer system, install network servers in a secure room and make sure network cabling is not easily accessible. Limit supervision of the network to a single staff person. These precautions are also recommended for portable computers.