Patient Privacy - The New Threats

You may not think much about medical records requests. Why should you? That’s why you have staff, after all.

And what’s to know, anyway?

More than you might think.

For starters, the HIPAA privacy regulations are loaded with nuances; you need to deal properly with them or risk or even (in extreme cases) jail time.

Also, new kinds of record requests have created novel challenges for practices just trying to keep up. Self-insured employers, for example, are becoming increasingly assertive about asking for take-backs and claims documentation. More and more health plans are auditing records for risk adjustment purposes or pay-for-performance programs. Medicare’s new “recovery audit contractors” are gearing up for a national assault. And while patients have always requested their records - when, say, they transfer to other practices or see specialists -don’t be surprised if some begin asking you for clinical data to include in their Web-based personal health records.

A more complicated task than in previous years? Yes. But not insurmountable. First, relax. You probably won’t go to jail: No physician has ever done time for a HIPAA violation and, indeed, enforcement, while likely to get a little tougher in coming years, has been pretty light thus far.

Next, check out our guide to fielding record requests in a litigious, privacy-obsessed society.

Attorneys

Unless you’re in a specialty that invites med-mal suits, such as OB/GYN or neurosurgery, you probably hear from malpractice attorneys rarely, if at all. But likely, you are pinged for record requests from lawyers for auto insurers and for people who have been injured on the job.

Such requests are fairly simple to process: Require the petitioner to submit the request in writing, accompanied by a signed patient consent form.

HIPAA allows the disclosure of patient records without specific patient permission only for purposes of treatment, payment, and operations (although this “TPO” exclusion has some tricky aspects we’ll discuss later). But if you have your patients sign a HIPAA privacy notice, you’re generally covered when you share records with payers and with other providers for purposes of patient care. Almost all other requesters must get the patient’s permission to view that patient’s records. If a request comes in without a patient consent form, says internist Greg Hood of Lexington, Ky., send it back without even indicating whether the person referred to is your patient.

A malpractice attorney may request records as part of pretrial discovery or before a suit is filed. In the latter situation, the lawyer is doing this because he may not yet know if he has a case or he may not know whether to include you among the defendants.

Normally, signed patient consent forms accompany these requests, says Steven Kern, a healthcare attorney in Bridgewater, N.J. If so, you must yield the records within 30 days in most states. However, some legal requests arrive with a subpoena signed by the attorney. Such a subpoena might just ask for records or it might also require you to appear at a deposition.

Take a good look at the subpoena before just handing over your patient’s records, though. Who signed it? Lee Johnson, an attorney and malpractice expert in Mount Kisco, N.Y., says the only true subpoenas are those signed by judges; subpoenas signed by attorneys don’t have the force of law. But a lawyer could easily get a judge to sign a subpoena if a physician doesn’t comply with his request, she notes.

Kern and Johnson agree that if you do receive a subpoena, then get legal advice. Kern suggests you consult your own lawyer first. If you have no liability, he says, going straight to your med-mal carrier will just lead to a higher malpractice premium. Johnson, on the other hand, advises that you contact your insurance company immediately. While there’s a chance your insurance rate might rise, she says, not notifying the insurer could result in a denial of coverage if you are sued.

What should you do if a codefendant’s lawyer asks you for patient records? Don’t share them if the suit has not yet been filed, says Johnson. Without your patient’s permission, it would be a HIPAA violation to show the records to another physician’s attorney before a suit is filed. After the complaint has been made, you’re allowed to send the records to your own lawyer and your malpractice carrier without the patient’s consent. But revealing them to codefendants would violate HIPAA and might compromise your legal position, she says.

Health plans

Health plans can audit your records at any time under the terms of their contracts with you. They also have patient consent by virtue of the forms that their members sign when they join the plan - and you have your HIPAA privacy notice.

In most cases, plans will examine claims data to determine whether they have a reason to audit your records. But some carriers want to see a random sample of charts at regular intervals. Aside from quality improvement efforts, the plans that do this are usually Medicare HMOs that are trying to establish the severity of your case mix so they can get higher payment rates from CMS.

“Frequently, the Medicare HMOs will send somebody to audit 30 or 50 charts,” says internist Kenneth Kubitschek, who belongs to a 12-doctor practice in Asheville, N.C. “That’s becoming more frequent. Apparently, what they’re interested in is ensuring they have the proper case mix - making sure that they’ve captured all the diagnoses that are appropriate. If we just submit a code for diabetes, but they find out that a patient has CHF, they’re very interested in that.”

Bear some caveats in mind when plans ask to see records. First, regardless of what your contract with the carrier says, an insurer has no right to view records of patients who are not plan members, says Margaret Davino, a New York attorney and HIPAA expert. Showing them those records means a HIPAA violation. However, plans can look at - and you can send them - records of former members related to services provided while they were members of that health plan, points out Ron Sterling, a consultant in Silver Spring, Md., who specializes in HIPAA issues.

Second, plans will often ask to see the entire chart, even though the patient has been a member only for a limited period. “Say a patient has been with a doctor for five years and has been with three different insurers during that period,” says Cindy Dunn, an MGMA consultant in Boca Raton, Fla. “If Blue Cross Blue Shield wants to audit the chart, unless the practice is very stringent in pulling just the records that have to do with the Blues, they usually get access to the entire chart, which isn’t legal.”

To prevent it from happening, Dunn says, your staff should always check on the effective dates of the patient’s coverage and then pull records that fall within those dates. That may be hard to do, because of course everyone working at your practice is busy, but failing to do so is a HIPAA violation.

An increasing number of plans are auditing records for quality improvement or pay-for-performance programs, and in some cases, for public scorecards. There’s no HIPAA violation here, and you probably want to cooperate to get bonuses or attract new business - even if it’s a burden on your staff.

Technology can really help streamline these requests. Before family physician Frank Belsito’s practice in Grand Rapids, Mich., went paperless, gathering such information took awhile. “If the plans were doing a chart review for some parameter of P4P, they used to give us three or four weeks’ notice about when they were coming in and the list of the patients whose charts they needed to review. We pulled the charts and they reviewed them,” he says.

Two factors have changed this process, Belsito says. First, the group now has an electronic medical record, which makes it easier to pull the data. And second, some plans, including Blue Cross Blue Shield of Michigan and Priority Health, allow practices to enter the performance data themselves on plan Web sites. Belsito’s group does this for all patients, because it has found that the P4P rewards more than compensate for the staff time required.

Similarly, family physician Jeffrey Pearson of San Marcos, Calif., says that the Sharp Community IPA, which handles most of his HMO business, recently asked him and other doctors to submit data on individual patients and authorize the IPA to contact those who were out of compliance. “There’s $2 million sitting on the table that could come to our IPA if they could prove that diabetic patients were hitting the targets for HbA1c, for example. If they don’t have that data, they won’t get it. So we all signed permission forms to allow them to get the labs and get that data. Because it will help us in the long run, and it’s good healthcare.”

Many health plans also audit charts to gather HEDIS data for the National Committee on Quality Assurance. This normally happens just once a year, and only some plans want to see patient records, says NCQA spokesperson Jeff Van Ness.

NCQA also has physician recognition programs that have bestowed public recognition on more than 12,000 physicians for excellence in diabetes, cardiac, back-pain care, office processes, and the use of electronic medical records. Both NCQA and Bridges to Excellence, an employer coalition that uses NCQA measures, audit about 5 percent of charts on which physicians report in the measured areas.

Employers

As more and more employers become self-insured, an increasing number ask to see patient records. In most cases, they want to determine whether they’re paying for redundant or medically unnecessary tests and procedures. Normally, employers go through the third-party administrators or insurance companies that manage their plans. But some employers are also using collection agencies to demand take-backs - or alternatively, to examine patient records.

You may not even know whether a certain patient is in a fully insured or a self-insured employer plan. All you or your staff see is the insurance card from Aetna, United, or some other carrier. “Then physicians get a nasty surprise when they receive a request through third-party agents representing the employer to recoup dollars or get information,” says Susanne Madden, a New York consultant and former health-plan executive.

These employer-initiated requests, notes Madden, typically occur long after the date of service. “If an employer is no longer with an insurance company and has switched to a different administrator, they may do an audit that goes back two or three years, and that’s where you’re seeing certain things like this occur. In that case, the employer might ask a collection company to go to a practice and take back this money.”

Believe it or not, self-insured employers have the same right as any other payer to examine records, says Margaret Davino. “Even if you don’t have a signed patient authorization, under HIPAA [a self-insured employer] can ask to see the records for payment purposes.” Of course, you don’t have to surrender the records, and there’s usually no direct contract between a practice and an employer. But Madden says that some network contracts have a clause requiring physicians to provide records to self-insured employers.

How about the right of patients to shield their medical records from their employers’ scrutiny under HIPAA? Davino explains that an employer should erect an internal information barrier “so that access to the records is by people who don’t have any decision-making ability or knowledge in terms of employment.”

That might be a bit difficult, however, in companies that have established human resources departments, as such departments usually handle benefits as well as employment issues. Privacy boundaries can blur. “There’s a huge hole in the HIPAA protections in terms of how that could be utilized by an employer,” says Gerald DeLoss, a Minneapolis healthcare attorney. While the employer has the right to see patient records, he adds, “it certainly leaves the door open to have the information affect hiring decisions, although it’s proscribed.”

Bottom line: You may have to hand over the records to an employer or its agent, but still, do what you can take to protect your patient, says DeLoss. “To be protective of the patient, I’d ask the patient for authorization before releasing the records.” That also can cover you under HIPAA if the employer breaches the information barrier, adds Madden.

Medicare

There’s no indication that Medicare carriers are increasing the number of audits they do. And the HHS Office of the Inspector General reported a substantial drop in the amount of money recovered in its fight against Medicare/Medicaid fraud and abuse: It netted only $2.2 billion in the first half of 2008, compared with $2.9 billion in the first six months of 2007.

Nevertheless, CMS recently added a new weapon in its effort to identify overpayments in the Medicare program. Known as “recovery audit contractors,” or RACs, these private companies are paid on a contingency basis. That is, they get a certain percentage (currently 20 percent) of whatever overpayments they recover for CMS.

Following a successful pilot program in which the RACs recovered over $900 million during a three-year period, CMS announced in October that it had contracted with four RACs that would roll out their collection efforts across the country during 2009. (Complaints from some unsuccessful RAC bidders may delay things a bit.) Some observers believe that the RACs will focus mainly on hospitals. That view is supported by the fact that in the pilot program, 85 percent of the money recovered came from hospitals.

But Melanie Combs-Dyer, a senior technical advisor for CMS, says that physician practices can expect to be audited by the RACs, as well. The RACs initially focused on hospitals, she says, because their average charges are much higher than those of physicians, and so yield higher contingency fees. Also, E&M claims - the bread and butter of primary care-were excluded from the RACs’ purview in the pilot, but are now fair game for the bounty hunters.

David Glaser, a Minneapolis attorney who helps doctors facing Medicare and Medicaid audits, says that RACs aren’t any more threatening to physicians than Medicare carriers are. The fact that RACS are paid on a contingency basis might make them more discriminating in what they audit, he says. Also, the RACs are limited to Medicare fee-for-service and can’t go back farther in your records than Oct. 1, 2007. On the other hand, they have the same audit rights as Medicare carriers, and, like the intermediaries, can extrapolate from overpayments in one batch of claims to all of a practice’s Medicare claims for a certain period.

Combs-Dyer confirms that RACs can extrapolate from audited claims to a larger universe. But she also points out that CMS has imposed limitations on the number of records that can be reviewed by RACs and how often they can audit a practice. These limits are calibrated to the size of a practice: For example, if a RAC audits a soloist, it can review only 10 medical records once every 45 days; in a group with 16-plus doctors, it can look at 50 records every 45 days.

“We think that by establishing these limits, we can minimize the burden on the provider community and be more fair by having a larger number of records for a larger provider,” says Combs-Dyer.

Patients

Patients’ requests for their own records comprise the vast majority of record queries. Aside from the reasons already listed, patients ask for records when they’re leaving your practice, when they’re relocating for the winter or summer, when they need to share records with other providers, or when they want to add data to their personal health records.

Sometimes, patients ask doctors not to put certain facts in their medical record, or not to release particular records. They might do this because of the sensitive nature of the information, or because they’re afraid their employer might see it (which is not an inconsequential concern, as we’ve seen). Some patients are worried that they might not be able to get insurance because of something in their record.

Of course, you can’t exclude a pertinent medical fact from the patient’s record. To do so would expose you to liability if another physician made a medical decision based on that record without knowing about the omission, says DeLoss. Also, as internist Ken Kubitschek observes, it’s hard to treat a patient without documenting everything relevant to the patient’s condition.

Still, not everything that a patient tells you has to go in the record, Kubitschek adds, especially if the information is not clinical in nature. In his own EMR, he says, he has the equivalent of “sticky notes” that he uses to remind himself of certain facts about patients. If a patient tells him about a marital problem, for example, he can write that on a sticky note without including it in the permanent medical record.

Family physician Frank Belsito takes a slightly different approach. Everything that’s medically relevant goes in the record, he says, but he honors patients’ written requests not to release certain information. Attorney Margaret Davino thinks that’s a good idea, but notes that outside parties’ consent forms might not allow such selectivity.

Now, not later

No matter what kind of record request your office is dealing with, what will usually keep you out of trouble is preparation. As consultant Cindy Dunn points out, staff training and written policies are essential. That said, make sure your staff doesn’t err on the side of too much caution either: “Practices are truly paranoid about HIPAA,” Dunn notes, adding that better staff and patient education about the privacy statute could prevent a lot of problems.

So what’s the take-home? Record requests are not a big threat to your practice, but their importance shouldn’t be minimized either. Be prepared, and you’ll be all right.

Ken Terry is a freelance journalist with years of experience in healthcare technology coverage. He can be reached via physicianspractice@cmpmedica.com.

This article originally appeared in the March 2009 issue of Physicians Practice.