THE CONFIDENTIAL CHALLENGE

TECHNOLOGY CREATES CONCERN ABOUT MEDICAL CONFIDENTIALITY

Keeping employee medical information confidential is becoming a growing challenge for employers.

Benefit managers say that medical information is distributed strictly on a need-to-know basis within their companies. Case managers, for instance, may be the only ones to know the identity of a particular claimant.

But medical information rarely stays strictly within the company. The growing use of data bases, more frequent cost-benefit analyses of medical data, and the proliferation of third-party administrators and health maintenance organizations all have led to the wider distribution of employee medical records and the greater possibility that information could fall into the wrong hands.

At the same time, fear of being subject to a patchwork of state laws governing the confidentiality of medical records is leading some benefit managers to call for the establishment of federal standards.

Employers are already keenly aware of the need to keep medical information confidential, observers say. Large employers in particular "are pretty careful about this stuff, and I think they also have some pretty experienced and knowledgeable human resources people who treat any information they come into contact with confidentially by course," said John Hickey, principal with Kwasha Lipton L.L.C. in Fort Lee, N.J. "It's the nature of the human resources function," he added.

Employers are increasingly adopting different procedures to maintain confidentiality, though, said Richard Gisonny, a principal with benefits consultant Towers Perrin in Valhalla, N.Y. They also are becoming more diligent about obtaining employee permission to release medical data, he said.

Many companies are also setting up "Chinese walls" to make sure confidential information is not accidentally exposed, said Wendy Green Sibley, a technical consultant with Towers Perrin in Valhalla.

At First Chicago Corp., for instance, "managers are not given any access whatsoever to employees' medical records," said Robert L. Bonin, assistant vp, health plans. Records are stored electronically on an independent, separate network, with the data encrypted.

Older records that are still on paper are kept in fireproof, padlocked cabinets in a securely locked area within the medical unit, Mr. Bonin said. "Only doctors, nurses and psychologists have access to records."

Even beneficiary designations are kept confidential, except for benefits staff.

"We take this very seriously, and we've never had a complaint about confidentiality," Mr. Bonin said.

Other employers say the issue of confidentiality has a high priority at their company, as well. "It's of great concern, of course," said Roger Krantz, health plan administrator for Duluth, Minn.-based Minnesota Power & Light Co., which has a self-insured, self-administered plan.

"We have always told our people when they visit their physician they should be assured...that it's confidential between them and the doctor," Mr. Krantz said.

"If anyone ever hears of anything being said, I want to know immediately and (the person divulging information) won't be around very long. If there was a breach of confidentiality internally in our department, that person would be terminated," he said.

"We cannot get, nor do we want to get, information about individual patients," said Helen Darling, manager of health care strategies and programs at Stamford, Conn.-based Xerox Corp.

Xerox's programs are handled by Prudential Insurance Co. under an administrative services only contract, she noted. "They don't give us information."

While Xerox may get a list of cases that cost more than $100,000 during a particular quarter, for instance, it does not receive any specific details, she said. "In terms of my getting hold of or being able to access records, I never would ask, but I would be turned down if I did ask," said Ms. Darling.

"The company has no desire, need, or interest for particular information on all our employees," said Jim Margerum, human resources benefits strategist for Arizona Public Service Co.

Arizona Public Service, a Phoenix-based utility, has health care plans that are self-insured and self-administered.

"We do things very consistently with most other organizations and respect that privacy and do whatever we can to maintain that," Mr. Margerum said.

As for outside the company, "I think clients rely pretty heavily on whomever is the claims payer to ensure that their confidentiality is treated with due respect," said Kwasha Lipton's Mr. Hickey.

"I think it's there where the most potential exists for some confidential information about various ailments or whatever coming to the front."

However, "most large insurance carriers and TPAs are very careful about that stuff," Mr. Hickey added.

"We've never had any employers, plan sponsors or employees complain," said Robert Parker, president of Columbus, Ohio-based Harrington Services Corp., a TPA.

Claims are sent to Harrington directly by the employee, and "the employer does not typically have any involvement with those," he explained.

"Employers get various types of reports, but the reports are not identified specifically" as to the individuals involved, he said.

Furthermore, individual information is handled "only by people who have a need to access that information," said Mr. Parker.

Despite such policies, others say the issue of confidentiality is of concern. And many who believe the issue is now under control worry that may not hold true in the future.

"The system as it exists today, in my opinion, is ripe for abuse because there are so many different sources of confidential information in use and it's by name of employee and by name of dependents," said Jack Doerr, group benefits practices leader for Sedgwick Noble Lowndes in Chicago. While progress has been made in this area in recent years, "I think there's quite a ways to go."

"I think that the administrators' distribution of information has to be more sensitive than it is, and that employers receiving that information in the distribution have to be even more sensitive than they are right now," said Mr. Doerr.

More of the claims data should have employees' names removed, he suggested.

But utilization review, whether it is for an HMO or a traditional indemnity plan, provides more people with access to confidential information and therefore more opportunities for its misuse, according to Dr. Stephen Rosenberg, director of clinical services for Coopers & Lybrand's human resources advisory group in New York.

You hear all sorts of anecdotal "horror stories" involving clerical employees in hospitals or insurance companies announcing, "I know that name. That's my next door neighbor Mary, and it looks like she's a nut," Dr. Rosenberg said.

More large employers are becoming actively involved in case management, and there is an increasing awareness that a small proportion of people account for a large percentage of health care expenditures. Specific medical histories are necessary to adequately analyze those high-cost cases.

Furthermore, there is a need at the employer level to bring information from separate vendors together into a single data base, and to do that "you need to know individual specifics," said Suresh Malhotra, managing director with William M. Mercer Inc. in Chicago.

"It's an issue that I don't believe employers have faced up to now" because good standards have not been developed as to how employers can deal with the issue of confidentiality, "yet get the information that is necessary to manage the plans effectively," Mr. Malhotra said.

Some observers worry that even following rules could cause problems.

Employers may keep the information confidential in the sense that they do not disclose it to a third party, and insurers may not disclose it to those who do not have the proper authorization, "but that doesn't mean someone isn't going to be adversely treated by the insurer or that employer," said Mark A. Rothstein, director of the Health Law and Policy Institute at the University of Houston.

Observers also point to the greater use of data bases.

"I think a lot of us are getting a little bit concerned about confidentiality based on some of the data bases that are being developed to assess health care within the states," said Minnesota Power's Mr. Krantz.

The concern about individuals' files becoming public "has everyone seeking to find the best safeguards possible," he said.

"As we become more immersed within the data bases and information, it's a little bit like the credit card companies," where it seems everyone has your name and credit information, he said. "There has to be a factor of privacy for the individual, and we have to have some way to assure personal information is not available to everyone who may want to sell them a medical gimmick cure all for all their problems."

Mr. Krantz said he is bothered by calls he has already received at home from people seeking to sell him health care-related products.

A bill introduced in the U.S. Senate by Sen. Robert F. Bennett, R-Utah, in October would establish uniform, comprehensive federal rules governing the use and disclosure of identifiable health information about individuals.

The proposed Medical Records Confidentiality Act, co-sponsored by Sen. Patrick Leahy, D-Vt., would replace the patchwork of conflicting confidentiality laws that now exists in 34 states, according to Sen. Bennett's office. The bill, which is now in the Senate Labor and Human Resources Committee, is expected to have some modifications, according to a spokesman for Sen. Bennett.

Among its provisions, the bill specifies the responsibilities of those who collect, use and maintain health information about individuals and defines individuals' rights with respect to health information. It also sets limits on how health information can be used and disclosed.

The bill has come under fire from some critics, however, who say it does not go far enough to ensure patient confidentiality.

And some observers say they see no need for such federal legislation.

First Chicago's Mr. Bonin, for instance, said he has a "general philosophical objection to legislation from Washington that's designed to cure an abuse that may exist in a tiny fraction of cases and suddenly the whole world has to comply with this legislation."

The probability of a significant problem right now is small, acknowledges Dr. Don E. Detmer, senior vp at the University of Virginia in Charlottesville.

"The technology, however, continues to move forward," he said.

"If we don't do it fairly soon, it will become more difficult to try to handle later, and there will be more potential for abuse as more of these data are developed in digital form." Dr. Detmer sees a need for federal standards and describes Sen. Bennett's proposal as basically an "excellent bill."

Without necessarily endorsing Sen. Bennett's bill, other observers agree there is a need for federal standards. "You wouldn't want 50 different confidentiality approaches," said Fred Hamacher, vp-compensation and benefits for Dayton-Hudson Corp. in Minneapolis.

"There should be a national standard, and it should be for the right reasons, too," he said.