Skip to main content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.


The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Privacy Issues in Mental Health and Substance Abuse Treatment: Information Sharing Between Providers and Managed Care Organizations: Final Report

Publication Date

Effective psychotherapydepends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears.
Jaffe vs. Redmond, US Supreme Court, 1996

Confidentiality is a key element of mental health and substance abuse treatment.  In the absence of assured confidentiality, many patients with mental disorders or substance abuse problems might refuse or fail to seek treatment.  As the payers of treatment, however, managed care organizations (MCOs) and insurance companies need to know the services for which payment is being requested and whether the treatment is appropriate.  The dual, but opposing, needs for confidentiality and disclosure have created tension between providers and payers of services.  MCOs are the greatest source of tension for providers because, compared with other insurers, they tend to collect more personal health information on a routine basis in their effort to control costs and protect quality.

This report clarifies the sources of the tension between providers and payers with regard to what personal information should be shared for patients receiving mental health or substance abuse treatment.  It also provides information to support a more consistent application of privacy-sensitive approaches to collecting personal health information in the future.  It does not attempt to resolve the tension between providers and payers or specify what information should be shared.  The report was developed by researchers at Mathematica Policy Research (MPR) under a contract with the Department of Health and Human Services, Office of the Assistant Secretary for Planning and Evaluation (HHS-OASPE).  The study on which the report is based was conducted during the period September 2001October 2002.  It included a comprehensive literature review (see Appendix A) and discussions with 32 individuals in the mental health and substance abuse fields.  Those interviewed included clinicians, patient advocates, experts on privacy issues, and representatives of provider associations, managed care trade associations, managed behavioral health organizations, and HMOs.


Information Currently Collected by MCOs

 MCOs collect personal information about enrollees receiving mental health and substance abuse services for several reasons.  Information is collected to support utilization review.  In this review, the MCO determines the medical necessity of the request for services and approves the appropriate level of care.  Often utilization review is the driver of requests for personal health information, but the information is also used for quality management.  MCOs access medical records during audits, to ensure providers are actually performing the services for which they are billing.  They also request full medical records to investigate specific quality-of-care concerns, and to respond to patient and clinician appeals for reconsideration of an MCO decision to deny care.

Outpatient Treatment Authorizations.  We found wide variation in the information collected by MCOs for authorizing outpatient treatment, although there are some common elements.  To analyze this issue, we collected and reviewed 11 forms used by a varied group of MCOs ranging from large national managed behavioral health companies to commercial HMOs to MCOs that primarily serve the Medicaid population.  All 11 forms collect administrative data, including the patients name, date of birth, social security or insurance identification number, and identifying information for the practitioner.  Other elements common to most of the forms include:

· A coded diagnosis including a number, known as the Global Assessment of Functioning score, that represents the functional level of the patient

· Treatment information, including the requested procedures or types of services, the frequency and duration of treatment, and expected outcomes

· The patients current medications and compliance with the regimen

· Information about the practitioners coordination with the primary care provider and about the patients involvement in other community services

Elements that vary widely across the forms include patient history, symptoms or presenting problems, and the level of risk of harm to self or others.  The questions on these topics vary in nature and in terms of whether they require an open-ended versus a closed-ended response (i.e., narrative versus check-box-type response).

In some cases, information about clients beyond what is provided on the forms is shared by clinicians over the telephone when MCO staff call to seek clarification on the forms submitted by the clinician.  We were not able to obtain information on how often such clarification is needed, although one MCO noted that it hopes in the future to follow up on no more than 10 to 15 percent of cases.

Inpatient Authorizations.  While we did not review the process for inpatient authorizations in depth, respondents described them as much more intrusive, probably reflecting the fact that most of the costs in behavioral health are incurred on the inpatient side.  The process for authorizing inpatient treatment varies considerably from plan to plan but, in general, consists of telephone discussions between hospital staff and MCO case managers.  Reviews of treatment requests occur frequently, sometimes every day or every couple of days.  The questions asked by MCO case managers are usually open ended and may be tailored to the specifics of the case. 

Appeals and Audits.  MCOs also collect information on patients who are appealing a denial of treatment if the request for reconsideration was not able to be resolved through a telephone call between the clinician and the reviewing MCO doctor.  In this case, the plan often reviews the full medical record of the patient.  Such full-scale appeals are rare for outpatient cases, we were told, but somewhat more common (e.g., one to five percent of cases) for inpatient cases where more money is at stake.  Appeals are obviously voluntary, so before a patient initiates an appeal, he or she, along with the clinician, has presumably weighed the need to reveal a great deal of personal information against the desire to persuade the MCO that it incorrectly denied a service.

MCOs also review full medical records as part of routine and nonroutine audits.  The typical purpose of an audit is to ensure that clinicians are actually performing the services for which they are billing.  MCOs also occasionally request a medical record because of a quality-of-care concern, whether expressed by patients, other providers, or other sources.

MCO requests for complete medical records can be problematic from a privacy perspective because many therapists do not, we were told, separate their notes from the general medical record.  These notes reflect the therapists thoughts and opinions during treatment and may also contain information on patients family members who may not have agreed to have their information disclosed to the therapist, let alone the MCO.

Views of Providers, Consumer Advocates, and Managed Care Organizations on What Information Is Minimally Necessary for Managing Care

 The provider association representatives, clinicians, and consumer advocates we interviewed agreed that many MCOs request more personal health information than they need to manage care.  There was less than full agreement, however, on just how much information MCOs do need.

Administrative Data Should Suffice for Most Cases.  One view is that for routine cases requiring outpatient treatment, health plans should not need more than the basic administrative data that was required in fee-for-service medicine, such as patient and clinical identification information; procedure code; charges; and dates, type, and location of service. 

Some Additional Summary Information Is Justified.  Many respondents, including clinicians and patient advocates in the mental health and substance abuse fields, believe that it is acceptable for managed care plans to routinely collect additional summary information.  Some noted that an MCOs ability to hold providers accountable both financially and from a quality perspective is an advantage for consumers.

The specific types of information mentioned by respondents as acceptable vary.  Some believe that it is reasonable for payers to request and for providers to share summary information about the problem, goals, treatment plan, and progress.  Another respondent (a provider) believes it is acceptable to share with MCOs the same items typically required in indemnity insurance.  In her experience, these items include a summary of a few lines to describe a patients condition, history, and prognosis; something about the initial contact with the patient; whether the provider previously treated the patient; whether the client is on medication; how often the provider sees the patient; and what the provider recommends (for example, continuing treatment twice a month for three months).  Finally, an expert from the advocacy community would not comment on what information is acceptable but said that the test should be whether MCOs require similar information to pre-approve physical health services.

Controversial Items.  Most of the respondents who believe that some sharing with MCOs beyond basic administrative information is acceptable nevertheless feel that many MCOs request more information than they need.  Certain items in particular are viewed as troublesome:

· Past Substance Abuse.  Some providers object to the routine inclusion of information on patients past substance abuse.  Successful treatment for a substance disorder in the past may have no bearing on a current request for mental health treatment, we were told.

· Physical and Sexual Abuse.  Many providers strongly object to providing information about sexual abuse in particular not only because of its extreme sensitivity but also because they feel it is not relevant to approving treatment. 

· Medications.  Providers also disagreed with MCO requests both for medication history and for the specific names of medications that have been prescribed.  One provider objects mainly to requests for an extensive history, which is viewed as irrelevant.  Others believe that information on medications is used by the MCOs to try to second-guess clinical judgment, a goal that they think is unwise and/or impossible.  However, one MCO representative commented, Youd be shocked at how often the wrong medicine is prescribed.  A person with depression should be prescribed an anti-depressant, but I have seen patients on anti-anxiety medications and anti-manic medications.

· Risk of Suicide.  A few providers stated that they believe that occasional wishes to die are common among most people and that this information may have nothing to do with the treatment.  In other words, if the risk of suicide is low, it may not be necessary to share the information with third parties.  One provider suggested that plans might instead ask if the provider has assessed the risk of suicide as moderate or higher, thereby informing insurers as to some patients risk of suicide without stigmatizing persons with a low risk of suicide.

Existing Privacy-Sensitive Approaches to Collecting Personal Health Information Under Managed Care

We identified several approaches to collecting personal health information under managed care, any of which could, if adopted more widely, reduce the amount of unnecessary personal health information that is shared by providers and MCOs.  The three approaches discussed below were each cited by at least one provider respondent as being privacy-sensitive ways to collect personal health information needed to manage care.  MPR does not endorse any of these approaches; we simply describe them to further the discussion about how to reach a more privacy-sensitive state in managed care for mental health and substance abuse.

Maryland Uniform Treatment Plan Form.  The Maryland Uniform Treatment Plan Form (see Appendix B) was mandated by the state legislature in response to providers complaints about the administrative burden of having to complete many different forms for different MCOs.  A committee comprising MCOs and provider representatives, led by the Maryland Department of Health and Mental Hygiene, developed the form, which was implemented in October 2000.  A provider we spoke with in Maryland said the form has considerably reduced the amount of personal health information he must send to MCOs, and that patients who tend to be anxious about whether he would be providing information to MCOs are now much less worried.

Magellan Outpatient Treatment Request Form.  Magellans Outpatient Treatment Request Form, reproduced with permission in Appendix C, was implemented in October 2001.  The form, which replaces a request for a narrative description of the treatment plan, was developed partly in response to provider complaints about information requests but primarily because Magellan found that it was not cost-effective to manage every case.  One provider said, The Magellan form is back to the old style, where the MCO just required minimal information and trusted the clinician to make the right treatment decisions.

APA Guidelines.   The American Psychiatric Association adopted the Minimum Necessary Guidelines for Third-Party Payers for Psychiatric Treatment in December 2001 (see Appendix G).  According to the APA, the guidelines are based on the cumulative professional experience of APA members with respect to current practice and the necessity of privacy for effective psychiatric care.  They also reflect the principle that standards for minimum necessary disclosure of psychiatric information to third-party payers should not exceed standards generally accepted in other medical specialties.  Finally, they are founded on the current HCFA 1500 claim form and the protocol for disclosures to third-party payers as specified in the District of Columbia and state of New Jersey third-party mental health privacy statutes.

Of the three privacy-sensitive approaches, the APA guidelines allow for the least information to be shared with MCOs.  In fact, the gulf between the APA guidelines and current MCO practice is clearly wide. 

Potential next Steps

Confidentiality is essential to effective mental health and substance abuse treatment.  Our review of the status of privacy-sensitive approaches to collecting personal health information for managed care suggests that the Department of Health and Human Services (HHS) could take steps to advance current information-sharing practices so that they are more privacy-sensitive.

Consequences of No Action 

MCOs have been reducing the data they collect routinely to manage mental health and substance abuse outpatient services.  This trend may mean that, absent any action, health plans that still collect very detailed personal health information will eventually begin to collect less information.  Furthermore, the consumer advocates and managed care groups in our study did not view the issue of how much information is shared by providers with payers as a high priority item at the time of the interviews. 

However, the APAs recent release of its Minimum Necessary Guidelines shows that the issue remains a significant concern for providers.  Also, the absence of a national standard for what constitutes the minimum necessary information has resulted in very different privacy protections for consumers depending on their health plan.  In addition, our interviews with providers suggest that clinicians vary widely in how specific they are with their patients about what information is transferred to MCOs.  This variation exists because, from a legal perspective, many mental health treatment providers rely on general patient consent as a basis for transferring personal health information to a payer for purposes of payment and health plan operations. 

We are therefore left with a somewhat troubling picture.  Many consumers of mental health services are consenting to the transfer of personal health information only in general terms and perhaps months prior to using these services, while health plans that work toward similar care management goals request vastly different amounts of personal health information.  This picture seems inconsistent with the emphasis on ensuring consumer awareness of and control over the flow of personal health information called for in the health information privacy regulations under the Health Insurance Portability and Accountability Act (HIPAA).  We are not aware of any legal action to date that has challenged either the current practices surrounding informed consent or the appropriateness of MCOs information requirements.  However, it seems to us that such legal challenges could arise if no action is taken to better standardize or limit personal health information collection for managed care.

Developing a National Standard for What Constitutes Minimum Necessary Information 

One way to increase the use of privacy-sensitive approaches to the sharing of personal health information is to develop a national standard for what constitutes minimum necessary information.  Such a standard could help consumers understand what information MCOs need and why while eliminating the wide, plan-to-plan differences in the information that is collected.  Moreover, the minimum necessary information set could be implemented through a common treatment request form.  This change would reduce the burden, still faced by providers in most states, of responding to many different types of health plan requests.  However, developing a nationally applicable minimum necessary set of information is not an easy task. 

For purposes of discussion, we will assume that if a nationally applicable minimum necessary information set were to be developed, HHS would lead the effort.  Clearly, given the differences of opinion among stakeholders, some party viewed as neutral and outside of the managed care, advocacy, and provider communities must lead the effort in order for the stakeholders to view the outcome as legitimate. 

There are several important considerations for HHS if it decides to develop a national standard:  the role of research in defining what information is needed, the role of consensus, the desirability of legislation, and the potential for unintended consequences.

· Role of Scientific or Other Research Results in Considering What Information Is Needed.  Unfortunately, the research is sufficient to serve only as an aid to, not a primary basis for, establishing a set of minimum necessary information.  However, this research could be used in two ways.  First, criteria for patient placement developed by the American Society for Addiction Medicine could be used as one tool to rule out information not very relevant to managed care for substance-related disorders.  But the high level of detail in these criteria suggests they may not be useful in isolating the most important data elements.  Second, managed care plans or other interested parties (such as researchers) could develop a series of examples of how personal health information can be used in conjunction with information from research studies to perform evidence-based quality and utilization checks.  This exercise may point to specific data elements that are critical to many types of well-supported checks.

· Role of ConsensusWhile providers, MCOs, and consumer advocates would be expected to participate in developing a standard set of minimum necessary information, HHS has at least two options for defining its role in the effort.  One option is for the agency to act as a facilitator, convening representatives from the various stakeholders and securing a commitment to developing a group product, which HHS could decide to adopt or help disseminate.  According to a respondent who was heavily involved in Marylands development of its Uniform Treatment Plan Form, a legislative mandate or deadline for producing such a product may be a prerequisite to the success of this type of strategy.  Alternatively, HHS could consult with representatives of the provider, advocacy, and managed care communities, using their input to establish guidelines for what constitutes minimum necessary information under its own authority. 

· Need for, or Desirability of, LegislationLegislation that requires the development of a minimum necessary set of information could help HHS achieve a consensus- or near-consensus-based product that also explains information sharing to consumers while allowing MCOs to manage care.  As noted, a respondent heavily involved Marylands development of its Uniform Treatment Plan Form by consensus of relevant stakeholder groups believes this effort would probably not have been possible without the supporting legislation.  On the other hand, raising the issue with Congress could lead lawmakers to establish a minimum necessary information set that may be different from what would be achieved through an HHS-led process. 

· Possibility of Unintended ConsequencesA standard set of minimum necessary information could inadvertently increase the amount of personal health information collected by those plans that now collect the least information.  However, the amount of data collected routinely must be interpreted in the context of how much follow-up data a plan collects.  If, as in Maryland, the standard set represents all of the information a plan can collect outside a formal appeals process, then more personal health information may be collected routinely.  However, the net effect of this approach may be the same or better for the consumer than if less information is collected routinely and follow-up is open-endedthat is, if free-form discussions between case managers and providers lead to the sharing of more personal details for some cases.

How the Health Plan Community Can Use This Report to Advance the Privacy-Sensitive Collection of Minimum Necessary Information

We found a wide gap between the APAs minimum necessary guidelines and typical MCO information requests.  Although the MCO representatives we spoke with do not believe the information set out in the APA guidelines will allow them to manage care effectively, the health plan trade associations had not focused on articulating a response to the guidelines at the time of our study.  It may be that these organizations do not believe they need to attend to this issue.  If they view the patients general consent as a sound legal basis for MCOs to continue requesting information as they now do, then the trade associations may see little reason to be concerned with providers views of what is minimally necessary.  However, these organizations may not have focused on this issue simply because of other priorities.  In that case, the information in this report on the large gap between the APAs guidelines and current MCO practice may draw their attention to the issue.  Also, given the public backlash toward managed care, the industry would do well to better convey the value of care management to the public by explaining in more specific terms why the personal health information it collects benefits consumers.

Also, the report could help health plans review their information-collection routines.  More specifically, they can use the report to identify what information is collected under several privacy-sensitive approaches, what information is especially controversial with providers and why, and whether the items they collect are similar to or different from most of the other organizations whose forms and protocols we were able to obtain.