Provider Manual

Member Confidentiality & Security

This section outlines Commonwealth Care Alliance's compliance and member confidentiality standards and identifies the appropriate steps for our providers if a security incident involving Commonwealth Care Alliance members is experienced. A security incident is defined as any event that poses a threat to a computer or physical environment that could compromise data confidentiality, integrity, availability, and authentication.

Member Confidentiality

Commonwealth Care Alliance is required under Federal and state laws to protect confidential member and provider information from unauthorized disclosure. Many of these requirements are common to our affiliated providers. Providers are to comply with Commonwealth Care Alliance contractual obligations, such as requests for information necessitated by government contracting requirements.

Confidentiality Standards

Commonwealth Care Alliance's contracted providers are expected to treat and maintain all member information in a confidential manner in accordance with Commonwealth Care Alliance's provider contracts and confidentiality policies, and with federal and state laws. Commonwealth Care Alliance safeguards this information by requiring a contractual agreement, a confidentiality form, and/or a business associate's agreement to be signed. The following individuals are to sign a form attesting to the confidentiality of member and other information:

  • All Commonwealth Care Alliance employees, including temporary employees
  • All students, interns, and volunteers
  • All providers and vendors that may encounter confidential information during the course of providing services to Commonwealth Care Alliance
  • All delegated entities of Commonwealth Care Alliance

Medical Record Confidentiality and Security

All medical records and patient information obtained from providers are protected from any unauthorized use or re-disclosure. Except as provided by law and mentioned herein, protected health information (PHI) is never used or disclosed for purposes unrelated to Commonwealth Care Alliance's business without specific member authorization.

To meet Commonwealth Care Alliance's confidentiality requirements for medical records, providers must:

  • Maintain medical records in an area that is protected against loss, destruction, tampering, and unauthorized use or access
  • Maintain billing information in a secure location in locked files
  • Adhere to the confidential requirements of centralized enrollee record (CER) documentation

Additional Commonwealth Care Alliance requirements for medical records are:

  • Inactive records will be stored in a secure location to prevent unauthorized access; however, records must be stored in a manner that provides for prompt retrieval of member information as needed
  • Records are to be retained for 10 years from the date of the last entry in the record or, for medical records of disenrolled members, 10 years after the date of disenrollment

Authorization for Disclosure of PHI

Member Notification of Privacy Practices

When members enroll in a Commonwealth Care Alliance plan, they are provided with Commonwealth Care Alliance's Notice of Privacy Practices that describes certain uses and disclosures of member information that are necessary for the provision and administration of services and benefits.

Please refer to the list below to determine when a member's authorization is or is not required prior to the use or disclosure of PHI.

MEMBER AUTHORIZATION IS NOT REQUIRED:

For treatment

  • Consulting with other physicians about a member's treatment or providing information to physicians

For payment

  • Submitting and paying claims
  • Conducting medical necessity or utilization reviews

For health care operations

  • To provide customer support to members
  • To auditors for quality reviews
  • To conduct quality assessment and improvement activities
  • For credentialing activities or to resolve internal grievances
  • For medical reviews or legal services

To the member for PHI regarding that member

Required by law or court-ordered

For public health purposes

  • To control disease, injury or disability
  • To report abuse or neglect

For health oversight purposes

For compliance or fraud investigations

MEMBER AUTHORIZATION IS REQUIRED:

For requests from legislators, advocates, and attorneys

For use or disclosures of psychotherapy and/or mental health notes except to carry out treatment, payment or health care operations

For law enforcement activities

  • Identifying or locating a suspect/fugitive
  • Identifying or locating a material witness or missing person

For specialized government functions

  • Military and veteran activities
  • National security and intelligence activities

For research purposes

For deceased individuals

  • To coroners and medical examiners in order to identify a deceased person or cause of death
  • To funeral directors

KEY POINTS REGARDING THE USE & DISCLOSURE OF MEMBER INFORMATION

Third Party Disclosures

  • Unless permitted or required by law, member information may not be disclosed to outside third parties without member authorization
  • Upon enrollment, a member authorizes that his/her information can be shared with Medicare, MassHealth and that his/her primary care physician may share information with Commonwealth Care Alliance
  • A member's legal guardian has the right to access the member's PHI. A copy of the legal guardian's documents is to be maintained by Commonwealth Care Alliance
  • Other than a legal guardian, a member can authorize another individual to access that member's PHI for a specified period of time either in writing or orally while the other individual is on the phone with the member services staff at the same time

Sensitive Diagnoses-Additional Authorization

  • Extra precautions are taken to protect sensitive member health information such as behavioral health, HIV/AIDS status, and substance abuse treatment
  • Providers are to receive special authorization to release sensitive information such as HIV/AIDS and substance abuse diagnoses and treatment. Providers may include a special section in the overall Authorization Release Form or use a separate Authorization Form

Provider Communication

  • Information shared by contracted providers through various means, such as fax and e-mail, is to be sent in the most secure manner possible
  • Member PHI may be left for members on a voicemail system; however, the information should be general. If the member wishes to have specific information such as lab test results left in a voicemail, the provider should have written documentation indicating the member's wishes

Medical Record Requests by External Entity

  • Member requests for records: Commonwealth Care Alliance agrees to give access to, and a copy of, member medical records upon request. Commonwealth Care Alliance encourages contracted providers to appropriately amend members' records in accordance with applicable Federal and state laws
  • If an external entity such as an attorney requests to see a member's medical record, the contracted provider is to have the member sign an Authorization Form allowing the attorney to have access to that information

Security Incident Procedures & Reporting

A security incident is defined as any event that poses a threat to a computer or physical environment that could compromise data confidentiality, integrity, availability, and authentication.

Required Action in Case of a Security Incident

1. Providers are required to report the incident to the Commonwealth Care Alliance Compliance Officer and the Commonwealth Care Alliance Security Officer immediately.

  • During business hours (Monday-Friday, 8 a.m.-6 p.m.), call (617) 426-0600
  • After business hours, call 1-866-610-2273 and ask for the on-call administrator
  • Send an email to securityincident@commonwealthcare.org with the details of the security incident

2. Providers are encouraged to file a police report if necessary (e.g., theft of a laptop). The reporting provider, with the assistance of the Compliance Officer and the Security Officer, will document what occurred using the Information Security Incident Report form.

3. After the breach has been reported and documented, the Compliance Officer and the Security Officer will work with Executive Management, General Counsel, and/or Human Resources as necessary to determine next steps. Commonwealth Care Alliance will then work with the reporting provider on required actions either performed by the provider and/or Commonwealth Care Alliance.

Last Updated 1/1/12