Appendix A
Literature Review of Privacy Issues
in Managed Care for Mental Health and Substance Abuse Treatment

[Main Page of Report | Contents of Report]


This literature review is designed to document relevant information from the past five years on the ways in which managed care payers require personal health information from consumers of mental health and substance abuse services. In particular, we focused on gaining an understanding of why managed care firms collect personal health information, what types of information are collected, what problems or concerns have been raised by stakeholders, and what models and solutions have been proposed by experts in the field. In identifying relevant literature, we searched databases of technical and medical literature, as well as policy and management literature.

In preparing this review, we found a great deal of information on why managed care firms collect personal health information and the different ways in which they use this information. We also found a great deal of documentation of the problems that have been encountered, particularly from providers and patients who are reluctant to share information that was disclosed within a privileged therapist-patient relationship. We found relatively little information in the published literature about what specific information managed care firms typically require in order to authorize services. In searching for solutions and models, we found a few sources that made specific recommendations as to what information should be disclosed to the managed care firm, but, more commonly, experts stated recommendations for maintaining the confidentiality of sensitive information once it is in the possession of the managed care organization.

This literature review does not reflect recent changes that we believe are underway. Managed care firms are moving away from tightly managed systems to products that give consumers and providers more autonomy (Draper, et al., 2002). Managed care firms are finding that intensive case management is often not cost-effective, particularly for outpatient care, and are beginning to streamline their requests for personal health information. In addition, the privacy regulations issued by the Secretary of Health and Human Services will go into effect in 2003, and this may affect how managed care firms collect and use individually-identifiable information. However, because these changes are so recent, we have not found published literature that documents these changes. Therefore, this literature review focuses on presenting background on why managed care plans collect personal health information, federal and state laws which are designed to protect patient privacy, some of the problems that have been identified with the transfer of this information, and some proposals that have been put forward to limit the types of information disclosed to payers and measures for ensuring the security of this information once it is disclosed.


Confidentiality is one of the basic principles of mental health and substance abuse treatment. In the course of therapy, clients reveal personal, highly sensitive information about themselves that they may not reveal to anyone else. Clients trust that the information they reveal in the course of treatment will be kept confidential by the clinician, subject to the patient-doctor privilege. However, when clients request reimbursement from a third-party payer, the payer has a right to know that the services being requested are appropriate. To pursue that knowledge, the payer may request that the clinician provide information about the client's symptoms, diagnosis, treatment and progress.

A. Federal and State Requirements

Several federal laws and regulations have been established in order to help protect the privacy of health care information. The best-known are the privacy regulations established by the Secretary of Health and Human Services in 2000 in response to a requirement in HIPAA legislation (PL 104-191) that Congress must develop a federal law to protect the privacy of health care information by August 1999 or the Secretary must issue regulations within six months. The regulations state that "a covered health care provider must obtain the individual's consent …prior to using or disclosing protected health information to carry out treatment, payment or health care operations" (45 CFR 164.506(a)(1)). The regulations require that the PHI shared between the provider and the insurer must be the "minimum necessary" to accomplish the objectives, without further clarification of what constitutes the minimum necessary information.

A second federal law Gramm-Leach-Bliley Act (Pub. L. no. 106-102(1999), 15 U.S.C. § 6801 et. seq.) was enacted to project the privacy of financial information, but applies to health plans as well as (Hirsh 2001). The Act requires that health plans distribute a notice to enrollees detailing the types of information disclosed to third parties and the types of third parties who might receive this information. The notice must give clients the opportunity to opt out of information disclosures by informing the company in writing. Health plans were required to implement these practices by July 2001.

There are also special federal protections for substance abuse records. Specifically, medical records of patients in Federally assisted substance abuse treatment programs are subject to a Federal law restricting their use and disclosure (Public Health Service Act §543, 42 U.S.C. 290dd-2; regulation at 42 CFR part 2). Information may only be disclosed to third party payers if the patient signs an authorization. The regulation requires certain elements to be included in the authorization, including:

Despite the additional confidentiality requirements for substance abuse records, the substance abuse provisions do not restrict information shared with payers for purposes of payment, assuming an authorization has been signed. However, a study by the National Mental Health Association (NMHA 1999) of MCO confidentiality practices found that only a minority of MCOs studied described these requirements in their internal policies and offered guidance on executing them.

State laws can vary considerably, with some states offering significantly greater protections than what is required by federal law. A review of state privacy laws was beyond the scope of our project, but many respondents we interviewed pointed us to the laws of the state of New Jersey and the District of Columbia as containing the most stringent privacy protections. Both have laws which state that information that can be disclosed to third parties is limited to administrative and diagnostic information, the status of the patient, the reason for admission or continuing treatment and the estimated time that treatment might continue. In the event of a dispute between a provider and payer over the course of treatment, the third party payer in the District of Columbia may request that another mental health professional review the record and make a determination as to the appropriate level of care (DC 1978). In New Jersey, the insurer may request the review from an independent review committee (NJ 1985).

B. History of Information Exchange

The practice of third-party insurers demanding information on mental health treatment before paying for services is not a recent phenomenon. Even under fee-for-service arrangements, insurers generally required mental health providers to share the patient's diagnosis, and sometimes even the treatment plan, before reimbursing for these services (Acuff et al., 1999). Mental health providers sometimes maintained two sets of records for each patient: one for clinical use and one for billing purposes only (McDaniel and Erlen, 1996). This allowed the clinicians to share the information that the payers needed, while respecting the client's right to confidentiality of sensitive information shared within the therapy session. However, several of the providers we spoke with said that they did not maintain separate records, due to the administrative burden of keeping such records.

C. Rise in Managed Care

In the 1980s, health care costs in general began to rise, and mental health and substance abuse costs rose even faster. From 1986 to 1988, spending on all health care rose 13%, but mental health care costs rose 20% and substance abuse care costs rose 32% (Hennessy and Green-Hennessy, 1997). As a result, there was increasing pressure to move from a fee-for-service system to a managed care system, which would seek to contain costs by playing a more active role in monitoring and overseeing the care provided, to minimize abuses and attempt to ensure that the most cost-effective care is being provided. Managed care firms undertake a variety of activities, including determining the most cost-effective level of care appropriate to the situation, profiling physician service use and designing disease management programs for chronically ill clients (McDaniel and Erlen, 1996). All of these activities require the MCOs to collect a great deal of personal health information about clients.

D. Utilization Review Process

The most common purpose for MCOs to collect personal information on clients is for utilization review. This is a process where the MCO determines the client's need, the medical necessity of the request, and the appropriate level of care. Utilization review processes vary from company to company, but generally consist of a request from the client for an initial authorization and then subsequent requests from the provider for additional authorizations. During the initial request, the client generally speaks to a care manager, who discusses the nature of the problem and the symptoms, and makes a referral to a provider for the lowest level of care deemed appropriate (Edwards, 1997).

Once the initial authorization is exhausted, the provider will request subsequent authorizations. MCOs vary considerably in the types of information requested during these authorizations. The MCO care manager might ask the provider to share information on the patient's history, diagnosis, symptoms, treatment plan and progress, and may attempt to determine the patient's level of functioning by asking about danger to self and others, or ability to return to work (Lazarus and Sharfstein, 2000). The frequency of the authorizations also varies from company to company; some will require re-authorizations every two to three visits, while others may approve up to ten outpatient sessions at a time (Hennessy and Green-Hennessy, 1997).

The literature suggests that the resources required for intensive utilization management can exceed the cost savings from managing the care. The administrative costs in managed care are significant: managed care is fifty percent more expensive to administer than fee-for service (Meyeroff and Meyeroff, 1999). In a 1998 study of the utilization review process at United Behavioral Health, Koike and colleagues found that utilization management was used on over fifty percent of cases, and included activities beyond simply approving care, including telephone assessments, discharge reviews, discharge follow-ups, and closing summaries (Koike et al., 2000).

Privacy issues may become less of a concern if MCOs voluntarily choose to limit the amount of personal health information they collect. Several providers and behavioral health care firms mentioned in our interviews that they have observed a trend toward MCOs requesting less detailed information within the last few years. MCOs expected to recover the costs incurred in these processes through reduced utilization. However, there is some evidence that review processes may not result in a significant decrease in utilization, particularly for outpatient care. Hennessy and Green-Hennessy noted that, in a nationally representative study of individuals undergoing outpatient behavioral health treatment, 72% had seven or fewer sessions, and 85% had fourteen or fewer sessions (1997). This was the same for both fee-for-service and managed care, indicating that most patients voluntarily terminated treatment after a small number of sessions and that MCO efforts to limit utilization do not appear to have had a significant effect. Another study examining individuals covered by United Behavioral Health who had terminated outpatient mental health treatment found that only 5% of persons surveyed indicated that their treatment was discontinued due to a denial of care from the MBHO; and only 3% of the participants' providers had noted the denial as the cause of the discontinuation in the medical file. The majority of patients and their providers indicated that treatment was discontinued because treatment goals were met or because the patient voluntarily discontinued treatment (Cuffel et al., 2000). Since the utilization review process can be very expensive, and may not result in significant decreases in utilization, MCOs may begin to change their administrative processes to be more cost-effective, and curtail intensive management of outpatient behavioral health care.

Current Practices in Disclosure of Personal Health Information

The collection of personal health information is vital to many managed care activities. According to a study of MCO confidentiality policies, the National Mental Health Association found that all eight MCOs participating in the study reserved the right to access the full medical record (including psychotherapy notes) at any time for any enrollee (NMHA, 1999). MCOs collect personal health information from clients for a variety of purposes, including determining medical necessity, care authorizations, quality assurance purposes, provider screening and profiling, accreditation and certification, disease management activities, and outcomes research (Larsen, 1997). Most MCOs require consent authorizations to be signed at the time of enrollment, allowing the insurer access to medical records for a wide range of activities. The MCO may require the authorization to be signed in order to be enrolled in the plan, or in order to receive treatment or reimbursement (California Health Care Foundation & Consumers Union, 1999). In addition, providers signing contracts with MCOs must often agree to allow company officials access to medical records for audits, quality review, and certification purposes (MBHP, 2001).

When signing authorizations at the time of enrollment in an MCO, many clients are not aware of the scope of the authorization, the number of people who may have access to their records, or how their personal health information might be used. Because the form is generally signed at the time of enrollment, usually only the employed individual sees and signs the form, and may not even discuss the consequences with dependents covered under the same policy (Lazarus and Sharfstein, 2001). Patients may also sign blanket authorizations at the reception desk at the provider's office, and because the consent forms are tied to administrative functions that the physicians are not directly involved in, patients and providers may not ever discuss the implications of signing the authorization (JCAHO & NCQA, 1998). Because many providers are accustomed to working in a fee-for-service setting where insurers require much less patient information, many may still tend to act "as-if" all the information divulged to the therapist will remain completely confidential (Davidson and Davidson, 1995).

Other privacy issues

Many concerns were reviewed in the literature regarding privacy and confidentiality of mental health and substance abuse records. While these issues were beyond the scope of the study, we discuss them briefly below. The HIPAA privacy regulations may help to address some of these issues.

A. Lack of Consumer Awareness

Despite the federal and state laws designed to protect patient confidentiality, there are numerous problems associated with the ways patient information is disclosed to managed care firms today. The first is that consumers are often unaware of the significance of the consent forms that they sign upon enrollment (Davidson and Davidson, 1995). Because insurers often require that consumers sign consent forms as a condition of enrolling in the plan, or of paying the claims, clients may feel that they have no choice but to sign them. If consent forms are linked to other forms, such as authorizations for treatment, clients may not read or comprehend the forms as clearly as they should. Finally, they may be unaware of the number of people who may have access to the medical and psychiatric records.

B. Number of People With Access to Records

In a large managed care firm, more than one hundred people may have access to an individual's medical record. In the early 1980s, when most people were still enrolled in fee-for-service, one study found that up to 100 people had access to an individual's inpatient medical record (Siegler 1982). As payment and delivery systems have grown more complex, the number of personnel with access to the medical file is expected to be much higher. In addition, as managed behavioral health care firms merge and consolidate, they become responsible for maintaining records on more and more clients. Magellan Behavioral Health manages care for more than 62 million people, and Value Options manages care for more than 20 million people. Although these firms have implemented measures to ensure the security of their information systems, some experts have questioned whether any system that has so much sensitive data on so many people can adequately protect it (Pomerantz, 1999).

C. Risks of Disclosure of Personal Health Information

Personal health information, in the wrong hands, could have disastrous consequences for an individual's future. As Jay Pomerantz points out, the wealth of information contained in the computer files of the major MBHO's could have significant value to private detectives, opposing parties in lawsuits, political opponents, and blackmailers, just to name a few (Pomerantz, 1999). For these reasons, the privacy of behavioral healthcare information is extremely important, yet many consumers are concerned that their medical records are not as secure as they should be. According to a 1993 survey conducted by Louis Harris and Associates, 27% of the public believe their personal health data (not specific to behavioral health) has been disclosed improperly, and of those, 31% said they were harmed or embarrassed by the disclosure; 15% said that the unauthorized disclosure was made by a health plan. Eleven percent said that they or a family member had paid for care out of pocket rather than submit a claim and risk having to disclose information about the condition (Louis Harris and Associates, 1993).

Unauthorized disclosures can result in harm in a variety of ways. Many people with a history of mental health or substance abuse treatment find it difficult to obtain life insurance because insurance companies share client information with the Medical Information Bureau (MIB), a membership organization of over 600 insurance companies (California Health Care Foundation and Consumers Union, 1999). When insurers are underwriting policies, they can contact the MIB to find out if the applicant has a pre-existing condition or has ever been denied coverage (Rybowski, 1998). Although the MIB requires an individual's consent before releasing information, in practice, many people do not realize that their personal information is exchanged by insurance companies in this way. Additionally, more than one third of Fortune 500 companies report checking medical records before making decisions about who to hire and promote (NMHA, 1999). Inappropriate use of health care information can have serious adverse consequences for a person's life.

D. Interference with Treatment

Concern over health care privacy can have adverse effects on the treatment process. It can create conflict-of-interest concerns for providers, who want to advocate for their patients, but know that if the patient does not authorize disclosure, the treatment may not be approved by the MCO, and the provider may not be paid. In one example, two psychiatrists in North Carolina refused to disclose medical records to Blue Cross Blue Shield when the patients had requested confidentiality. BCBSNC refused to compensate the providers for the care of these patients (Grinfeld, 2001). The conflict between provider and patient interests, and can harm the therapeutic relationship.

Knowing that confidentiality is not guaranteed can make individuals less likely to seek mental health treatment. In a 1998 study, participants who were informed that treatment information might have to be provided to an insurer in order to receive reimbursement reported less willingness to seek psychotherapy (Kremer and Gesten, 1998). Once in treatment, patients may undertake a variety of activities to protect their privacy which can sabotage their treatment, including regularly changing doctors to avoid having a record of all of their care with one provider, withholding information from their provider, or lying about their circumstances or symptoms (Goldman, 1998). The Louis Harris and Associates study found that seven percent of respondents had chosen not to seek care for fear of jeopardizing their career or other life opportunities (Louis Harris and Associates, 1993). These activities can result in patients receiving poor quality care, with potentially serious medical conditions going undiagnosed or untreated (Goldman, 1998).

Individuals who are especially concerned with the stigma of mental health treatment and the risks of disclosure may turn to other treatment methods that may have a different set of risks. Web sites offering counseling services online, in real time, are growing in popularity. The number of providers offering counseling through these sites is expected to grow from approximately 300 today to more than 5,000 by 2005 (Amig, 2001). Patients are attracted to receiving therapy in their own surroundings, with the anonymity that the Internet offers. However, the web sites can have their own security concerns. If a website does not accept health insurance, they may not be governed by the HHS privacy regulations, yet participants must provide their name, address and credit card number for billing purposes. Thus, the individuals, in an attempt to gain greater privacy, may be providing private companies with a great deal of personal information about themselves without considering that these firms may be more vulnerable to hackers or inappropriate disclosures than insurance companies governed by federal privacy regulations.

Suggested Proposals/Models

In an attempt to resolve the conflicts between the information needs of MCOs and the privacy needs of mental health and substance abuse patients, numerous stakeholders have developed recommendations defining which types of patient information should be shared with the MCO and guidelines for how MCO should handle the information once they receive it. Several providers have also developed models for alternative review systems that would minimize the amount of personal patient information that providers would need to share with MCOs. Details of these proposals are described below.

A. Models for Disclosure of Personal Health Information

Several managed care entities have developed models for determining what types of mental health information should be included in the medical record. The American Managed Behavioral Healthcare Association (AMBHA), an association that represents nine (including the largest) managed behavioral healthcare organizations has developed a set of guidelines; it recommends that the following mental health information be included: diagnosis, mental status, psychiatric history, treatment goals and objectives, progress, medications, types and frequencies of treatment, and summary and progress notes (AMBHA, 1999). However, AMBHA states that detailed psychotherapy notes should be separated from the general medical file. Patients should be required to sign a consent for health information to be disclosed to the MCO for purposes of treatment, payment and health care operations at the time of enrollment and periodically (i.e., every 12 months) thereafter; if the patient refuses to sign, he or she can be terminated from the health plan. Patients should have the right to inspect and copy their medical record, and to request corrections and amendments as necessary.

Harvard Pilgrim Health Care (HPHC), an MCO based in Boston, Massachusetts, has developed a new set of confidentiality policies after consulting with patient advocacy groups and conducting focus groups of HPHC members. Mental health treatment information that is included in the patient's medical record is limited to the date of the mental health visit, the name of the clinician, an encrypted diagnosis code, and current mental health medications (Simmons, 1997). This information can be segregated from the general health record upon the patient's request. Harvard Pilgrim strongly recommends that providers share with patients the necessity of sharing current medication information with other providers, to prevent adverse drug interactions, but if the patient refuses to have such information included in the general medical file, the information will not be released. Furthermore, detailed psychotherapy notes are to be separated from the rest of the mental health record.

Technical guidance made available by, the Substance Abuse and Mental Health Services Administration (SAMHSA) suggests that alcohol and drug treatment centers disclose to third party payers only the results of the initial evaluation and diagnosis, a summary of the treatment plan, the patient's attendance, progress and compliance, and the discharge plan (SAMHSA, 1996a).

B. Models for Handling of Personal Health Information by the MCO

In addition to concerns about the amount of sensitive information being shared with the MCO, many consumer advocates have expressed concern about the security of the information once it is in the possession of the managed care firm. Numerous advocacy groups have developed guidelines and recommendations to ensure that such personal information is restricted to those who have reason to access the information, and that it is not accessed by those outside the company without the client's consent.

Several organizations noted the importance of the MCO developing written confidentiality policies, stating the specific measures that would be undertaken to protect confidential patient information (NMHA, 1999, SAMHSA, 1996a). The Joint Commission on Healthcare Organizations (JCAHO) and the National Committee on Quality Assurance (NCQA), in their 1998 joint report on protecting patient privacy in a managed care setting, stressed the importance of designating and training staff who will be responsible for ensuring that the MCO's policies are being carried out (JCAHO & NCQA, 1998). According to these guidelines, the MCO should voluntarily conduct periodic audits to ensure that its confidentiality policies are being carried out appropriately (JCAHO& NCQA, 1998).

Several experts have recommended that, to the extent possible, the use of individually identifiable data should be replaced with aggregated data that doesn't identify a particular member. All entries into managed care data systems should be coded with a unique identifier number, which is not linked to the individual's name, address, or social security number (Davidson & Davidson, 1998). This unique identifier can be used in lieu of the person's name when communicating personal health information to limit exposure of the client's identity (SAMHSA, 1996b). MCOs using behavioral healthcare utilization information for activities such as provider monitoring and profiling can report the results in aggregated form, without revealing the identity of the patients whose records are being discussed (NMHA, 1999).

Just as all electronic medical records can be password protected, all paper files can be kept in a locked file or safe, with records only being available to staff with legitimate need to access them (Edwards, 1997). Data can be destroyed as soon as it is no longer needed. For example, payment data can be destroyed once the services in question have been completed and paid for (Davidson & Davidson, 1995).

MCO confidentiality policies can ensure that only staff members who have a specific need to access confidential information are able to do so. JCAHO and NCOA recommended that patient records should be password protected, and user access controls should be implemented so that staff can only view the level of data necessary to do their job (JCAHO & NCQA, 1998). For example, a claims specialist may be able to view the patient's diagnosis and the clinician's charge, but not see their medication history (Berman, 2001). In other cases, specific staff may be allowed to make changes or additions to certain parts of the file, but not others. Transaction logs can also be implemented to provide a record of who accessed confidential data and when the access occurred (JCAHO & NCQA, 1998). MCOs can maintain a detailed log of who made changes to the database and when the alterations took place (Edwards, 1997).

There are also a number of measures MCOs can undertake to prevent unauthorized access to records, from individuals inside and outside of the company. While we did not undertake a thorough study of this topic, we did uncover a number of commonly used technological measures that companies can use to protect their data from unauthorized users. Biometric scanning, including fingerprint or voiceprint, is available to ensure that the person accessing the data, and making changes to the data, is authorized to do so (Berman, 2001). Data can be encrypted and firewalls can be installed to prevent outside hackers from gaining access to confidential patient information (SAMHSA, 1996b). MCOs can implement up-to-date technologies to ensure the security of patient information when transferring data over the Internet and over internal computer networks, (Campbell, 1996).

Providers can help to protect their client's privacy when working with MCOs. Davidson & Davidson recommend that providers refuse MCO contracts that include non-disclosure clauses, which limit the providers' ability to discuss limitations imposed by MCOs and should refuse to comply with MCO requests when the requests clearly conflict with the patient's best interest (Davidson & Davidson, 1998).

Patient advocates believe that managed care clients should be fully informed of who has access to information about their mental health and substance abuse treatment and how this information will be used. The NMHA recommends that when consumers sign the consent authorization upon joining the health plan, the authorization should include detailed information about the plan's confidentiality policies, and how the data is protected (NMHA, 1999). Because consumers may not always anticipate their health care needs or recall signing the original consent form when they begin mental health or substance abuse treatment years after joining the health plan, MCOs should establish a mechanism for requiring updated consent forms whenever particularly sensitive diagnoses are entered into the database or when health care usage suddenly increases substantially (JCAHO & NCQA, 1998).

Advocates maintain that when clients' health information is shared with third parties, clients have the right to know what information was shared, who will have access to the data, how it will be stored and who is legally responsible for protecting the security of the information (Davidson & Davidson, 1995). Clients can be allowed to view the transaction logs so that they can identify specifically which staff have had access to their information (JCAHO & NCQA, 1998). Advocates argue that clients should be informed if the MCO is sold (Davidson & Davidson, 1998) or if their records are subpoenaed by county or government officials (SAMHSA 1996). JCAHO and NCOA state that MCOs must not sell personal health information collected from clients nor disclose any confidential data to third parties, such as employers, without the client's written consent (1998).

C. Models for Alternative Review Systems

In contrast to the previous models, which proposed ways MCOs might protect patient information after they collect it, several providers have put forward models for reforming the payment review system that would minimize the physician's obligation to disclose treatment information in order to receive payment.

Kevin Corcoran and William Winslade propose that the patient-therapist privilege, which currently protects the confidentiality of information disclosed by the patient in the course of treatment, be extended to include the managed care payer. The managed care plan would have access to patient data needed to authorize services, but would have the same ethical obligation as the provider to protect the data (Corcoran & Winslade, 1994). Whenever possible, the client, rather than the provider, should disclose the information to the managed care representative directly. The authors argue that this will help to create a stronger relationship between the client and the MCO, giving the client a greater understanding of why the payer needs certain information and how the information is to be used. This would also give the insurer a legal and ethical liability for maintaining client confidentiality.

The American Psychoanalytic Association, a membership organization of therapists conducting psychoanalysis, advocates for the adoption of a peer-review model for third-party reviews. In a peer-review model, when a payer requests an external review before paying a claim, the patient is referred to a second therapist who evaluates the patient and issues a recommendation as to whether continued treatment is justified or not (American Psychoanalytic Association, 1999). The reviewing clinician is under the same patient-therapist privilege as the treating therapist. In this model, the managed care company accepts the reviewer's assessment of whether or not to continue treatment, and no confidential patient information is disclosed to the insurer in order to secure payment.

Jay Pomerantz and colleagues (1998) designed a new behavioral health managed care system when their program was about to be carved-out to a managed behavioral health care organization. To prevent this, the mental health clinicians designed a new type of program to control behavioral health care costs that also resulted in less information being transferred to the third party insurer. Under this system, behavioral health clinicians have merged into Professional Affiliation Groups (PAGs), with a psychiatrist designated as the leader. While each clinician retains responsibility for his or her own patients, the head psychiatrist approves all inpatient stays and all outpatient treatment over six visits. In the event of a dispute between the head psychiatrist and the treating clinician, the case is reviewed by all clinicians in the PAG. Because level of care determinations are made within the PAG, all sensitive patient information is retained within the PAG, where all clinicians are held to the patient-therapist privilege. The only clinical information relayed to the managed care organization is the patient's diagnosis, date and type of session, short-term treatment goals, and Global Assessment of Functioning.


This literature review demonstrates that the need of patients for confidentiality of their personal health information conflicts with the need of managed care firms to ensure that the services they are paying for are appropriate. Although a few models and guidelines have been proposed to resolve these conflicts, there is a clear need for a stronger consensus on what health information is minimally necessary for payers to authorize treatment and otherwise manage care and how that information can best be handled to protect the privacy and dignity of mental health and substance abuse patients.


Acuff, Catherine, Patricia Bricklin, Samuel Knapp, Bruce Bennett, Mathilda Canter, Stanley Moldawsky, Randy Phelps. "Considerations for Ethical Practice in Managed Care" Professional Psychology: Research and Practice, vol. 30, no. 6, pp. 563-575, 1999.

American Health Line. "Privacy: Kids' Mental Health Records Posted Online" National Journal, November 8, 2001.

American Psychiatric Association. Summary of the Final Standards of Privacy for Individually Identifiable Health Information. Available at []. Accessed October, 2001.

American Psychoanalytical Association."External Review of Psychoanalysis" American Psychoanalyst, vol. 34, no. 2, 1999.

American Managed Behavioral Healthcare Association (AMBHA). "Statement of Confidentiality" 2001.

Amig, Stacey. "HIPAA, Online Counseling Raise Serious Issues" Behavioral Health Management, May 1, 2001.

Anderson, David, Jeffrey Berlant, Donna Mauch and William Maloney. "Managed Behavioral Health Care Services" in The Managed Care Handbook, Kongstvedt (ed.) Gaithersburg, MD: Aspen Press, 1996.

Behavioral Health Services, Inc. "Outpatient Mental Health Request Form #X-13458" Obtained October 30, 2001.

Berman, William, "Confidentiality in Behavioral Health Care" The Echo Group, May 16, 2001, .

California Health Care Foundation and Consumers Union. "Promoting Health Protecting Privacy: A Primer" January 1999.

Campbell, Leslie. "How Secure is the Internet for Healthcare Applications?" Radiology Management, vol. 18, no. 1, pp. 28-32, January-February, 1996.

Choy, Angela, Zoe Hudson, Joy Pritts, Janlori Goldman. Exposed Online: Why the New Federal Privacy Regulation Doesn't Offer Much Protection to Internet Users. Georgetown University Health Privacy Project, November 2001. Available at [] . Accessed December 7, 2001.

Clifford, Ruth "Confidentiality of Records and Managed Care: Legal and Ethical Issues" California Coalition for Ethical Mental Health Care, April 3, 1999. .

Corcoran, Kevin, William Winslade "Eavesdropping on the 50-Minute Hour: Managed Mental Health Care and Confidentiality" Behavioral Health Sciences and the Law, vol. 12: 351-365, 1994.

Cuffel, Brian, Joyce McCulloch, Rebecca Wade, Lavina Tam, Regina Brown-Mitchell, William Goldman. "Patients' and Providers' Perceptions of Outpatient Treatment Termination in a Managed Behavioral Health Organization" Psychiatric Services, vol. 51, no. 4, pp. 469-473, April 2000.

Davidson, Jeannette and Tim Davidson. "Confidentiality and Managed Care: Ethical and Legal Concerns" in Humane Managed Care?, edited by Gerald Schamess and Anita Lightburn. Washington, DC: NASW Press, 1998.

Davidson, Tim and Jeannette Davidson. "Cost-Containment, Computers and Confidentiality" Clinical Social Work Journal, vol. 23, no. 4, pp. 453-464, Winter 1995.

District of Columbia Mental Health Act of 1978, §6-2017, available at [ ]. Accessed November 27, 2001.

Draper, Debra, Robert Hurley, Cara Lesser, Bradley Strunk. "The Changing Face of Managed Care" Health Affairs, vol. 21, no. 1, pp. 11-23, January-February, 2002.

Edwards, Berryman. "Managed Care and Confidentiality" April 4, 1997. .

Goldman, Janlori "Protecting Privacy to Improve Health Care" Health Affairs, vol. 17, no. 6, January/February 1998, 47-60.

Grinfeld, Michael Jonathan. "Patient Privacy Battle Hinges on Competing Interests" Psychiatric Times, vol. 14, no. 1, January 2001.

Hennessy, Kevin and Sharon Green-Hennessy. "An Economic and Clinical Rationale for Changing Utilization Review Practices for Outpatient Psychotherapy" Journal of Mental Health Administration, vol. 24, no. 3, pp. 340-349, Summer 1997.

Joint Commission on Accreditation of Health Care Organizations (JCAHO) and National Committee for Quality Assurance (NCQA). "Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment" November 10, 1998. .

Koike, Alan, Ruth Klap, Jurgen Unutzer. "Utilization Management in a Large Managed Behavioral Health Organization" Psychiatric Services, vol. 51, no. 5, pp. 621-626, May 2000.

Kongstvedt, Peter. The Managed Care Handbook, Gaithersburg, MD: Aspen Press, 1996.

Kremer, Thomas and Ellis Gesten. "Confidentiality Limits of Managed Care and Clients' Willingness to Self-Disclose" Professional Psychology: Research and Practice, vol. 29, no. 6, pp. 553-558, December 1998.

Koyanagi, Chris. "Medical Records Confidentiality in the Modern Delivery of Health Care." Testimony before the Subcommittee on Health and the Environment. U.S. House of Representatives, Committee on Commerce, Washington, DC, May 27, 1999.

Larsen, David. "Confidentiality and Privacy of Health Information" Testimony before the Subcommittee on Privacy and Confidentiality, National Committee on Vital Health Statistics, advisory panel to the Secretary of Health and Human Services, Washington, DC, February 3, 1997.

Lazarus, Jeremy and Steven Sharfstein. "Ethics in Managed Care" Psychiatric Clinics of North America, vol. 23, no. 2, pp. 269-284, June 2000.

Legal Action Center. "Confidentiality and Communication", New York: LAC, 2000.

Louis Harris and Associates. Health Care Information Privacy, New York: Harris, 1993.

Magellan Behavioral Health (a). "Policy and Standards" July 31, 2000.

Magellan Behavioral Health (b). "Magellan Behavioral Health Improves Treatment Request Process" Aug. 11,2000.

Massachusetts Behavioral Health Partnership. Massachusetts Behavioral Health Partnership Provider Agreement, April 2001.

McDaniel, Charlotte and Judith Erlen. "Ethics and Mental Health Service Delivery Under Managed Care" Issues in Mental Health Nursing, vol. 17, pp. 11-20, 1996.

Meyeroff, Wendy and Richard Meyeroff. "Behavior's Problem" Healthcare Informatics, vol. 16, no. 3, pp. 59-61, 64-65, March 1999.

National Mental Health Association. "Best (& Worst) Practices in Private Sector Managed Mental Health Care Part II: Confidentiality" Washington, DC: July 1999.

New Jersey Permanent Statutes, 45:14B-32, 1985. Available at [ ]. Accessed November 27, 2001.

Pomerantz, Jay. "Behavioral Health Matters - Is Confidentiality Still Protected Under Managed Behavioral Health Care?" Drug Benefit Trends, vol. 11, no. 2, pp. 56-57, 1999.

Pomerantz, Jay. "The Professional Affilation Group: A Case Study in Behavioral Health Management" in Humane Managed Care? Edited by Gerald Schamess and Anita Lightburn. Washington, DC: NASW Press, 1998.

Roback, Howard and Mary Shelton. "Effects of Confidentiality Limitations on the Psychotherapeutic Process" Journal of Psychotherapy Practice and Research, vol. 4, no. 3, pp. 185-193, Summer 1995.

Rodriguez, Alex. "Management of Quality, Utilization and Risk" in Managed Mental Health Care, edited by Judith Feldman and Richard Fitzpatrick. Washington, DC: American Psychiatric Press, 1992.

Rybowski, Lise. "Protecting the Confidentiality of Health Information" Washington, DC: July 1998. National Health Policy Forum, George Washington University.

Siegler, M. "Sounding Boards. Confidentiality in Medicine-a Decrepit Concept." New England Journal of Medicine. Vol. 307, pp. 1518-1521, 1982.

Simmons, Janice. "Who Needs to Know?" Healthplan, vol. 38, no. 4, pp. 56-60, July-August, 1997.

State of Massachusetts. "Section 11.20: Confidentiality" Contract Between State Of Massachusetts and Value Options, 2001.

Substance Abuse and Mental Health Services Administration (SAMHSA) "Checklist for Monitoring Alcohol and Other Drug Confidentiality Compliance Appendix B Managed Care and Client Confidentiality" Technical Assistance Series No. 18, 1996(a). .

Substance Abuse and Mental Health Services Administration (SAMHSA). "Contracting for Managed Substance Abuse and Mental Health Services: A Guide for Public Purchasers" Technical Assistance Series no. 22, 1996(b). .

U.S. Department of Health and Human Services. Administrative Simplification. At [] as of September 17, 2002.

U.S. Department of Health and Human Services. Mental Health: A Report of the Surgeon General. Rockville, MD: U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration, Center for Mental Health Services, National Institutes of Health, National Institute of Mental Health, 1999.