Click here to download the transcript.
Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors. We suggest you watch the video while reading the transcript.
Hi everyone, this is Michael Miscoe with Miscoe Health Law, and we have yet another three part series for you. Some of these topics are a little long to address in 10 minutes, and also it is a way to get, keep you coming back so that you catch all of this. And I hope you would tune into these videos routinely anyway.
But here we go. We’re gonna talk about, investigations and record requests. This is a, an area where we see consistently where providers who are not anticipating ever getting a record request, they get one and they make some common mistakes that make things a little bit more problematic on the backside.
Click here for the best Chiropractic Malpractice Insurance
So hopefully. With a little bit of education we’ll get you sorted out and you won’t make those mistakes. So we’re gonna start with some basic HIPAA considerations in this first video. In the second video we’re gonna deal with how you respond to written requests. And in the third video we’re gonna talk about, law enforcement requests and requests for onsite audits by commercial payers. So that’s the structure of what we’re gonna do. So let’s get started with the first part. Now, when you get a record request, the first thing that you have to deal with, other than hopefully a getting being made aware that records have been requested from your practice and it’s something that you should make sure your staff.
Get a Quick Quote and See What You Can Save
Understands that they always have to tell you about it. Not that it’s a requirement of law, but it’s something that you want to know. Too many times, providers had absolutely no idea their record request was received. The staff decided to air, quote, handle it on their own and not bother you with it.
Only to find that they handled it improperly and it compromised. Our defense on the backside. So you know, when you respond to a record request and then an adverse finding comes down and your response to that is, oh, I didn’t know anything about this request, and we didn’t send the right records, or, we would’ve sent more because we misunderstood.
Those become questionable defense strategies. Even though they’re legitimate payers tend to. Look at you a little weird like you’re not in control of your own practice ’cause you’re not. So we’re gonna first look at how do we re, evaluate these requests to determine, our liability or our obligation to respond.
We’re gonna look at the HIPAA issues that are to these requests. How to develop appropriate policies and procedures so that everyone understands what we’re gonna do, how we’re gonna do it, when we’re gonna engage counsel if that’s appropriate. And and how we’re gonna respond.
And then hopefully with that information you’ll be able to train your staff so that you don’t get caught. In a situation where something occurs that you don’t handle properly, and it just makes things a little bit more difficult than it should have been. So let’s start with hipaa. Okay. In every record request there is gonna be some reference to hipaa extolling how you are permitted.
To based upon a patient’s provision or a provision in the patient’s benefit contract that they have authorized the insurance company to obtain records. And that’s fine and it does exist, and I don’t care. Long story short, HIPAA creates the authority to disclose records and you don’t need the patient’s authorization in an insurance contract.
When a patient. Signs your acknowledgement of notice of privacy practices. And if you don’t know what that is you probably need some HIPAA training. But when they sign your acknowledgement of notice of privacy practices, you are automatically authorized under the HIPAA regulations to do three kinds of disclosure.
Disclosure for treatment, which means you can disclose the patient’s records to another healthcare provider. And that disclosure is not subject to the what’s called the minimum necessary disclosure rule. And then you’re also permitted to do disclosures for payment. That’s submission of claims. And finally, healthcare operations, which, in, in its simplest form is audits.
Okay? Whether they be utilization audits, quality audits, coding audits, any kind of post-payment review or even pre-payment review where they request records. Those disclosures are permitted by hipaa, but just because those disclosures are permitted by hipaa, and again, the payment. Healthcare operations disclosures are subject to the minimum necessary disclosure rule, which I’ll explain in a minute.
But just because you’re authorized to disclose that doesn’t mean that you necessarily have a legal duty to disclose. For example, when you are non-participating with a payer, the obligation meaning a legal duty, you gotta do it. To respond to their record request usually is contractual. So in your participating provider agreement, there’s gonna be a provision that authorizes them to do post payment audit and recoup money if they find an error, blah, blah, blah.
But also is that if they make a request a reasonable request, you have an obligation as a matter of your contract to respond. And provide them the information that they’re requesting. And if you don’t, it’s a breach. And then you look to the contract to see what the provisions are as a remedy for that breach.
Usually payers will just deem the services not covered and demand all the money back. And that may or may not be an authorized response. But understand that the obligation to submit records is contractual. If you get a record request from a payer that you do not participate with. There is no contractual duty to send the records.
And from that perspective, you need to look at is it in your best interest to produce the records or isn’t it? And that is a discussion you should have with counsel so that you can understand the risks and benefits, the risks and benefits of disclosure. And the defenses that can be applied in the event you decide not to disclose.
There are ways to get those audits shut down, but. Be sure to have that discussion with counsel and have counsel manage that process for you. You just don’t wanna blow it off. Okay? That can lead to bad things. Now with Medicare, you have a statutory obligation to disclose. I. Same thing with Medicaid.
Those disc, whether you participate or not, the obligation to comply with those record requests is statutory. When you’re dealing with auto and work comp payers, you’re usually submitting the records with the payment. And any payer, whether you participate or not, that requests records prior to making payments.
So they’re asking for information during the claims adjudication process, the simple. Re result is if you don’t send the records, they’re not gonna pay the claim. So even where you don’t have an obligation to submit the records, if you don’t like your non-par, you don’t send the records as part of a prepayment review.
They’re just not gonna pay the claim. And of course, you can balance bill the patient. That’s your call, but. Just understand those are the kind of record requests. Now, there is a type of record request that you’re gonna get and the letter will say that a certain company, like for example, OX or somebody like that, is a independent contractor for X, Y, Z insurance company, let’s say a blues payer.
Or somebody else that offers a Medicare Advantage or Medicare Part C benefit program. And if you read the request carefully, they’ll say that they’re a third party contractor and all the HIPAA stuff, and then they will gimme one second. They will indicate that they are collecting information for what’s called a risk validation audit.
Okay. And when you see that, understand that those are record requests that A, you have to comply with, you have to submit those records. B it is not an audit of you. Basically they are collecting information to validate that the what’s called hierarchal condition classification score, that, that part C plan submits to CMS.
HCC score then determines how much CMS contributes or subsidizes that Medicare Part C plan for providing Medicare Part C coverage to that particular beneficiary. Basically, the sicker the patient is, the more money that CMS gives. So as they do these validation audits, they collect records from every provider that the patient sees.
And they’re looking for evidence of unreported diagnoses that may or may not impact the HCC risk score. So those kind of audits, you don’t need to worry about anything else. That’s a record request. You certainly want to evaluate. Whether you have a legal duty to disclose where you don’t, whether it’s in your interest to disclose or not understanding the potential risks and benefits and where you have a duty to disclose, then we get into, or even if you don’t have a duty and you decide to disclose, you have to evaluate your obligations under hipaa, most specifically, the minimum necessary disclosure rule.
Prior to the high tech changes of hipaa it used to be that when a payer made a request, it was presumed that the request met the requirements of the minimum necessary disclosure rule. And essentially what that rule means is that when you get a request whether it’s for payment, healthcare operations, or a request pursuant to an authorization, you have to limit the data set or limit the amount of PHI.
That you disclose to the minimum amount that is necessary for them to achieve the purpose of their request. Okay. Now to, to illustrate how this works let’s say for example, an insurance company got a complaint and a patient said, Hey, I got this EOB for a service and I didn’t get a service on that date.
What would be the minimum necessary disclosure that you would do to demonstrate that the patient was there on that date? And I’m thinking like your sign in sheet, if you have one, or if the patient signed in electronically, a printout of their sign in date time. Yes. They were here. You take a thumbprint, you got a picture, whatever it’s.
So that would be the minimum amount of information that you would need for that purpose to prove that the patient was there. Now, let’s say that the payer is concerned about certain code pairings that you’re reporting. Say you bill a lot of manipulation and manual therapy rather recklessly and you get a request because they wanna look at that.
Then for that to validate a, that services were performed and whether you’re 59 modifier on your manual therapy was justified, which it probably won’t be. But you would send the treatment notes for the dates of service that they asked for. Now, let’s say they throw medical necessity on the table or something generic like compliance with our policies and procedures.
Now maybe we need, even though they give you maybe they select specific dates of service, but now maybe you need to go back and provide the original plan of care, the treatment order, maybe progressive valves leading up to the date of service in question, in which case you need to disclose more information than they, than it appears they’re asking for in order to meet the purpose of that request.
Okay. Where it gets tricky is they don’t tell you what they’re looking for because they don’t want to be hemmed into a particular issue. And payers get really squirrely when you object to their record request because it is not precise enough to allow you to meet your obligations under the minimum necessary disclosure rule.
And in that scenario when you push back most times, payers won’t tell you. And then you get into there’s provisions in the contract that require compliance with state and federal law. I can’t comply with this law in which. The minimum necessary disclosure rule specifically, and therefore, I can’t, you are precluding me from responding to your request.
Thereby you can’t declare a breach. And this gets all, very technical in terms of contract law. But it is an important thing because understand that a knowing disclosure of hipaa. Fines start at $50,000. So this is something you don’t wanna mess around with. And oftentimes while we are trying to work this out, it does give you time, to start gathering records.
Now, it doesn’t give you time to go redocument. That would be a federal crime. That’s not what you’re supposed to do. You’d never ever, in the of, never, ever.
Produce addendums, to explain certain things with full disclosure that these re the addendums were created after the fact and why we’re creating them and all of that, while we’re working out the, these HIPAA issues, to the extent that we have a look at the records and identify some potential problems and get those mitigated prior to the actual submission having that time can be useful.
When you get a request one, who’s it from? What’s your legal duty to respond? Two. Are they providing a purpose for the request that allows you to meet their, your obligations under the minimum necessary disclosure rule in a scenario where you either A, have to comply, or B, don’t have to comply, but decide to anyway.
And if that’s true, then you prepare the records. And oftentimes if you need more time, you can ask them. Say, Hey, we’re preparing our records. There’s some things that we’d like to explain to you through properly created addendums. And, usually they will give you that time. They will not give you six months or a year, so you cannot, piddle twi around with this. But you need to allocate resources to get this done quickly. And the fact that you’re busy, they don’t care. This is something you, especially if you’re contracted, you’ve obligated yourself to do. Finally, one last point. If you get a record request that says, complete chart stop, that’s absolutely not gonna be permitted under hipaa.
Unless they disclose a purpose, that makes that very clear. So that’s it for this time. Next time we’re gonna talk about written requests and how you prepare those records. And then finally in the third installment, we’ll talk about law enforcement. So that’s all we have time for today.
See you next time.
Click here for the best Chiropractic Malpractice Insurance
Get a Quick Quote and See What You Can Save