Clinicians, treatment facilities, and especially consumers are concerned that confidentiality be protected when mental health treatment is provided. Automated record keeping, advancements in information system technology, and the growing need for communication among multiple parties under complex administrative arrangements such as managed care have rendered this a difficult task.

Unfortunately, most states do not have confidentiality laws that specifically address the release of information by third-party payers. However, many states have laws with provisions concerning utilization review (UR), which is the process whereby requested benefits are authorized as both (1) being covered by the plan; and (2) meeting clinical and administrative criteria for payment. Some of these states outline in detail the required procedures for protecting confidentiality, while others simply require that only information necessary for UR may be requested. The current laws of New Jersey and the District of Columbia expressly prohibit the release of consumer-specific information to MCOs, including therapy session notes.

As the extent of confidentiality protection varies across the country, NMHA recommends the following Standards for all managed care delivery programs. Our goal is to provide consumers with maximum protection of privacy without disrupting their care or imposing unreasonable burdens on administrators and clinicians.

Standard #1: When consumers join a new health plan or begin treatment with a new clinician, the plan and/or the clinician should inform them of the applicable confidentiality protocols. Many consumers may not be aware that in signing up for a particular plan, they may have already consented to the organization's information management policies-including disclosure of highly personal information.

Standard #2: If a health plan does not state in its policies that it has the right to specified consumer data, consumers and/or their parents/guardians must sign a release form for sensitive information to be shared. Such forms should include a statement that consent may be withdrawn at any time, as well as the date or condition upon which consent will expire if it is not withdrawn.

Standard #3: Consumers should receive information upon demand from the plan about how confidentiality of information is protected. This information must be provided in a reader-friendly format.

Standard #4: Consumers have the right to be informed of:

• the type(s) of information that will be disclosed (nature and extent);
  
• who has the authority to disclose information;
  
• to whom the information will be disclosed; and
  
• for what purpose(s) the information is needed.
  

Standard #5: MCOs should have explicit written protocols for managing consumer confidentiality throughout the referral, UR, case management, appeals, billing, client reporting, and other processes.

Standard #6: All persons who have access to consumer information, including clinicians and their administrative staff, as well as personnel in the MCO, should be required to read the confidentiality protocols and sign a statement that they agree to abide by them. The statement should reflect that they agree not to discuss any sensitive information outside of the organization.

Standard #7: Staff members of both MCOs and clinicians' offices should receive training on what constitutes confidential information and what the restrictions are for dealing with such information.

Standard #8: When information is released, it must be documented, including notation of the date, the circumstances of the disclosure, the specific information released, the name(s) of the individual to whom information was disclosed, and the name(s) of the individual(s) who disclosed the information.

Standard #9: While a managed care private or public sector client has the right to expect detailed information on the services provided to its beneficiaries, this information must always be provided in aggregate, without consumer-identifying data.

Standard #10: Paper files must be stored in locked file cabinets, and computer files must include password protections.

Standard #11: All materials containing consumer-identifying information must be marked "confidential."

Standard #12: Consumer ID numbers for files must be unique and unrelated to other identifiers, such as social security numbers.

Standard #13: There should be standards in place for electronic communications between managed care organizations, payment administrators and consumers. Health and Human Services is in the process of developing some guidelines.

The following situations require special consideration to ensure that consumers' best interests are protected by balancing the need for information with privacy rights:

Standard #14 - Medical Emergencies: Information may be disclosed to health care personnel for the purpose of treating a condition that poses an immediate threat to the health of the consumer.

Standard #15 - Minors: The signatures of both the minor and a parent/guardian are required on the disclosure consent form unless state law authorizes treatment without parental consent.

Standard #16 - Consumers Who Are Legally Incompetent: A legal guardian must be appointed to make decisions concerning the release of confidential information for consumers who are legally incompetent.

Standard #17 - Child Abuse and Neglect: All states require the reporting of suspected child abuse or neglect, without mandatory consumer or parent/guardian consent. Information requested as a follow-up to this initial report requires consent. If the information requested is for use in a criminal investigation or prosecution of a consumer, written consent is insufficient; a court order is needed.

Standard #18 - Custody Disputes: For evaluations of children for custody decisions, clinicians must explain to each parent that confidentiality is waived.

Standard #19 - Court Orders: The courts may authorize disclosure of confidential information where there exists good cause, as delineated in the federal rules' procedures. Such court orders only authorize disclosure of information that would otherwise be forbidden by the rules, but do not compel disclosure. For court orders authorizing disclosure for other than criminal purposes, the consumer must receive formal notice of the request and an opportunity to respond. The judge must weigh the need for disclosure against the potential harm to the consumer or to the clinician-consumer relationship and its impact on the treatment process. The order must: (1) limit disclosure to information essential to the purpose, and (2) provide protection against future public scrutiny.

Standard #20 - Substance Abuse: According to federal regulation, consumers seeking treatment for alcohol or drug abuse should not be made more vulnerable by their record than those who have the same problem but have not sought treatment. Information may be released to payers, legal counsel, family/friends, the criminal justice system, central registries, and any other interested parties only with proper consent.

"Top 10" Key Findings and Recommendations

Methodology

NMHA Standards for Responsible Management of Consumer Information (Position Statement P-34)

Maintenance of Consumer Information

Medical Records and Session Notes

Managed Care Staff Policies

Protocols For Clinicians and Their Staff

Special Populations and Circumstances