Blog, Chirosecure Live Event November 8, 2022

Responding to Third Party Record Requests

Click here to download the transcript.

Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.  We suggest you watch the video while reading the transcript.

Hi everyone. This is Michael Miscoe with Miscoe Health Law for this week’s installment of the ChiroSecure Growth Without Risk Series of Presentations. And today we’re gonna talk about responding to record requests. There’s a couple of things. Get a lot of calls, docs that get records and, they go into panic mode.

First thing, don’t panic. And if you have questions about the who, the what and the when, who’s asking what they’re asking for. And when you have to submit it or even by extension, if you have to submit it that would be the appropriate time to call and get help. There’s a couple of things relative to every record request that you have to consider and that’s what we’re gonna focus on here.

And the first one is hipaa. So if you’re a covered entity subject to hipaa, which means you submit electronic claims to insurance carriers for reimbursement either directly or indirectly. So for example, if you have a clearing house and they submit electronically to the payers, then that makes you a covered entity.

If you do electronic benefits verification through a provider portal, for example, that could make you a covered entity. And if you do electronic claim, Analysis or get electronic remits from the payer that’ll make you a covered entity. So to the extent that you are a covered entity under hipaa there’s a couple of things that you need to think about with respect to evaluating whether HIPAA will even permit you to respond to the record request.

Now, in hipaa under the High Tech Act amendments to hipaa they made a change a rather important change to what’s called the minimum necessary disclosure. when you get a request from a health plan. Prior to high tech, you were allowed to assume that the health plan was asking for no more information than was required to do whatever it is that they needed the records to do.

As a result of high tech, you can no longer assume that. So when you review the record request, the payer is obligated to tell you. What they need the records for. Are they validating whether the codes you build are supported by the documentation? Are they evaluating medical necessity or making some other coverage determination because the scope of the or purpose of the record request or the analysis that they intend to do will tell you what you need to.

So if they’re simply looking to determine whether the codes submitted are accurate, the daily notes for the visits that they’re requesting is probably enough. If, however they’re evaluating medical necessity and they, let’s say they pick particular dates for each patient while sending them just that note, which will tell them what happened on that day.

It doesn’t allow them to understand where that visit fell within the patient’s course of care for evaluating whether the visit was medically necessary or not. And in that context think about it as taking a page out of a. And then being asked to, from reading that one page alone to understand what the story’s about.

So being that, that is difficult, if not impossible, where medical necessity is an issue, sometimes you ending up end up sending them more information than they’re technically requesting, but you’re sending them notes that pertain to the date of interest in the case of a medical necessity review.

Where when they’re only doing coding, you would only send the notes that relate to that specific date that describe the services that were billed. Now, if the description of the services are billed, are in a precedent treatment order as part of a plan of care, then you may need to send that document as well.

So you have to evaluate the request very carefully if they don’t tell. What the purpose of their review is, you have to stop because that precludes you from evaluating consistent with your obligations under the minimum necessary disclosure role. Whether. You need to respond at all, number one and number two the scope of how much or how little you provide in terms of the patient’s medical records.

So that’s the first thing that has to be evaluated. The second thing, and sometimes I actually evaluate this first before we even get into HIPAA issues, is participation status. Ultimately it’s more relevant because you’re participating provider. If you have one with that particular payer, we’ll define what your obligations are relative to post payment cooperation with their post payment audit efforts, or utilization review efforts, or whatever they tend to call it.

Now when you’re not participating, meaning you have not signed a contract with that particular payer, things are a little bit different because you have not agreed. To cooperate with those efforts after the payment’s been made. There’s a number of legal doctrines that potentially apply and we need to evaluate whether it makes sense to go ahead and give them the records or.

To resist the record request. And that is a discussion that you need to have with counsel and make sure that you understand the implications. Sometimes if you’re not participating but submitting claims and they’re assigning the payments to you, if you don’t cooperate with their audit they’ll just deem the the claims overpaid because you didn’t send the records and they’ll start to recoup the money.

And there’s strategies for. Precluding that from happening. But those are things that you need to consider when you’re not participating and making a determination as to whether you want to voluntarily cooperate with their audit efforts. The, if you choose to voluntarily cooperate, One of the things you have to understand is cuz you don’t have a contract, you don’t technically have any appeal rights, so things get a little murky in that respect.

There’s also potentially a risk issues if you have the appropriate financial policies where the patient has made you their representative for What are called adverse benefit determinations. Couple of moving parts that need to be evaluated. And again, that’s why when you get a request for records, that’s the time to get help so that you can make sure that you understand your obligations and more importantly, your options.

The next thing that we would look at is what type of request it is. Is it a request? Prepayment post-payment or a HCC risk validation audit. I’ll start with the risk validation audit. This will come from a contractor that works on behalf of a Medicare Advantage plan. Those are usually commercial insurance payers, like the Blues, Cigna, Aetna, whatever.

And this contractor has been hired to collect documentation. To validate the HCC risk score, that plan reports to the government for that patient, which then determines how much the government is gonna contribute or subsidize towards that patient’s Medicare Part C plan. So think of it as like insurance company coding to Medicare for reimbursement.

And so they hire these companies to do what are called HCC risk validation audits. So they collect. Records from everybody that patient has seen looking for diagnosis information that will validate the risk score that they’ve submitted to Medicare. These record requests you don’t need to worry about cause they’re not an audit of you or your services.

They just need data. And those. Requests you can respond to without any concern. The way you know that it is a risk validation audit is, like I said, it’ll be a contractor on behalf of a Medicare Advantage payer, and you will see risk validation. In the text of the letter as the purpose of what they’re doing.

So look for that language and again, if you’re unsure call somebody, get help, and just to make sure that you understand whether this is a risk validation audit that you can send the records or it’s not. Okay. And make sure docs train your staff. Unfortunately in, in my business, many cases, the staff gets a request, sends the records, never tells the doc about it.

And this process gets started before you’ve ever had an opportunity to look at it. And make these judgements and they think they’re doing a good thing. Hey, they want the records, we have to send them. Maybe you don’t. And if we do send them, we should probably get a look at ’em. And we’ll talk about that what we do in that respect.

In just a minute. If it’s a prepay audit, this is a claim that you’ve submitted and the payer is requesting records to support the coverage of the services that you build for, you. Not send the records, but then you’re not gonna get paid either. Those type of requests usually should be responded to.

But again, remember your obligations under the minimum necessary disclosure rule. Only send the records that pertain to that data service. It may be the initial exam radiographic reports, treatment plans and maybe any precedent or. Progress exams so that the payer can understand where that patient is in the plan of care and why that service is medically necessary.

And the last one which is the most troublesome, is the post payment request. So when you look at the dates of service and their dates that have been paid these record requests are usually oriented towards. Recouping money. I’d like to tell you that it’s something that happens because they’re looking for the next chiropractor of the year award recipient, but that’s just not the case.

These are, they will come from the payers, SIU department or financial investigations provider review, whatever the name of the entity is within the organization. These folks intend to audit the records to determine compliance with their perception of their medical policies. And if they see that or think that there’s a problem they will deny the services and request recruitment of the money.

And again, in those scenarios participating status is very important. With respect to the scope of the crust what you need to include. Again, that depends on the purpose. We’ve of covered this, but make sure that you’re providing sufficient in information relative to the service or services that they’re asking for, depending on what they’re looking at.

Again, if they’re looking at coding treatment order, and the treatment notes, probably all you need if they’re looking at medical necessity or other issues. Maybe to see who the provider that actually performed the service was the service delegated. And again, payers aren’t very good at disclosing the purpose of their audit because they don’t want to be constrained.

But you can force them to do it. Some major no-nos. When, let’s assume you’ve decided that it’s appropriate to send records. Some of the biggest mistakes providers make is they look at the records, they see errors and they endeavor to just go in and fix them. Okay? That is a Title 18 crime. It’s called a False Statement related to a healthcare matter.

Please don’t do that. Had a number of cases in my career where a simple overpayment case, it was just about money, became a criminal case that cost, 15 times as much to resolve and was way scar. Over the simplest of goof ups. In one case, the provider handed a stack of records and a stack of bills to an associate and said, Go through these records and make sure that the stuff that we billed for was actually recorded in the notes.

And rather than do that, the associate took a shortcut, and this is in the paper notes days just hand wrote in the procedures in a, in a. Section of the notation. The worst part of this story is that in 99% of the cases, the procedures were documented and this addendum or this extra information that was put into the note wasn’t even necessary.

But because the notes were altered after the fact, that was pretty obvious that they were the case got referred to the Department of Justice and. It was a very long drawn out process, getting that resolved because the Justice Depart went through a series of issues. That came out of their analysis of these records.

Please don’t alter your records. If there are mistakes, missing information things of that nature. You need a better think that you need to further describe, maybe what exercises or therapies or what where manipulation was performed or things of that nature. There is a process called the addendum process where you draft a separate document.

You indicate the date that document was prepared. Note the patient, the data service, explain what the addendum is, how you know it’s true. And then you include an attestation statement. That’s the best you can do. If you have handwritten notes that are hard to read, you can provide transcriptions and a test that the transcription is accurate, but it actually has to be accurate.

You cannot add words. You. The only thing that you can do is if acronyms are used, you could spell those out, but otherwise it’s gotta be an exact transcription of what’s written on the paper. If you need to explain it beyond that, then you would do that through an addendum. The la another big no-no is ignoring the request, hoping it goes away.

It usually does not. And similarly, if you get on this, you get everything submitted and then you don’t hear anything. The next big major No-no, is calling ’em to ask ’em like, Hey, what’s going? Once you send the records, let it go. Occasionally they forget about you because something else more important is going on and they put it aside and then they forget about it.

And the longer that thing sits, the better it is for you. Because many states have look back limitations based upon the date they make a. And the date versus the data payment. So time is your friend in these cases, get your records submitted. If you need more time, call and ask them, get an extension.

But get the, assuming you have an obligation to submit the records, get ’em submitted, and then you, we just. Sit on their hands and we wait. If they’re gonna publish a result, they will. Very rarely if they don’t find what they’re looking for and shut down the audit, very rarely will you get a letter saying, Hey, everything was fine.

And the audit is closed. That almost never happens. In the meantime, you’re sitting on pins and needles for, probably 18 months. And at that point, if you haven’t heard anything, you’re probably not going to. The longest I delay I ever had was two years. And by the time they got back to us, they’re, that added about a number of additional legal defenses that precluded recovery.

And we got the issue disposed of, don’t go wrapping on their door saying, Hey, I was just wondering how the audit’s gone and, bad idea. Okay. So that’s pretty much all we have time for today. I hope that was helpful. Keep these things in mind. I certainly recommend having formal policies that you train your staff in terms of how to react.

Make sure you have. Available that you have a relationship with that can advise you. Cuz when these things come up you’re gonna need help rather immediately. So having somebody in outside compliance contact or something like that who can effectively advise you on how to handle these things and when you’re finding that somebody makes sure that they have substantial experience in post payment audit defense.

That is critical. There’s a lot of people that think they understand how to prepare records for a payer, but without that experience dealing with how payers react you’re pretty much shooting an arrow in the dark. So that’s all I have for you this time. We’ll talk to you next month and have a great day.