The single deadliest blow to confidentiality by all health professionals ... is their collusion with managed care.
--Bollas & Sundelson (1995, p. 130)
Managed care organizations have become one of the dominant approaches to health care delivery in the United States. This approach has important implications for the confidentiality of patients' medical records; specifically, close scrutiny suggests an inherent paradox concerning the maintenance of patient confidentiality in the age of complex managed care arrangements. Although these systems are designed to provide less expensive, quality care for patients and streamlined efficiency for health care providers, they concomitantly compromise privacy by making patients' confidential records available to a wide range of internal and external audiences. It is this important paradox and its impact on health communication that we seek to address by presenting a case study framed by an extension of Communication Boundary Management (CBM) theory (Petronio, 1991).
Managed care is a broad, and often confusing, term that refers to a multifaceted and continuously evolving system designed to provide quality health care and simultaneously contain costs (Integrated Health Care Association, 2000). Managed care organizations are responsible for the health of an enrolled group of people and, consequently, seek improvements in both the results and the cost-effectiveness of services provided. These organizations include a wide array of health insurers, medical groups, hospitals, and integrated health care systems. Management and control of spending are maintained by closely monitoring how physicians and other medical professionals care for patients; techniques include not allowing procedures to be performed, refusing physicians' permission to discuss alternative procedures, limiting coverage to care by preferred primary care physicians and hospitals, and requiring preauthorization for specialty care (American Medical Association, 1999; Integrated Health Care Association, 2000; University of California, 1999).
Managed care was designed to simplify health care systems and contain health care costs; paradoxically, it has simultaneously created an exponential increase in the number of individuals who have access to patients' files, access that may compromise the confidentiality of patients' health communication and their health care. In the managed care environment, the approach to protecting patients' confidentiality seems to be dictated by business interests rather than traditional codes of ethical conduct, which state that health care professionals will do their patients "no harm" by maintaining a "duty of silence" regarding communication of patients' private information (Everstine et al., 1980). In the current managed care environment, instead of just the primary physician and immediate staff having access to a patient's information, as many as 17 people now have authorized access to a patient's record (Munson, 1996; Rock & Congress, 1999). Within this system, individuals, such as administrators, employers, insurance company representatives, legal experts, researchers, and police officers, have easier access to a patient's personal health data ("Association Cites Confidentiality Problems," 1999).
Even with confidentiality policies in place at health care organizations and with employees signing confidentiality agreements upon being hired, more breaches of confidentiality may be occurring simply because the number of individuals with access to confidential information increases in a managed care environment. With so many individuals accessing and communicating patients' confidential data through the widespread use of computerized records (Anderson & Brann, 2000; Pendrak & Ericson, 1998; Shalala, 1998; Weingarten, 1992), multidisciplinary health care teams (Cummings, 1993; Dodek & Dodek, 1997; Lazoritz, 1994), and primary care physicians serving as gatekeepers to specialists (Bodenheimer, Lo, & Casalino, 1999; Grumbach et al., 1999; Hickey, 1995), the risks for breaching patients' confidentiality inevitably increase. Taken further, confidentiality breaches not only occur through communication processes, they also affect the quality of patients' health communication and health care. Research has shown that patients withhold information from health care providers if they suspect that this information will be communicated to unauthorized individuals (e.g., staff that do not have an essential need to know) or other entities (e.g., employers and insurance companies) (Annas, 1992; Goldman, 1998; Gostin, 1997; Yeo, 1991). If health care providers do not have adequate and useful information, the quality of the care they provide will likely decline (Annas, 1992; Cline & McKenzie, 2000; Goldman, 1998; Parrott, Duncan, & Duggan, 2000; Yeo, 1991).
This broadening of access to patients' records in the managed care environment has led to numerous documented breaches of patient confidentiality. For example, to ascertain the necessity of and payment for treatment, managed care organizations usually obtain patients' personal health information, including symptoms, medications, and therapy notes (Sutherland & Yarbough, 1996). Specifically, it is common for a managed care representative to examine the medical records of psychiatric patients whose therapy appears to be lasting too long. During one such review, a managed care organization learned of specific patients' disclosures about non-health-related activities, including extramarital affairs (including one with a prominent public figure), homosexual activities, sexual torments, wife-beating, and violent fantasies (A. Allen, 1998; for another pertinent example, see Pendrak & Ericson, 1998). Because sharing sensitive information is expected and often demanded in a managed health care setting, it is even more essential that questions regarding who might have access to patients' personal information be revisited and clearly defined to aid patients' understanding of confidentiality issues and protect their rights of confidentiality (Hodge, Gostin, & Jacobsen, 1999). Unfortunately, as K. Allen (1998) claimed, "Many [health care providers] lose touch [with] this important concept as they seek to learn new skills, develop experience, and survive in a managed care environment" (p. 37).
In an effort to understand the communication of confidentiality in the complex managed care environment, a case study analysis, framed by CBM theory (Petronio, 1991), is presented. This theory, although previously focused primarily on interpersonal, micro-level boundaries (Petronio, 2000; for exceptions see Serovich & Greene, 1993; Serovich, Greene, & Parrott, 1992; Serovich, Kimberly, & Greene, 1998), offers unique insight into the management of privacy boundaries. The purpose of this study, then, is to review, apply, and extend CBM theory by further conceptualizing how macro-level boundaries at the group, organizational, and environmental levels affect the privacy boundary coordination of relevant parties in an actual case. From such an analysis, practical recommendations are offered for the maintenance of patients' confidential health information by patients, health care providers, and managed care organizations.
COMMUNICATION BOUNDARY MANAGEMENT THEORY
Previously, CBM theory has provided a useful framework for understanding tensions that are created when individuals are deciding whether and/or how to disclose or maintain private information during dyadic communication. These tensions emerge because there are tradeoffs involved in either withholding or disclosing private information. As Allman (1998) explained, "Individuals create metaphoric protective boundaries that they can use to manage the flow of private information" (p. 178). The metaphor of a boundary is, thus, used to identify a perimeter around private information that may or may not be permeated by sharing it with others (Petronio, 2000). People negotiate boundaries, seeking a balance between privacy and openness, distance and intimacy, and autonomy and interdependence (Greene, 2000; Petronio, 1991; Rosenfeld, 2000; Yep, 2000). CBM theory describes the evolution and enactment of these micro-level boundary rules. What this theory lacks, however, is a sufficiently complex conceptualization of communication boundary management including the macro-level forces that may affect individuals' privacy boundaries, interaction rules, and interpersonal communication about private matters. In overlooking macro-level boundaries, proponents of the theory have neglected situations, such as third-person disclosure of private or confidential information, which may occur beyond the knowledge or control of the primary interactants. Hence, although the private communication of the dyad was the genesis for CBM theory, we seek to extend the theory to include communication by other parties or interests beyond the dyad.
Boundaries are established to protect potential vulnerabilities associated with the revelation of sensitive information for both the discloser and the individual(s) (or other entities) to whom the information is being disclosed (Yep, 2000). These protective boundaries are used to direct the flow of information or other forms of communication between people (Petronio, 1991). Thus, the parties use limits to protect themselves in an interaction. As Yep (2000) summarized,
Partners coordinate the intersection of their own individual boundaries by following specific relational rules that determine the sending and receiving of disclosure information in terms of timing, amount, and context to establish an equilibrium between personal autonomy and relational intimacy. (p. 87)
Boundary perimeters are determined by developing and communicating rules that manage the tension between privacy and disclosure and minimize the risks of vulnerability (Petronio, 1991; Yep, 2000). These rules are initially predicated on participants' expectations for the interaction and later on the interaction itself. For example, in a health care setting, preexisting rules or social norms create an expectation that communication of sensitive information (e.g., information about physical and/or psychological functions) is necessary to give and receive adequate care. During the interaction, another rule or expectation is used to balance the tension between the desire for privacy and the need for disclosure, specifically, that the information a patient shares with her or his health care provider will be kept confidential. It is through a complex matrix of interaction rules, then, that patients' confidentiality is maintained (or in some cases breached).
Previous literature on privacy boundary management has emphasized micro-level interpersonal issues to the relative exclusion of many macro-level concerns (research by Serovich and colleagues, 1992, 1993, 1998, notwithstanding). In the traditional health care context, disclosure of patients' personal health information was considered the responsibility of both the patient and health care provider because both parties assumed joint ownership of the shared information. Rosenfeld (2000) claimed that joint responsibility forced the patient and health care provider into an "elaborate communication dance" (p. 12). However, in the case that we focus on in the present study, the primary physician and the patient had already accomplished this dance within their relationship. A problem did not arise until a third party (another physician in the managed care organization who was being sued for …