[Main Page of Report | Contents of Report]


Confidentiality is a key element of mental health and substance abuse treatment.  In the course of therapy, clients reveal personal, highly sensitive information that they may not reveal to anyone else.  Clients trust that this information will be kept confidential by the clinician/therapist.  In affirming what is known as psychotherapist-patient privilege, the United States Supreme Court (Jaffe v. Redmond, 518 U.S.1 (1996)), stated not only that it is in the public interest to allow patients to access effective mental health and substance abuse treatment but also that effective psychotherapydepends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears.  In the absence of this assurance of confidentiality, many individuals with mental and emotional disorders might refuse or fail to seek treatment, going without needed services.

As the payer for this treatment, however, a third-party insurer, such as a managed care organization (MCO) or insurance company, has a right to know what the services are for which payment is being requested and whether the treatment is appropriate.  Before paying the claim, therefore, the payer requests some personal health information, such as the patient's presenting problem, health status, and/or treatment planned or received.  The amount of personal health information required to pay claims varies by payer; some require only basic information, such as the patient's diagnosis and services received, while others require more detailed information on the patient's symptoms and specific treatment goals and outcomes.  The dual, but opposing, needs for confidentiality and disclosure have created tension between providers and payers of services. 

In this report, we begin in this chapter by explaining the "minimum necessary principle" that is the topic of the study, and reviewing the purpose of the study, the relationship between managed care and privacy, the legal and regulatory context for the transfer of patient information, and the study methodology.  The chapters that follow discuss current practices of MCOs in the collection of patient health information, including why the information is collected and what information is commonly sought, variation among plans in these two areas, and the methods for collecting information.  Also discussed are stakeholder views on the information collected and models that have been proposed for standardizing and minimizing the information routinely shared with third-party payers.  The paper concludes with some possible “next steps” to encourage more privacy-sensitive approaches to health plans’ requests for personal health information.

A. The "Minimum Necessary" Principle

The Standards for Privacy of Individually Identifiable Health information (45 CFR parts 160 and 164), published by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (PL 104-191), state that entities subject to the regulation (including MCOs) “must…limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made,” (§ 164.514(d)(4)).  This language reflects both the need to accommodate the range of MCO payment and operational activities and the lack of consensus and models on which to base more specific language and the absence of policymaker consensus as to how to resolve the tradeoff between meeting this need and the patient need for confidentiality.  By itself, therefore, the new requirement is unlikely to resolve the continuing tension between providers and managed care firms regarding how much information to make available to MCOs or other third parties.

B. Purpose of the study

DHHS contracted with Mathematica Policy Research to provide information to assist the managed care and treatment communities in respecting the privacy of patients while addressing the care management needs of MCOs.  Toward this end, this report does not propose a minimum set of information that should be shared but describes (1) how patient health information is typically transferred from mental health and substance abuse providers to managed care payers and (2) what personal health information key stakeholders—including providers, consumer advocates, and managed care organizations—consider to be minimally necessary. In addition, the report identifies models of privacy-sensitive approaches to sharing personal health information.

C. Privacy Issues under Managed Care

Third-party requests for information on mental health treatment before paying for services is not a recent phenomenon.  Even under fee-for-service arrangements, insurers generally required mental health providers to disclose the patient’s diagnosis, and sometimes the treatment plan, before reimbursing for these services (Acuff et al. 1999).  However, as mental health and substance abuse treatment costs outpaced even the rising costs of care in general in the 1980s, the pressure to move to a managed care system mounted significantly.  In this new approach to cost containment, MCOs would play a more active role in monitoring and overseeing the delivery of care in order to minimize abuses and attempt to ensure that care was provided in a cost-effective manner. 

Before paying for services, MCOs must ensure that the enrollee is eligible for benefits, that the clinician is an authorized provider, and that services paid for actually took place. MCOs therefore require the enrollee’s identification number, the diagnosis, a description of the services performed and dates of service, the name of the provider, and the amount of charges.  MCOs may also need information to satisfy specific conditions of coverage; for example, if benefits are limited to a certain number of visits each year, the plan will need to know how many times the patient has been seen to date. 

In addition to paying for services, MCOs undertake a variety of other activities that depend on having health information about enrollees receiving treatment.  These activities, described below along with the patient information required for each, include utilization management, quality management, and other care management: 

most appropriate level of care, coordinate care between providers, refer the patient to other community services, and may serve as a contact person for patients between visits to a provider (Kongstvedt 1996).  Such care managers may use detailed information on the patient’s diagnosis and treatment.

Although MCOs vary widely in the extent to which they perform these functions and in their reasons for collecting patient health information, all of the MCOs we spoke with said that they reserve the right to view the full medical record of any member at any time.  Therefore, all mental health and substance abuse treatment information is potentially available to the MCO.

D. Legal and regulatory context

The federal government has established several laws and regulations intended to protect the privacy of health care information.  The best-known are the privacy regulations, mentioned earlier and established by the Secretary of Health and Human Services in 2000 pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA; PL 104-191).  Except when a patient signs an authorization for a non-routine disclosure of patient health information, the regulations require that “covered entities must…limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made,” (§ 164.514(d)(4)), although what constitutes minimum necessary information is not further clarified. 

     There are also special federal protections for substance abuse records. Specifically, medical records of patients in Federally assisted substance abuse treatment programs are subject to a Federal law restricting their use and disclosure (Public Health Service Act §543, 42 U.S.C. 290dd-2; regulation at 42 CFR part 2). Information may only be disclosed to third party payers if the patient signs an authorization. The regulation requires certain elements to be included in the authorization, including:

1. The specific name or the general description of the program or person permitted to make the disclosure;

2. The name or title of the individual or the name of the organization to which the disclosure is to be made;

3. The name of the patient;

4. The purpose of the disclosure;

5. How much and what kind of information is to be disclosed;

6. The signature of the patient and, when required for a patient who is a minor, the signature of a person authorized to give consent…or, when required for a person who is incompetent or deceased, the signature of a person authorized to sign…in lieu of the patient;

7. The date on which the consent is signed;

8. A statement that the consent is subject to revocation at any time except to the extent that the program or person which is to make the disclosure has already acted in reliance on it; and

9. The date, event or condition upon which the consent will expire if not revoked before…(§ 2.31).

Despite the additional confidentiality requirements for substance abuse records, the substance abuse provisions do not restrict information shared with payers for purposes of payment, assuming an authorization has been signed. However, a study by the National Mental Health Association (NMHA 1999) of MCO confidentiality practices found that only a minority of MCOs studied described these requirements in their internal policies and offered guidance on executing them.

State privacy laws vary considerably, with some states offering significantly greater protections than what is required by federal law.  A review of state privacy laws was beyond the scope of our project, but many respondents pointed us to the laws of the state of New Jersey and the District of Columbia, which have the most stringent laws protecting the confidentiality of mental health and substance abuse information.  According to these laws, information that can be disclosed to third parties is limited to administrative and diagnostic information, patient status (such as voluntary or involuntary), the reason for admission or continuing treatment, and the estimated duration of treatment.  In the event of a dispute between a provider and payer over the course of treatment, the third-party payer in the District of Columbia may request that another mental health professional review the record and make a determination as to the appropriate level of care (§6-2017; District of Columbia 1978).  In New Jersey, the insurer may request the review from an independent review committee (§45:14B-32; New Jersey 1985).  However, in 1991, the New Jersey courts ruled that ERISA-exempt firms (which self-insure) are also exempt from these requirements.  Since the majority of employers in New Jersey self-insure, this law does not cover most individuals with employer-sponsored insurance, and the appeals process has not been used in years.

Other states also have laws that affect what information can be shared with third-party payers.  Maryland passed a law, effective October 2000, which states that payers can request only the behavioral health information contained in a standard form developed by the State Department of Health and Mental Hygiene in consultation with key stakeholders.  Payers cannot to request additional information, although patients may choose to release information during appeals.  As in New Jersey, firms that self-insure are also exempt from these requirements.  However, according to a representative of the Maryland Psychological Association, most firms with ERISA-exempt plans use the Maryland form for simplicity.  In addition to the laws in Maryland, New Jersey, and the District of Columbia, which specifically protect mental health and substance abuse treatment information, laws in many other states have implications for the privacy of mental health and substance abuse records, including “anti-discrimination laws, adoption, foster care, mental health treatment, reproductive health, parental involvement, partner notification, and abuse and neglect” (Koyanagi 1999).

E. Methodology

The study methodology consisted of telephone interviews with a wide range of stakeholders and a comprehensive literature review.  The interviews, held with consumer advocates, health care providers and provider associations, managed care firms, and a few experts in the field, were conducted from October 2001 through May 2002 and generally lasted about 30 minutes.  Respondents were asked about the current practice of information sharing between providers and payers, why the information is collected, how it is used, and their views on what information should be shared.  Respondents were also asked to identify any models for privacy-sensitive approaches to managing care.  We also asked providers and managed care firms if they could provide us with copies of forms and telephone protocols used in utilization management and if they could provide us with the contract language that authorizes them to access patient charts for audits and quality management.  Table I.1 lists the number of respondents by type.

The comprehensive literature review (see Appendix A) was designed to document relevant information from the past five years on how managed care payers collect personal health information about consumers of mental health and substance abuse services.  Our objective was to develop an understanding of why managed care firms collect personal health information, what types of information are collected, what problems or concerns have been raised by stakeholders, and what models and solutions have been proposed by experts in the field.

We found a great deal of information on why managed care firms collect personal health information and the different ways in which they use this information.  We also found a great deal of information on the problems that have been encountered, particularly provider and patient reluctance to share information disclosed in a privileged therapist-patient relationship.  We found relatively little literature on the specific information typically requested by managed care firms in order to authorize services.  In searching for solutions and models, we found a few sources that made specific recommendations as to what information should be disclosed to the managed care firm, but the prevailing documentation involved recommendations by experts on how to maintain the confidentiality of sensitive information once it is in the possession of an MCO.  The next chapter more fully explores current practices of MCOs in the collection of patient health information.

Table I.1
Interview Participants, by Type
Type of Respondent Number
Mental health/substance abuse providersa 12
Provider associations 7
Managed care organizations
Managed behavioral health organizations (MBHOs) 3
Health maintenance organizations (HMOs) 2
Mental health consumer advocates 4
Substance abuse consumer advocates 2
Federal/state government 2
Experts in the field
Providers 2
Advocates 1

Note: At the outset of the study, we planned to conduct interviews with managed care associations and accrediting organizations. When we contacted these organizations, they did not have staff who were knowledgeable and able to discuss these issues, so we substituted additional interviews with MCOs and providers.

aMost respondents at provider associations were also providers themselves, so these are reflected in both categories