Appendix B—Managed Care and Client Confidentiality

As managed care plans proliferate across the country, alcohol and other drug (AOD) treatment providers and single State agencies have become increasingly concerned about the impact of these plans on client confidentiality. Managed care plans vary from State to State and from program to program, yet all require some communication between a client's AOD treatment provider and his or her managed care plan.

Some managed care plans require client information from treatment programs to perform "gatekeeping" functions—preapproving treatment plans and monitoring admissions and lengths of stay. Other managed care programs, such as health maintenance organizations (HMOs) that provide primary health care and AOD treatment services either directly or through network providers, require information to coordinate care as well as to perform gate-keeping functions.

Depending on the purpose of the communication and the role of the managed care provider, different issues relating to confidentiality arise. This appendix addresses the ways in which AOD treatment programs, under the Federal confidentiality law and regulations, may communicate with managed care providers while still protecting clients' confidentiality rights. Also discussed are the confidentiality issues that programs have to consider as they explore ways to restructure the delivery of AOD treatment in a managed care environment. This appendix provides answers for the eight most frequently asked questions about managed care and client confidentiality.

1. What is the overall relationship between the Federal confidentiality law and regulations (42 U.S.C. Sec. 290dd-2; 42 C.F.R. Part 2) and managed care plans?

The Federal confidentiality law and regulations prohibit Federally assisted AOD programs from disclosing any records or other information about any patient except under certain specified conditions. Programs that are covered by the regulations are those that, in whole or in part, provide AOD diagnosis, treatment, or referral for treatment. Thus, programs that are covered by the regulations cannot disclose any "patient-identifying information" (i.e., any information that would identify a client as having an AOD problem or receiving AOD services) to managed care plans unless the specific conditions laid out in the regulations are met.

With the advent of managed care, many health care providers that have not traditionally fallen under the Federal confidentiality regulations now meet the definition of a program that must follow the regulations. For example, some for-profit AOD treatment programs have only accepted payment from insurance companies or patients themselves. These programs do not receive Federal assistance of any kind, either directly or indirectly, and, unless required to do so by the State where they do business, have not had to follow the Federal regulations. Increasingly, however, many of these programs have joined managed care networks, such as HMOs, that do receive some Federal funding. Consequently, these treatment programs now indirectly receive Federal funds and must follow the regulations.

Similarly, many managed care organizations, such as HMOs, that have not traditionally had to follow the regulations are now providing the type of service and receiving the type of Federal assistance that bring them under the regulations. Many of these plans, typically HMOs, are beginning to provide AOD treatment directly or are performing assessments and diagnoses and referring patients for treatment. In addition, because plans that have historically accepted only privately insured patients are, in growing numbers, becoming part of Medicaid managed care and received Federally assisted Medicaid payments, they are now receiving Federal assistance. Thus, they too have to follow the regulations whenever they make a disclosure that involves patient-identifying information.

2. What exceptions to the confidentiality law and regulations apply when a treatment program wishes to communicate with a managed care entity?

Depending on the purpose of the disclosure and the relationship between the treatment program and the managed care entity, several options, or "exceptions," under the Federal confidentiality regulations may enable programs to disclose client information to managed care providers. These options include written consent, a qualified service organization agreement (QSOA), audit or evaluation, internal communications, and medical emergency.

(a) Proper consent

Treatment programs may make a disclosure to a managed care provider if the client signs a valid consent form. The consent form must comply with the requirements of § 2.31 of the Federal confidentiality regulations and must be accompanied by the notice prohibiting redisclosure that is required by § 2.32.

To protect their clients' rights, programs are advised to consult with their clients' managed care providers whenever possible to ascertain how they intend to use the information. Despite the prohibition on redisclosure, managed care providers frequently redisclose to third parties (e.g., insurance companies, other health care providers, government agencies) information that identifies the client as having received AOD services.

If the program learns that the managed care provider will be redisclosing information, then it may decide to draft the original consent form in such a way that permits the redisclosure by the managed care agent. This helps ensure that the client is truly making an informed decision about whether to consent to the disclosure. Programs also have the option of drafting a consent form that allows for three-way communication (e.g., a situation in which the treatment program, the managed care provider, and another health care provider need to discuss and coordinate the client's care), as long as the purpose for the disclosure and the nature of the information to be disclosed are the same.

(b) Qualified service organization agreement

A treatment program may enter into a QSOA with a managed care provider if the managed care provider renders the type of service that qualifies it as a "service organization." Under § 2.11 of the regulations, a "qualified service organization" (QSO) is a person or agency that provides services to the program, such as legal, medical, accounting, laboratory analyses, or other professional services.

To become a QSO, an organization must agree in writing to (1) follow the Federal rules in handling the information it receives from the AOD program and (2) challenge in court any unauthorized attempt to obtain that information, as a covered AOD program must also do. Once the agreement is signed, the treatment program may freely communicate information from patient records to the QSO without patient consent—but only the information that is needed by the QSO in order to provide services to the program.

Thus, if a managed care program provides a service that qualifies it as a service organization, as defined in § 2.11, and if it is willing to sign a QSOA, then the treatment program may give the managed care provider the information it needs to perform its services without the client's consent. It is therefore crucial to look at the type of service being provided by a managed care entity to determine whether it is, in fact, a QSO. The following examples, depicting the most frequent managed care functions, illustrate the point:

1. The ABC insurance company, a third-party payer, uses a managed care provider to determine whether it should pay for treatment. The managed care provider requires specific information from the program in order to make its determinations.
   A treatment program cannot enter into a QSOA with a managed care provider in this situation. Reimbursement for treatment is not a "service" being provided to the treatment program within the above definition of a service organization. Thus, to make disclosures to a managed care company for the purpose of receiving authorization and reimbursement for treatment, a program has to obtain the patient's written consent, as discussed above.

2. An HMO managed care provider requires all its members who need AOD treatment services to come to its facility to be assessed. If a member is assessed as needing treatment, then he or she will either be seen at the HMO or referred to an outside treatment provider, depending on the diagnosis.

An HMO that conducts assessments for an AOD program is providing a service. However, the HMO cannot sign a QSOA with the program it is assisting if it is also a "program" that falls under the Federal confidentiality regulations. This is because the U.S. Department of Health and Human Services (DHHS), the agency empowered to interpret and enforce the Federal confidentiality law and regulations, has ruled that a program that falls under the Federal confidentiality regulations may not be considered a "service organization" except in limited circumstances. In 1978, DHHS issued an opinion letter stating that a QSOA could only be signed between two programs covered by the regulations if one program (the "service organization") was providing a service other than an AOD service (Legal Opinion No. 78-27, issued December 6, 1978, by the Office of the General Counsel, Public Health Division, DHHS).

Thus, if this HMO is covered by the regulations (i.e., if it receives Federal assistance and it provides AOD diagnosis, treatment, or referral for treatment), then it cannot be considered a QSO because it is performing an AOD treatment service—that is, conducting assessments—for the treatment program.

If the HMO does not fall under the regulations (i.e., if it receives no Federal assistance of any kind), then the outside treatment program and the HMO can enter into a QSOA.

3. Individuals enrolled in the ABC managed care program can receive treatment from any certified AOD treatment programs but must be seen by the physicians in the managed care program's network for primary health care services. This might occur in three ways:

• if the managed care provider has physicians on staff;

• if the managed care provider has a preferred provider list of physicians and allows its patients to receive health care services from physicians on that list without the managed care provider's approval; or

• if the managed care provider has a contractual relationship with the physicians in its network, but patients cannot be seen by those physicians without a referral from the managed care plan.

Medical services are clearly the type of services that can qualify an organization as a QSO. In the first example, because the managed care provider is itself rendering medical services to treatment program clients, it can be considered a "service organization." Thus, a QSOA can be signed between the treatment program and the managed care provider for the provision of health care services to the treatment program's clients. The treatment program should make sure that the QSOA specifies the nature of the service to be provided by the managed care program, so it can limit how the managed care program can use client information.

In the second two examples, the managed care providers do not provide primary health care services directly; instead, they contract out for those services. Because treatment providers in the second example do not need to involve the managed care provider when referring clients for health care services, they have no need for a QSOA with the managed care provider. Instead, they can sign QSOAs with the treating health care providers. Should the health care providers need to give information to the managed care provider in order to get reimbursed for services rendered, under the terms of the QSOA, they cannot not reveal any information they received from the treatment providers that would identify referred clients as having AOD problems or receiving AOD services.

In the third example, the managed care provider is providing a service to the treatment program, that is, referral for primary care services for its clients. Therefore, the treatment program can sign a QSOA with the managed care provider for the provision of referral services. Should the need exist, the treatment program can also sign QSOAs with the health care providers who are actually treating its clients. However, as in the second example, neither the managed care provider nor the physicians would be allowed to share AOD patient-identifying information received from the treatment programs with each other. Instead, they would have to use one of the three methods described in the preceding paragraph.

(c) Internal communications

In some circumstances, HMOs and other managed care providers directly provide AOD treatment, and thus the treatment program and the managed care provider are one entity. The Federal regulations do permit AOD records to be shared between program personnel or with "an entity that has direct administrative control over the program" if the communication occurs "between or among personnel having a need for the information in connection with their duties that arise out of the provision of diagnosis, treatment, or referral for treatment of alcohol or drug abuse" (§ 2.12(c)(3)).

Disclosures between an AOD unit and other parts of a managed care program are authorized without patient consent if those disclosures are necessary to provide the AOD services. These might include communications to the managed care provider's central-billing or record-keeping departments or laboratory.

(d) Medical emergency

In certain circumstances, disclosures may also be made by treatment providers to their clients' managed care providers to the extent necessary to meet a bona fide "medical emergency" affecting the patient or any other person (§ 2.51). The medical emergency exception authorizes a program to disclose patient-identifying information to "medical personnel" who "have a need for information about a patient for the purpose of treating a condition which poses an immediate threat to the health of any individual and which requires immediate medical intervention" (§ 2.51(a)).

Thus, if a managed care program provides direct health care services, it can clearly be seen as "medical personnel" and can receive information from a treatment program when a client's condition poses an immediate threat to his or her health or that of others and requires immediate medical intervention.

The same is not true, however, if the managed care provider does not directly provide health care services but rather merely pays for the emergency care. If a managed care provider allows clients to receive emergency care at an emergency room but requires notification within a specified period of time, then the managed care provider is acting as a third-party payer and not a treatment provider and cannot receive information from a treatment program under the medical emergency exception.

However, medical personnel who treat the client for the emergency can contact the managed care provider for the purpose of getting reimbursed for the services rendered, even if that communication reveals that the client has an AOD problem. The restrictions on disclosures under the Federal confidentiality regulations do not apply to medical personnel who receive information from treatment programs for the purpose of treating a medical emergency (§ 2.12(d)(2)).

(e)Audit and evaluation

Federal, State, or local government agencies that provide financial assistance to a program and managed care providers that are third-party payers covering patients in the program may examine patient records for the purpose of performing an audit or evaluation of the program (§ 2.53). This "audit-and-evaluation" exception is a narrow one, designed only to permit financial and programmatic evaluation of a program's functions.

If a managed care provider wishes to see patient records to preauthorize or pay for treatment, then it may not do so without obtaining the client's consent. Such a review is not for determining how the program is functioning financially or otherwise and thus does not fit within the audit-and-evaluation exception.

Any managed care organization or agency that conducts an audit or evaluation must agree in writing that it will redisclose patient-identifying information only (1) back to the program, (2) pursuant to a court order to investigate or prosecute the program (not a patient), or (3) to a government agency that is overseeing a Medicare or Medicaid audit or evaluation (§ 2.53(c), (d)).

3. In general, what kinds of records should AOD providers be willing to share with a managed care entity if the appropriate exceptions are in effect?

Managed care organizations request information for many different reasons. As noted above, managed care plans sometime require client information from treatment programs to perform "gatekeeping" functions—preapproving treatment plans and monitoring admissions and lengths of stay. At other times, managed care programs require information to coordinate care or to document that the patient's treatment is reimbursable.

Managed care entities appear to be requesting ever greater amounts of information about clients both before they approve treatment and as treatment progresses. Some managed care plans ask to see clients' entire files, sometimes dating back years. Whenever information is shared with insurance carriers and managed care entities, significant dangers arise to patient privacy. Many managed care plans, especially those that are part of private insurance companies, routinely share information through vast computerized networks.

For these reasons, AOD programs making disclosures to managed care entities should try to negotiate a more limited disclosure because the regulations limit even consented disclosures to only that information necessary to meet the intended purpose (§ 2.13(a)). Programs can often convince insurance companies to be satisfied with less information than they initially sought.

For example, determinations of eligibility for third-party payments often can be made without extensive disclosure of the patient's clinical record. Restricting disclosure to reasonably necessary information means that the program should communicate only the minimum amount of information required to show that the patient has received treatment and that such treatment is reimbursable. If the managed care entity asks for more detail, then the treatment program should question the necessity of divulging further information and, if necessary, appeal the request for additional information within the plan or to the State insurance department. Some States now regulate the actions of managed care entities. Of course, if a managed care plan insists on additional documentation before approving admission or processing a claim, its action is in accordance with State law, and the patient consents, then the program may have little choice but to comply.

4. If a client who is covered by a managed care payer is mandated into AOD treatment, must the managed care company pay for the service that is mandated?

This is a complicated question. If an insurance company or a managed care plan provides coverage that includes reimbursement for AOD treatment that is "medically necessary," then its decision to reimburse should be based on whether the treatment being mandated meets that criterion and not on the referral source. If a managed care plan takes the position that any care mandated by court is not, by definition, medically necessary, then that decision most likely violates the terms and conditions of its contract with the member and should be appealed.

Some managed care plans, however, will not explicitly state that they will not reimburse for mandated services but set up procedures that virtually ensure that result. For example, some managed care plans will not accept the assessment of intermediate sanctions programs or other assessors who are outside of the managed care network. Yet, at the same time, the managed care plan will not come to court or jail to perform its own assessments, creating a "Catch 22" in which offenders cannot be diverted or released unless they have a program to go to but cannot be assessed and treated unless they have been diverted or released.

Practices such as these threaten to disrupt tremendously the criminal justice system and family courts because these systems increasingly rely on AOD treatment both to rehabilitate offenders and to reduce unnecessary reliance on incarceration. Barring State legislation or regulation that requires managed care plans to pay for court-mandated services, patients should be advised to appeal any denial of reimbursement for such services and, if unsuccessful, file complaints with their State health and/or insurance department.

5. When clients are mandated into AOD, who/what determines which records are to be made available to the managed care provider? The mandating agency (i.e., court) or the AOD program?

Courts mandating individuals into treatment generally will not have any interest in directing what records should be made available to managed care providers. Courts will often, however, have an interest in receiving periodic reports from the AOD program about the progress of the individual mandated into treatment. In such a situation, the program should get the client's consent to disclose the information requested to the court. This usually includes information about the client's prognosis, attendance or lack of attendance at treatment sessions, and his or her cooperation with the treatment program.

If a managed care plan is reimbursing an AOD program for services rendered to clients mandated into treatment, then that managed care plan will have the same interest in obtaining information about those mandated clients as they have in nonmandated clients. As noted above, this may involve the managed care plan asking for more information than the program believes is necessary to accomplish the disclosure's purpose. The program should then question the necessity of making such an extensive disclosure and try to negotiate a more limited disclosure with the managed care company. This may include the initial evaluation and diagnosis; a summary of the treatment plan; the patient's attendance, progress, and compliance; and the discharge plan.

6. What disclosures are permitted by the confidentiality law and regulations when an AOD program contacts a managed care company to certify the client's eligibility?

If the managed care provider requires an AOD program to get preauthorization before providing treatment, the program must obtain the client's consent before contacting the managed care provider. The Federal confidentiality regulations define the term "patient" as "any individual who has applied for or been given diagnosis or treatment for alcohol or drug abuse" (§ 2.11). Thus, once the client applies to the program for services, he or she is protected by the Federal confidentiality law, and information that would identify the client as an alcohol or drug abuser cannot be divulged by the program without his or her consent. Because calling a managed care plan to ask whether John Smith has coverage for AOD treatment is a disclosure that John Smith has applied for such services, Mr. Smith's consent is required before the program can make the call.

7. As AOD programs form networks to provide a range of services to clients of managed care entities, how do the components of the network share information? When and how do the networks share information with the managed care entity?

As AOD programs explore ways to restructure the service of the services so that they can adapt to the managed care environment, many are beginning to form networks. These networks are being configured in different ways. Depending on how these networks are designed, different options under the Federal regulations will enable the components to share information.

For example, some AOD programs are coming together and setting up whole new programs that offer a full range of treatment services. These programs are not maintaining their own unique identities but rather are merging and creating a new identity. The different components of this new program can discuss patient-identifying information with each other following the internal communications provisions set out in the Federal regulations and explained in question 2.

Thus, if one component is responsible for the initial intake and referral to the appropriate service component, and if the different parts of the agency meet periodically to discuss a patient's progress and decide that a different approach may be warranted, and if this information is given to the billing department so that the program can get paid by the managed care plan, then all of these disclosures are permitted under the internal communications option described in the Federal regulations because the recipients in each case need the information to provide the AOD service.

Other programs are forming more loosely connected networks. They are not giving up their own separate identities but rather are working together to develop the kind of comprehensive service package that is attractive to managed care entities. Because these are all separate programs, the internal communication option is not available to such a network. Nor can these programs sign QSOAs with each other, because, as noted above, two programs that are covered by the regulations cannot sign a QSOA for the purpose of providing an AOD service.

Thus, the only option available to such a network is the use of consent forms. Rather than each program having to draft its own consent form before it can disclose information to the other network members, however, the regulations do allow for the signing of multiparty consent forms. The key to such a form is making sure that it authorizes each party listed on the form to disclose the information specified to all the other parties on the form. For example, a patient can sign a consent form that states "the following treatment programs are authorized to disclose to and communicate with one another" the following specified information "for the purpose of coordinating my care and providing my treatment."

If the network is using a multiparty consent form, it must make sure that the same kind and amount of information will be shared, for the same common purpose, among all those authorized to receive and/or disclose that information.

When and how the various types of networks can share information with the managed care entity is discussed in question 2.

8. What are some of the other consumer rights that patients of AOD programs should know regarding managed care?

Besides the confidentiality protections afforded to patients in AOD programs, some States have passed legislation regulating managed care practices and containing numerous consumer protections. Depending on the legislation, the following protections exist for patients regarding managed care:

• plans must use nationally recognized assessment criteria and must disclose the criteria, standards, procedures, and methods used in making determinations;

• managed care plans are prohibited from offering incentives to their employees to increase the number of adverse determinations;

• initial decisions and decisions on appeal must be made by reviewers who have an expertise in the field they are reviewing;

• plans must make decisions within certain specified times;

• plans must ensure timely telephone access to review agents and timely access to care;

• plans must provide complete information about their health plan, including information about the package of benefits, choice of provider, and limits on service and out-of-pocket costs, including copayments; and

• plans must specify the process by which patients are notified of adverse determinations and the process by which patients can file grievances and appeal adverse determinations; in some States, patients have a right to an independent review.

Back to Top