Avoiding Privacy Pitfalls in Medical Management

May 14, 2019

This paper addresses some of the common privacy concerns that arise when an organization serves the dual function of employer and healthcare provider. There are many facets to this issue, including the handling of claims data, the appropriate distribution of responsibilities among internal staff, and the disclosure obligations of the plan. This issue arises frequently for healthcare plan sponsors, but it can also arise for non-healthcare employers who take on some of the responsibilities of providing care, such as employing physicians or nurses for employee health programs.

This paper also provides practical advice for designing and implementing medical management programs through an independent third party, or using an entity’s own internal resources based on Aon’s experience in the healthcare employee benefits sector. First, we explain how plans may lawfully handle and disclose their members’ PHI as part of a medical management program. We then explore three principles for a successful medical management program:

1) Strong privacy policies to prevent violations of HIPAA;
2) A robust communication strategy that builds employees’ confidence and engagement in their own health management;
3) Insourcing and outsourcing the right elements of the program to reinforce proper privacy controls and employee engagement.
