The Privacy Mindset with Third Party Record Reviewers
As HIM professionals, we expect others we encounter in our personal and professional lives to share the same high level of commitment and dedication we bring to our profession. We also expect that from our team at the office, including external third-party auditors and record reviewers.
External reviewers must share your organization’s commitment to protecting patient privacy and keeping medical records secure. But as the Department of Health and Human Services’ Health Information Privacy website reveals, many external reviewers (especially payers) have experienced massive breaches, affecting 500 individuals or more. Their risks are the same – but what about their safeguards?
As an HIM professional, how can you ensure external reviewers maintain good privacy and security practices over the information they are given—whether paper or electronic? What types of procedures should you have in place? How can you achieve agreement and compliance with your privacy policies? This article explores these issues and provides HIM professionals with practical ways to extend the privacy mindset to their external, third party reviewers.
Establish Your Policies
The volume of records being requested is on the rise. And the contagion of external auditors and third party record reviewers has placed increased pressure on HIM staff and the release of information (ROI) process. Policies and procedures must be established to secure these records and ensure a consistent, mutual commitment to patient privacy. As HIM professionals work to establish these policies, they should understand three important industry drivers:
- Reviewers prefer remote record review versus onsite.
- Reviewers are trying to avoid reimbursing for records.
- HIPAA applies to reviewers too.
MRA works with numerous HIM departments across the New England states that produce thousands of medical record copies for external, third party reviewers. Seventy-five percent of external, third party reviews are conducted off-site, primarily for insurance company and other payer audits.
The fact that these reviewers prefer remote record review is good news for HIM departments struggling to find space for external auditors, but wreaks havoc on department workloads due to the effort involved in producing the records and ensuring PHI privacy. Your policies and procedures must address remote record review and should include requirements for:
- Proof of authenticity from the auditing body
- List of requested records
- Copy of business associate agreement with payer, or relevant third party
- Proof that reviewer is employee or independent contractor of auditor
- Signed agreement to abide by all HIPAA policies and procedures of provider organization
- System access controls and audit logs for any technology utilized to facilitate the remote review
- Internet (IP) address, e-mail address, telephone and physical location from which records will be viewed
HIM professionals are encouraged to utilize e-delivery technology within their ROI system or that of third party ROI providers to give electronic access to only that portion of the patient record requested by the reviewer.
If reviewers are coming on site, the HIM department should have a checklist of items required upon arrival at the facility, a designated location for record review and a staff member assigned to support/assist reviewers. In addition, if the facility’s EMR does not support an appropriate level of system access controls, the HIM department should assign a resource to monitor the reviewer to ensure only the requested patient records are accessed.
Finally, whether access to the record is provided via onsite review, remote EMR access, or remote access via e-delivery, only the minimum necessary information should be sent to reviewers in accordance with HIPAA regulations. The minimum necessary information represents just those pertinent documents required to conduct the review. With remote access and record review requirements shored up, HIM professionals can turn their attention to another area of increasing concern—record reimbursement.
Some reviewers are trying to avoid reimbursing providers, or their ROI companies, for copies of records based on the argument that these reviews are covered by the payer/provider reimbursement contract. While certain payer contracts may provide for retrospective record requests, more often they limit the non-reimbursable request language to additional documentation necessary for claims adjudication. It is easy for an HIM professional to confuse reimbursable, retrospective record requests with the non-reimbursable requests for additional documentation at time of claims submission and payment.
HIM professionals are encouraged to check requests carefully. Any retrospective reviewers, even those working as, or requested by, a legal acting agent, are obligated to reimburse for reasonable and expected record charges. Bottom line: if the case has been reimbursed and the review is retrospective, a fee should be charged in accordance with state record reproduction rules unless the payer/provider reimbursement contract explicitly states otherwise.
To avoid any risk of the reviewer claiming records should be provided at no charge, the HIM department should request the following two items:
- Proof that requestor is “legal acting agent” of the medical insurer.
- A copy of the contract between provider and insurer which states that medical records are to be released to the insurer at “no charge” for the purpose of retrospective reviews or audits.
If they are unable to provide this documentation, then records should not be provided until payment is received.
Often, HIM departments will find that the contractual language does not provide for a release of the records to the payer or a third party, but simply that the records will be made available for review. In situations where the reviewer would prefer to perform a remote review, the HIM department can negotiate for reimbursement given the operational efficiencies and cost savings the reviewer will realize if they provide access to the records remotely.
Finally, if possible, HIM professionals should work with the Managed Care Contractor at the hospital to ensure that there are record rates in the record review policy and managed care contract for each insurer. Customary charges average $10 – $25 per chart. Per page charges with a maximum $40 fee per chart are also typical. Rates should be part of annual negotiations with all insurers and providers’ contract officers/managed care directors. HIM professionals should work with contracting departments on HIPAA language, policy development and enforcement.
The ROI team that processes a third-party audit request should review the request letter and confirm the requestor is a representative of the insurance company or insured. If the reviewer is not an employee of the payer, they must have a business associate agreement (BAA) in place with the payer and show proof of this agreement.
In addition, the patient consent forms allowing records to be shared as part of treatment, payment and operations must be signed by the patient (or patient representative) and such authorization documented within the release of information or tracking software.
HIM professionals and the ROI team should work with the third party auditor to provide access as defined within the managed care contract while still protecting the privacy of PHI. When these steps are followed, compliance will be met by all.
Amy Derlink, RHIA, CHA
MRA Vice President of Disclosure Management