St. Luke’s Health System decides to allow carefully monitored, specific-payer access to its EHR after buy-in from all internal stakeholders

The push and pull between providers and payers regarding claims can be frustrating at best, and at worst, result in a denial. To increase both efficiency and payment, St. Luke’s Health System in Boise, Idaho, adopted a strategy some would deem risky: Inviting payers into their EHR system.

Cindy Andreason, director of health information management (HIM) operations at St. Luke’s, said the organization’s process of getting records to their payers was “clunky,” resulting in the payer saying they didn’t get the record they needed or that the record they received didn’t have the information they needed. Allowing payer representatives into their portal creates a more efficient process, she said. 

The internal conversation

The decision to adopt this strategy wasn’t one the health system took lightly. To some, opening the door to patient records could feel more like opening a can of worms.

“That’s kind of scary to some individuals, to allow payer access,” Andreason said.

St. Luke’s started with a comprehensive internal conversation including HIM staff, members of the revenue cycle team as well as the vice president of revenue cycle, IT, a privacy and security officer and a payer liaison. 

The risk chain

One critical decision when considering granting EHR access to payers is how much information to provide and how to provide it. Greg Ford, an associate vice president at MRO, a Pennsylvania-based disclosure management firm, recommends healthcare organizations limit payer access to their EHR to manual access by claim-specific encounter. In other words, the payer would request access to a specific document, and a staff member on the provider side would have to manually grant that access. This process would be like the process payers use to request paper records today.

St. Luke’s adopted this level of access for their payer partners, creating a template containing only the information that would have been available via the paper process. The payer must request access to a specific patient record for a specific encounter and then has access only to the elements in that template. 

A little riskier but possibly more convenient for the provider organization, payers could get automated access by claim-specific encounter. This level of access would cost the provider organization some control but could help free up the person responsible for reviewing requests, Ford said.

Moving up the risk chain, which Ford advises against, is automated access to a patient’s entire record (which opens the possibility of the payer using that record for any purpose). Some payers and their vendors can create a database of patient records, trying to mirror what the provider has in its own database. At that point, the provider has no control over what happens to the data, opening the doors for data breaches and loss of trust from patients.

“Having all that data out there is definitely risky,” he said.

Limiting access to necessary requests

There are additional reasons a provider organization would not want to allow payers to grab whatever records they want, Ford said. Payers want to access provider EHRs for three reasons, only one of which works in the provider’s favor, he said.

Claims processing. In this scenario, a payer representative is looking at a specific claim for a specific encounter and wants to ensure the information is correct. Ford said this type of review is a win-win for the payer and provider.

“If [the request] can be limited to that specific data encounter, we think that’s an area that makes sense. That’s going to get the provider paid in a more-timely manner.”

Review of a paid claim, also known as a post-payment audit. These reviews occur after a claim is paid and the payer suspects they’ve overpaid. Ford does not recommend agreeing to this type of review. 

“In those cases, they’re looking to take money back from the provider,” he said. 

Quality and risk adjustment reviews. The payer objective of a quality review is a better star rating. There’s no downside or benefit to  the organization there, Ford said. In a risk- adjustment review, payers aren’t looking to recoup from the provider but might want additional compensation from CMS. In these cases, Ford recommends strong HIM governance to ensure the organization releases only what is appropriate. Most record requests will require some work on the part of staff (making the provider’s cost of sending records higher with no return), and the more patient records that go out, the greater the risk of data leaking out.

“We don’t think it makes sense to open the floodgates for the review requests,” he said.

Results and continued monitoring

Once the system is set up with a payer, the provider’s work isn’t over, Andreason said. Periodic reviews are essential to ensure the arrangement is working as intended. St. Luke’s has been allowing payer access for less than a year and is keeping a close watch on how things are going, she said.

“Maintenance is key. After you set it up, you don’t want to stop reviewing what you’re doing,” she said. Changes to the EHR itself are something else to watch out for. An update might mean unintended changes to the way the payer views the system. 

“You have to make sure that you keep the integrity of what you established in place,” she said.

Response from payers has been positive, and the process seems to be running smoothly, but it’s too early to tell whether St. Luke’s will see denials reduced as a result of the effort, according to Andreason. The hospital is continuously monitoring the process. 

4 questions providers should ask before payer partners get EHR access

Providers should ask several questions of their payer partners when considering a plan that allows those partners EHR access, according to Greg Ford, an associate vice president at MRO.

1. What is the process for managing users on the payer side? If an employee leaves the payer organization, the provider should receive timely notification to discontinue that employee’s access.
2. Does the payer use third-party or offshore vendors or employees?
3. Who has access to the information after it is pulled out of the EHR?
4. What are the payer’s policies around security to ensure patient information is safe?