Financial Sustainability

Healthcare organizations should expect a surge in managed care audits and reviews in the COVID-19 aftermath

September 28, 2020 6:04 pm

Before COVID-19, healthcare organizations were experiencing a steady influx of audit activity from health insurance companies. Audits conducted both before and after payment coupled with HEDIS/risk adjustment reviews represented about 30% of the medical records requested in the first quarter of 2020.a

Immediately following the outbreak of the COVID-19 pandemic, many providers, including hospitals and physicians, experienced a break in payer reviews and audits.  

Now, in the second half of 2020, providers should be prepared for five trends in audits, reviews and associated information requests, which many may already be experiencing: 

  • A shift from pre-payment audits to post-payment activities
  • Continued quality/risk adjustment reviews by managed care payers through the remainder of 2020
  • An increase in medical necessity audits focused on COVID-19 cases
  • The continuation of HEDIS reviews for next year’s review period
  • Skyrocketing requests for records from plaintiff’s attorneys as lawsuits climb

Impact of COVID-19

At the start of the pandemic, although commercial and Medicaid HEDIS reviews and Medicare risk-adjustment reviews continued without interruption, CMS and most other payers suspended all other audit and review activity to allow healthcare organizations to focus on patient care. Medicare HEDIS requests for 2018 information were cancelled, and some states put a hold on payers being able to conduct any audits whatsoever. Third-party auditors also were required to stop requesting records and conducting audits in some states based on these new rules. All these actions gave many healthcare providers a brief reprieve from having to release information to payers.

Providers likely have begun to see an influx of payer requests now that the COVID-19 curve is flattening, and communities have begun reopening. Payers have begun to recast their audit and review nets with the loosening of the industry’s short-term restrictions. Payers are also keen to research COVID-19 claims and encounters as the entire industry works to determine how payment for COVID-19 treatment will be addressed in the future. Providers should gear up for a deluge of new activity.

Teams responsible for managing audit processes

Operational responsibility within provider organizations for releasing information to payers for audits and reviews is commonly spread across three areas:

  • Audit teams
  • Business office
  • Health information management (HIM)

While many organizations rely entirely on internal staff to process payer audit requests, some organizations have reduced internal staff involvement by providing payers with carefully guarded access to information.b

Proactive responses to trends

Some of the five trends listed above are related to claims, but others are not. All will affect staffing and budgets as organizations witness a new normal in administrative burden and financial risk.

Preparing audit, business office and HIM staff for the influx in payer requests for information is critical to prevent stress on revenue cycle department resources, high departmental costs and delays in payment. An important step is to bring staffing levels back up to normal as soon as these trends are seen. Organizations also can benefit from implementing an efficient technology-enabled process to manage payer information requests. There are several software systems available to track audit requests fo records, but theses systems aren’t usually used for HEDIS and risk adjustment. Release of Information (ROI) and disclosure management companies embed request tracking software as part of their services.

Such steps can help providers effectively address all medical record requests while avoiding backlogs, frustration, payer abrasion and reimbursement disruption.

Further, leaders should focus on interconnecting any information silos that might exist with respect to audits, reviews and other record requests, including lack of information sharing among the audit department, business office and HIM. Even where information sharing has already been in place as a best practice, attention should be given to any weak links as collaboration will become even more important amid the rising flood of record requests for COVID-19 cases.  Interdepartmental transparency also is the only way to provide the type of detailed data and analytics needed for operational planning and more effective managed care contracting.

Laying the foundation through managed care contracting

No discussion of payer reviews, audits and record requests is complete without addressing how such requests should be addressed in managed care contract negotiations. Many organizations do not give enough attention to the medical records section of the managed care contract for three reasons:

  • The managed care team negotiating the contracts may not be fully aware of the resource burden and financial risk for the entire organization, particularly if the audit department, business office, and HIM may not have provided preferred language to the managed care team for their sections of the contracts..
  • The healthcare organization lacks data to strengthen negotiations with payers regarding the volume and frequency of information requests by payer
  • The growing volume of managed care contracts creates a practical challenge for the organization in being able to analyze every agreement.

Beyond exploring opportunities to revisit existing contracts, providers will have increasing opportunities to address audit and review issues in managed care contracts because the number of contracts is expected to grow through the rest of 2020. By stipulating new parameters for information requests during negotiations, providers can protect themselves and their teams from future operational and financial risk.

Payer contract start dates and durations vary, and some contracts have evergreen clauses. Therefore, it is important that managed care leaders track all contracts in a central be well-informed about managed care contract terms and conditions related to information requests in a post-COVID-19 world and to remain aware of what’s happening with request volumes.

4 points for managed care leaders to consider

In assessing managed care contracts, provider’s managed care leaders should consider the following four points.

1. Interpret payer audit language. Carefully decipher the medical records section of the managed care contract terms, including payers’ rights to obtain records for the purpose of paying claims, aggregating data and analyzing records for risk adjustment.

2. Analyze release of information data. Review and analyze internal data regarding release of information, including which payers submit requests, the volume of requests, the purpose of requests, average page count and average invoice price. This knowledge strengthens the medical records section of the managed care contract by entering post COVID-19 negotiations fully informed and prepared and supporting negotiations to set limits on payer requests.

3. Use best-practice contract language. Seek out proven examples of fair and compliant language specific to the release of medical records for audits and reviews. Focus on post-payment audits during all upcoming managed care contract negotiations as pre-payment activity shifts to post-payment potential recoupment reviews.

4. Define strict boundaries for payer access to electronic health records (EHRs). Payers often propose that their ability to access to an organization’s EHR can expedite claims processing, reviews and audits. However, granting payers electronic access to data creates financial, privacy, security and information governance risks to providers and patients. One of the greatest concerns is that direct access to a broad range of patient records will increase the volume of post-payment reviews, denials and recoupments, along with potential exposure to cyberattack and breach. Managed care contract negotiations should address the potential risks involved in payer access to EHRs and include strict boundaries for its use.

Ready for the return

Given the mounting challenges hospitals and health systems face in the-COVID-19 world and beyond, it is critical for these organizations to pursue clearly defined strategies to alleviate operational, financial and privacy risks associated with releasing information to payers. As a central part of these strategies, the organizations should ensure their managed care contracts contain explicit language designed to promote payer accountability and to protect the hospital or health system from being overburdened by payer audit activities and from having to absorb all the costs of such activities.

Amid all these considerations, we offer three final points to consider regarding the new influx of requests and stipulations in post COVID-19 managed care contracts:

  1. Be vigilant in guarding against a payer tendency to request increasing volumes of records in efforts to recoup more funds.
  2. Plan for increased workload for HIM in response to inaccurate payer audits that prompt the appeal process.
  3. Watch for payer attempts to place the cost burden of producing more records on the providePa.


a. Requestor tracking, 2019, MRO Corporation internal company database; HEDIS (Health Effectiveness Data and Information Set) contains data collected by the National Committee for Quality Assurance (NCQA) from health plans and other healthcare organizations.
b. Grotto, E., “St. Luke’s Health System decides to allow carefully monitored, specific-payer access to its ehr after buy-in from all internal stakeholders,” hfm, March 2020.

Shifts in audits and reviews: what providers need to knowa

CMS recently released a communication outlining steps it has taken to lessen the burden of medical record requests during the COVID-19 pandemic: CMS Flexibilities to Fight COVID-19. Here are key points regarding which types of requests have been suspended and which have not.

Medicare Risk Adjustment Data Validation (RADV) audits. Medicare is suspending RADV audits on payers during the pandemic. RADV requests are audits CMS performs on the payers to validate the accuracy of the data the payers have submitted to receive additional compensation from Medicare.

CMS audits (government audits). CMS has allowed recovery audit contractor (RAC) and Medicare administrative contractor (MAC) review activities to resume as of Aug. 3, 2020, including prior authorization and other audits that require them to ask providers for documentation. Of note is the recent addition of total hip and knee replacements on the approved list for RACs.

Commercial and third-party audits. Commercial payers, some of whom paused payment integrity audits, have all resumed. Early COVID-19 claims are being reviewed and have an impact on large-dollar, aged accounts.

Medicare risk adjustment (MRA) reviews. MRA reviews have not been suspended at this time, and Medicare Advantage plans will be requesting char(Medicare plans). CMS released guidance for Medicare that indicates they will be using Measurement Year 2018 rates and there is no need for providers to continue to collect records. These types of requests have been suspended as payers no longer need the records. Requests will resume in 2021.

HEDIS (commercial and Medicaid plans). Plans will continue to collect records that have been previously requested, but many are not initiating new requests until 2021.

Commercial risk adjustment (CRA) reviews. CRA reviews have not been suspended and payers are still collecting records. The U.S. Department of Health & Human Services has extended the payers’ ability to submit their data until end of April 2021.


a. As of September 15, 2020.



googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );