Best (& Worst) Practices In Private Sector
Managed Mental Healthcare

Part II: Confidentiality
July 1999

"Top 10" Key Findings and Recommendations

The following is a list of the most prominent worst practices identified in this study. NMHA encourages MCOs to rectify these items in their policies. We also recommend that legislators, employers, and accrediting bodies include requirements for MCOs based on these findings in their own efforts to ensure that consumers are guaranteed the meaningful privacy protections they deserve.

  1. Requiring access to the full medical record and psychotherapy session notes-not just the diagnosis, objectives and treatment plan.

  2. Failing to provide up-front information about confidentiality protocols to consumers when they join a new health plan or request such information later. Information provided should include the nature and extent of information that can be disclosed, who has the authority to disclose information, to whom the information will be disclosed, and for what purposes the information is needed.

  3. Failing to provide release forms that include a statement indicating that consent may be withdrawn at any time, as well as the date or condition upon which consent will expire if it is not withdrawn.

  4. Failing to maintain and monitor explicit written policies for paper files, including storage, internal documents, off-site storage, and disposal of records (e.g. marking them confidential, avoiding use of consumer-identifiers, locking files with limited access, noting releases, etc.)

  5. Failing to implement special protections for electronic, audio and video files containing sensitive medical information.

  6. Failing to comply with strict policies concerning the transfer of information between providers and MCOs through mail, phone, e-mail and facsimile.

  7. Failing to require MCO staff privacy training or to implement appropriate disciplinary responses to breaches, including termination and legal repercussions.

  8. Failing to require providers and their staff to undergo privacy training.

  9. Failing to ensure that minors 12 years of age or older are responsible for consent and that parents or other legal guardians are appointed to make decisions concerning the release of information for consumers who are under 12 years old or are legally incompetent.

  10. Failing to ensure that family members of adult consumers cannot access information without the consumer's consent.
spacer Introduction

"Top 10" Key Findings and Recommendations

Methodology

NMHA Standards for Responsible Management of Consumer Information (Position Statement P-34)

Maintenance of Consumer Information

Medical Records and Session Notes

Managed Care Staff Policies

Protocols For Clinicians and Their Staff

Special Populations and Circumstances

Additional Resources