How to refine medical record sharing to mitigate risk and improve productivity

May 28, 2019 2:33 pm

An uptick in the volume of payer requests for medical records is expected to continue through 2019 and beyond, leaving hospital health information management (HIM) departments and managed care teams burdened with extra tasks. However, including certain language in managed care contracts can help providers mitigate financial, privacy and security risks associated with these requests.

The increase in medical record requests is due to DRG/post-payment audits and Healthcare Effectiveness Data and Information Set (HEDIS)/Risk Adjustment reviews as well as contract negotiators not realizing the mounting resource burden of taking on the sole cost and workload responsibility for providing payers with medical records.  

Guidelines for managed care contract language

The following guidelines can help HIM departments and managed care teams refine medical records language as a good defense against audits. 

  • Conduct a comprehensive review of each contract as it pertains to submission of supportive documentation including historical volume and charges to the insurance company. (This review does not include continuity of care requests currently provided to the insurance company at no charge.) 

  • Identify favorable contractual language to include in insurance company negotiations. Payers have historically paid for records. Clarity in this section of the contract eliminates doubt about the cost responsibility.  

  • Develop a summary of risks associated with allowing third-party access to hospital electronic health records (EHR). 

In addition to introducing language that contractually obligates health systems to charge below cost amounts required for the release of medical records, some health plans are attempting to negotiate direct access to hospital EHR. This direct-access approach potentially increases compliance risk and erodes payment for health systems by creating more opportunities for payers to review paid claims and recoup payment. 

Risks and setting priorities

When assessing managed care contracts, the medical records section is not always a priority for health system managed care teams. It usually appears at the bottom of the list. One reason may be that the managed care team may not realize the impact on HIM processes or the financial risks.  

It is a normal practice for health plans to receive copies of records from providers at no cost for the purpose of payment on initial claims. However, we have seen contract language that states “no charge” for all types of medical record copies, including those for typically chargeable requests, including audits and reviews.  

If no fee is charged, there is no incentive for payers to limit the number of requests, creating more work for HIM professionals. To avoid the medical record copy costs from falling on providers, contract language should state that payers will be charged a fee to receive records to audit a paid claim. 

Without strong language in managed care contracts to hold the payer accountable, providers face the following risks:  

  • Potential for payers to request higher volumes of records and recoup more funds 

  • Additional work for HIM if payer audits are not accurate, forcing providers to pursue the appeal process, creating more work for everyone involved 

  • The cost burden of producing more records

The difference between audits and reviews

The fact that payer medical record requests vary in purpose can create confusion regarding the difference between audits and reviews. Typically, the purpose of post-payment audits is to confirm correct claim coding and sequencing to determine if the correct payment was made to the provider. The health plan’s intention is to recoup funds on overpaid claims. Though HEDIS and risk adjustment reviews that measure provider performance and claim validity do benefit payers, there is no potential negative financial impact to providers.  

Risks from payer requests to directly access EHRs

Some payers are approaching providers with requests to have direct access to their EHR systems to reduce staff and cost burdens related to medical record requests. However, granting payers access to patient data comes with its own set of inherent risks to both providers and their patients.   

Financial. Direct, automated access to a wide band of patient records will facilitate the growing trend of post-payment reviews, denials and recoupments. 

Privacy and consent. Patient consent to share health records automatically for the purpose of providing care should not be assumed to extend to payers for payment purposes. It is unlikely that the aggregation and storage of these records by payers is a practice that patients would approve of in advance. Learning it after the fact could lead to strong patient dissatisfaction. 

Information governance. Automated sharing of full patient records with payers, and aggregating those records for permanent use, raises multiple legal and information governance concerns. These include managing a distributed health record, meeting HIPAA requirements for minimum use and correction of errors and inadvertently sharing encounters for which the payer was not the guarantor.  

Security. Automated access to health data by payers increases providers’ exposures to cyberattacks, and the aggregation and storage of that data in payers’ IT systems widens potential exposures to large-scale breaches. 

Bringing awareness to those negotiating managed care contracts and offering ways to mitigate financial, privacy and security risks may help providers handle medical record requests more efficiently and mitigate compliance risk inherent in allowing payers direct access to EHR information.  


Legal disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect or represent the views, opinions, or policies of MRO Corporation.


googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text1' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text2' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text3' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text4' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text5' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text6' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-text7' ); } );
googletag.cmd.push( function () { googletag.display( 'hfma-gpt-leaderboard' ); } );