In the last few years, the number of providers that have received records requests from third-party companies hired by health plans, including Anthem Blue Cross, Blue Cross/Blue Shield, and Aetna, has skyrocketed.
Note: You may have read my articles about Equiclaim’s 90837 CPT code provider profiles, which included a threat of records review (if you missed those articles, please find them here: http://theinsurancemaze.com/2065/equiclaim2/).
The latest requests are coming from third-party companies including Inovalon and Episource. These firms are hired by health plans to do a variety of administrative projects, the latest being to carry out risk adjustment audits under the Affordable Care Act (ACA).
The good news for providers and patients is that risk adjustment requests are NOT for determining the medical necessity of treatment, session approval, care review, or recouping money. Instead, it’s more of a way for the health plan to get a snapshot of the level of severity of the illnesses of their members.
In my experience, many of these third-party agencies are quite disorganized. They may call for information (to verify your fax or address) several times, even if you have already responded, and they may call to say that they never received records, even when you already sent them. So, be sure to keep copies of everything you send to them, and document, document, document each interaction.
So, if you get a records request, what should you do?
Unfortunately, there is no single correct answer, but here are 10 tips you should consider before responding to a records request.
1. Call the requesting agency and/or the health plan and ask what they REALLY need. Inovalon and Anthem representatives have told providers various things, from “all we need is progress notes and any information related to diagnosis and prognosis” to “all we need is a treatment summary including diagnosis.” Document your call, who you spoke to, and what they said. You don’t want to release more information than necessary..
2. Check what your professional ethics codes and state laws say about releasing records..
3. It’s a good idea to notify your patient. Even if the records request document states that HIPAA doesn’t require patient notification prior to release, don’t be fooled. Many ethics codes and state laws require patient permission to release records. While federal laws (like HIPAA) usually supersede state law, this is not the case if state confidentiality laws are stricter, so it is recommended that you follow the stricter of the two just to ensure you are protected. In either case, you may need a patient’s written consent to release their records to a company other than the insurance plan.
4. Ask your patient how they feel about the request. After all, it is their record. Explain the purpose of the records request to them in the most objective way possible. Document the conversation in their chart and get a written release, signed by the patient, if they approve it. If your patient doesn’t want you to release records, you could inform the plan that you are reluctant or unwilling to go against your patient’s wishes (if this is your situation, contact me if you want a sample refusal letter).
5. Make sure you have received a release, and that it complies with state laws. While state laws vary, below is an example from California Civil Code 56.104 (a) (1) through (4) of what is required from a valid release: the specific information requested, the specific intended use, the length of time the information will be kept before being disposed of, a statement that the information will not be used for any purpose other than its intended use and when the records will be returned or destroyed, a statement that the entity will destroy or return the information before or immediately after the time has expired.
6. If uncomfortable with what is being requested, get clarification, or ask for a new release. The Inovalon records request I received asked for SOAP notes and summaries related to surgical procedures, consultations, pathology, laboratory, and discharge — none of which I had. Also, I don’t keep my notes in SOAP format. Accordingly, I asked for a new written request, specifically requesting the items they wanted that related to my records.
7. If you keep separate “process notes,” called psychotherapy notesby HIPAA, don’t release them. You must keep progress notes, which can include session start and stop time, treatment type and frequency, diagnosis, treatment plan, symptoms, prognosis, and progress. However, process notes — which include your thoughts about the treatment, analysis of the case — are optional. Process notes should be kept separate from the rest of a patient’s file and are afforded greater privacy.
8. If you feel the release was adequate, and you release records, remember to only give the minimum information necessary to fulfill the request. Releasing more is a HIPAA Privacy violation.
9. If you do release records, and you are unable/unwilling to make the copies yourself, you can contact the requesting party and they may send someone out to make the copies. Also, while this is not advertised, you can sometimes get reimbursement for your time spent complying with the request. For more information on reproducing patient records and charging for it, access Attorney Jennifer Searfoss’ online training, Medical Records: Avoid HIPAA Violations Copying Fee” on Nov 18, 2018 – https://healthcare.trainingleader.com/product/med-rec-fee1-r02/
10. No matter what you do, be sure to respond in some way to the request. This is especially important if you are a network provider. You may have signed a contract that requires you to cooperate with the insurance company concerning administrative requests for information. Promptly respond to the carrier’s request, clarify the nature and the purpose of the information being requested, and document your contacts and actions.
This valuable content was written by Barbara Griswold, LMFT, a practice consultant and the author of Navigating the Insurance Maze: The Therapist’s Complete Guide to Working with Insurance — And Whether You Should, now in the newly-updated seventh edition (www.theinsurancemaze.com).