Paubox blog: HIPAA compliant email - easy setup, no portals or passcodes

Understanding data privacy in managed care organizations

Written by Kirsten Peremore | May 15, 2025

According to a chapter titled Managed Care Organizations published in StatPearls, “The Health Maintenance Organization Act of 1973, an amendment of the Public Health Service Act of 1944, established the foundation for managed care organizations and their comprehensive cost-saving methods.[3] Managed care organizations are essential for providers to understand as their policies can dictate many aspects of healthcare delivery; provider networks, medication formularies, utilization management, and financial incentives influence how and where a patient receives their medical care.”

HIPAA applies to managed care organizations (MCOs) because they qualify as covered entities under HIPAA's regulatory framework. HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically in connection with a HIPAA standard transaction. Since MCOs operate as health plans or insurers, managing care through networks, utilization reviews, and payment models, they are subject to HIPAA's Privacy, Security, and Breach Notification Rules.

HIPAA's requirements shape how MCOs handle care coordination. The law permits PHI sharing among providers within a network for continuity of care, but MCOs must balance transparency with privacy; for example, care managers should avoid unnecessary details when discussing cases with external specialists. Studies highlight the difficulty of striking this balance, citing delays in care caused by overly restrictive readings of the "minimum necessary" standard (which does not apply to disclosures to a provider for treatment) and inefficiencies in obtaining patient authorizations.

 

What are managed care organizations (MCOs)?

A Managed Care Organization (MCO) is a type of health plan or healthcare company that utilizes managed care as its model to provide healthcare services. A SciFlo Public Health study on the US experience with managed care notes, “Although there are many definitions of managed care, generally the term describes a continuum of arrangements that integrate the financing and delivery of health care.” They achieve this by combining healthcare financing and service delivery, employing various mechanisms such as limited provider networks, utilization management, quality oversight, and financial incentives to influence both patient and provider behavior. 

The concept of managed care has evolved over several decades, originating from early prepaid plans and capitation models, and now encompasses a broad range of approaches aimed at controlling costs and improving care coordination. MCOs contract with a selected group of providers (physicians, hospitals, pharmacies, and laboratories) who are credentialed and agree to provide services at negotiated rates. 

Utilization management tools like prior authorizations and case management help ensure that only necessary and evidence-based services are delivered. Financial incentives encourage patients to use network providers and motivate providers to adhere to quality and cost targets. This integrated approach helps contain costs, reduce fragmentation in care, and improve health outcomes by emphasizing preventive care and appropriate service use.

 

The types of MCOs

Another section of Managed Care Organizations notes, “Managed care organizations are present in many iterations, most commonly as health maintenance organizations (HMOs), preferred provider organizations (PPOs), and point of service (POS) organizations.” 

  • HMOs are the most restrictive, requiring members to select a primary care provider (PCP) who acts as a gatekeeper for referrals to specialists and authorizes care within a limited network. HMOs typically use capitation payment models and emphasize preventive care and utilization control. 
  • PPOs offer greater flexibility, allowing patients to see both in-network and out-of-network providers, usually without needing referrals, though out-of-network care incurs higher costs. 
  • POS plans blend features of HMOs and PPOs, requiring a PCP but permitting some specialist access without referrals. 
  • Exclusive Provider Organizations (EPOs) restrict coverage to in-network providers but do not require PCP assignments or referrals.

How they operate 

Patients typically select or are assigned a PCP who coordinates care and controls access to specialists and services. Utilization management techniques such as prior authorization, concurrent review, and case management are used to ensure services are medically necessary and appropriate. 

Payment models vary from retrospective fee-for-service with discounts to prospective capitation, where providers receive a fixed monthly payment per member, incentivizing efficient care delivery. A chapter on Managed Care from StatPearls notes, “The overriding concern is the intermingling of the provider's finances with the amount and type of care they offer to the patient.”

MCOs also emphasize preventive care and disease management programs to reduce costly acute episodes. Data collection and feedback loops monitor provider performance and patient outcomes, aligning financial incentives with quality and cost targets.

 

Are MCOs considered covered entities? 

The following excerpt from Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research aptly outlines the way covered entities are defined under HIPAA: “Covered entities are health plans, health care clearinghouses, and health care providers who transmit information in electronic form in connection with a transaction for which HHS has developed a standard under HIPAA.” Since MCOs function as health plans by financing and managing healthcare services, they are covered entities and are therefore legally required to protect the privacy and security of protected health information (PHI). 

 

How HIPAA influences the way MCOs communicate PHI

When MCOs send emails containing PHI, they must ensure the messages are encrypted so the data cannot be read if it is intercepted in transit. In practice this means a mail platform that enforces Transport Layer Security (TLS), which encrypts the connection between mail servers, or Secure/Multipurpose Internet Mail Extensions (S/MIME), which encrypts the message itself so that only the holder of the recipient's private key can decrypt it. The two protect different things: TLS secures each hop between servers and does nothing once the message is at rest in a mailbox, while S/MIME protects the message end to end but requires the recipient to hold a certificate. Beyond encryption, MCOs must implement robust access controls, such as strong passwords, multifactor authentication, and role-based permissions, that restrict email access strictly to authorized personnel.
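A concrete illustration of the in-transit point above, added here as an example and not Paubox's or any MCO's actual configuration: the Postfix default is opportunistic TLS, which silently falls back to cleartext when the receiving server does not offer STARTTLS, so "using TLS" does not by itself guarantee that a message carrying PHI was encrypted. The fragment below shows that default beside settings that fail closed and verify the remote server's certificate. The file paths and the partner domains are hypothetical placeholders.

```ini
# /etc/postfix/main.cf  (added example; paths and domains are hypothetical)

# WEAK (the Postfix default, shown commented out): opportunistic TLS.
# If the remote server does not advertise STARTTLS, or an on-path attacker
# strips the STARTTLS capability, the message is sent in cleartext and the
# remote certificate is never checked.
# smtp_tls_security_level = may

# CORRECTED: never fall back to cleartext. Delivery is deferred (and
# eventually bounced) instead of being sent unencrypted.
smtp_tls_security_level = encrypt
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_mandatory_ciphers = high
# Log the negotiated protocol and cipher for each delivery (audit evidence).
smtp_tls_loglevel = 1
# Required for the dane-only entry below: a DNSSEC-validating resolver.
smtp_dns_support_level = dnssec

# Stricter, per-destination policy for partners that receive PHI.
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy


# /etc/postfix/tls_policy  (build with: postmap /etc/postfix/tls_policy)
#
# "secure": TLS is mandatory AND the server certificate must chain to a
# trusted CA and match one of the names in match=. Those names are the
# partner's apex domain and any subdomain (e.g. mail.partner-clinic.example);
# the MX hostname itself is deliberately not trusted, because it comes from
# an unsigned DNS lookup that an attacker could forge.
partner-clinic.example    secure match=.partner-clinic.example:partner-clinic.example
#
# "dane-only": the partner publishes DNSSEC-signed TLSA records; the server
# certificate is pinned to them and delivery fails if they cannot be validated.
reference-lab.example     dane-only
```

After editing, run `postmap /etc/postfix/tls_policy` and `postfix reload`. With `encrypt` as the global level, mail to a domain that cannot negotiate TLS is deferred and eventually bounced rather than delivered in the clear, which is the intended failure mode for PHI; note that `encrypt` alone does not authenticate the peer, which is why the `secure` and `dane-only` entries exist for partners, so that a forged MX record or a man-in-the-middle presenting its own certificate cannot terminate the connection. The log lines produced by `smtp_tls_loglevel = 1` record the protocol and cipher negotiated for each delivery, which is the evidence an auditor will ask for.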

To further comply with HIPAA, MCOs must develop clear policies governing email use, including verifying a recipient's identity and address before sending PHI and securing attachments through encryption or password protection (with the password delivered through a channel other than the message itself). When third-party vendors provide email services or otherwise handle PHI on behalf of an MCO, a business associate agreement (BAA) is legally required, binding the vendor to HIPAA standards. Using a HIPAA compliant email platform such as Paubox, with a BAA in place, makes this process seamless.

 

FAQs

Can MCOs share PHI without patient authorization?

Yes. HIPAA permits MCOs to use and disclose PHI without patient authorization for treatment, payment, and healthcare operations, which covers care coordination and claims processing. Disclosures for payment and operations are subject to the minimum necessary standard. Disclosures outside these and the other permitted purposes listed in the Privacy Rule (such as public health reporting or disclosures required by law) generally require a written patient authorization.

 

What processes do MCOs have in place to address member grievances and appeals?

MCOs are required to establish formal procedures for members to file complaints, grievances, and appeals, especially regarding denied services or dissatisfaction with care.

 

How do MCOs manage their provider networks to maintain quality and compliance?

MCOs credential and accredit all in-network providers to verify qualifications and ensure compliance with quality standards.

 

How do MCOs handle data breaches involving member information?

If PHI is impermissibly used or disclosed, the MCO must investigate and conduct a risk assessment to determine whether there is a low probability that the PHI has been compromised. Unless it can document that low probability, the incident is a reportable breach: affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered, and the breach must be reported to the Department of Health and Human Services (HHS), within that same 60-day window when 500 or more individuals are affected, or in an annual log submitted within 60 days of the end of the calendar year for smaller breaches. Breaches affecting more than 500 residents of a state or jurisdiction also require notifying prominent media outlets. MCOs must document all breach-related activities and update policies and training to prevent recurrence.

 

What rights do patients have when enrolled in a Managed Care Organization?

Patients enrolled in MCOs have the right to confidentiality of their healthcare information, access to high-quality healthcare services, and clear information about their prescription drug benefits and coverage options. They also have the right to file complaints, grievances, and appeals regarding coverage decisions, with timely responses provided by the MCO.