Managed care implies the provision of information to or by a third party with the objective of creating equilibrium between the need for and the supply of care. Managed care impinges directly on the concept of informational privacy as it makes use of personal and frequently confidential data. One difficulty with regard to privacy legislation is that such information management by a third party can damage a doctor-patient relationship of trust and threaten the protection of medical data. But managed care and protection of privacy need not be contradictory, as long as the following four conditions are met.
1. Access to medical data must be in accordance with applicable standards of professional medical secrecy. In the case of scientific research and statistics in the field of public health, specific national legislation should be complied with. In the Netherlands a stipulation to this effect has been included in the Medical Treatment Contracts Act. This stipulation has been further detailed in the Health Research Code of Conduct. This code makes a distinction between the use of non-identifiable data, identifiable but coded data, and other identifiable data set under strict conditions of usage.
2. The exchange of personal data must, in accordance with article 6, paragraph 1, subsection b of the European Privacy Directive, be compatible with the purpose for which the data was collected. Further processing of the data for historical, statistical or scientific purposes is not considered incompatible, provided that there is strict functional separation between the research and the patient file and no tracing back to identified individuals is possible.
3. The processing of medical data must satisfy the requirements of the stringent regimen applicable to special data in accordance with article 8 of the European Directive.
4. As soon as the rules have been determined in a concrete situation based on the above, these rules should be made known and visible, and properly followed. It is important that the legal rules are translated into the database architecture. Privacy Enhancing Technologies (PET) make a valuable contribution here.
As follows from the above, there are two conceivable situations in which the needs of managed care and privacy need not be contradictory: (i) when non-identifiable data is used; (ii) in the case of scientific research or statistics.
Beyond these two situations, the general concept of managed care includes a category of applications for which especially strict restrictions apply. A judgement will thus have to be made from case to case. The Netherlands Data Protection Authority will focus on this category in its follow-up research and statements.
Citation
Hooghiemstra, mr. drs. T.F.M., Privacy & Managed Care, Dutch DPA, December 1998. Background Studies & Investigations 12.