The general trend in the managed care industry towards collecting less data to manage mental health and substance abuse outpatient services may mean that, absent any action, health plans that still collect very detailed personal health information will eventually begin to collect less information. Furthermore, the consumer advocates and managed care groups in our study did not view the issue of how much information is shared by providers with payers as a high priority item at the time of our study.
However, the APA’s release of its Minimum Necessary Guidelines for Third-Party Payers in December 2001 shows that the issue remains a significant concern for providers. Also, the absence of a national standard for what constitutes the “minimum necessary” information that providers should be sharing with MCOs has resulted in very different privacy protections for consumers depending on their health plan. In addition, our interviews with providers suggest that clinicians vary widely in how specific they are with their patients about what information is transferred to MCOs. This variation exists because from a legal perspective, many mental health providers rely on a general patient consent as a basis for transferring personal health information to a payer for purposes of payment and health plan operations.
We are left with a somewhat troubling picture in which many consumers receiving mental health services are consenting to the transfer of personal health information only in general terms and perhaps months prior to these services and before the record even exists. At the same time, health plans that work toward similar care management goals request vastly different amounts of personal health information. This picture seems inconsistent with the HIPAA emphasis on ensuring consumer awareness of and control over the flow of personal health information. We are not aware of any legal action to date that has challenged either the current practices surrounding informed consent or the appropriateness of MCOs’ information requirements. However, it seems to us that such legal challenges could arise if no action is taken to better standardize or limit personal health information collection for managed care.