Best (& Worst) Practices In Private Sector
Managed Mental Healthcare


Part II: Confidentiality
July 1999

Maintenance of Consumer Information

NMHA identified tremendous variability in how MCOs maintain (store and access) consumer information. The following sections describe recommended protocols from MCO policies, research literature and/or NMHA standards. Please note that worst practices were generally the result of a lack of written policies or a lack of detail in clarifying them ("sins" of omission, rather than commission).

Paper Files

Storage

There is general agreement among consumer advocates, providers, and MCOs that sensitive consumer paper files must be locked in either a file cabinet or storage room. In addition, most stakeholders agree that records must be "signed out" when removed from these locations. While some MCOs' written policies went into little more detail than this, others augmented their policies with further clarification, such as the following best practices:

  1. "Keep patient charts and encounter forms face down. Never leave them out where others can see them."

  2. "All client files are to be kept in the locked file cabinets. No files are to be kept overnight on anyone's desk. Files in process may be stored in the locked file cabinet provided for that purpose."

  3. "Documents containing confidential member information…will not be left unattended on desktops, in mailboxes, near fax machines, etc., especially overnight. Member records will be kept in locked files and only be made available to authorized staff. A key will be kept in a designated location."

Internal Paper Communications about Cases

We found only one example of a policy discussing how MCO staff should communicate with each other when collaborating on cases, a best practice:

  • "Whenever possible, please use initials or case numbers (rather than patient-identifying information) to communicate on memos regarding patient problems."

This lack of detailed policies among the majority of MCOs about how staff communicate about cases is particularly disconcerting, as all denials of authorization typically involve at least two staffers. This is a highly disturbing worst practice.

Off-Site Storage

Many MCOs move paper files to off-site storage after a specified number of months or years. While this is in and of itself an acceptable policy, it is critical that the utmost care be taken to ensure that confidentiality is maintained both in the off-site storage of these materials and during the transfer of records from one location to another. Of the documents that NMHA reviewed, only one company specifically addressed this concern in its written policies, a best practice.

Disposal of Records

Consumer records that are no longer needed must be properly disposed of so that confidentiality can be maintained to the end. As a result, proper methods of disposal must be employed to ensure that they cannot be retrieved. Several MCO policies identified the need for permanent disposal methods, a best practice. These included the following mechanisms:

  • Shredding;

  • Burning; and

  • Sealing records and contracting with a document destruction vendor (including a binding legal agreement that this vendor will take appropriate precautions to guard the privacy of the information).

Electronic Files

Virtually all mental health stakeholders agree that computer files with sensitive consumer information must be protected with unique and confidential passwords and security codes that are changed regularly. These features should be tested by outside consultants to ensure that they are secure. Furthermore, many consumers and advocates agree with Standard #13 from NMHA's position statement on confidentiality that states, "There should be standards in place for electronic communications between managed care organizations, payment administrators and consumers." Unfortunately, many MCOs failed to address these issues or discussed them with little detail, a worst practice.

One example of a best practice was an MCO that addressed the following issue (although we recommend that MCOs go a little further and also take into consideration the positioning of offices and computers that will display such sensitive information):

  • "Do not allow medical information on terminals to be unnecessarily visible."

Additional Consumer "Files"

At times, MCOs will store consumer information in a format other than paper or electronic. For example, it may be on audio or videotapes, or telemedicine technologies may be used. It is important that MCO policies regarding confidentiality clearly state that all relevant confidentiality policies apply to these "file" formats, as well.

Of the company policies reviewed, none specifically addressed telemedicine, a worst practice. Only one addressed audio and videotapes. The following are best practices about unique safeguards in this area:

  • Only play audio or videotapes out of earshot of individuals not involved in a consumer's case.

  • Ensure that all individuals on the receiving end of a video feed are authorized to be present during the satellite link.

Transfer of Information

Consumer records must remain confidential not only when they are in temporary or long-term storage, but also when they are being moved from one authorized individual to another. This may include the use of internal and external mail, the telephone, electronic mail, or facsimile. For each method of exchanging information, unique security features must be used to ensure that the integrity of confidential consumer records is not compromised. To this end, MCO policies have included the following best practices:

Mail

  • "Confidential information that is forwarded from one [Company X] office to another is placed in a sealed envelope marked "Confidential." That envelope is then placed in an interoffice envelope directed to the addressee only and again marked "Confidential." Large amounts of confidential information being transported from one location to another are sent in a sealed box that is placed inside another box. On both the inner and outer boxes, a "Confidential Notice" is displayed."

  • "When mailing confidential member information, stamp the document "confidential" and use an internal privacy envelope that is stamped "confidential" across the seal of the envelope."

  • "When sending copies of member records, use U.S. certified mail or courier with receipt verification capability."

Phone

  • "Personnel and answering machines at provider offices shall be considered confidential, so that staff may leave confidential clinical or administrative information with the provider's staff or answering machine. Patient's answering machines shall not be considered confidential; identifying information should not be left, only phone numbers for return calls."

  • "Answering services shall be considered external to the provider's office so that administrative information, such as patient name, may be left with the service, but clinical data may not be disclosed."

  • "Speak softly over the phone, and try to avoid excessive use of the patient's name."

  • "Never leave a detailed message with a third party when calling a member. If the member is not available, leave a generic message."

Electronic Mail

  • "Transmit by internet e-mail only when absolutely necessary due to exigent circumstances and clearly mark the e-mail as confidential. In those situations, expressly prohibit forwarding the e-mail to a third party without the sender's permission."

  • "When using internet e-mail, enclose all confidential information in a password protected attachment, send the password by a different route (e.g., by telephone), use the return receipt and high priority options to assure successful transmission, and instruct the recipient to delete the e-mail immediately after accessing its contents."

  • "Information regarding a member's care or treatment will never be placed in the e-mail public files or over the Internet."

Facsimile

  • "Documents which contain confidential information may not be distributed via facsimile unless: (1) the facsimile is protected by a Confidentiality Notice referencing that the documents being faxed are considered confidential; and (2) the employee that is faxing must confirm with the recipient that the fax to which the information is being sent is in a secure area or the fax can be protected by being picked up immediately."

  • "When faxing clinical information, the following information shall be deleted from the materials: 1. Surnames of: a. patient b. family c. participant; 2. Patient address(es) 3. Patient telephone number(s) 4. Social security number(s)"
