Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Privacy Issues in Mental Health and Substance Abuse Treatment: Information Sharing Between Providers and Managed Care Organizations: Final Report

Publication Date

I. Introduction

Confidentiality is a key element of mental health and substance abuse treatment.  In the course of therapy, clients reveal personal, highly sensitive information that they may not reveal to anyone else.  Clients trust that this information will be kept confidential by the clinician/therapist.  In affirming what is known as psychotherapist-patient privilege, the United States Supreme Court (Jaffe v. Redmond, 518 U.S.1 (1996)), stated not only that it is in the public interest to allow patients to access effective mental health and substance abuse treatment but also that effective psychotherapydepends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears.  In the absence of this assurance of confidentiality, many individuals with mental and emotional disorders might refuse or fail to seek treatment, going without needed services.

As the payer for this treatment, however, a third-party insurer, such as a managed care organization (MCO) or insurance company, has a right to know what the services are for which payment is being requested and whether the treatment is appropriate.  Before paying the claim, therefore, the payer requests some personal health information, such as the patient's presenting problem, health status, and/or treatment planned or received.  The amount of personal health information required to pay claims varies by payer; some require only basic information, such as the patient's diagnosis and services received, while others require more detailed information on the patient's symptoms and specific treatment goals and outcomes.  The dual, but opposing, needs for confidentiality and disclosure have created tension between providers and payers of services. 

In this report, we begin in this chapter by explaining the "minimum necessary principle" that is the topic of the study, and reviewing the purpose of the study, the relationship between managed care and privacy, the legal and regulatory context for the transfer of patient information, and the study methodology.  The chapters that follow discuss current practices of MCOs in the collection of patient health information, including why the information is collected and what information is commonly sought, variation among plans in these two areas, and the methods for collecting information.  Also discussed are stakeholder views on the information collected and models that have been proposed for standardizing and minimizing the information routinely shared with third-party payers.  The paper concludes with some possible “next steps” to encourage more privacy-sensitive approaches to health plans’ requests for personal health information.

A. The "Minimum Necessary" Principle

The Standards for Privacy of Individually Identifiable Health information (45 CFR parts 160 and 164), published by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (PL 104-191), state that entities subject to the regulation (including MCOs) “must…limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made,” (§ 164.514(d)(4)).  This language reflects both the need to accommodate the range of MCO payment and operational activities and the lack of consensus and models on which to base more specific language and the absence of policymaker consensus as to how to resolve the tradeoff between meeting this need and the patient need for confidentiality.  By itself, therefore, the new requirement is unlikely to resolve the continuing tension between providers and managed care firms regarding how much information to make available to MCOs or other third parties.

B. Purpose of the study

DHHS contracted with Mathematica Policy Research to provide information to assist the managed care and treatment communities in respecting the privacy of patients while addressing the care management needs of MCOs.  Toward this end, this report does not propose a minimum set of information that should be shared but describes (1) how patient health information is typically transferred from mental health and substance abuse providers to managed care payers and (2) what personal health information key stakeholders—including providers, consumer advocates, and managed care organizations—consider to be minimally necessary. In addition, the report identifies models of privacy-sensitive approaches to sharing personal health information.

C. Privacy Issues under Managed Care

Third-party requests for information on mental health treatment before paying for services is not a recent phenomenon.  Even under fee-for-service arrangements, insurers generally required mental health providers to disclose the patient’s diagnosis, and sometimes the treatment plan, before reimbursing for these services (Acuff et al. 1999).  However, as mental health and substance abuse treatment costs outpaced even the rising costs of care in general in the 1980s, the pressure to move to a managed care system mounted significantly.  In this new approach to cost containment, MCOs would play a more active role in monitoring and overseeing the delivery of care in order to minimize abuses and attempt to ensure that care was provided in a cost-effective manner. 

Before paying for services, MCOs must ensure that the enrollee is eligible for benefits, that the clinician is an authorized provider, and that services paid for actually took place. MCOs therefore require the enrollee’s identification number, the diagnosis, a description of the services performed and dates of service, the name of the provider, and the amount of charges.  MCOs may also need information to satisfy specific conditions of coverage; for example, if benefits are limited to a certain number of visits each year, the plan will need to know how many times the patient has been seen to date. 

In addition to paying for services, MCOs undertake a variety of other activities that depend on having health information about enrollees receiving treatment.  These activities, described below along with the patient information required for each, include utilization management, quality management, and other care management: 

  • Utilization Management.  In order to contain costs, MCOs may establish criteria for medical necessity with regard to inpatient or outpatient treatment, and criteria for the level of care appropriate to the situation.  MCO staff review the case before payment is authorized to ensure that the proposed treatment meets the criteria.  This review process, known as pre-authorization (Kongstvedt 1996), involves the use of information on the patient’s history, diagnosis, symptoms, treatment, and progress.
  • Quality Management.  The purpose of quality management in managed behavioral health organizations is typically to prevent quality of care concerns from arising, to address these concerns if they do arise, and to respond to complaints regarding specific cases or specific providers (Kongstvedt 1996).  Quality management activities may include audits, in which MCO staff visit the facility at which care is provided to review either a sample of a provider’s charts or specific charts when a concern is raised about a specific case.  MCOs may also evaluate providers by profiling and comparing treatment outcomes practice by practice.
  • Other Care Management.  MCOs may seek to promote quality of care and continuity of care, particularly for those with high service use. Clinically trained case managers may work to direct the patient to the

most appropriate level of care, coordinate care between providers, refer the patient to other community services, and may serve as a contact person for patients between visits to a provider (Kongstvedt 1996).  Such care managers may use detailed information on the patient’s diagnosis and treatment.

Although MCOs vary widely in the extent to which they perform these functions and in their reasons for collecting patient health information, all of the MCOs we spoke with said that they reserve the right to view the full medical record of any member at any time.  Therefore, all mental health and substance abuse treatment information is potentially available to the MCO.

D. Legal and regulatory context

The federal government has established several laws and regulations intended to protect the privacy of health care information.  The best-known are the privacy regulations, mentioned earlier and established by the Secretary of Health and Human Services in 2000 pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA; PL 104-191).  Except when a patient signs an authorization for a non-routine disclosure of patient health information, the regulations require that “covered entities must…limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made,” (§ 164.514(d)(4)), although what constitutes minimum necessary information is not further clarified. 

     There are also special federal protections for substance abuse records. Specifically, medical records of patients in Federally assisted substance abuse treatment programs are subject to a Federal law restricting their use and disclosure (Public Health Service Act §543, 42 U.S.C. 290dd-2; regulation at 42 CFR part 2). Information may only be disclosed to third party payers if the patient signs an authorization. The regulation requires certain elements to be included in the authorization, including:

1. The specific name or the general description of the program or person permitted to make the disclosure;

2. The name or title of the individual or the name of the organization to which the disclosure is to be made;

3. The name of the patient;

4. The purpose of the disclosure;

5. How much and what kind of information is to be disclosed;

6. The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent…or, when required for a person who is incompetent or deceased, the signature of a person authorized to sign…in lieu of the patient;

7. The date on which the consent is signed;

8. A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it; and

9. The date, event or condition upon which the consent will expire if not revoked before…(§ 2.31).

Despite the additional confidentiality requirements for substance abuse records, the substance abuse provisions do not restrict information shared with payers for purposes of payment, assuming an authorization has been signed. However, a study by the National Mental Health Association (NMHA 1999) of MCO confidentiality practices found that only a minority of MCOs studied described these requirements in their internal policies and offered guidance on executing them.

State privacy laws vary considerably, with some states offering significantly greater protections than what is required by federal law.  A review of state privacy laws was beyond the scope of our project, but many respondents pointed us to the laws of the state of New Jersey and the District of Columbia, which have the most stringent laws protecting the confidentiality of mental health and substance abuse information.  According to these laws, information that can be disclosed to third parties is limited to administrative and diagnostic information, patient status (such as voluntary or involuntary), the reason for admission or continuing treatment, and the estimated duration of treatment.  In the event of a dispute between a provider and payer over the course of treatment, the third-party payer in the District of Columbia may request that another mental health professional review the record and make a determination as to the appropriate level of care (§6-2017; District of Columbia 1978).  In New Jersey, the insurer may request the review from an independent review committee (§45:14B-32; New Jersey 1985).  However, in 1991, the New Jersey courts ruled that ERISA-exempt firms (which self-insure) are also exempt from these requirements.  Since the majority of employers in New Jersey self-insure, this law does not cover most individuals with employer-sponsored insurance, and the appeals process has not been used in years.

Other states also have laws that affect what information can be shared with third-party payers.  Maryland passed a law, effective October 2000, which states that payers can request only the behavioral health information contained in a standard form developed by the State Department of Health and Mental Hygiene in consultation with key stakeholders.  Payers cannot to request additional information, although patients may choose to release information during appeals.  As in New Jersey, firms that self-insure are also exempt from these requirements.  However, according to a representative of the Maryland Psychological Association, most firms with ERISA-exempt plans use the Maryland form for simplicity.  In addition to the laws in Maryland, New Jersey, and the District of Columbia, which specifically protect mental health and substance abuse treatment information, laws in many other states have implications for the privacy of mental health and substance abuse records, including “anti-discrimination laws, adoption, foster care, mental health treatment, reproductive health, parental involvement, partner notification, and abuse and neglect” (Koyanagi 1999).

E. Methodology

The study methodology consisted of telephone interviews with a wide range of stakeholders and a comprehensive literature review.  The interviews, held with consumer advocates, health care providers and provider associations, managed care firms, and a few experts in the field, were conducted from October 2001 through May 2002 and generally lasted about 30 minutes.  Respondents were asked about the current practice of information sharing between providers and payers, why the information is collected, how it is used, and their views on what information should be shared.  Respondents were also asked to identify any models for privacy-sensitive approaches to managing care.  We also asked providers and managed care firms if they could provide us with copies of forms and telephone protocols used in utilization management and if they could provide us with the contract language that authorizes them to access patient charts for audits and quality management.  Table I.1 lists the number of respondents by type.

The comprehensive literature review (see Appendix A) was designed to document relevant information from the past five years on how managed care payers collect personal health information about consumers of mental health and substance abuse services.  Our objective was to develop an understanding of why managed care firms collect personal health information, what types of information are collected, what problems or concerns have been raised by stakeholders, and what models and solutions have been proposed by experts in the field.

We found a great deal of information on why managed care firms collect personal health information and the different ways in which they use this information.  We also found a great deal of information on the problems that have been encountered, particularly provider and patient reluctance to share information disclosed in a privileged therapist-patient relationship.  We found relatively little literature on the specific information typically requested by managed care firms in order to authorize services.  In searching for solutions and models, we found a few sources that made specific recommendations as to what information should be disclosed to the managed care firm, but the prevailing documentation involved recommendations by experts on how to maintain the confidentiality of sensitive information once it is in the possession of an MCO.  The next chapter more fully explores current practices of MCOs in the collection of patient health information.

Table I.1
Interview Participants, by Type
Type of Respondent Number
Mental health/substance abuse providersa 12
Provider associations 7
Managed care organizations
Managed behavioral health organizations (MBHOs) 3
Health maintenance organizations (HMOs) 2
Mental health consumer advocates 4
Substance abuse consumer advocates 2
Federal/state government 2
Experts in the field
Providers 2
Advocates 1

Note: At the outset of the study, we planned to conduct interviews with managed care associations and accrediting organizations. When we contacted these organizations, they did not have staff who were knowledgeable and able to discuss these issues, so we substituted additional interviews with MCOs and providers.

aMost respondents at provider associations were also providers themselves, so these are reflected in both categories

II. Personal Health Information Collected by Mcos: Current Practice

In this chapter, we report on why MCOs collect personal health information, how they use it, what types of information are commonly collected and how this varies across plans, and the various ways in which the information is collected.

A. MCO Reasons for Collecting Data

1. Utilization Review

The most common reason for collecting personal health information is to support utilization review.  In this review, an MCO determines the medical necessity of the request and the appropriate level of care.  Typically, the client makes the initial request for treatment.  The client generally speaks to a care manager at the MCO, who discusses the nature of the problem and the symptoms and makes a referral to a provider for the minimum level of care deemed appropriate (Edwards 1997).  Once this initial authorization is exhausted, the provider must request authorization again if the patient continues to need treatment.  The process for requesting re-authorizations varies from company to company; some plans conduct reviews by telephone, usually following a prepared set of questions, while others require the provider to fax a treatment request form to the company.  The frequency of re-authorizations also varies.  Some plans require re-authorization every two to three visits, while others may authorize 10 or more outpatient sessions at a time (Hennessy and Green-Hennessy 1997). 

There are also differences in the authorization and re-authorization processes for outpatient versus inpatient treatment requests. There is some indication that MCOs may be moving away from requiring extensive information as part of utilization review for outpatient treatment.  A number of recent empirical studies have shown that intensive utilization management of outpatient cases may not be cost-effective for managed care firms.  One study found that it is 50 percent more expensive to administer managed care than fee-for-service (Meyeroff and Meyeroff 1999).  Another study found that the majority of patients receiving outpatient behavioral health treatment voluntarily terminated treatment after a limited number of sessions (Hennessy and Green-Hennessy 1997).  These authors suggested that MCO efforts to manage care do not appear to have had a significant impact on overall outpatient utilization and that MCOs might find that it is not cost-effective to intensively manage all cases.

We pursued this issue in interviews with providers and managed care firms, asking them whether they had observed a trend in MCOs requiring less patient information.  Most confirmed that some MCOs seem to be requiring less patient information for utilization review.  Magellan has recently introduced a treatment request form that requires only very basic patient information.  In addition, several plans we spoke with have instituted interactive voice response (IVR) systems, through which a provider calls an MCO and provides basic patient information—such as demographics, diagnosis, and services requested—into an automated system.  The treatment is automatically approved as long as the request meets certain basic parameters.  Case managers review a small sample of the cases from the IVR system. 

Some plans are also requiring patient information less frequently than in the past.  One plan we spoke with has, within the past year, decreased the frequency of their reviews from every 10 sessions to every 20 sessions for psychiatric treatment and from every 20 sessions to every 40 sessions for substance abuse treatment. 

One provider believes managed care firms are requesting less information partly in response to provider and patient pressure but also because plans are beginning to find that the costs of hands-on management through authorizations are not worthwhile relative to the cost of treatment because most patients only need short-term treatment.  This view is consistent with the experience of one managed care plan we spoke with, which stated that the firm has reduced the amount of patient information it collects because “99 percent of cases are managed fine” without the plan having to manage each one.  However, several providers pointed out that not all MCOs have streamlined their requests.

2. Quality Management

Although MCOs collect the patient information contained in outpatient treatment requests (OTRs) primarily for utilization review, many MCOs also use this information for quality management.  Several MCOs we spoke with use the information submitted in OTRs to identify outlier cases in which the diagnosis appears to warrant more extensive treatment than what is being received.  Examples include a patient with schizophrenia who is not on medication or a patient who is actively suicidal but for whom appropriate levels of care have not been indicated.  OTRs are also used to track patient progress.  For example, if a person with an adjustment disorder has been in treatment for several years with no apparent improvement, the MCO would want to flag the case and then call the provider for an explanation.  One MCO stated that it hopes to have to follow up on no more than 10 to 15 percent of cases. Procedures for quality management differ at one staff-model HMO, where the provider’s supervisor and other authorized personnel in the behavioral health department randomly review charts to ensure that appropriate care is received.

3. Audits

MCOs do audits primarily to make sure that clinicians are actually performing the services for which they are billing.  In addition, several providers stated that MCOs may need to review records in order to comply with accreditation requirements such as those developed by the National Committee for Quality Assurance (NCQA).

An MCO might also request a medical record because of quality-of-care concerns, whether expressed by patients, other providers, or other sources.  One MCO in our study also reviews the full record when a patient chooses to go to an out-of-network hospital.  All of the providers we spoke with stated that the MCOs include in their provider contracts the right to access the full medical record at any time.  MCOs may audit the provider’s chart system on site or they may simply ask the clinician to send in a sample of charts. 

MCO requests for complete charts can be problematic because, in practice, many therapists do not separate psychotherapy notes from the general medical record.  These notes reflect the therapist’s thoughts and opinions during treatment and may also contain information on patients’ family members who probably had not agreed to have their information disclosed to the therapist, let alone the MCO.  Once the information is in the chart, anyone at an MCO that handles the chart, including data clerks, could have access to that information.  Releasing sensitive information in charts can have serious consequences because an MCO clerk could be required to testify in court as to what he or she saw in a chart.  To illustrate the severity of this possibility, one provider used an example of a patient who was a physician being treated for substance abuse.  The physician had been writing fraudulent prescriptions and consuming the drugs himself.  If this is recorded in a file and an MCO clerk later sees it and reports it, the physician could lose his medical license and face criminal charges.

Several providers mentioned that they do not keep separate charting systems for physical and mental health care because of the administrative hassles.  Two providers said explicitly that they do not separate their notes even though they know they should because they have never been audited.  If they were to be audited, they would pull out the notes before the MCO came on site. 

4. Case Management and Care Coordination

Case Management.  MCOs may also use personal health information for case management and care coordination purposes.  MCOs may assign case managers to patients who use a high volume of services, to help them coordinate care between providers and to help them access community services.  Case managers may also be “go-to” people that can be contacted in a crisis, or between visits to the therapist.  The use of personal health information for this purpose is far less controversial, especially among consumers.  Consumer advocates we spoke with generally support the use of patient information for case management and care coordination as long as the patient approves it.  One advocate stated that patients distinguish between the sharing of information within and outside the health care system and feel comfortable with information being shared with people such as case managers or clinicians when their roles are to facilitate or participate in treatment.

Care Coordination.  It is often beneficial to the patient for information to be shared by the mental health/substance abuse provider and the primary care provider, particularly information that could prevent drug interactions (Simmons 1997).  Plans we spoke with generally ask the patient to sign an authorization for treatment information to be shared with the primary care provider.  MCOs do not so much collect this information as facilitate communication between providers.  Such care coordination is especially common when the mental health/substance abuse provider and the primary care physician work in the same clinic in a staff-model HMO.  In some cases, the providers may be able to share records electronically, further streamlining the process.

One mental health care provider we spoke with works with an MCO that automatically shares treatment information with the patient’s primary care provider.  She feels this is unnecessary, as some of her patients may have no relationship with their primary care provider, so the information is being shared with a stranger.  She would rather that the decision to share information with a primary care physician be made on a case-by-case basis.  Most providers we spoke with, however, said that in their experience, patients do sign an authorization for this information to be shared.

B. Information Collected by MCOs for Outpatient Treatment

Most of the providers we spoke with agreed that there is a great deal of variation in the amount of patient information requested by MCOs for outpatient authorizations.  The one exception, a provider who works only with Medicaid managed care firms in her state, has not observed much variation among the plans.  The other providers agreed that there is variation from company to company, and even within companies, depending on the type of contract an MCO has with an employer and on state laws that may restrict the types of patient information that can be shared with managed care firms.

To determine what information is shared between providers and payers, we asked both if they would be willing to share copies of their outpatient treatment request forms and telephone review protocols.  We collected a total of 10 forms and one telephone protocol.  From these, we were able to identify a number of topics that are fairly standard in treatment authorizations and others that vary considerably from company to company.  The documents we collected include:

The Maryland Uniform Treatment Plan Form.This form is used to collect the only patient health information that insurers can routinely collect in Maryland, per state law. The form went into effect in October 2000. Self-insured(ERISA-exempt) plans are exempt from this requirement (Appendix B).

· The Magellan Treatment Request Form. Magellan is a national managed behavioral health care organization with an enrollment of approximately 70 million people.  Magellan adopted the form in August 2000 (Appendix C).

· The ValueOptions Outpatient Treatment Report.  ValueOptions is a national managed behavioral health care organization that manages services for over 23 million people.  The ValueOptions Outpatient Treatment Report is available on the firm’s website at www.valueoptions.com/provider/forms.htm.

· Two forms used by other national managed care firms but not publicly available.

· Five forms from small or local managed care firms.  Two of these plans serve primarily Medicaid populations.

· One telephone protocol used in at least one market by a large managed behavioral health care organization.

We created a list of the information that was requested by the managed care plans and recorded the frequency with which each item occurs in all the forms or protocols we reviewed (Appendix D). Items that occur in at least six of the forms or protocols are identified in Table II.1.  Information on whether the item is requested in a categorical format (usually checklists or yes/no questions), in narrative form, or in both is also included in the table.

While we found wide variation in both the amount of information collected and the processes for collecting that information, we also found some similarities across plans.  All plans ask for administrative data, including the patient’s name, date of birth, social security or insurance identification number, and identifying information for the practitioner.  Most plans ask for the DSM-IV diagnosis code, including axis five, the Global Assessment of Functioning.  Treatment information, including the requested procedures or types of services, the frequency and duration of treatment, and expected outcomes are also fairly standard.  Most plans also ask about the patient’s current medications and compliance with the regimen.  Finally, many plans ask for information about the practitioner’s coordination with the primary care provider and about the patient’s involvement in other community services.

C. Degree of Variation in Ttypes of Information Collected

1. Variation By Type of Plan

Some respondents believe that the information requested varies by the type of plan.  We reviewed whether the types of information requested varies by whether an MCO does or does not carve out behavioral health (Appendix E).  While our data are limited, with only four examples from MCOs and seven from MBHOs, there do not seem to be any differences in the types of patient information requested by the two types of MCOs.

Table II.1
Patient Health Information Commonly Requested in Outpatient Treatment Authorization, by Type of Response 
Total Examined—11
Requested Informationa Categorical Narrative Both
Demographic/Administrative Information
Patient’s name   11  
Patient’s date of birth   10  
Patient’s social security/insurance ID number   10  
Practitioner’s name, address, phone   11  
Practitioner’s license and/or ID number   10  
Initial authorization or continuing 6 1  
Length of treatment/start and end dates   8  
Diagnosis
DSM-IV diagnosis code 11    
Current Global Assessment of Functioning (GAF) 10    
Highest GAF in past year 8    
Patient History
Previous MH/SA treatment 2 4 2
History of substance abuse 2 5 1
Presenting Problems
Symptoms 7 2 2
Duration and severity of symptoms 6 1  
Risk assessment suicide/homicide 5   3
Current substance abuse 5 1 3
Family/social relationships 4 2 2
Job/school performance 4 2 2
Obsessions/compulsions 4   2
Treatment Information
Requested procedures/types of services 8 1 2
Frequency/duration of treatment 4 7  
Expected treatment outcomes 4 5  
Member notified/concurs with goals? 5 1  
Medications
Current medications 2 8  
Dosage/frequency 1 7  
Compliance 3 3  
Care Coordination
Communication with PCP 6 1  
Patient receiving other community services 4 3 2

aItems are included in table if they were listed in 6 of 11 examples studied


We also reviewed whether local MCOs request different types of patient health information from the national firms for which we had information (Appendix F).  Two providers noted that, in their experience, local MCOs tend to ask for less detailed information than do national firms.  One said that the likely reason for this is that the local MCOs are more familiar with her clinic and have a closer working relationship with the providers.  Again, this analysis is limited because we have examples only from five national managed care firms and six local firms.  However, there do not seem to be any differences in the types of patient information requested by local or national MCOs.  However, beyond these forms, MCOs request follow-up information on certain cases in an informal manner, and it is possible that less follow-up information is requested if a provider develops a strong working relationship with an MCO.  Stronger working relationships could, in turn, be easier for providers to develop with local MCOs.

Two of the outpatient treatment request forms we examined were geared specifically toward substance abuse treatment.  There were too few of these forms to do a separate analysis, but in comparing them to the others, we found that the only difference is that these two forms do not ask about the patient’s risk of suicide or homicide.  Otherwise, information requested in these forms does not differ from information requested for general behavioral health.  In addition, two of the forms we looked at were from Medicaid managed care plans.  These forms ask for the same types of patient information as commercial managed care plans.

2. Plan-to-Plan Variation

Information on patient history varies considerably from plan to plan.  Three plans do not ask for any information on the patient’s history or previous treatment.  Several plans ask whether the patient has received treatment for mental health and/or substance abuse; some plans provide the clinician with a checklist of treatment types (i.e. outpatient, partial hospitalization or inpatient), asking the clinician to indicate which ones the patient had received.  Three plans ask whether the patient has other family members also receiving treatment; two simply require a yes/no response, while the third asks the provider to provide descriptive information about personal and family history relating to mental health and substance abuse disorders.

Information collected on a patient’s current status and presenting problems also varies greatly by plan.  Three of the outpatient treatment forms we examined asked the provider to explain the patient’s current problems and to describe the plan for addressing each one.  Other plans provide a checklist of symptoms and ask the provider to indicate which ones the patient has experienced, and in some cases, to also indicate the severity and duration of the symptoms.  Some plans also include a separate checklist for level of functioning in such areas as family and social relationships, work/school performance, physical health, sexual functioning, legal problems, financial situation, and activities of daily living. 

There is a great deal of variation among plans in the lists of symptoms they ask providers about.  The Magellan Treatment Request Form (Appendix C) is the shortest list used by the plans we studied.  Magellan simply lists four symptoms: self-injurious behavior, suicidal ideation, homicidal ideation, and substance use problems; the form also requests information on the severity of each (mild, moderate, severe).  The Maryland Uniform Treatment Plan (Appendix B), which requests the most detailed information of the forms we studied, includes a checklist of 56 symptoms.  It also asks the provider to rate the patient’s level of functioning (mild, moderate, severe) in six areas: family relations, job/school, finances, physical health, legal, friends/social.  The ValueOptions Report lists 24 symptoms and asks for information on their duration.  It also includes a checklist for level of functioning in 12 areas and asks the provider to rate the severity level on a scale of one to five and to estimate the severity level of each at discharge.  A comprehensive list of the symptoms requested by all plans is included in Appendix D along with the number of plans requesting information on each.

Plans also vary considerably in their questions regarding the level of risk of harm to self or others.  Three plans do not ask for any information on this topic.  Notably, both of the forms geared specifically towards substance abuse do not ask for information on this topic.  However, the majority of the plans request information on the patient’s risk of suicide and homicide, asking the provider to indicate whether the patient has exhibited ideation, a plan, or intent with or without means.  Two plans request information on other risk behaviors as well, including items such as self-injury, fire setting, family violence, and psychosis.  These two plans also ask the clinician to record any additional risk behaviors. 

D. How Data are Collected

1. Outpatient Utilization Review

Providers generally request treatment authorization by telephone or by submitting a written form.  However, as mentioned in Chapter I, several MCOs have recently implemented interactive voice response (IVR) systems for outpatient treatment authorizations.  The provider calls into an MCO and supplies basic patient information—including the patient name, social security number, diagnosis, and services requested—to an automated system.  How the system is used varies from company to company.  For two of the MCOs we spoke with, the system automatically gives the provider an authorization number for the services; the only reason for a denial would be if the member or provider is not eligible.  Master’s level case managers then pull reports off the system and review them retrospectively to ensure that services are being used appropriately.  The case managers therefore only need to review a limited number of cases, not every case.  (A third MCO requires the provider to supply clinical information to the system, and the approval is granted within five days.)  Compared with standard treatment request forms, the IVR system provides somewhat more privacy.  Because there is no need for a data clerk to enter information into a database, the systems eliminate the need for an additional person to see patient information. 

Despite the growing popularity of IVR systems, most providers requested authorizations for services by completing paper treatment request forms or by speaking to a case manager over the telephone.  The providers we interviewed differ somewhat in terms of whether they prefer sharing information over the telephone or in writing.  Two providers believe that phone conversations are more intrusive.  One said that a form allows providers to clearly state only the necessary information, whereas in a telephone conversation, the case manager might be more likely to ask for additional information.  Another provider believes that clinicians might be more likely to reveal more information than they intend to when they are on the telephone.  However, a third provider prefers telephone conversations because she feels she has more control over what she says, telling case managers what she thinks they need to know without revealing anything she feels is irrelevant.

Another concern that providers raised regarding telephone reviews is that the MCO staff taking the calls may not be sufficiently trained in mental health and substance abuse treatment, making them less-than-responsive, in the providers’ eyes, to requests for authorization.  A number of providers said that it is frustrating to give information to a clerical staff person who simply reads from a script and enters the information into a computer.  One provider described a situation in which a patient was actively suicidal and under supervision until an ambulance came, during which time the MCO staff member was reading through a set of questions on the patient’s hygiene that were not relevant to the case.  However, at some plans, the case managers are master’s-level clinicians who are knowledgeable about treatment.  One substance abuse provider at an inpatient clinic has interacted with case managers who are already familiar with the clients before they enter her facility and take an active interest in the treatment.

Several providers expressed concern regarding the treatment request forms, notably about the security of faxing this highly sensitive information.  One provider noted that an MCO she works with asks that forms be faxed without a cover page.  Another provider recalled a case in which an MCO had given out the wrong fax number, so information was inadvertently sent to a private residence.  Still another provider mentioned that she always calls the MCOs after she faxes forms to make sure that they are properly received.

A few providers mentioned that MCOs are increasingly accepting records electronically.  A representative of a large national managed behavioral health organization that has a number of Medicaid managed care contracts said that, in some states, doctors work with electronic medical records that feed directly into the managed care plan’s system.  Several providers we spoke with have strong concerns about the security of transmitting confidential patient information in this manner.  One provider said that her attorneys have advised her not to transmit records electronically until greater security measures are in place.  Another stated that patients should be informed if their medical records are being transmitted in this manner.

2. Clarifications

Once a provider submits a treatment authorization request, an MCO case manager may call the provider to ask for further clarification.  A great deal more information may be shared as a result.  It is not clear how often this occurs, as providers and MCOs were not able to give precise figures.  As mentioned in Chapter I, one MCO said that it hopes to have to follow up only on 10 to 15 percent of outpatient cases.

3. Appeals

If a request for treatment is denied, the patient and clinician have the right to appeal.  The appeals process varies from plan to plan.  The initial appeal may take the form of a telephone conversation between the clinician and a doctor on staff at the MCO.  If the two are unable to reach an agreement on the course of treatment, the case will go to a second round of appeals.  At this stage, plans generally invite the clinician to submit the patient’s full medical record.  In general, to pursue their appeal, providers need to submit it. 

One provider stated that, in lieu of releasing the entire record in the second round of appeals, he can sometimes prepare a summary of additional information that the plan needs.   However, other providers we spoke with said that, in their experience, plans always require the full record in order to review the case.  One provider mentioned that when he calls an MCO, he usually speaks with a clerical person, not a psychiatrist or psychologist.  Since that person does not know what information will be required for the appeal, the provider is simply told to send everything.

4. Inpatient Authorizations

We did not review the process for inpatient authorizations systematically, but some providers in the study have worked with both inpatient and outpatient treatment requests and said the two are very different.  Inpatient authorizations are much more intrusive, probably reflecting the fact that most of the costs in behavioral health are incurred on the inpatient side.  Processes for inpatient reviews vary considerably from plan to plan but, in general, consist of telephone discussions between hospital staff and MCO case managers.  Reviews occur frequently, sometimes every day or every couple of days.  The questions are usually open-ended and may be tailored to the specifics of the case.  In some cases, the MCO case managers are very familiar with the patient’s history and may suggest treatment strategies.  At one MCO, case managers may even visit the facility in person to meet with the patient and providers.  If an MCO issues a denial, there is an appeals process similar to that for outpatient treatment: a first round with a doctor-to-doctor review and a second round in which the MCO may request the full medical record.  One MCO said that inpatient cases reach the second round of appeals more frequently (about one to five percent of the time) than outpatient cases do.

III. Stakeholder Views on What Constitutes 0 Necessary" Information for MCO Operations

In this chapter, we report on what the provider associations, clinicians, consumer advocates, and managed care plans we interviewed see as “minimum necessary” information.  In addition, we identify which items of personal health information are especially controversial.  We observed that in many cases, respondents’ views on privacy have been shaped by their experience with and views on managed care more generally.

A. Provider Associations, Clinicians, and Advocates

The provider association representatives, clinicians, and consumer advocates we interviewed agreed that many MCOs request more personal health information than they need to manage care.  There was less than full agreement, however, on just how much information MCOs do need.  We begin by discussing the views that allow for the least information to be shared.  Many of the consumer advocates we spoke with were not comfortable with being specific about what they believe would be acceptable to share with MCOs.  The issue has not typically been a pivotal one for them, and they often said they did not hear about it much from their membership.

1. Administrative Data Only for Most Cases

One view is that for routine cases requiring outpatient treatment, health plans should not need more than the basic administrative data that was required for fee-for-service medicine, such as patient identification information; clinician identification information; procedure code; charges; and dates, type, and location of service.  Three of the provider association representatives support this view, as does a privacy expert who is a clinician.  Some of the justification we heard for this view follows.

Effective treatment depends upon complete trust between the patient and provider, and strict confidentiality is essential to that trust.  Therefore, “compromising,” whereby the provider gives up some personal health information to health plans, if not all that the health plans might wish for, is not in the best interest of the patient and therefore conflicts with the ethical standards of the professions.  Since HHS intends HIPAA regulations to be consistent with professional standards, the idea of providing only administrative data is consistent with the “minimum necessary” information clause in the regulations.  This view was expressed by a provider association representative who, among all of our provider association respondents, has been one of the most active in lobbying on privacy issues.

A second line of reasoning expressed by some provider respondents is that health plans would need extremely detailed clinical information, much more than is currently requested, in order to second-guess clinical judgment about a case.  According to one clinician, “particularly in psychotherapy, there are always going to be differences of opinion regarding the necessity of treatment.  MCOs may say they need hundreds of items of information on a patient to authorize treatment, but there is no scientific basis for their requests.”  Such second-guessing is neither a realistic nor an appropriate goal for health plans on a routine basis, it is argued.  Therefore, health plans should not routinely request more than the basic administrative information noted above.

Two provider association respondents that subscribe to the “administrative information only” view said that, in reality, managed care plans only or primarily use the information they collect to find ways to deny claims.  Because the information is not therefore being collected in the patient’s interest, it should not be shared with health plans at all.

Also, several providers of addiction services stated that, given the nature of addiction, patients would not be seeking treatment unless they really needed it; therefore pre-authorization is wholly inappropriate.  One such provider deals exclusively with Medicaid patients in a program that has no pre-authorization requirement for addiction services.

2. Names Removed

One advocate and one provider association representative raised the issue of giving only ID numbers, rather than patient names, to a plan.

 

Table IV.1lists the information shared under each approach, by the type of information requested.

1. Maryland Uniform Treatment Plan Form

The Maryland Uniform Treatment Plan Form, which is reproduced in Appendix B, was mandated by the state legislature (Title 15, subtitle 10B of the Insurance Article and COMAR 31.10.21) in response to providers’ complaints about the administrative burden of having to complete many different forms for different MCOs.  A committee comprising MCOs and provider representatives, led by the Maryland Department of Health and Mental Hygiene, developed the form, which was implemented in October 2000.  A provider we spoke with in Maryland said the form has considerably reduced the amount of personal health information he must send to MCOs.  This provider always talks with his patients about what information will be sent to their insurer and reports that he “has never had a patient tell him not to send the information, although some have been anxious about it.  Now that the Maryland treatment form is in place, patients are much less concerned.”  One respondent noted, however, that the form is not as sensitive to the information needs for substance abuse treatment as for mental health treatment.  Some revisions might therefore be warranted if it were to be more widely adopted for both types of treatment.

Table IV.1 
Comparison of Personal Health Information Shared via Three Approaches Viewed
as Privacy-sensitive Outpatient Treatment Requiring Pre-authorization
Type of Information Magellan TRF Maryland Uniform Treatment Plan Form APA Guidelines
Patient Information First name 
Date of birth 
Membership number 
Is patient on mental health or chemical dependency long-term or short-term disability?
First name 
Date of birth 
Membership and group number 
Relationship to insured
Name 
Date of birth 
Address 
Insurance information/ID number, 
Patient’s status (voluntary, involuntary)
Diagnosis Dx code-Axis I and II 
Axis III: 
Does patient have a general medical condition potentially relevant to understanding or managing the Axis I or II conditions (yes/no)

Axis IV:
Severity of psychosocial stresses (none, mild, moderate, or severe)

Axis V: GAF score (highest past year, at first session, current)

Dx code Axis I-IV

Axis V: GAF score (current, highest in past year)

Axis I or “v” code

Axis II or III if relevant

Axis IV or level of distress (none, mild, moderate, or severe)

Axis V: GAF (current, highest in past year) or functional status (impairment: none, mild, moderate, or severe)

Previous Treatment Number of times provider has seen the patient to date, by CPT code

First date seen (this episode)

Past two years:

Outpatient, partial hospital, residential treatment center, substance abuse intensive outpatient, other [all yes/no/unknown]

Medical Hx

Psychiatric meds (list, including name and dose)

Compliance (yes/no)

Side effects (yes/no)

Comments

Allergies

Date first seen for current episode

 
Current Medications Type, if any: anti-psychotic, hypnotic, anti-anxiety, etc. List of psychiatric meds, with name and dose, in past two years

Has patient been evaluated for medication (yes/no)

Does patient follow medication regimen (yes/no)

Comments (e.g., lab results, side effects)

On psychiatric medications (yes/no)
Communicated with PCP or other relevant health care practitioners about treatment Yes/no Yes/no  
Symptoms/Risk Assessment Rate the following symptoms as mild, moderate, or severe: 
self-injurious behavior

suicidal ideation

homocidal ideation

substance abuse problems

Rate a list of symptoms that apply as mild, moderate, or severe and indicate if it is a target or treatment; list of 56 symptoms in the following categories:

social functioning/behavior

cognitive/memory/attention

mood/affect disturbance

somatic disturbances

anxiety

perceptual disturbance

substance use

Risk assessment:

suicidality: ideation, plan, prior attempts (if known)

other risk behavior

comments

Other assessment info (e.g., psych testing)

Risk or relapse into chronic/acute symptoms: high, moderate, low, comments

Level of distress (none, mild, moderate, or severe) or Axis IV rating
Other Services Client Receives   Other psychiatric, medical, or community support services client receives

(type, e.g., group therapy, supportive housing)

 
Functional Assessment Axis V: GAF score (highest past year, at first session, current) Degree of illness-related impairment (none, mild, moderate, severe) by category:

family relations

job/school

financial

physical health

legal

friends/social

Functional status (impairment: none, mild, moderate, severe) or Axis V (GAF: current, highest in past year)
Planned Treatment Number of sessions requested, by CPT code

Duration for requested sessions

Proposed treatment modality, with frequency and CPT code for each:

individual

group

family

medication

conjoint

other

Estimated discharge date

Expected number of visits

Treatment plan discussed with patient, guardian, or other legal representative (if applicable) or parent of a minor (yes/no)

Are additional health services required (yes/no, or referred to:)

CPT codes, including recommended/expected frequency
Expected Treatment Outcomes   Check all that apply:

reduction in symptoms and discharge from active treatment

return to highest GAF and discharge from active treatment

transfer to self help/other supports and discharge from active treatment

ongoing supportive counseling to maintain stabilization of symptoms

ongoing medication management to maintain stabilization of symptoms

Prognosis: the estimated minimum duration of treatment for which authorization is sought

Estimated GAF at treatment’s completion

Additional Information   For first reviews, state additional information that may help clarify the need for this outpatient treatment

For subsequent reviews, briefly state what progress has been made

If no progress, indicate reasons and whether treatment plan is being

revised to address targeted symptoms

 

As shown in Table IV.1, the Maryland Outpatient Treatment Plan Form requests more information than the other two approaches, including previous treatment in the past two years, current medications, symptoms, functional assessment, and planned treatment. 

2. Magellan Outpatient Treatment Request Form

Magellan’s Outpatient Treatment Request Form, reproduced with permission in Appendix C, was implemented in October 2001.  The form, which replaces a request for a narrative description of the treatment plan, was developed partly in response to provider complaints about information requests but primarily because Magellan found it was not cost-effective to manage every case.  One provider commented that “the Magellan form is back to the old style, where the MCO just required minimal information and trusted the clinician to make the right treatment decisions.”

The Magellan form requests more information than the APA guidelines, including current medications, the number of times the provider has seen the patient to date, and whether any of the following symptoms are mild, moderate, or severe: self-injurious behavior, suicidal ideation, homicidal ideation, and substance abuse problems.  However, the form includes considerably less information than the Maryland Outpatient Treatment Plan Form on, for example, symptoms, planned treatment, and expected treatment outcomes.

3. APA Guidelines

The APA adopted Minimum Necessary Guidelines for Third-Party Payers for Psychiatric Treatment in December 2001 (reproduced in Appendix G).  The guidelines “are based on the cumulative professional experience of APA members with respect to current practice and the necessity of privacy for effective psychiatric care.”  The guidelines are also based on the principle that third-party payers should not ask for more information to approve psychiatric treatment than they would in order to approve treatment for physical health.  Finally, the guidelines are founded on the current HCFA 1500 claim form and the protocol for disclosures to third-party payers as specified in the District of Columbia and state of New Jersey third-party mental-health privacy statutes (see Table IV.2).

The APA guidelines suggest restricting information sharing to a greater degree than either the Maryland or Magellan forms.  For example, there would be no sharing of information on previous treatment or on whether treatment has been coordinated with a person’s primary care provider; and there would be only a yes/no question on whether the patient is on medications, for example.  

4. Understanding the Three Approaches in Context

While it is clear that the three approaches described above vary in how much information is shared, the context in which they are used or intended to be used must also be considered in order to understand the implications for consumers’ privacy.  The Maryland Outpatient Treatment Plan Form is designed to provide all information that an MCO or other insurer needs to make a decision about approving or denying treatment.  Although a denial can be appealed, this would require much more extensive information, probably the full medical record.  One provider who was involved in the development of the Maryland form stated that, because only 0.5% of outpatient treatment requests are denied, appeals would be relatively rare.

Table IV.2 
Privacy Laws of New Jersey and the District of Columbia: 
Disclosure to Third-party Payers
District of Columbia New Jersey
“Information limited to:

Administrative information

name, age, sex, address, identifying numbers, dates and character of sessions (individual or group) and fees

Diagnostic information

therapeutic characterization of the type found in the Diagnostic and Statistical Manual of Mental Disorder, or any comparable professionally recognized diagnostic manual

The status of the client (voluntary or involuntary)

The reason for admission or continuing treatment

A prognosis limited to the estimated time during which treatment might continue

If the 3rd-party payor questions the client’s entitlement to or the amount of payment benefits, they may, pursuant to a valid authorization, request an independent review of the client’s record of mental health information by a mental health professional or professionals. Mental health information disclosed for the purpose of review shall not be disclosed to the 3rd-party payor.

Section 6-2017. District of Columbia Mental Health Information Act

“Information limited to:

Administrative information

Diagnostic information

The status of the patient (voluntary or involuntary, inpatient or outpatient

The reason for continuing psychological services, limited to an assessment of the patient’s current level of functioning and level of distress (both described by the terms mild, moderate, severe, or extreme.

If the third-party payor has reasonable cause to believe that the psychological treatment in question may be neither usual, customary nor reasonable, the third-party payor may request, and compensate reasonably for, an independent review of the psychological treatment by an independent professional review committee.

The State Board of Psychological Examiners shall, within 10 days of the notification, inform the treating psychologist of two or more members of the independent professional review committee who shall be known as “:reviewers” and who shall conduct the review.

New Jersey Permanent Statutes: Title 45: Professions and Occupations Title 45:14-32. Disclosure to Third Party Payor

On the other hand, the Magellan Treatment Request Form, which requests less information, is designed to provide all the information an MCO needs to approve most cases.  All the study MCOs that use forms or interactive voice response systems follow up on some cases for more information, typically through calls from the case manager to the provider, before approving or denying payment for treatment.  In Maryland, although payers are supposed to request only the information in the form, one provider told us that plans sometimes look for more but back down when reminded that this is not allowed.  Providers can, however, submit additional information during the appeals process.

Under the APA guidelines, if an MCO or other insurer cannot make a decision based on the information allowed by the guidelines, then the case should be referred for review to a qualified psychiatrist who is independent of the insurer, whose cost will be borne by the insurer, and who would be given access to the clinical information necessary for assessing the need for treatment.  This approach is similar to the provisions of the DC and New Jersey privacy laws (see Chapter I).  We could not identify any information that would suggest either the benefits or costs of this approach based on the DC and New Jersey experiences. 

The benefits of the DC and New Jersey laws—and by extension the APA guidelines—are unclear in part because the extent to which MCOs and providers know about and follow the laws is not clear.  For instance, one Maryland provider noted that managed care firms based outside the state are particularly unfamiliar with the Maryland restrictions on information that can be shared.  As a result, it is up to providers to inform the MCO when it makes a noncompliant request.  One might suspect that the same could be the case in DC and New Jersey, but the laws there are substantially older than the Maryland requirement to use the Uniform Treatment Plan Form.  One respondent suggested providers may routinely give MCOs what they ask for even if the request is noncompliant.  Another provider believes that MCOs do back down if confronted with an objection based on the law.

The cost of the independent review process envisioned in the APA guidelines is also unclear.  The corresponding provision in the New Jersey law was used for five years in the late 1980s and early 1990s, prior to managed care.  However, those we interviewed did not know of readily available information on the cost of reviews during that time, and since then, the review process has largely not been used.  In DC, the costs of reviews are borne by the MCOs; systematically tracking down whether any DC MCOs used the provision and how much it cost was beyond the scope of this study.

B. Use of ASAM Criteria as a Basis for Determining Necessary Information for Substance Abuse Treatment

Thus far, we have described three approaches to collecting information viewed as minimally necessary for MCOs, but we have not discussed exactly how MCOs use the information to make decisions about the appropriateness of care or how they should do so.  In fact, MCOs often have specific protocols or guidelines in place to assist case managers in making decisions about appropriateness, but the protocols are proprietary.  One MCO in particular emphasized that “like its competitors, [it] has well-defined and empirically derived level-of-care guidelines for mental health and substance abuse.  The guidelines are updated each year.  Internal quality improvement committees are charged with an annual review of psychiatric literature and [the MCO] also conducts panels of experts.”  If such guidelines are not publicly available, it is impossible for an outsider to understand why the various kinds of personal health information are needed.

With regard to level of care, there is more consensus in the field of substance abuse treatment than in the field of mental health.  More specifically, the American Society of Addiction Medicine, which represents providers of addiction medicine, developed criteria for placing patients in various levels of care.  While the criteria themselves do not pertain to privacy, they represent a provider consensus on appropriate care for addiction and are available to the public.  As such, they provide a foundation for outlining what information is necessary for managing care.  Indeed, one MCO we spoke with uses these criteria as the basis for its information requests and said that the American Managed Behavioral Health Association, which represents managed behavioral health care organizations, had endorsed the criteria (we could not confirm this).  Please note that the most adamant of our provider representatives would probably argue that regardless of the extent to which MCOs use clinically sound criteria to justify their information requests, collecting personal health information beyond administrative data is inappropriate in that any information-sharing will inhibit effective treatment.

V. Potential Next Steps

Confidentiality is clearly essential to effective mental health and substance abuse treatment.  Our review of the status of privacy-sensitive approaches to collecting personal health information for managed care suggests there are steps that the Department of Health and Human Services (HHS) could take to advance current information-sharing practices so that they are more privacy-sensitive.  First, we review the option and possible consequences of “doing nothing.” We then discuss what HHS might consider if it decides to develop or facilitate the development of a standard set of minimum necessary information.  Finally, we discuss how the information in this report might be used by the health plan community to further privacy-sensitive approaches to collecting the minimum amount of personal health information needed to manage care.

A. Possible Consequences of No Action

The general trend in the managed care industry towards collecting less data to manage mental health and substance abuse outpatient services may mean that, absent any action, health plans that still collect very detailed personal health information will eventually begin to collect less information.  Furthermore, the consumer advocates and managed care groups in our study did not view the issue of how much information is shared by providers with payers as a high priority item at the time of our study. 

However, the APA’s release of its Minimum Necessary Guidelines for Third-Party Payers in December 2001 shows that the issue remains a significant concern for providers.  Also, the absence of a national standard for what constitutes the “minimum necessary” information that providers should be sharing with MCOs has resulted in very different privacy protections for consumers depending on their health plan.  In addition, our interviews with providers suggest that clinicians vary widely in how specific they are with their patients about what information is transferred to MCOs.  This variation exists because from a legal perspective, many mental health providers rely on a general patient consent as a basis for transferring personal health information to a payer for purposes of payment and health plan operations. 

We are left with a somewhat troubling picture in which many consumers receiving mental health services are consenting to the transfer of personal health information only in general terms and perhaps months prior to these services and before the record even exists.  At the same time, health plans that work toward similar care management goals request vastly different amounts of personal health information.  This picture seems inconsistent with the HIPAA emphasis on ensuring consumer awareness of and control over the flow of personal health information.  We are not aware of any legal action to date that has challenged either the current practices surrounding informed consent or the appropriateness of MCOs’ information requirements.  However, it seems to us that such legal challenges could arise if no action is taken to better standardize or limit personal health information collection for managed care.

B. Developing a National Standard for What Constitutes "Minimum Necessary" Information

One way to increase the use of privacy-sensitive approaches to the sharing of personal health information is to develop a national standard for what constitutes “minimum necessary” information.  Such a standard could both help consumers understand what information MCOs need and why and eliminate the wide, plan-to-plan differences in the information that is collected.  Moreover, the minimum necessary information set could be implemented through a common treatment request form.  This would reduce the burden, still faced by providers in most states, of responding to many different types of health plan requests.  However, developing a nationally applicable “minimum necessary” set of information is not an easy task. 

For purposes of discussion, we will assume that if a nationally applicable minimum necessary information set were to be developed, HHS would lead the effort.  Clearly, given the differences of opinion among stakeholders, some party that is viewed as neutral and outside of the managed care, advocacy, and provider communities must lead the effort so that the stakeholders can view the outcome as legitimate. 

1. Role of Scientific or Other Research Results in Considering What Information Is Needed

One important consideration in developing a minimum necessary information set is what role scientific or other research results can play in helping to define what information is needed to manage care.  Unfortunately, the research is sufficient to serve only as an aid to, not a primary basis for, establishing a set of minimum necessary information.  That said, the criteria for patient placement for substance-related disorders developed by the American Society for Addiction Medicine (see Chapter IV) provide more support for identifying the information needed to managed substance abuse care than anything that is readily available to support the information needed to manage mental health care.  More specifically, the ASAM criteria could be a source against which proposals for minimum necessary information might be reviewed to rule out irrelevant information related to substance abuse disorders.  But because the criteria are very detailed, they may not help to isolate the most important pieces of information to collect. 

Our understanding is that there is no similar set of criteria for mental health treatment, and that, in fact, there is little consensus among mental health care providers with regard to what and how much treatment is necessary under many circumstances.  Despite this lack of consensus, managed care plans or other interested parties (such as researchers) could develop a series of examples of how personal health information can be used in conjunction with information from research studies to perform evidence-based quality and utilization checks.  This exercise may point to specific data elements that are critical to many types of well-supported checks. 

2. Role of Consensus

A second critical consideration is whether HHS might be able to establish a set of minimally necessary information that can be shared between providers and payers.  HHS might establish this set of information, with relevant stakeholders providing input during the process.  Alternatively, HHS might choose to convene a set of experts to reach a consensus on what information should be considered minimally necessary, as was done in Maryland in the development of the Uniform Treatment Plan Form, and adopt this consensus as the official minimally necessary set of information.

Insight into Constructive Participation by Stakeholders.  Providers do not agree on whether personal health information should support routine care management by MCOs.  Some do not even view compromise on this issue as an appropriate option.  This group—a subset of the providers who hold the “administrative data only” view described in Chapter III—would not be expected to participate constructively in an effort to generate a set of minimum necessary information by consensus.  As noted in Chapter III, other providers hold less extreme views, finding it acceptable to share certain information beyond administrative data with MCOs.  Still others acknowledge privately that the sharing of information that supports utilization and quality management overall benefits the consumer by avoiding fraudulent and unnecessary treatment and offering some protections regarding quality of care.  Because they agree with providing some personal health information to MCOs for the purpose of care management, these two groups of providers might be expected to contribute to the effort to develop a minimum necessary information set by consensus.

On the other side of the equation are the MCOs, which may or may not buy into the idea that a common set of minimally necessary information would benefit them.  The extent of their participation may depend on the extent to which they view the specifics of how they use personal health information as proprietary—a component of their corporate strategy that allows them to keep costs lower than their competitor.  However, one health plan respondent we spoke with supported the concept of a single set of minimum necessary information collected through a standardized form, and in fact told us of some overtures he had made to advance the concept.  A nationally applicable form that captures the minimum necessary information set could benefit MCOs and providers alike by reducing the burden on both parties.  For instance, such a form could reduce provider errors, since providers would become accustomed to responding to the items on the form.  This could, in turn, help to reduce the need for MCO follow-up, which taxes both MCO staff and providers.  The burden of responding to follow-up could also be lessened for providers if MCO follow-up were voluntarily or otherwise restricted as a result of a carefully considered process to identify the minimally necessary information for managing care.  Moreover, the routine completion of a standardized form should simplify the administrative burden on providers; in addition, to the extent that the form would be less extensive or require less narrative than many current forms, it would reduce providers’ workload.  The resulting lower burden on providers could enhance their relationship with MCOs.  Finally, the development of a standard set of minimum necessary information would offer plans a way to ensure that they are abiding by the “minimum necessary” information principle articulated in HIPAA.

HHS’ Role.  While providers and MCOs, as well as consumer advocates, must participate in development of a standard set of minimum necessary information, HHS has at least two options for defining its role in the effort.  One option is for the agency to act as a facilitator, convening representatives from the various stakeholders and securing a commitment to developing a group product, which HHS could decide to adopt or help disseminate.  Based on our interview with a respondent who was heavily involved in Maryland’s development of its Uniform Treatment Plan Form, a legislative mandate or deadline for producing such a product may be a prerequisite to the success of this type of strategy.  Alternatively, HHS could consult with representatives of the provider, advocacy, and managed care communities, using the resulting information to establish guidelines for what constitutes minimum necessary information under its own authority. 

Some Potential for Unintended Consequences.  A standardized set of minimum necessary information could inadvertently increase the amount of personal health information collected by those plans that now collect the least information.  However, as discussed in Chapter IV, the amount of data collected routinely must be interpreted in the context of how much follow-up information a plan collects.  If, as in Maryland, the standardized set represents all of the information a plan may collect outside a formal appeals process, then more personal health information may be collected routinely.  However, the net effect of this approach may be the same or better for the consumer than if less information is collected routinely and follow-up is open-ended—that is, if free-form discussions between case managers and providers lead to the sharing of more personal details for some cases.

3. Need for or Desirability of Legislation

Legislation that requires the development of a minimum necessary set of information could help HHS achieve a consensus or near-consensus-based product that also explains information sharing to consumers and allows MCOs to manage care.  As noted above, a respondent heavily involved Maryland’s development of its Uniform Treatment Plan form by consensus of relevant stakeholder groups believed this effort would probably not have been possible without the legislation that required its development. 

On the other hand, raising the issue with Congress could possibly lead lawmakers to establish a minimum necessary information set that may be different from what would be achieved through an HHS-led process involving a balanced set of stakeholders.  For example, the provider community could prevail on Congress to adopt the DC or New Jersey models or the APA guidelines.

C. How the Health Plan Community Can Use this Report to Advance the Privacy-Sensitive Collection of Minimum Necessary Information

The gulf between the APA’s minimum necessary guidelines and typical MCO information requests is clearly wide.  Although the MCO representatives we spoke with do not believe the information set out in the APA guidelines will allow them to manage care effectively, the health plan trade associations had not focused on articulating a response to the guidelines at the time of our study.  It may be that these organizations do not believe they need to attend to this issue.  If they view the patients’ general consent as a sound legal basis for MCOs to continue requesting information as they now do, then the trade associations may see little reason to be concerned with providers’ views of what is minimally necessary.  However, these organizations may not have focused on this issue simply because of other priorities.  In that case, the information in this report on the large gap between the APA’s guidelines and current MCO practice may draw their attention to the issue.  Also, given the public backlash toward managed care in recent years, the managed care industry could benefit from better conveying the value of care management to the public by explaining in more specific terms why the personal health information they collect benefits consumers.

Also, the report could help health plans review their information-collection routines.  More specifically, they can use the report to identify what information is collected under several privacy-sensitive approaches, what information is especially controversial with providers and why, and whether the items they collect are similar to or different from most of the other organizations whose forms and protocols we were able to obtain.

References

Acuff, Catherine, Patricia Bricklin, Samuel Knapp, Bruce Bennett, Mathilda Canter, Stanley Moldawsky, and Randy Phelps. “Considerations for Ethical Practice in Managed Care” Professional Psychology: Research and Practice, vol. 30, no. 6, 1999, pp. 563-575.

American Society of Addiction Medicine.  “Patient Placement Criteria for the Treatment of Substance-Related Disorders.”  2nd Edition.  Chevy Chase, MD: ASAM, 1996.

District of Columbia Mental Health Act of 1978, §6-2017.  Available at [www.psa-uny.org/jr/docs/dcmhact.htm].  November 27, 2001.

Edwards, Berryman. “Managed Care and Confidentiality.”  Available at [http://www.behavenet.com/hbe/papers/mdcarcon497.htm].  April 4, 1997.

Hennessy, Kevin, and Sharon Green-Hennessy.  “An Economic and Clinical Rationale for Changing Utilization Review Practices for Outpatient Psychotherapy.”  Journal of Mental Health Administration, vol. 24, no. 3, Summer 1997, pp. 340-349.

Jaffee v. Redmond, No. 95-266 (518 U.S. 1) United States Supreme Court. June 13, 1996. Available at [http://apsa.org/pubinfo/jr-opin.htm] as of September 5, 2002.

Kongstvedt, Peter.  The Managed Care Handbook.  Gaithersburg, MD: Aspen Press, 1996.

Koyanagi, Chris.  “Medical Records Confidentiality in the Modern Delivery of Health Care.” Testimony before the Subcommittee on Health and the Environment.  U.S. House of Representatives, Committee on Commerce, Washington, DC, May 27, 1999.

Legal Action Center. “Confidentiality and Communication.”  New York: LAC, 2000.

McDaniel, Charlotte, and Judith Erlen.  “Ethics and Mental Health Service Delivery Under Managed Care.”  Issues in Mental Health Nursing, vol. 17, 1996, pp. 11-20.

Meyeroff, Wendy, and Richard Meyeroff.  “Behavior’s Problem.”  Healthcare Informatics, vol. 16, no. 3, March 1999, pp. 59-61 and 64-65.

National Mental Health Association.  “Best (& Worst) Practices in Private Sector Managed Mental Health Care Part II: Confidentiality.”  Washington, DC: NMHA, July 1999.

New Jersey Permanent Statutes, 45: 14B-32, 1985.  Available at [www.psa-uny.org/jr/docs/njstatute.htm].  Accessed November 27, 2001.

Simmons, Janice.  “Who Needs to Know?”  Healthplan, vol. 38, no. 4, July-August 1997, 
pp. 56-60.

Appendixes

Appendix A: Literature Review of Privacy Issues in Managed Care for Mental Health and Substance Abuse Treatment

Introduction

This literature review is designed to document relevant information from the past five years on the ways in which managed care payers require personal health information from consumers of mental health and substance abuse services. In particular, we focused on gaining an understanding of why managed care firms collect personal health information, what types of information are collected, what problems or concerns have been raised by stakeholders, and what models and solutions have been proposed by experts in the field. In identifying relevant literature, we searched databases of technical and medical literature, as well as policy and management literature.

In preparing this review, we found a great deal of information on why managed care firms collect personal health information and the different ways in which they use this information. We also found a great deal of documentation of the problems that have been encountered, particularly from providers and patients who are reluctant to share information that was disclosed within a privileged therapist-patient relationship. We found relatively little information in the published literature about what specific information managed care firms typically require in order to authorize services. In searching for solutions and models, we found a few sources that made specific recommendations as to what information should be disclosed to the managed care firm, but, more commonly, experts stated recommendations for maintaining the confidentiality of sensitive information once it is in the possession of the managed care organization.

This literature review does not reflect recent changes that we believe are underway. Managed care firms are moving away from tightly managed systems to products that give consumers and providers more autonomy (Draper, et al., 2002). Managed care firms are finding that intensive case management is often not cost-effective, particularly for outpatient care, and are beginning to streamline their requests for personal health information. In addition, the privacy regulations issued by the Secretary of Health and Human Services will go into effect in 2003, and this may affect how managed care firms collect and use individually-identifiable information. However, because these changes are so recent, we have not found published literature that documents these changes. Therefore, this literature review focuses on presenting background on why managed care plans collect personal health information, federal and state laws which are designed to protect patient privacy, some of the problems that have been identified with the transfer of this information, and some proposals that have been put forward to limit the types of information disclosed to payers and measures for ensuring the security of this information once it is disclosed.

Background

Confidentiality is one of the basic principles of mental health and substance abuse treatment. In the course of therapy, clients reveal personal, highly sensitive information about themselves that they may not reveal to anyone else. Clients trust that the information they reveal in the course of treatment will be kept confidential by the clinician, subject to the patient-doctor privilege. However, when clients request reimbursement from a third-party payer, the payer has a right to know that the services being requested are appropriate. To pursue that knowledge, the payer may request that the clinician provide information about the client's symptoms, diagnosis, treatment and progress.

A. Federal and State Requirements

Several federal laws and regulations have been established in order to help protect the privacy of health care information. The best-known are the privacy regulations established by the Secretary of Health and Human Services in 2000 in response to a requirement in HIPAA legislation (PL 104-191) that Congress must develop a federal law to protect the privacy of health care information by August 1999 or the Secretary must issue regulations within six months. The regulations state that "a covered health care provider must obtain the individual's consent …prior to using or disclosing protected health information to carry out treatment, payment or health care operations" (45 CFR 164.506(a)(1)). The regulations require that the PHI shared between the provider and the insurer must be the "minimum necessary" to accomplish the objectives, without further clarification of what constitutes the minimum necessary information.

A second federal law Gramm-Leach-Bliley Act (Pub. L. no. 106-102(1999), 15 U.S.C. § 6801 et. seq.) was enacted to project the privacy of financial information, but applies to health plans as well as (Hirsh 2001). The Act requires that health plans distribute a notice to enrollees detailing the types of information disclosed to third parties and the types of third parties who might receive this information. The notice must give clients the opportunity to opt out of information disclosures by informing the company in writing. Health plans were required to implement these practices by July 2001.

There are also special federal protections for substance abuse records. Specifically, medical records of patients in Federally assisted substance abuse treatment programs are subject to a Federal law restricting their use and disclosure (Public Health Service Act §543, 42 U.S.C. 290dd-2; regulation at 42 CFR part 2). Information may only be disclosed to third party payers if the patient signs an authorization. The regulation requires certain elements to be included in the authorization, including:

  • The specific name or the general description of the program or person permitted to make the disclosure;
  • The name or title of the individual or the name of the organization to which the disclosure is to be made;
  • The name of the patient;
  • The purpose of the disclosure;
  • How much and what kind of information is to be disclosed;
  • The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent…or, when required for a person who is incompetent or deceased, the signature of a person authorized to sign…in lieu of the patient;
  • The date on which the consent is signed;
  • A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it; and
  • The date, event or condition upon which the consent will expire if not revoked before…(§ 2.31).

Despite the additional confidentiality requirements for substance abuse records, the substance abuse provisions do not restrict information shared with payers for purposes of payment, assuming an authorization has been signed. However, a study by the National Mental Health Association (NMHA 1999) of MCO confidentiality practices found that only a minority of MCOs studied described these requirements in their internal policies and offered guidance on executing them.

State laws can vary considerably, with some states offering significantly greater protections than what is required by federal law. A review of state privacy laws was beyond the scope of our project, but many respondents we interviewed pointed us to the laws of the state of New Jersey and the District of Columbia as containing the most stringent privacy protections. Both have laws which state that information that can be disclosed to third parties is limited to administrative and diagnostic information, the status of the patient, the reason for admission or continuing treatment and the estimated time that treatment might continue. In the event of a dispute between a provider and payer over the course of treatment, the third party payer in the District of Columbia may request that another mental health professional review the record and make a determination as to the appropriate level of care (DC 1978). In New Jersey, the insurer may request the review from an independent review committee (NJ 1985).

B. History of Information Exchange

The practice of third-party insurers demanding information on mental health treatment before paying for services is not a recent phenomenon. Even under fee-for-service arrangements, insurers generally required mental health providers to share the patient's diagnosis, and sometimes even the treatment plan, before reimbursing for these services (Acuff et al., 1999). Mental health providers sometimes maintained two sets of records for each patient: one for clinical use and one for billing purposes only (McDaniel and Erlen, 1996). This allowed the clinicians to share the information that the payers needed, while respecting the client's right to confidentiality of sensitive information shared within the therapy session. However, several of the providers we spoke with said that they did not maintain separate records, due to the administrative burden of keeping such records.

C. Rise in Managed Care

In the 1980s, health care costs in general began to rise, and mental health and substance abuse costs rose even faster. From 1986 to 1988, spending on all health care rose 13%, but mental health care costs rose 20% and substance abuse care costs rose 32% (Hennessy and Green-Hennessy, 1997). As a result, there was increasing pressure to move from a fee-for-service system to a managed care system, which would seek to contain costs by playing a more active role in monitoring and overseeing the care provided, to minimize abuses and attempt to ensure that the most cost-effective care is being provided. Managed care firms undertake a variety of activities, including determining the most cost-effective level of care appropriate to the situation, profiling physician service use and designing disease management programs for chronically ill clients (McDaniel and Erlen, 1996). All of these activities require the MCOs to collect a great deal of personal health information about clients

D. Utilization Review Process

The most common purpose for MCOs to collect personal information on clients is for utilization review. This is a process where the MCO determines the client's need, the medical necessity of the request, and the appropriate level of care. Utilization review processes vary from company to company, but generally consist of a request from the client for an initial authorization and then subsequent requests from the provider for additional authorizations. During the initial request, the client generally speaks to a care manager, who discusses the nature of the problem and the symptoms, and makes a referral to a provider for the lowest level of care deemed appropriate (Edwards, 1997).

Once the initial authorization is exhausted, the provider will request subsequent authorizations. MCOs vary considerably in the types of information requested during these authorizations. The MCO care manager might ask the provider to share information on the patient's history, diagnosis, symptoms, treatment plan and progress, and may attempt to determine the patient's level of functioning by asking about danger to self and others, or ability to return to work (Lazarus and Sharfstein, 2000). The frequency of the authorizations also varies from company to company; some will require re-authorizations every two to three visits, while others may approve up to ten outpatient sessions at a time (Hennessy and Green-Hennessy, 1997).

The literature suggests that the resources required for intensive utilization management can exceed the cost savings from managing the care. The administrative costs in managed care are significant: managed care is fifty percent more expensive to administer than fee-for service (Meyeroff and Meyeroff, 1999). In a 1998 study of the utilization review process at United Behavioral Health, Koike and colleagues found that utilization management was used on over fifty percent of cases, and included activities beyond simply approving care, including telephone assessments, discharge reviews, discharge follow-ups, and closing summaries (Koike et al., 2000).

Privacy issues may become less of a concern if MCOs voluntarily choose to limit the amount of personal health information they collect. Several providers and behavioral health care firms mentioned in our interviews that they have observed a trend toward MCOs requesting less detailed information within the last few years. MCOs expected to recover the costs incurred in these processes through reduced utilization. However, there is some evidence that review processes may not result in a significant decrease in utilization, particularly for outpatient care. Hennessy and Green-Hennessy noted that, in a nationally representative study of individuals undergoing outpatient behavioral health treatment, 72% had seven or fewer sessions, and 85% had fourteen or fewer sessions (1997). This was the same for both fee-for-service and managed care, indicating that most patients voluntarily terminated treatment after a small number of sessions and that MCO efforts to limit utilization do not appear to have had a significant effect. Another study examining individuals covered by United Behavioral Health who had terminated outpatient mental health treatment found that only 5% of persons surveyed indicated that their treatment was discontinued due to a denial of care from the MBHO; and only 3% of the participants' providers had noted the denial as the cause of the discontinuation in the medical file. The majority of patients and their providers indicated that treatment was discontinued because treatment goals were met or because the patient voluntarily discontinued treatment (Cuffel et al., 2000). Since the utilization review process can be very expensive, and may not result in significant decreases in utilization, MCOs may begin to change their administrative processes to be more cost-effective, and curtail intensive management of outpatient behavioral health care.

Other privacy issues

Many concerns were reviewed in the literature regarding privacy and confidentiality of mental health and substance abuse records. While these issues were beyond the scope of the study, we discuss them briefly below. The HIPAA privacy regulations may help to address some of these issues.

A. Lack of Consumer Awareness

Despite the federal and state laws designed to protect patient confidentiality, there are numerous problems associated with the ways patient information is disclosed to managed care firms today. The first is that consumers are often unaware of the significance of the consent forms that they sign upon enrollment (Davidson and Davidson, 1995). Because insurers often require that consumers sign consent forms as a condition of enrolling in the plan, or of paying the claims, clients may feel that they have no choice but to sign them. If consent forms are linked to other forms, such as authorizations for treatment, clients may not read or comprehend the forms as clearly as they should. Finally, they may be unaware of the number of people who may have access to the medical and psychiatric records.

B. Number of People With Access to Records

In a large managed care firm, more than one hundred people may have access to an individual's medical record. In the early 1980s, when most people were still enrolled in fee-for-service, one study found that up to 100 people had access to an individual's inpatient medical record (Siegler 1982). As payment and delivery systems have grown more complex, the number of personnel with access to the medical file is expected to be much higher. In addition, as managed behavioral health care firms merge and consolidate, they become responsible for maintaining records on more and more clients. Magellan Behavioral Health manages care for more than 62 million people, and Value Options manages care for more than 20 million people. Although these firms have implemented measures to ensure the security of their information systems, some experts have questioned whether any system that has so much sensitive data on so many people can adequately protect it (Pomerantz, 1999).

C. Risks of Disclosure of Personal Health Information

Personal health information, in the wrong hands, could have disastrous consequences for an individual's future. As Jay Pomerantz points out, the wealth of information contained in the computer files of the major MBHO's could have significant value to private detectives, opposing parties in lawsuits, political opponents, and blackmailers, just to name a few (Pomerantz, 1999). For these reasons, the privacy of behavioral healthcare information is extremely important, yet many consumers are concerned that their medical records are not as secure as they should be. According to a 1993 survey conducted by Louis Harris and Associates, 27% of the public believe their personal health data (not specific to behavioral health) has been disclosed improperly, and of those, 31% said they were harmed or embarrassed by the disclosure; 15% said that the unauthorized disclosure was made by a health plan. Eleven percent said that they or a family member had paid for care out of pocket rather than submit a claim and risk having to disclose information about the condition (Louis Harris and Associates, 1993).

Unauthorized disclosures can result in harm in a variety of ways. Many people with a history of mental health or substance abuse treatment find it difficult to obtain life insurance because insurance companies share client information with the Medical Information Bureau (MIB), a membership organization of over 600 insurance companies (California Health Care Foundation and Consumers Union, 1999). When insurers are underwriting policies, they can contact the MIB to find out if the applicant has a pre-existing condition or has ever been denied coverage (Rybowski, 1998). Although the MIB requires an individual's consent before releasing information, in practice, many people do not realize that their personal information is exchanged by insurance companies in this way. Additionally, more than one third of Fortune 500 companies report checking medical records before making decisions about who to hire and promote (NMHA, 1999). Inappropriate use of health care information can have serious adverse consequences for a person's life.

D. Interference with Treatment

Concern over health care privacy can have adverse effects on the treatment process. It can create conflict-of-interest concerns for providers, who want to advocate for their patients, but know that if the patient does not authorize disclosure, the treatment may not be approved by the MCO, and the provider may not be paid. In one example, two psychiatrists in North Carolina refused to disclose medical records to Blue Cross Blue Shield when the patients had requested confidentiality. BCBSNC refused to compensate the providers for the care of these patients (Grinfeld, 2001). The conflict between provider and patient interests, and can harm the therapeutic relationship.

Knowing that confidentiality is not guaranteed can make individuals less likely to seek mental health treatment. In a 1998 study, participants who were informed that treatment information might have to be provided to an insurer in order to receive reimbursement reported less willingness to seek psychotherapy (Kremer and Gesten, 1998). Once in treatment, patients may undertake a variety of activities to protect their privacy which can sabotage their treatment, including regularly changing doctors to avoid having a record of all of their care with one provider, withholding information from their provider, or lying about their circumstances or symptoms (Goldman, 1998). The Louis Harris and Associates study found that seven percent of respondents had chosen not to seek care for fear of jeopardizing their career or other life opportunities (Louis Harris and Associates, 1993). These activities can result in patients receiving poor quality care, with potentially serious medical conditions going undiagnosed or untreated (Goldman, 1998).

Individuals who are especially concerned with the stigma of mental health treatment and the risks of disclosure may turn to other treatment methods that may have a different set of risks. Web sites offering counseling services online, in real time, are growing in popularity. The number of providers offering counseling through these sites is expected to grow from approximately 300 today to more than 5,000 by 2005 (Amig, 2001). Patients are attracted to receiving therapy in their own surroundings, with the anonymity that the Internet offers. However, the web sites can have their own security concerns. If a website does not accept health insurance, they may not be governed by the HHS privacy regulations, yet participants must provide their name, address and credit card number for billing purposes. Thus, the individuals, in an attempt to gain greater privacy, may be providing private companies with a great deal of personal information about themselves without considering that these firms may be more vulnerable to hackers or inappropriate disclosures than insurance companies governed by federal privacy regulations.

Suggested Proposals/Models

In an attempt to resolve the conflicts between the information needs of MCOs and the privacy needs of mental health and substance abuse patients, numerous stakeholders have developed recommendations defining which types of patient information should be shared with the MCO and guidelines for how MCO should handle the information once they receive it. Several providers have also developed models for alternative review systems that would minimize the amount of personal patient information that providers would need to share with MCOs. Details of these proposals are described below.

A. Models for Disclosure of Personal Health Information

Several managed care entities have developed models for determining what types of mental health information should be included in the medical record. The American Managed Behavioral Healthcare Association (AMBHA), an association that represents nine (including the largest) managed behavioral healthcare organizations has developed a set of guidelines; it recommends that the following mental health information be included: diagnosis, mental status, psychiatric history, treatment goals and objectives, progress, medications, types and frequencies of treatment, and summary and progress notes (AMBHA, 1999). However, AMBHA states that detailed psychotherapy notes should be separated from the general medical file. Patients should be required to sign a consent for health information to be disclosed to the MCO for purposes of treatment, payment and health care operations at the time of enrollment and periodically (i.e., every 12 months) thereafter; if the patient refuses to sign, he or she can be terminated from the health plan. Patients should have the right to inspect and copy their medical record, and to request corrections and amendments as necessary.

Harvard Pilgrim Health Care (HPHC), an MCO based in Boston, Massachusetts, has developed a new set of confidentiality policies after consulting with patient advocacy groups and conducting focus groups of HPHC members. Mental health treatment information that is included in the patient's medical record is limited to the date of the mental health visit, the name of the clinician, an encrypted diagnosis code, and current mental health medications (Simmons, 1997). This information can be segregated from the general health record upon the patient's request. Harvard Pilgrim strongly recommends that providers share with patients the necessity of sharing current medication information with other providers, to prevent adverse drug interactions, but if the patient refuses to have such information included in the general medical file, the information will not be released. Furthermore, detailed psychotherapy notes are to be separated from the rest of the mental health record.

Technical guidance made available by, the Substance Abuse and Mental Health Services Administration (SAMHSA) suggests that alcohol and drug treatment centers disclose to third party payers only the results of the initial evaluation and diagnosis, a summary of the treatment plan, the patient's attendance, progress and compliance, and the discharge plan (SAMHSA, 1996a).

B. Models for Handling of Personal Health Information by the MCO

In addition to concerns about the amount of sensitive information being shared with the MCO, many consumer advocates have expressed concern about the security of the information once it is in the possession of the managed care firm. Numerous advocacy groups have developed guidelines and recommendations to ensure that such personal information is restricted to those who have reason to access the information, and that it is not accessed by those outside the company without the client's consent.

Several organizations noted the importance of the MCO developing written confidentiality policies, stating the specific measures that would be undertaken to protect confidential patient information (NMHA, 1999, SAMHSA, 1996a). The Joint Commission on Healthcare Organizations (JCAHO) and the National Committee on Quality Assurance (NCQA), in their 1998 joint report on protecting patient privacy in a managed care setting, stressed the importance of designating and training staff who will be responsible for ensuring that the MCO's policies are being carried out (JCAHO & NCQA, 1998). According to these guidelines, the MCO should voluntarily conduct periodic audits to ensure that its confidentiality policies are being carried out appropriately (JCAHO& NCQA, 1998).

Several experts have recommended that, to the extent possible, the use of individually identifiable data should be replaced with aggregated data that doesn't identify a particular member. All entries into managed care data systems should be coded with a unique identifier number, which is not linked to the individual's name, address, or social security number (Davidson & Davidson, 1998). This unique identifier can be used in lieu of the person's name when communicating personal health information to limit exposure of the client's identity (SAMHSA, 1996b). MCOs using behavioral healthcare utilization information for activities such as provider monitoring and profiling can report the results in aggregated form, without revealing the identity of the patients whose records are being discussed (NMHA, 1999).

Just as all electronic medical records can be password protected, all paper files can be kept in a locked file or safe, with records only being available to staff with legitimate need to access them (Edwards, 1997). Data can be destroyed as soon as it is no longer needed. For example, payment data can be destroyed once the services in question have been completed and paid for (Davidson & Davidson, 1995).

MCO confidentiality policies can ensure that only staff members who have a specific need to access confidential information are able to do so. JCAHO and NCOA recommended that patient records should be password protected, and user access controls should be implemented so that staff can only view the level of data necessary to do their job (JCAHO & NCQA, 1998). For example, a claims specialist may be able to view the patient's diagnosis and the clinician's charge, but not see their medication history (Berman, 2001). In other cases, specific staff may be allowed to make changes or additions to certain parts of the file, but not others. Transaction logs can also be implemented to provide a record of who accessed confidential data and when the access occurred (JCAHO & NCQA, 1998). MCOs can maintain a detailed log of who made changes to the database and when the alterations took place (Edwards, 1997).

There are also a number of measures MCOs can undertake to prevent unauthorized access to records, from individuals inside and outside of the company. While we did not undertake a thorough study of this topic, we did uncover a number of commonly used technological measures that companies can use to protect their data from unauthorized users. Biometric scanning, including fingerprint or voiceprint, is available to ensure that the person accessing the data, and making changes to the data, is authorized to do so (Berman, 2001). Data can be encrypted and firewalls can be installed to prevent outside hackers from gaining access to confidential patient information (SAMHSA, 1996b). MCOs can implement up-to-date technologies to ensure the security of patient information when transferring data over the Internet and over internal computer networks, (Campbell, 1996).

Providers can help to protect their client's privacy when working with MCOs. Davidson & Davidson recommend that providers refuse MCO contracts that include non-disclosure clauses, which limit the providers' ability to discuss limitations imposed by MCOs and should refuse to comply with MCO requests when the requests clearly conflict with the patient's best interest (Davidson & Davidson, 1998).

Patient advocates believe that managed care clients should be fully informed of who has access to information about their mental health and substance abuse treatment and how this information will be used. The NMHA recommends that when consumers sign the consent authorization upon joining the health plan, the authorization should include detailed information about the plan's confidentiality policies, and how the data is protected (NMHA, 1999). Because consumers may not always anticipate their health care needs or recall signing the original consent form when they begin mental health or substance abuse treatment years after joining the health plan, MCOs should establish a mechanism for requiring updated consent forms whenever particularly sensitive diagnoses are entered into the database or when health care usage suddenly increases substantially (JCAHO & NCQA, 1998).

Advocates maintain that when clients' health information is shared with third parties, clients have the right to know what information was shared, who will have access to the data, how it will be stored and who is legally responsible for protecting the security of the information (Davidson & Davidson, 1995). Clients can be allowed to view the transaction logs so that they can identify specifically which staff have had access to their information (JCAHO & NCQA, 1998). Advocates argue that clients should be informed if the MCO is sold (Davidson & Davidson, 1998) or if their records are subpoenaed by county or government officials (SAMHSA 1996). JCAHO and NCOA state that MCOs must not sell personal health information collected from clients nor disclose any confidential data to third parties, such as employers, without the client's written consent (1998).

C. Models for Alternative Review Systems

In contrast to the previous models, which proposed ways MCOs might protect patient information after they collect it, several providers have put forward models for reforming the payment review system that would minimize the physician's obligation to disclose treatment information in order to receive payment.

Kevin Corcoran and William Winslade propose that the patient-therapist privilege, which currently protects the confidentiality of information disclosed by the patient in the course of treatment, be extended to include the managed care payer. The managed care plan would have access to patient data needed to authorize services, but would have the same ethical obligation as the provider to protect the data (Corcoran & Winslade, 1994). Whenever possible, the client, rather than the provider, should disclose the information to the managed care representative directly. The authors argue that this will help to create a stronger relationship between the client and the MCO, giving the client a greater understanding of why the payer needs certain information and how the information is to be used. This would also give the insurer a legal and ethical liability for maintaining client confidentiality.

The American Psychoanalytic Association, a membership organization of therapists conducting psychoanalysis, advocates for the adoption of a peer-review model for third-party reviews. In a peer-review model, when a payer requests an external review before paying a claim, the patient is referred to a second therapist who evaluates the patient and issues a recommendation as to whether continued treatment is justified or not (American Psychoanalytic Association, 1999). The reviewing clinician is under the same patient-therapist privilege as the treating therapist. In this model, the managed care company accepts the reviewer's assessment of whether or not to continue treatment, and no confidential patient information is disclosed to the insurer in order to secure payment.

Jay Pomerantz and colleagues (1998) designed a new behavioral health managed care system when their program was about to be carved-out to a managed behavioral health care organization. To prevent this, the mental health clinicians designed a new type of program to control behavioral health care costs that also resulted in less information being transferred to the third party insurer. Under this system, behavioral health clinicians have merged into Professional Affiliation Groups (PAGs), with a psychiatrist designated as the leader. While each clinician retains responsibility for his or her own patients, the head psychiatrist approves all inpatient stays and all outpatient treatment over six visits. In the event of a dispute between the head psychiatrist and the treating clinician, the case is reviewed by all clinicians in the PAG. Because level of care determinations are made within the PAG, all sensitive patient information is retained within the PAG, where all clinicians are held to the patient-therapist privilege. The only clinical information relayed to the managed care organization is the patient's diagnosis, date and type of session, short-term treatment goals, and Global Assessment of Functioning.

Conclusion

This literature review demonstrates that the need of patients for confidentiality of their personal health information conflicts with the need of managed care firms to ensure that the services they are paying for are appropriate. Although a few models and guidelines have been proposed to resolve these conflicts, there is a clear need for a stronger consensus on what health information is minimally necessary for payers to authorize treatment and otherwise manage care and how that information can best be handled to protect the privacy and dignity of mental health and substance abuse patients.

References

Acuff, Catherine, Patricia Bricklin, Samuel Knapp, Bruce Bennett, Mathilda Canter, Stanley Moldawsky, Randy Phelps. "Considerations for Ethical Practice in Managed Care" Professional Psychology: Research and Practice, vol. 30, no. 6, pp. 563-575, 1999.

American Health Line. "Privacy: Kids' Mental Health Records Posted Online" National Journal, November 8, 2001.

American Psychiatric Association. Summary of the Final Standards of Privacy for Individually Identifiable Health Information. Available at [www.psych.org]. Accessed October, 2001.

American Psychoanalytical Association."External Review of Psychoanalysis" American Psychoanalyst, vol. 34, no. 2, 1999.

American Managed Behavioral Healthcare Association (AMBHA). "Statement of Confidentiality" 2001.http://www.ambha.org/publicpolicy/confidentiality.htm.

Amig, Stacey. "HIPAA, Online Counseling Raise Serious Issues" Behavioral Health Management, May 1, 2001.

Anderson, David, Jeffrey Berlant, Donna Mauch and William Maloney. "Managed Behavioral Health Care Services" in The Managed Care Handbook, Kongstvedt (ed.) Gaithersburg, MD: Aspen Press, 1996.

Behavioral Health Services, Inc. "Outpatient Mental Health Request Form #X-13458" Obtained October 30, 2001.

Berman, William, "Confidentiality in Behavioral Health Care" The Echo Group, May 16, 2001,http://echoman.com/knowledgesource/confidentiality.htm .

California Health Care Foundation and Consumers Union. "Promoting Health Protecting Privacy: A Primer" January 1999.http://www.chcf.org.

Campbell, Leslie. "How Secure is the Internet for Healthcare Applications?" Radiology Management, vol. 18, no. 1, pp. 28-32, January-February, 1996.

Choy, Angela, Zoe Hudson, Joy Pritts, Janlori Goldman. Exposed Online: Why the New Federal Privacy Regulation Doesn't Offer Much Protection to Internet Users. Georgetown University Health Privacy Project, November 2001. Available at [ www.healthprivacy.org] . Accessed December 7, 2001.

Clifford, Ruth "Confidentiality of Records and Managed Care: Legal and Ethical Issues" California Coalition for Ethical Mental Health Care, April 3, 1999. http://www.ccemhc.org/confid.html .

Corcoran, Kevin, William Winslade "Eavesdropping on the 50-Minute Hour: Managed Mental Health Care and Confidentiality" Behavioral Health Sciences and the Law, vol. 12: 351-365, 1994.

Cuffel, Brian, Joyce McCulloch, Rebecca Wade, Lavina Tam, Regina Brown-Mitchell, William Goldman. "Patients' and Providers' Perceptions of Outpatient Treatment Termination in a Managed Behavioral Health Organization" Psychiatric Services, vol. 51, no. 4, pp. 469-473, April 2000.

Davidson, Jeannette and Tim Davidson. "Confidentiality and Managed Care: Ethical and Legal Concerns" in Humane Managed Care?, edited by Gerald Schamess and Anita Lightburn. Washington, DC: NASW Press, 1998.

Davidson, Tim and Jeannette Davidson. "Cost-Containment, Computers and Confidentiality" Clinical Social Work Journal, vol. 23, no. 4, pp. 453-464, Winter 1995.

District of Columbia Mental Health Act of 1978, §6-2017, available at [ www.psa-uny.org/jr/docs/dcmhact.htm ]. Accessed November 27, 2001.

Draper, Debra, Robert Hurley, Cara Lesser, Bradley Strunk. "The Changing Face of Managed Care" Health Affairs, vol. 21, no. 1, pp. 11-23, January-February, 2002.

Edwards, Berryman. "Managed Care and Confidentiality" April 4, 1997. http://www.behavenet.com/hbe/papers/mdcarcon497.htm .

Goldman, Janlori "Protecting Privacy to Improve Health Care" Health Affairs, vol. 17, no. 6, January/February 1998, 47-60.

Grinfeld, Michael Jonathan. "Patient Privacy Battle Hinges on Competing Interests" Psychiatric Times, vol. 14, no. 1, January 2001.

Hennessy, Kevin and Sharon Green-Hennessy. "An Economic and Clinical Rationale for Changing Utilization Review Practices for Outpatient Psychotherapy" Journal of Mental Health Administration, vol. 24, no. 3, pp. 340-349, Summer 1997.

Joint Commission on Accreditation of Health Care Organizations (JCAHO) and National Committee for Quality Assurance (NCQA). "Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment" November 10, 1998.http://www.jcaho.org .

Koike, Alan, Ruth Klap, Jurgen Unutzer. "Utilization Management in a Large Managed Behavioral Health Organization" Psychiatric Services, vol. 51, no. 5, pp. 621-626, May 2000.

Kongstvedt, Peter. The Managed Care Handbook, Gaithersburg, MD: Aspen Press, 1996.

Kremer, Thomas and Ellis Gesten. "Confidentiality Limits of Managed Care and Clients' Willingness to Self-Disclose" Professional Psychology: Research and Practice, vol. 29, no. 6, pp. 553-558, December 1998.

Koyanagi, Chris. "Medical Records Confidentiality in the Modern Delivery of Health Care." Testimony before the Subcommittee on Health and the Environment. U.S. House of Representatives, Committee on Commerce, Washington, DC, May 27, 1999.

Larsen, David. "Confidentiality and Privacy of Health Information" Testimony before the Subcommittee on Privacy and Confidentiality, National Committee on Vital Health Statistics, advisory panel to the Secretary of Health and Human Services, Washington, DC, February 3, 1997.

Lazarus, Jeremy and Steven Sharfstein. "Ethics in Managed Care" Psychiatric Clinics of North America, vol. 23, no. 2, pp. 269-284, June 2000.

Legal Action Center. "Confidentiality and Communication", New York: LAC, 2000.

Louis Harris and Associates. Health Care Information Privacy, New York: Harris, 1993.

Magellan Behavioral Health (a). "Policy and Standards" July 31, 2000.

Magellan Behavioral Health (b). "Magellan Behavioral Health Improves Treatment Request Process" Aug. 11,2000.http://www.magellanhealth.com/corporate/news_room/current_releases/pr_000811_01.htm.

Massachusetts Behavioral Health Partnership. Massachusetts Behavioral Health Partnership Provider Agreement, April 2001.

McDaniel, Charlotte and Judith Erlen. "Ethics and Mental Health Service Delivery Under Managed Care" Issues in Mental Health Nursing, vol. 17, pp. 11-20, 1996.

Meyeroff, Wendy and Richard Meyeroff. "Behavior's Problem" Healthcare Informatics, vol. 16, no. 3, pp. 59-61, 64-65, March 1999.

National Mental Health Association. "Best (& Worst) Practices in Private Sector Managed Mental Health Care Part II: Confidentiality" Washington, DC: July 1999.

New Jersey Permanent Statutes, 45:14B-32, 1985. Available at [ www.psa-uny.org/jr/docs/njstatute.htm ]. Accessed November 27, 2001.

Pomerantz, Jay. "Behavioral Health Matters - Is Confidentiality Still Protected Under Managed Behavioral Health Care?" Drug Benefit Trends, vol. 11, no. 2, pp. 56-57, 1999.

Pomerantz, Jay. "The Professional Affilation Group: A Case Study in Behavioral Health Management" in Humane Managed Care? Edited by Gerald Schamess and Anita Lightburn. Washington, DC: NASW Press, 1998.

Roback, Howard and Mary Shelton. "Effects of Confidentiality Limitations on the Psychotherapeutic Process" Journal of Psychotherapy Practice and Research, vol. 4, no. 3, pp. 185-193, Summer 1995.

Rodriguez, Alex. "Management of Quality, Utilization and Risk" in Managed Mental Health Care, edited by Judith Feldman and Richard Fitzpatrick. Washington, DC: American Psychiatric Press, 1992.

Rybowski, Lise. "Protecting the Confidentiality of Health Information" Washington, DC: July 1998. National Health Policy Forum, George Washington University.

Siegler, M. "Sounding Boards. Confidentiality in Medicine-a Decrepit Concept." New England Journal of Medicine. Vol. 307, pp. 1518-1521, 1982.

Simmons, Janice. "Who Needs to Know?" Healthplan, vol. 38, no. 4, pp. 56-60, July-August, 1997.

State of Massachusetts. "Section 11.20: Confidentiality" Contract Between State Of Massachusetts and Value Options, 2001.

Substance Abuse and Mental Health Services Administration (SAMHSA) "Checklist for Monitoring Alcohol and Other Drug Confidentiality Compliance Appendix B Managed Care and Client Confidentiality" Technical Assistance Series No. 18, 1996(a).http://www.treatment.org/taps/tap18/tap18appendxb.html .

Substance Abuse and Mental Health Services Administration (SAMHSA). "Contracting for Managed Substance Abuse and Mental Health Services: A Guide for Public Purchasers" Technical Assistance Series no. 22, 1996(b). http://www.treatment.org/taps/tap22/tap22toc.htm .

U.S. Department of Health and Human Services. Administrative Simplification. At [http://aspe.hhs.gov/admnsimp/Index.shtml] as of September 17, 2002.

U.S. Department of Health and Human Services. Mental Health: A Report of the Surgeon General. Rockville, MD: U.S. Department of Health and Human Services, Substance Abuse and Mental Health Services Administration, Center for Mental Health Services, National Institutes of Health, National Institute of Mental Health, 1999.

Appendix B: Maryland Uniform Treatment Plan Form

app_b_01

app_b_02

app_b_03

Appendix C: Magellan Treatment Request Form

app_c_01

Appendix D Summary of All Patient Health Information Requested in Outpatient Treatment Request Forms

Summary of All Patient Health Information Requested in Outpatient Treatment Request Forms

Summary of All Patient Health Information Requested in Outpatient Treatment Request Forms
  Categorical Narrative Both
Demographic/administrative information
Patient’s Name   11  
Patient’s Date of Birth   10  
Patient’s SSN   10  
Patient’s Age   2  
Patient’s Gender   2  
Marital Status 1    
# Dependents 1    
Occupation   2  
Primary Language   1  
Living Arrangements 1    
CYFD Custody (Y/N), Social Worker Name and Phone   1  
JPPO/APPO (Y/N), Probation Officer Name and Phone   1  
Guardian Name and Phone (Minor)   1  
Waiver Status (Enrolled/Waiting List), and Waiver Type 1    
Patient on Long or Short Term Disability 2    
Patient Receiving Worker’s Compensation 1    
Insured’s Name, Address, SSN, Employer   2  
Patient’s Relationship to Insured   2  
Initial Authorization or Continuing 6 1  
Treatment Start/End Dates   8  
Treatment Court Ordered? 1    
Practitioner’s Name, Address, Phone   11  
Practitioner’s ID number and/or License Number   10  
Patient History
Previous MH/SA Treatment? With Same Provider? 2 4 2
Overall efficacy of treatment to date   3 1
History of Substance Abuse 2 5 1
Medical History   3  
Allergies   1  
Diagnosis
DSM-IV Diagnosis 11    
Global Assessment of Functioning (GAF) 10    
Highest GAF in Past Year 8    
Lowest GAF in Past Year 1    
Expected GAF at Discharge 1    
Any Change in Initial Diagnosis 2    
Current/Presenting Problems
Symptoms      
Socially isolated 1    
Unstable/intense relationships 2    
Perfectionist/controlling/rigid 1    
Distrustful/suspicious 1    
Nonconforming to laws/norms 1    
Threatening 1    
Assaultive 1    
Tantrums 1    
Self-mutilating 2   1
Implusive 3   1
Oppositional/defiant 3   1
Work/school inhibition 1    
Agitation 1    
Motor retardation 1    
Hyperactive 3    
Mania     1
Disorganized 1    
Impaired attention/concentration 3   1
Memory impairment 3    
Concrete Thinking 1    
Disorientation to time, place, person or situation 1   1
Impaired judgment 3   1
Lack of insight 1   1
Circumstantiality/tangentiality 1    
Flight of ideas/racing thoughts 1   2
Distorted idiosyncratic thinking 2    
Depressed mood 4   1
Decreased energy 1   1
Withdrawn behavior     1
Dysphoric     1
Apathetic     1
Euthymic     1
Hostile     1
Fearful     1
Restricted     1
Tearfulness     2
Grief 1    
Elated mood 3    
Labile mood 1   2
Low self-esteem/excessive 1    
Hopelessness/Helplessness 2   1
Worthlessness 1   2
Guilt 1   1
Irritability/Inappropriate anger 3   2
Loss of interest/anhedonia 2    
Pain 1   1
Avoidant behavior 1    
Phobia 3   1
Obsessions/compulsions 4   2
Panic attacks 4   1
Somatization 4   1
Generalized anxiety 4   1
Separation anxiety 1    
Hallucinations 3   2
Delusions 3   2
Paranoia 3   1
Ideas of reference 1    
Flashbacks 1    
Depersonalization/dissociation 2   1
Concomitant Medical Condition 1   1
Emotional/Physical/Sexual trauma victim 2   1
Emotional/Physical/Sexual trauma perpetrator 1    
Appetite disturbance 2    
Bizarre behavior 1   1
Conduct problems 1    
Gender issues 1    
Bizarre ideation 1    
Independent living problems 1    
Poor self-care skills 1   1
Dementia     1
ADHD     1
Speech – slow, pressured, monotone, soft, loud, normal     1
Appearance – unkempt, disheveled, unclean, appropriate     1
Substance abuse
Current Substance Abuse 5 1 3
Type of Substance Being Used 1 2  
Continued substance use in spite of knowledge of effects 1    
Mood swings 2    
Inability to control/decrease substance use 2    
Persistent desire for substance/preoccupation 2    
Daily use/morning use/solitary use/secretive use 1    
IV use 1    
Medicinal use 1    
Rapid intake 1    
Excessive consumption/binge 1    
Tolerance of substance 2    
Protecting supply 1    
Passing out/blackouts 1    
Withdrawal 2    
Family history of addiction 1 2 1
Duration and Severity of Symptoms 6 1  
Risk Assessment
Suicide/Homicide 5   3
Family Violence     1
Self-Injury 1   2
Fire Setting     1
High Impulsivity/Aggression     1
Psychosis     1
Non-Compliance with Treatment     1
Lack of Social Support     1
Other Risk Behaviors   2 1
Psychological Testing   1  
Risk of Relapse   1  
Level of Functioning
Relationships – Marriage, Family, Friends 4 2 2
Job/School Performance 4 2 2
Hobbies/Interests/Activities 1    
Physical Health 4 1  
Financial 3    
Activities of Daily Living 2    
Eating Habits 2   1
Weight Loss/Gain and Current Weight 1 1 1
Sleeping Habits 4   1
Sexual Functioning 4   1
Legal Problems 2 1  
Psychiatric/Emotional Problems 1 1  
Behavioral Problems 1 1  
Cognitive Impairment 1 1  
Treatment Information
Requested Procedures/Types of Services 8 1 2
Dates of Treatment, Frequency and Duration 4 7  
Location of Treatment (Office, Clinic, School, Home) 1    
Treatment Approach 1    
Expected Treatment Outcomes/Goals 4 5  
Member Notified/Concurs With Goals? 5 1  
Progress in Treatment 2 3  
Obstacles to Progress   1  
Current Medications 2 8  
Medication Dosage/Frequency 1 7  
Side Effects 3   1
Prescribing Clinician’s Name   3  
Medication Start Date     1
Current Medication Compliance 3 3  
Medication Results in Improvement 1    
Communication with PCP 6 1  
Family/Guardian Involvement and Progress in Treatment 1 2  
Other Family Members in Treatment 1 1  
Patient Receiving Other Treatment or Community Services 4 3 2
Discharge Criteria   2  
Barriers to Discharge (Including Plans to Address)   2  
Living Situation After Discharge   1  
Aftercare Plan   1  
Support Group 1    

Appendix E: Personal Health Information Requested by MCOs and MBHOs

Patient Health Information Commonly Requested in Outpatient Treatment Request Forms, 
By Type of Response. MCOs Only - 
Total Examined – 4
Requested Information(1) Categorical Narrative Both
Demographic/Administrative Information
Patient’s Name   4  
Patient’s Date of Birth   4  
Patient’s Social Security/Insurance ID number   4  
Practitioner’s Name, Address, Phone   4  
Practitioner’s License and/or ID number   4  
Initial Authorization or Continuing 4    
Length of Treatment/Start and End Dates   2  
Diagnosis
DSM-IV Diagnosis Code 4    
Current Global Assessment of Functioning (GAF) 4    
Highest GAF in past year 3    
Patient History
Previous MH/SA Treatment 2 2 1
History of Substance Abuse   2  
Level of Functioning
Symptoms 1 1 2
Duration and Severity of Symptoms 2 1  
Risk Assessment Suicide/Homicide     2
Current Substance Abuse 1   2
Family/Social Relationships 1 1 1
Job/School Performance 1 1 1
Obsessions/Compulsions 1   1
Treatment Information      
Requested Procedures/Types of Services 3   1
Frequency/Duration of Treatment 2 2  
Expected Treatment Outcomes 1 3  
Member Notified/Concurs with Goals? 2 1  
Medications
Current Medications 1 3  
Dosage/Frequency   3  
Compliance 1 1  
Care Coordination
Communication with PCP 3    
Patient Receiving Other Community Services   3  
Patient Health Information Commonly Requested in Outpatient Treatment Request Forms, 
By Type of Response MBHOs Only -
Total Examined – 7
Requested Information(2) Categorical Narrative Both
Demographic/Administrative Information
Patient’s Name   7  
Patient’s Date of Birth   6  
Patient’s Social Security/Insurance ID number   6  
Practitioner’s Name, Address, Phone   7  
Practitioner’s License and/or ID number   6  
Initial Authorization or Continuing 2 1  
Length of Treatment/Start and End Dates   6  
Diagnosis
DSM-IV Diagnosis Code 7    
Current Global Assessment of Functioning (GAF) 6    
Highest GAF in past year 5    
Patient History
Previous MH/SA Treatment   2 1
History of Substance Abuse 2 3 1
Presenting Problems
Symptoms 5 1 1
Duration and Severity of Symptoms 4    
Risk Assessment Suicide/Homicide 5   1
Current Substance Abuse 4 1 1
Family/Social Relationships 3 1 1
Job/School Performance 3 1 1
Obsessions/Compulsions 3   1
Treatment Information
Requested Procedures/Types of Services 5 1 1
Frequency/Duration of Treatment 2 5  
Expected Treatment Outcomes 3 2  
Member Notified/Concurs with Goals? 3    
Medications
Current Medications 1 5  
Dosage/Frequency 1 4  
Compliance 2 2  
Care Coordination
Communication with PCP 3 1  
Patient Receiving Other Community Services 3 2  

(1) Elements were included in table if they were listed in six of the eleven examples studied.
(2) Elements were included in table if they were listed in six of the eleven examples studied.

Appendix F: Personal Health Information Requested by Local and National MCOS

Patient Health Information
Commonly Requested in Outpatient Treatment Request Forms, 
By Type of Response Local Managed Care Firms Only -
Total Examined – 6
Requested Information(1) Categorical Narrative Both
Demographic/Administrative Information
Patient’s Name   6  
Patient’s Date of Birth   6  
Patient’s Social Security/Insurance ID number   6  
Practitioner’s Name, Address, Phone   6  
Practitioner’s License and/or ID number   6  
Initial Authorization or Continuing 5    
Length of Treatment/Start and End Dates   4  
Diagnosis
DSM-IV Diagnosis Code 6    
Current Global Assessment of Functioning (GAF) 5    
Highest GAF in past year 4    
Patient History
Previous MH/SA Treatment 1 3 1
History of Substance Abuse   3 1
Presenting Problems
Symptoms 3 1 2
Duration and Severity of Symptoms 2    
Risk Assessment Suicide/Homicide 1   2
Current Substance Abuse 2 1 2
Family/Social Relationships 2 1 1
Job/School Performance 2 1 1
Obsessions/Compulsions 1   2
Treatment Information
Requested Procedures/Types of Services 4   2
Frequency/Duration of Treatment 1 5  
Expected Treatment Outcomes 2 3  
Member Notified/Concurs with Goals? 3 1  
Medications
Current Medications   5  
Dosage/Frequency   3  
Compliance 1 1  
Care Coordination
Communication with PCP 4    
Patient Receiving Other Community Services 2 2 2
Patient Health Information Commonly Requested in Outpatient Treatment Request Forms,
By Type of Response National Managed Care Firms Only -
Total Examined – 5
Requested Information(2) Categorical Narrative Both
Demographic/Administrative Information      
Patient’s Name   5  
Patient’s Date of Birth   4  
Patient’s Social Security/Insurance ID number   4  
Practitioner’s Name, Address, Phone   5  
Practitioner’s License and/or ID number   4  
Initial Authorization or Continuing 1 1  
Length of Treatment/Start and End Dates   4  
Diagnosis
DSM-IV Diagnosis Code 5    
Current Global Assessment of Functioning (GAF) 5    
Highest GAF in past year 4    
Patient History
Previous MH/SA Treatment 1 1 1
History of Substance Abuse 2 2  
Presenting Problems
Symptoms 4 1  
Duration and Severity of Symptoms 4 1  
Risk Assessment Suicide/Homicide 4   1
Current Substance Abuse 3   1
Family/Social Relationships 2 1 1
Job/School Performance 2 1 1
Obsessions/Compulsions 3    
Treatment Information
Requested Procedures/Types of Services 4 1  
Frequency/Duration of Treatment 3 2  
Expected Treatment Outcomes 2 2  
Member Notified/Concurs with Goals? 2    
Medications
Current Medications 2 3  
Dosage/Frequency 1 4  
Compliance 2 2  
Care Coordination
Communication with PCP 2 1  
Patient Receiving Other Community Services 2 1  

(1) Elements were included in table if they were listed in six of the eleven examples studied. 
(2) Elements were included in table if they were listed in six of the eleven examples studied.

Appendix G: American Psychiatric Association Minimum Necessary Guidelines for Third Party Payers for Psychiatric Treatment

The following American Psychiatric Association position statement has been developed in response to the HHS final Privacy Rule's provision that health-care "providers" (health-care professionals and facilities) disclose only the "minimum necessary" information for a given purpose. The Final Rule clarifies that "providers" may make their own determination about what is the "minimum necessary" information for a specific purpose, and also invites "professional organizations, working with their members, to assess the effects of the standards and develop policies and procedures to come into compliance with them." (p. 82472) The Rule also states that this standard is "intended to reflect and be consistent with, not override, professional judgment and standards." (p 82544)

The following guidelines are based on the cumulative professional experience of APA members with respect to current practice and the necessity of privacy for effective psychiatric care. These guidelines are based on the principle that standards for "minimum necessary" disclosure of psychiatric information to third-party payers should not exceed standards generally accepted in other medical specialties.

These guidelines address the specific delimited set of information that is necessary to process a typical claim, and therefore constitutes the minimum necessary information that may be disclosed to third party payers under the HHS Privacy Rule.

This is not a policy position about how much/what information should be documented in the record about mental-health treatment and psychotherapy. Documentation guidelines, consistent with the HHS Privacy Rule, regarding general mental-health treatment records and psychotherapy notes will be addressed in a separate document. Material in psychotherapy notes, as defined in the HIPAA Privacy Rule, is not disclosed to third-party payers.

The purpose of this document is to specify the particular items of information that the APA believes fall within the "minimum necessary" criteria for routine processing of typical insurance claims for psychiatric treatment. Psychiatrists should also familiarize themselves with applicable state statutes, which may impose additional and/or different requirements with regard to the protection of confidentiality and privacy.

The APA's guidelines for "minimum necessary" are in three parts:

1. outpatient treatment that has been authorized for payment,

2. outpatient treatment requiring pre-authorization, and

3. inpatient treatment.

#1: Outpatient treatment that has been pre-authorized for payment (including sessions that do not require any pre-authorization by payer).

The first part of the "minimum necessary" guidelines for third-party payers, which follows below, concerns outpatient treatment that has been pre-authorized for payment or outpatient treatment that is not subject to pre-authorization.

Minimum necessary information:

The following information is deemed the "minimum necessary" information that is needed by, and may therefore be disclosed to, third party payers in order for them to process a routine claim for outpatient psychiatric services that are not subject to additional pre-authorization. The guideline is based on the current HCFA 1500 claim form (attached) and the protocol for disclosures to third party payers mandated in the Washington DC and New Jersey third-party mental-health privacy statutes (attached). These statutes place explicit limits on disclosure to payers of information related to mental health treatment. The restriction on disclosure to payers in these statutes has been endorsed by the U.S. Surgeon General in his Report on Mental Health (December 1999, Chapter 7).

Patient's name, address, date of birth, insurance information/ID number.

Patient's diagnosis by DSM or ICD code

Date(s), type and location of service

Procedure code - CPT code

Charges

Clinician's name, ID number (i.e. SSN or EIN, and/or clinician's provider number)

Clinician's address

If a payer cannot make a determination based on the above information, it may then request the provider to disclose additional information, limited to the following:

Patient's status (i.e. voluntary, involuntary,

Functional status (impairment described as none, mild, moderate or severe)

Level of distress (described as none, mild, moderate or severe)

Prognosis - the estimated minimum duration of the treatment for which the claim has been submitted.

#2: Outpatient treatment that requires authorization for payment.

The second part of the "minimum necessary" guidelines for third-party payers, which follows below, concerns outpatient treatment that requires authorization for payment of outpatient treatment. This includes prospective or retrospective reviews for this purpose.

Minimum necessary information:

The following information is deemed the "minimum necessary" information that is needed by, and may therefore be disclosed to, third party payers in order for them to authorize payment for outpatient psychiatric services. The guideline is based on the HCFA 1500 Claim Form, the Washington DC and NJ peer review laws, and page 1 of the APA Outpatient Treatment Report Form (12/98, attached). Consistent with the Rule's "minimum necessary" provision, clinical information disclosed to payers for pre-authorization purposes will be used/disclosed by only those individuals who perform the review. The only information disclosed to payers' administrative personnel should be administrative billing information on the HCFA 1500 claim form.

Administrative billing information:

Patient's name, address, date of birth, insurance information/ID number.

Clinician's name, ID number (i.e. SSN or EIN, and/or clinician's provider number) and address

Patient's diagnosis by DSM or ICD code - Axis I or "v" code; Axis II or III if relevant

Date(s), type and location of service - current and planned

Procedure code-CPT code

Charges

Clinical information for authorization of benefits:

Treatment planned - CPT code(s), including recommended/expected frequency

Currently on psychiatric medications? Y/N

Patient's status (i.e. voluntary, involuntary)

Functional status (impairment: none, mild, moderate or severe) or Axis V (GAF)

Current

Highest in past year

Estimated GAF at treatment's completion (would address treatment goal)

Level of distress (none, mild, moderate or severe) or Axis IV rating

Prognosis - the estimated minimum duration of the treatment for which authorization is sought

#3: Minimum necessary information for inpatient psychiatric treatment.

The third part of the "minimum necessary" guidelines for third-party payers, which follows below, concerns inpatient treatment that requires authorization for payment.

Minimum necessary information:

The following information is deemed the "minimum necessary" information that is needed by, and may therefore be disclosed to, third party payers in order for them to authorize payment for inpatient psychiatric services. Consistent with the Rule's "minimum necessary" provision, clinical information disclosed to payers for pre-authorization purposes will be used/disclosed by only those individuals who perform the review. The only information disclosed to payers' administrative personnel should be administrative billing information on the HCFA 1500 claim form.

Administrative Billing Information

Patient's name, address, date of birth, insurance information/ID number.

Patient's diagnosis by DSM or ICD code - Axis I or "v" code; Axis II or III if relevant

Clinician's name, ID number (i.e. SSN or EIN, and/or provider number) and address

Date(s), type and location of service - current and planned

Procedure code - E&M code(s) or (CPT code for ECT)

Charges

Clinical Information for Review

Patient's status (i.e. voluntary, involuntary)

Functional status (impairment: none, mild, moderate or severe) or Axis V:

Current

Highest in past year

Estimated GAF at discharge

Level of distress (none, mild, moderate or severe) or Axis IV:

Current Risk Factors

At risk for harm to self Y/N

At risk for harm to others Y/N

Currently on psychiatric medications Y/N

At risk for medical complications Y/N

Other--specify

Treatment planned: E&M code(s) or (CPT code for ECT), including recommended/expected frequency and duration

Response to treatment, patient's progress, or revision in treatment plan (for authorization of additional treatment). Describe briefly:

Inpatient treatment goal(s)

Prognosis - the estimated minimum duration of inpatient treatment for which authorization is sought

Procedure for requesting additional information:

The preceding guidelines should be sufficient in providing the necessary information to the insurer in almost every case for the purposes previously described. In rare cases, following disclosure of the above information, if the third-party payer 1) questions the patient's entitlement to benefits, or the amount of payment requested, or 2) has reasonable cause to believe the treatment in question may be neither usual, customary or reasonable, the APA recommends the following procedure:

The disputed question/issue should be referred for an independent review by a qualified psychiatrist who is independent of the insurer, whose cost will be borne by the insurer. This reviewer will be given access to the clinical information necessary for the review. However, only the reviewer's determination, (and no additional clinical information) shall be disclosed by the treating psychiatrist or the reviewer to the insurer for this purpose. Current privacy statutes in New Jersey and the District of Columbia provide a long-standing, workable model for such a procedure.

Attachments:

HCFA 1500 claim form

Washington DC and New Jersey statutes

Outpatient Treatment Report Form, page 1 - APA (12/98)

References:

Hennessy & Hennessy, An Economic and clinical rationale for changing utilization review practices for outpatient psychotherapy. ISSN:0092-8623;v24(3), 340)

The Surgeon General's Report on Mental Health (Chapter 7) December 1999

Washington DC and New Jersey Mental-Health privacy statutes