Approximately half of the MCO policies examined for this study addressed these issues. The following language is typical of those documents and can be considered a best practice:

• " [Company X] requires that all contracted providers have appropriate policies and procedures to preserve beneficiary confidentiality. Beneficiary records maintenance and handling must comply with all state and federal laws and regulations regarding confidentiality of beneficiary records. Providers are informed of [Company X's] expectations regarding confidentiality through the provider agreement and the provider handbook."

There is further (almost universal) agreement that clinician release of sensitive consumer information be clearly documented, but practices vary. For example, some MCOs require a signed release when transferring records to a non-participating provider but do not require a release when giving records to an in-network provider.

At least one MCO has policies that state that a signed consent for release of information is needed for each "episode of care." Furthermore, it states that "without them, we cannot communicate to anyone regarding a patient." This is a best practice. In contrast, at least one MCO gives itself considerable leeway by allowing the release of clinical information without a signed release to providers, including non-participating providers, "when appropriate to facilitate the care of members." This policy is a worst practice.

Several of the MCO policy documents allow for the evaluation of network providers' procedures for assuring confidentiality during site visits conducted by the health plan. If, in the opinion of the health plan, proper confidentiality protocols are not being followed, a provider may be subject to certain disciplinary actions. For example, one company states in its policies and procedures that:

• "Provider contracts explicitly state expectations related to confidentiality. High volume providers are assessed for confidentiality practices during the bi-annual site visit. Providers who do not follow confidentiality regulations will be forwarded to the Peer Review Committee for review and corrective action."

While these site reviews may help to enhance overall consumer confidentiality, they should be conducted in such a way that site visit officials themselves do not have access to consumer-identifying information - only then can this practice be considered a best practice.

The following are additional best practices we encourage clinicians to adopt:

• First and foremost, where possible, store psychotherapy session notes separately from the rest of the consumer's record, and do not share them with MCOs.

• As outlined in the NMHA position statement on Standards for Responsible Management of Consumer Information, mark all materials containing consumer identifying information "confidential." Furthermore, use unique consumer identification numbers for files that are unrelated to other identifiers, such as a social security number.

• Any release of information must be documented, including notation of the date, circumstances of the disclosure, the specific information released, the name(s) of the individual to whom information was disclosed, and the name of the individual who disclosed the information.

• Do not permit consumer information to be removed from the office/work area or taken into restrooms or any other location outside of staff's office/work area.

"Top 10" Key Findings and Recommendations

Methodology

NMHA Standards for Responsible Management of Consumer Information (Position Statement P-34)

Maintenance of Consumer Information

Medical Records and Session Notes

Managed Care Staff Policies

Protocols For Clinicians and Their Staff

Special Populations and Circumstances