Last month I had the privilege of presenting the first installment of MRO’s 2019 PHI Disclosure Management Webinar Series to healthcare professionals across the country about the rising tide of payer requests for medical records. Judging by the attendance and feedback, it is a topic that garnered a lot of attention. Based on the high level of interest, MRO plans to continue to provide content on this topic. Here is an overview of “The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense” presentation.

Payer Audits vs. Reviews

First, we covered the difference between audits and reviews as it is important to make the distinction and not group them together in the same category. DRG audits (post-payment audits) are not the provider’s friend. As payers attempt to review records for paid claims to recoup payment from the provider, audits occur throughout the year. Payers review the record to make sure the claim and record information match, so they can determine if the claim has been overpaid and recoup funds if necessary. These audits are typically time sensitive and due within 30 to 45 days of the date on the request letter.

The other category, reviews, includes HEDIS (Health Effectiveness Data and Information Set) and Risk Adjustment (Medicare Advantage, Medicaid, and commercial) requests. Review requests are seasonal projects that do benefit payers, but providers are not subject to negative financial impact and requests should be prioritized accordingly. The payer may impose an unrealistic time frame of 10 to 15 days when in reality there’s a broader time frame. Because HEDIS and Risk Adjustment reviews are seasonal, providers have more than 30 to 45 days to produce records.

Payer Requests for Medical Records: Deep Dive into Trends, Issues and Statistics

Next, we examined the current environment, trends, issues and statistics related to rising payer requests for medical records. It is common that audits (year round) and reviews (seasonal) overlap, causing a burden on HIM departments. HEDIS and commercial Risk Adjustment projects overlap with HEDIS, running from January through early May, and commercial Risk Adjustment running from September through mid-April. In addition, Medicare Risk Adjustment projects are beginning earlier every year. MRO has already seen requests come in during April 2019.

In recent years, healthcare organizations have experienced a steady increase in DRG/post-payment audits and HEDIS/Risk Adjustment reviews. According to MRO statistics from 2017 to 2018, overall payer requests increased 70 percent due to a significant upsurge in core categories—DRG audits up 52 percent, HEDIS reviews up 62 percent, and Risk Adjustment reviews up 80 percent.

Handling Large Audit and Review Projects: Recommended ROI Workflows

The growing trend of payer requests for medical records may seem overwhelming at times, but there are solutions to lessen the burden on HIM departments. The presentation also provided the following recommended Release of Information (ROI) workflows for handling large review projects:

• Build stronger relationships with payers and health plans to better manage the surge in medical ROI. Establish project due dates instead of 30-day completion.
• To offset the cost burden associated with producing these high-volume review requests for records, ensure the health plans will compensate for the records provided in a timely manner.
• Ask your ROI vendor to work directly with the health plan to coordinate disclosure management instead of using internal staff or engaging a third-party vendor. Establish project due dates, rates and electronic delivery.
• Use your ROI vendor’s remote services capabilities to process these large review projects so that HIM labor resources can focus on the daily workload.

Managed Care Contracts: Medical Record Language

Understanding the medical records section of the managed care agreements also plays an important role in how payers request medical records. An organization’s managed care agreement governs the payer/provider relationship and includes a medical records section that specifies the payer cost to audit a healthcare provider. Unfortunately, the medical records section is often a low priority because the managed care team may not understand the burden on HIM or the financial risk for the entire organization. The presentation provided details of recommended language for managed care contracts to ensure optimal outcomes for provider organizations. You can learn more by downloading the slides.

Payer Access to EMRs

The last topic covered the emerging concerns around payer requests for direct access to EMRs. Payers want access to medical records for the aforementioned reasons (post-payment audits, HEDIS, Risk Adjustment) and for initial claims processing. Payers are making a variety of proposals as to the types of access they would like to be granted. These levels of access and aggregation of records have different levels of associated risk. Here are four areas of concern for providers and patients:

• Financial—Direct, automated access to a wide band of patient records will facilitate the growing trend of post-payment audits, denials and recoupments.
• Privacy and Consent—Unlike the healthcare community, payers have not earned patients’ trust to serve as custodians of their most personal and private information. Learning of payer aggregation and storage of these records by payers is not a practice patients would approve, and learning of it after the fact could lead to strong patient dissatisfaction.
• Information Governance (IG)—Automated sharing of full patient records with payers, and aggregating those records for permanent use, raises multiple legal and IG concerns. These include managing distributed health records, meeting HIPAA requirements for minimum use and correction of errors, and inadvertently sharing encounters for which the payer was not the guarantor.
• Security—Automated access to health data by payers increases a provider’s exposure to cyberattack, and the aggregation and storage of that data in the payer’s IT system widens the potential exposure to large-scale breach.

The presentation included recommendations for payer access to EMRs. For those details, please complete the form below.