Click here to download the transcript.
Disclaimer: The following is an actual transcript. We do our best to make sure the transcript is as accurate as possible, however, it may contain spelling or grammatical errors.
Welcome everybody to this edition of ChiroSecure’s Growth Without Risk Program. My name is Michael Miscoe with Miscoe Health Law. And today we’re going to talk about something we’ve talked about in the past. Uh, I checked my records not since 2019, and I think from some questions I’ve gotten recently, it’s probably time to redo this again, uh, but how to deal with record requests. Um, there’s a number of issues when you get a request for records, uh, that you have to consider, and this should be a process for which you should have a policy and that policy should address a number of things. The first being, uh, the HIPAA issues that you have to consider, uh, when getting a record requests and essentially, um, with the patient’s acknowledgement of your notice of privacy practices, you are allowed to disclose, uh, information, uh, for purposes of treatment payment or healthcare operations.
Uh, treatment requests would be a request from another provider, a healthcare provider, um, and you don’t need any special authorization for that payment. Uh, those disclosures, meaning, uh, information necessary to secure a payment from a insurance company, minimally, that would be the information on your CMS 1500 form. Obviously you don’t need a, uh, an authorization from the patient every time you send a bill, uh, in healthcare operations, which is where, um, you normally see requests, uh, for, uh, post-payment related audits. Now, a payment requests could be a prepayment requests for records, uh, meaning they request the records, uh, to evaluate the appropriateness of payment before they make a payment in disclosure. In that respect of information, relative to the service you’re trying to get paid for is certainly permissible on the post-payment side. However, uh, is where you have to be a little bit, uh, cautious under HIPAA, because HIPAA has, uh, a component to the rule known as the minimum necessary disclosure rule.
And with the changes in the high-tech act, um, healthcare information technology and something, uh, act, uh, some years ago, they made a change to the minimum necessary disclosure rule where previous to hi-tech, you were permitted to, uh, rely on a insurance company’s request as meeting your requirements under the minimum necessary disclosure rule, which means when you get a request you’re obligated to provide the minimum amount of, uh, protected health information necessary to serve the purposes of the request. So when an insurance company pre high-tech asks for the entire record, you could presume they need it, needed it for their purposes after hi-tech, you can no longer assume that. So the purpose of the record requests has to be disclosed in their, and it often isn’t, um, what happens is, uh, payers traditionally request over disclosure, um, maybe because they’re on a fishing expedition, they don’t know necessarily what they’re looking for, uh, and they’ll request things like the complete chart.
And if you think about that, uh, in your experience with a patient, it’s not always the case. And in many cases, it’s very unlikely to be the case that your entire history with this patient has involved services that were billed to this particular insurance company. So when you get a complete chart request at a minimum, you got to remove anything that does not pertain to billings to that particular carrier. So if there was a prior personal injury case maintenance services for cash, uh, all of that information would obviously have to be, uh, removed, uh, because it couldn’t possibly pertain necessarily to billings to that particular carrier. Um, beyond that, think about the purpose of the request as being, maybe they’re looking at coding, in which case the treatment notes would be the only thing you need to disclose, uh, for specific services that they’re actually auditing.
Um, otherwise it, it may, if medical necessity is on the table, then possibly more expansive disclosure when they don’t disclose the purpose of their request, technically there should be some, uh, resistance to just giving up everything you have, uh, and requesting more information about the purpose of their audit. And it’s one of the techniques that we use to slow the process down. Uh, now of course we don’t want the care, the carrier to get nuts about this, but if we can make a legitimate objection, um, you know, or at least raise the issue, this is the presumed purpose of your request. And therefore we’re disclosing this information. We reserve the right to amend, uh, the disclosure, if it turns out you’re looking for something else, uh, but at least, uh, you give yourself the ability to provide something more. In many cases, payers want you to sign a, a, an affidavit if you will, or an attestation that you’ve disclosed everything, rarely do we do that.
Uh, we instead provide a, a different type of an attestation. We we’ve disclosed what we believe is consistent with the purpose of your request. Um, uh, consistent with our obligations under the minimum necessary disclosure rule. If, if this disclosures insufficient, depending on what your actual purpose is, we reserve the right to get you more information. And that’s how we handle that problem. Now, in many cases, I’ll get calls, uh, from, uh, providers because they get requests, uh, from usually a third party auditor on behalf of a Medicare part C plan or a Medicare advantage plan. And it’s, uh, the purpose of the request is so that they’re, they’re doing a risk validation and essentially what those requests are. They need your information to validate the risk adjustment score that the part C plan has submitted to Medicare for that patient, those requests have nothing to do with you.
Uh, and you can submit your record information to them because it has, uh, like I said, it’s not an audit of the compensability of your services, but they’re looking for diagnostic information in order to validate the risk adjustment score that the Medicare part C plan submitted to Medicare, which is part of how they get paid, uh, or it impacts the amount that they get paid to provide coverage to that particular insured. So if you get a risk adjustment audit, uh, you see language that says risk adjustment, or HCC risk validation, um, those requests you can, uh, respond to without, uh, much in the way of concern. The other issue that you need to consider when you get a record request is your participating status, because this implicates, and, and maybe I should have addressed this first, whether you have to respond at all now, certainly when you’re a participating provider, you’re participating provider contract usually includes language that obligates you to cooperate with their, a utilization review, post-payment review quality analysis, whatever they want to call it, but basically their post payment audit process.
And that’s fine. And, and, and you have a contractual duty to respond to that request consistent with your obligations under the minimum necessary disclosure rule of HIPAA. The more interesting scenario is, is when you are nonparticipating with a particular carrier in those circumstances, you should probably call and get assistance, uh, early on, because there are defenses that can be raised that would mitigate, um, your need to submit any records at all. And, and essentially not to get through, you know, the, the rather complicated legal doctrines that, that influence this issue, but fundamentally absent a contract, you usually have no legal duty whatsoever, uh, to comply with those requests. Now that doesn’t mean I’m suggesting that you ignore them, uh, because when you do, oftentimes those payers will just deem those payments to have been an error and start recouping. So you do need to respond.
It’s just how you respond. Um, uh, with some early intervention, usually those audits can be put to bed, um, with, uh, minimal blowback. Uh, there potentially is, uh, some negative consequences that can occur that can occur if we decide not to cooperate with their, their post-payment request, but at least you can establish a legal basis for why you’re not obligated to, as far as HIPAA is concerned, just because you’re permitted to disclose under HIPAA HIPAA creates no legal duty to disclose except to the patient. Um, so when a carrier is doing a post-payment analysis or attempting to do that, uh, oftentimes submitting the records, you know, compromises some of your legal rights, and we need to, you know, you need to, with a competent legal counsel evaluate whether it’s in your best interest to disclose or to resist disclosure. Now, when, um, you’re participating, here’s a couple and you have an obligation or a legal duty to disclose by virtue of your participating provider agreement, there are a couple of things that you need to consider as you build, uh, your package of information to disclose.
The first thing you have to consider is what to include. Now, in some cases, um, the payroll payer will be auditing specific dates of service because of a particular billing pattern. Uh, so in their sample, they’ve identified, um, uh, you know, let’s say they’re evaluating claims as their sampling unit. So they’ll identify specific dates of service for specific patients. And in many cases, the provider will provide that individual soap note or treatment note, because those are the dates they ask for. If medical necessity is, is, is, uh, an issue or the reason why you’re billing certain codes, how that’s justified, oftentimes in order to explain that, uh, it makes good sense to provide the initial, uh, uh, evaluation treatment plan treatment order. That tough documentation may be interim progress evaluation so that they can see the purpose of the treatment that’s being performed on the encounter that they’re evaluating.
Sending one soap note out of the middle of a course of care is like giving you a page out of a book and asking you to understand what the whole story is about a very difficult, and you have to evaluate those requests carefully to see if it makes sense to include more than the date of service that they’re asking for. Uh, in some cases, uh, it makes sense for the provider to prepare summaries explaining, um, or providing additional information. If your records are a little weak relative to explaining the specific nature of the therapies performed, uh, location, let’s say it’s electric stem, where the pads were applied, what frequency ramp time duration, the purpose of the electric stem. Oftentimes, uh, I find that the providers, uh, EMR programs do not fully describe that in the, in the context of a treatment order, in which case you can supplement, uh, your, uh, information with a summary that explains that, uh, oftentimes that’s necessary for rehabilitative exercise, you know, where you define sets, reps, weight level of contact, things of that nature, um, you know, to substantiate specifically what was being done.
So the payer can evaluate the appropriateness of that treatment as it was performed relative to the patient’s conditions. Um, those, that information is prepared in a summary or an addendum, if you will, uh, which includes a signature attestation validating that that information is accurate. Uh, and that is done in lieu of modifying the original record, which you should never do. Um, the, the process of creating addendums is fully disclosing that this was prepared in response to their request, which meanings, the date, that that information was prepared is fully disclosed, uh, and that its purpose is designed to further explain, uh, what the contemporaneous record contemporaneous meaning the record that you created at the time the service was performed, uh, to provide more information than was disclosed originally. Um, the payer can, uh, accept, reject that information. Um, they’re obligated to consider it. Some auditors will say, well, that was prepared after the fact, therefore we’re not going to consider it.
Those are issues that, that get fought out, uh, ultimately in the end, but assuming the information is true and accurate, consistent with the attestation that would be sent with it, um, then, uh, they should consider it because I mean, ultimately what you did and why you did it. It is what it is. Um, the purpose of these audits is to find out whether the services were actually compensable or not. Uh, sometimes the credibility of that information can be challenged, but if it’s something, you know, to be true, uh, and you need to provide supplemental information to your original records, that is the way you do it, get help with preparation of those. So you do it the right way, because if you do it the wrong way, you can turn a simple post-payment audit into a criminal case, seeing that happen a number of times, uh, and it is very difficult, expensive, and time consuming to get that horse back in the barn. Um, so, uh, be very, very cautious.
I do want to emphasize this issue of alteration of records, because it, it is especially problematic. A provider gets a request recognizes there are potential defects, even errors or omissions in the record. And the natural reaction is to fix the record. Uh, if you use an EMR, you want to go back in and edit the record and make it all right. Uh, so that in your mind, you’re giving the payer accurate information. The only thing that’s inaccurate about what you would be supplying when you alter the records is when the information was created. And that is trust me a really big deal. And if they figure it out, uh, which they are likely to do, uh, by any manner of ways, uh, if, if for no other reason, if your EMR program has audit, tracking, uh, they can track metadata in your EMR system when they suspect that that’s, uh, an issue, um, especially where the alteration is somewhat consistent.
Um, and, uh, not so much. Patient-specific, um, you’re likely to get caught, please, please, please, please, please do not ever do that. Um, you know, your natural reaction to fix the records needs to be overwritten by common sense, recognizing you don’t want to risk criminal liability over, over an issue. That’s just about money. Um, there’s a better way to do that. Get help, uh, with respect to, uh, supplementing your records with, uh, addendums or, you know, treatment summaries, if you think medical necessity isn’t well explained, uh, in your records, you know, providing, uh, how you know, information about how the treatment actually influenced the conditions, uh, that the patient presented with, but there is a much better way to do that, uh, than trying to fix, uh, the records that you already have. Uh, as I mentioned, that can lead to criminal liability, um, you know, all kinds of things, obstruction charges, and whatnot that are very, very difficult to defend, uh, from a legal perspective.
So hopefully that gives you, you know, some, uh, idea of the things that you should consider. Anytime you get a record request, it’s not a risk adjustment audit. I certainly recommend getting assistance. Um, you know, with that, that process of preparing the records, because if done correctly and completely, you know, it gives you the opportunity to sidestep issues, you know, where you have a legal duty to, uh, produce the records I E when you’re contracted, or if it’s Medicare or a government program, when you’re not contracted, then, uh, there’s some additional things that you should discuss with counsel, you know, and evaluate the risks and benefits of doing a disclosure or resisting the disclosure. Um, so that’s all we have time for today. Um, next week, um, Dr. Uh, Sherry McAllister’s up, and I’m sure she’ll have something, uh, equally or more, uh, important to, to pass on. I appreciate your time today, and we’ll see you next time.