Ever since the advent of managed care, there's been a push and pull between third-party payers and practicing psychologists. Insurance companies frequently ask for sensitive patient information to conduct their business, while psychologists typically fight against having to provide that type of information.
"If you had to boil it down to the area where information flow is most troublesome, it's the area where information goes to managed-care companies," says Russ Newman, PhD, JD, APA's executive director for practice.
The Health Insurance Portability and Accountability Act (HIPAA) privacy rule tries to address this flow of information in the minimum necessary requirement. Under this requirement, covered entities--such as managed-care companies--are barred from requesting information beyond what is minimally necessary to accomplish payment or other administrative tasks. The rule applies to psychologists as well. Psychologists' employees, for example, should only be given enough information about patients to ensure that they can adequately do their jobs. Some employees, such as a billing clerk, might not need any clinical information.
The minimum necessary requirement sounds straightforward but lurking behind the simple language is the potential for different interpretations, says Newman, adding that how a managed-care company perceives this requirement may be very different from how a psychologist does. "Minimum necessary isn't specifically defined. There are two sides looking at it in a different way."
Though the requirement doesn't solve the potential problem of too much information finding its way into the hands of managed care, Newman adds, it does give practitioners grounds for refusing to give that information in the first place.
"The net effect of this rule is the much needed reclaiming of a certain measure of confidentiality and privilege of our conversations with our patients and the records of their care," says Lance Laurence, PhD, professional affairs coordinator for the Tennessee Psychological Association and his association's HIPAA trainer. "It was never necessary to fully require disclosure of any and all information in order to conduct utilization review, for example, and the minimum necessary information rule now gives practitioners a [potential] means of containing destructive intrusions in the treatment process."
A benchmark for defining 'minimum necessary'
Because the resolution of any interpretive differences regarding the requirement will be up to HHS or the courts, Newman says, APA hasn't issued any formal guidelines on how to deal with it. However, one state law does provide a gauge for psychologists, says Newman. The New Jersey Practicing Psychology Licensing Act states that a third-party payer can request administrative and diagnostic information, the status of the patient, reason for continuing psychological services--limited to an assessment of the patient's level of functioning and distress--and a prognosis.
This provision gets at the minimum necessary information requirement by setting some parameters for what information can be disclosed for managed-care operations purposes. Psychologists in other states should look to their own state laws, or use the New Jersey law as a benchmark, says Newman. But, he adds, psychologists should recognize that in the absence of statutory language law, the definition of minimum necessary would still be open to interpretation.
Much of the battle over what constitutes the requirement can be avoided to an extent if the information in question is included as part of a practitioner's psychotherapy notes, says Newman. Under HIPAA's privacy rule, psychotherapy notes--which have typically been referred to as process notes by most in the field--can't be disclosed without patient authorization. And, managed-care companies are barred from conditioning payment on the patient's authorization, as has been done in the past. (See article on psychotherapy notes, February Monitor, page 22.)
In the end, the quandary over the definition of minimum necessary information is "still a battle, but with new words," says Newman. "It's resolvable by the same things: deciding to turn over more information to managed care in the end, a possible test case resulting in more guidance from the Department of Health and Human Services, or a court determination of the rule."
But the battle doesn't look that grim. The privacy rule requirements were created to offer more protection for patients. Managed-care companies can't refuse to pay for services if they don't get all of a patient's information. "The new HIPAA rule stops this type of draconian activity," notes Laurence.