Confidentiality in managed care is not a misnomer, but it is in question. Confidentiality usually involves keeping private any information learned from or about the patient. It can sometimes be ethically breached, and in some cases must be — suspected child or elder abuse, gunshot or other suspicious wounds, communicable diseases, and workers' compensation cases.
Some managed care issues concerning confidentiality are new. First, people in private organizations, not just government, may newly discover and use information not meant for them. Second, the computerized patient record — which despite its initials does not need to be revived so much as to be buttressed with RAM (random access memory) — makes an order-of-magnitude difference in information access and the potential for breach. Third, some physicians are required by contractual agreement to keep information from the patient about therapeutic options, or about their health plan.
Many patients recognize that a distant episode of depression requiring hospitalization, once recorded under their "Past Medical History," may brand them for life with an employer or insurer. A terminated pregnancy may not be volunteered in the "Review of Systems," or in the "Past Surgical History." Notice of a single episode of later-in-life syphilis or several youthful homosexual encounters may never make it to the doctor, much less into the medical record.
To gain access to managed care, prospective utilization review asks patients to be forthcoming about their physical and mental problems. To avoid embarrassment and maintain privacy, some patients avoid making a necessary appointment with utilization review. Others, cowed by the process, minimize their symptoms.
To intrude into a person's privacy, the state must show a compelling interest, writes Galveston attorney William Winslade. To learn confidential information — information that was once private — the state must show logical reasons. Private companies, however, have no right to such data, yet may seek it.
For example, in the case of John Doe v. Southeastern Pennsylvania Transit Authority 1994 WL 683382 U.S. Dist. Ct., (E.D.Pa.), a patient's employer was found liable for inappropriately using knowledge gained by evaluating an employee's prescription, written for treatment of HIV disease. The employer had allegedly received the prescription information from Rite Aid Corp., a pharmacy chain. Another lawsuit, this one filed against Rite Aid, was settled out of court in favor of the employee.
How many times has a doctor had to see a patient and not had the records? Were they checked out to the hospital four months ago? Or were they here just yesterday, only to be moved on to the department in charge of quality improvement?
Computerized patient records are supposed to change that trail, and with luck, they will. Complex patients can have records three feet thick. Even three inches is impossible to review in a 20-minute office visit that may begin, "I just have a cough ... and need some prescriptions refilled." Wouldn't mouse clicking and 17-inch (or even 10-inch) monitors be easier?
They probably would be easier for everyone. But federal protection of electronic information is largely nonexistent. Scores of people and institutions can now know whatever doctors know about the patient, whether or not doctors or the patient approve.
There are programming-based tools for protecting information. Encryption is one; read/write limitations are another. There are also responsibility-based tools, such as passwords and audit trails.
Yet all have problems. Passwords, for example, can be copied, lost, stolen or just happened on. Their existence can allow users to be distant or remote. Users may hurry off to the next patient and become remote, forgetting that they've logged in, allowing ready access to anyone who walks by.
Gag rules take many forms, but most prohibit physicians from discussing diagnostic, therapeutic or consultative options not covered by the patient's managed care organization. Many prohibit discussion of the plan's referral procedures, including financial incentives and utilization penalties for physicians.
At least five states (Colorado, Maryland, Massachusetts, Oregon and Tennessee) have passed laws limiting or quashing gag rules. And legislation pending in the House of Representatives would outlaw gags in contracts and fine managed care organizations that fired or refused to pay a physician who spoke with a patient about the risks and benefits of tests, referrals or treatment.
Disclosure and trust are the foundation of any potentially therapeutic relationship in health care. Neither exists if the doctor cannot speak about the quality, relevant outcomes and experience of the health plan. There is little debate about these points.
What there is debate about is what constitutes a gag. Does it include "anti-disparagement" clauses, in which the physician promises not to malign the managed care organi- zation with patients or colleagues? Do physicians know how different plans work well enough to explain them?
There is also little recognition of implied gags — our collective reluctance to write something in the chart because of the patient's shame or confidence, or feared unemployment or divorce. Sometimes an implied gag is made explicit by a quivering lower lip or patient request or both.
What is a doctor to do when a patient asks to keep something off the record? It's easy to say that under most circumstances, private information linking patient and condition should not be revealed without a patient's specific permission. But, knowing as we do that perfect confidentiality is hard to assure, when are we justified in omitting pertinent information from a patient's medical files?
Most physicians have acceded to such requests concerning, say, an HIV test taken because of the statistically small risk of transmission in an episode of unprotected heterosexual sex that the patient wants to keep secret. But the waters rapidly become murkier if one moves on to the suppression of more clinically significant notations.