|
Richard Spinks INLS187 02/06/2002 |
A lot of people get their health insurance through their employer. For me, it's Blue Cross and Blue Shield of North Carolina (BCBSNC). Because medical information is often sensitive and highly personal, it is important to examine how the company handles such information. BCBSNC outlines their practices in their member confidentiality policy.
The policy is concerned with delineating BCBSNC's position regarding the collection, use, and dissemination of personal information relating to members. Specifically, the policy describes:
To evaluate this policy, I'm looking at the following (admittedly member-centric) criteria:
In terms of its language, the policy assumes a middle ground between the brief, direct style of the BCBSNC privacy policy (which is specific to the BCBSNC Web site and its users) and the tangled syntax of a legal contract. An example of this can be seen in the policy's statement of general purpose:
This Policy Statement on Confidentiality of Member Information ("the Policy") sets forth the manner in which Blue Cross and Blue Shield of North Carolina ("the Plan") assures that appropriate policies and procedures are in place for the Plan and those with whom it does business to protect the confidentiality of individually identifiable personal information concerning Plan Members.
However, for the most part, this pseudo-legal lingo is limited to sections of the policy where BCBSNC is defining the terms it uses throughout the policy, and the fact that the policy takes pains to define what its terms mean is notable.
Overall the language used in the policy is fairly straightforward, although you could argue (with good reason) that the reading level required might be higher than that of the average member, given BCBSNC's size and the large number of their members across their different plans. The tendency of the policy to slip into contractual sounding language in places is likely due to the fact that BCBSNC is making binding claims regarding its behavior. Another contributing factor to the language is that BCBSNC is obligated to operate within North Carolina law (the North Carolina Insurance Information and Privacy Protection Act, for example) when dealing with confidential medical information, and some stylistic elements of the laws have bled over into the policy.
The scope of the policy in describing how BCBSNC deals with personal information seems thorough, at least from my member's perspective. The scope of use is summed up below:
The Plan will use and disclose Personal Information for purposes of treatment, payment and health care operations as authorized by law, and for those other purposes for which the law does not require Member consent. In addition, consistent with the routine Member consent, the Plan uses and discloses Personal Information for the legally permitted purposes of coordination of care, quality assessment and measurement and accreditation.
In addition BCBSNC authorizes certain uses of personal information for research projects and for analyses of health care expenditures by employer groups.
While the policy does not enumerate the specifics of these uses or give examples of why, say, personal information might be properly disclosed to a third party, the policy is quick to explain what safeguards are in place to maintain the confidentiality of the information according to the different uses. These safeguards range from confidentiality agreements for employees and third parties to requirements on other organizations to document and enforce confidentiality procedures of their own. Where appropriate, BCBSNC will aggregate the data it provides to remove any information that might identify individuals.
Because the confidentiality of personal information, particularly that having to do with medical records, is very important to the members participating in the BCBSNC plan, member participation in the development and maintenance of the policy is an issue. In this regard, the policy does not provide much in the way of a mechanism for members to be involved in the ongoing development of the policy itself, at least in direct terms.
The policy does identify the Chief Privacy Official and the Privacy Committee as the entities that are responsible for reviewing and updating the policy. For example, their responsibilities include:
If feasible for the business operations of the Plan, and as permitted or required by law, developing policies regarding responses to a Member's request to limit access to, or use or disclosure of that Member's Personal Information beyond, the restrictions of this Policy.
So while the policy does address the member's intentions insofar as his or her personal information is concerned, it is unclear how a member might go from the one-time use question described above to a formal change to the policy.
Ultimately, as a member, it is important to feel that the policy is there to protect your interests rather than those of BCBSNC or of another organization, such as your employer. Generally speaking, the policy does a decent job of reassuring the member about the confidentiality of his or her personal information and the steps that BCBSNC will take to protect it. But that is not to say that the policy does not acknowledge the tension between interests:
Members have the right to expect that their legally protected privacy interests will be respected and protected by the Plan. Notwithstanding the importance of protecting these privacy interests, there are uses and disclosures of Personal Information that are appropriate and necessary in the course of the Plan's business operations.
Of course, your sense of security is only as strong as your faith in phrases like "legally protected." The North Carolina Insurance Information and Privacy Protection Act seems to provide a sound basis for the protection of personal information, and the BCBSNC policy does note these protections in several places. But while the policy is very clear on when and how disclosures are made, it is hard to not to be a bit cynical about whose interests would ultimately win out when you read statements such as the following, few as they may be:
This Policy is intended to protect the confidentiality of Members' Personal Information consistent with the Plan's need to: 1) conduct business that involves the use of certain Personal Information...
By not documenting more clearly any mechanisms available to members to make their wishes known and otherwise affect access to their information, the policy stops short of being a proactive statement aimed at the protection of your interests as a member. Nonetheless, the policy's breadth of coverage and detail in its procedures does leave you with some degree of security.
In many ways this policy is clear and well presented. It defines the terms it uses and includes detailed descriptions of its various parts, whether it is describing the physical security measures in place within BCBSNC's business operations or the different aspects of consent that are considered by the policy. The result is a policy that is complete in most respects and expressed (on the whole) clearly.
However, as a member, there are some changes that could be made that would improve member support and strengthen the confidence that members had in BCBSNC and its use of personal information. In discussing the access of members to their information, the policy alludes to "specified legal rights," which are set out in North Carolina law. While the policy notes that members can request a copy of their information, the policy does not specifically list what types of information can be obtained; it is up to the member to ascertain that through their own familiarity with the law. I would like to see the policy explicitly include both a description of what they could provide and a mechanism which would facilitate a member's accessing this information (other than the vague "written request"). This would truly demonstrate BCBSNC's respect for the importance of personal information to its members.
Another change that I would recommend takes advantage of the policy's online presence. The policy mentions "North Carolina law" and other entities that would be of interest to a member, such as the "Appeals policy and complaint process." If links were added to relevant and supporting pages, the member would have a more complete understanding not only of the policy itself but also of the context in which the policy is situated. It would also give the member a more informed position from which to participate in the policy's revision process.