Recommendations for members who have received Inovalon audit requests for Anthem BCBS and other companies.

Note: This information is current as of Nov. 11, 2014 and does not constitute legal advice. Please also see the disclaimer at the end of this article.

As discussed in a previous PracticeUpdate article, some members have received letters from Inovalon requesting “full chart” patient records as part of an audit. Inovalon is conducting these audits on behalf of various health insurers — primarily Blue Cross Blue Shield (BCBS) companies such as Anthem/WellPoint Blue Cross companies in California, Ohio, Georgia, Connecticut and other states; BCBS of Minnesota (BCBSMN); and Independence BCBS. Emblem Health in New York is also involved. 

The APA Practice Organization (APAPO) is working with state associations to assess these audits, starting with communications to Anthem and BCBSMN explaining our concerns. How you should respond depends on which insurance company is directing the audit, and how you keep your therapy records. 

The audits are being driven by risk adjustment provisions of the Affordable Care Act (ACA), and are new to us and to health insurers. Passage of the ACA means a larger segment of the population has entered the market, many of whom were previously uninsurable. 

Regulators have set up a Risk Adjustment Program to keep insurance plans with unhealthy patient populations competitive with those plans with healthier populations for whom care is less expensive. Funds from plans with healthier populations are transferred to plans with less healthy populations. The primary purpose of these audits is to annually and randomly “spot check” that patients’ health status and diagnoses are accurately reported, and to keep premiums low and competitive.

Our recommendations are based on two main concerns raised by these audit requests: 

  • Patient consent/notification requirements. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provisions allow for the release of patient information for audits. However, more stringent state confidentiality laws (not pre-empted by HIPAA) may require prior patient consent in most states affected by the audits; California requires a special notice to the psychologist and patient.
  • The HIPAA minimum necessary rule. HIPAA stipulates that psychologists only release the “minimum necessary” information for the purpose of the request. 

    Members who keep separate psychotherapy notes as defined by HIPAA can just produce their separate clinical record. Members who keep a very lean single record with no sensitive details of therapy can also just produce that record.

    Anthem and BCBSMN have confirmed with us that they are not requesting psychotherapy notes in this audit. We will verify with other auditing insurers that they likewise recognize that HIPAA protects psychotherapy notes from health insurers’ requests.

    For members who keep a “combined record” that contains basic clinical information as well as extensive detail from therapy sessions, the issue of what to produce is more difficult. For a risk adjustment audit focused on verifying the patient’s diagnosis and condition, a combined chart with extensive notes and details from therapy is arguably much more than what the company needs (or wants).

    Anthem has told us that it will let members extract just the information that is needed, as detailed below. BCBSMN has indicated that it will get back to us on this issue.


We expect that other insurers that sell insurance through the health insurance exchanges created by the ACA will begin conducting risk adjustment audits. The annual audits required by ACA may significantly increase the frequency of audits for members and the need to prepare for them. 

We recommend that members who currently keep a combined record strongly consider:

  • Keeping the details of therapy in separate psychotherapy notes.
  • If the nature of your practice does not require you to record those details of therapy sessions, just omitting them from your record and keeping a lean record.

Because risk management audits focus on accuracy of diagnosis, members should also be mindful that the clinical record supports the diagnosis listed.

These recordkeeping approaches will simplify your task should you face further audit requests in the future. APAPO will provide more details on these recordkeeping considerations in future issues of PracticeUpdate.

We will continue to provide updates on these audits in future issues of the PracticeUpdate e-newsletter, in the Insurance Advocacy section of APAPO’s Practice Central website, and to state psychological association leaders as it becomes available. 

Note: This article is provided for informational purposes and does not constitute legal advice. The information should not be used as a substitute for obtaining legal consultation prior to making decisions regarding individual circumstances.


Click the tabs below for information for members based on the insurance company directing the audit.

Anthem audits

Anthem is working collaboratively with APAPO and the California Psychological Association to address the concerns raised in our Sept. 5 letter (PDF, 104KB). Anthem has clarified that it is not seeking psychotherapy notes in this audit and that patients and psychologists will be sent the required notice under California law. 

Our current recommendations for members are as follows:

Members in California

Step 1: We recommend that members in California respond after receiving notice from Anthem, as required under California Civil Code 56.104.

In California, Anthem must send the psychologist and patient the request/notice required by California Civil Code 56.104 when outpatient psychotherapy records are sought. Anthem states that it will send patients that notice, and will do so 30 days after receiving the records as allowed by law.

Anthem has clarified its intent to send that notice to the psychologist as well. We believe that psychologists cannot release the records until they receive the notice specified by 56.104.

Should a patient object to you producing their records in response to the audit, we recommend that you respect that objection and contact APAPO Legal and Regulatory Affairs staff.

Step 2: Once the 56.104 notice issue is resolved, determine what records to provide to Inovalon. 

For members who keep separate psychotherapy notes as defined by HIPAA, we recommend you just produce your separate clinical record. Similarly, members who keep a single lean clinical record with no sensitive therapy details can provide that record.

For members who keep a combined record (as described at the start of this article) Anthem has stated that the minimum amount of protected health information necessary to appropriately establish a member’s health status and risk score is: 

  • Clinical documentation (admission, discharge notes, or progress notes).
  • Medication prescription and monitoring.
  • Modalities and frequencies of treatment furnished.
  • Results of clinical tests.
  • Summary of the following: 
    • Diagnosis.
    • Functional status.
    • Treatment plan.
    • Symptoms.
    • Prognosis.
    • Progress to date.

This is compatible with HIPAA’s exclusion of psychotherapy notes. Psychologists can include this information in the clinical record because this is the type of information that is appropriate for sharing with insurers or other providers.

Anthem has confirmed that psychologists keeping “combined records” are to exclude or remove sensitive information from the submission.  Based on this stance, we suggest that members extract the relevant information from a combined record in a way that provides a copy of the actual record text (rather than summarizing the record) because audits are typically based on original records. 

Members in Ohio, Connecticut and Georgia

Step 1. Determine whether you have consent before releasing information for this audit. 

We believe that consent for this audit is covered if you used language from the psychotherapist agreement in the APAPO/Trust HIPAA for Psychologists product or from The Trust website. Those documents include language designed to provide consent for releasing patient information in response to a broad array of insurance company requests that are relevant to the psychological services you provided to the patient. The key part of that language says:

You should also be aware that your contract with your health insurance company requires that I provide it with information relevant to the services that I provide to you. I am required to provide a clinical diagnosis. Sometimes I am required to provide additional clinical information such as treatment plans or summaries, or copies of your entire clinical record... By signing this agreement, you agree that I can provide requested information to your carrier. 

If you have had your patients sign this or similar consent language that allows release of records to insurers for any purpose (for example, not limited to situations where you are seeking payment/reimbursement), then you can proceed to the next step of determining what records to provide.

Should a patient object to you producing their records in response to the audit, we recommend that you respect that objection and contact APAPO Legal and Regulatory Affairs staff even if the patient previously signed a consent form that covers the release.

Step 2:  Determine what records to provide

For members who keep separate psychotherapy notes as defined by HIPAA, we recommend you just produce your separate clinical record. Similarly, members who keep a single lean clinical record with no sensitive therapy details can provide that record.

For members who keep a combined record, please see the “combined records” instructions for California above.

Members in Other States

Anthem has just advised us that it is also conducting risk adjustment audits in New York (Empire BCBS), Wisconsin, Virginia, Colorado, Missouri, Indiana, New Hampshire, Maine, Nevada and Kentucky. We expect that members in most or all of these states can respond to these requests as described above for Ohio and Connecticut, because of similar state consent requirements. We will confirm that with those state psychological associations so that members can appropriately respond. We recommend that members hold off on responding until we confirm this information.

BCBSMN

On a call with BCBS of Minnesota on Oct. 3, company representatives indicated that their Inovalon audits are risk adjustment audits under the ACA. We had advised members who keep a combined record to wait for clarification as to what information to provide. They have since informed us that they will follow the instructions as given by Anthem/Wellpoint in California.

Our recommendation: Minnesota has a consent requirement like Ohio, Connecticut and Georgia. If you have had your patients sign general consent language (See Anthem instructions for Ohio, Connecticut and Georgia), you can move ahead with determining what information to provide. If you keep a separate clinical record or a "lean" clinical record as described above, you can go ahead and send that record. If you have a combined record, the minimum amount of protected information necessary to appropriately establish a member's health status and risk score is:

  • Clinical documentation (admission, discharge notes, or progress notes).
  • Medication prescription and monitoring.
  • Modalities and frequencies of treatment furnished.
  • Results of clinical tests.
  • Summary of the following: 
    • Diagnosis.
    • Functional status.
    • Treatment plan.
    • Symptoms.
    • Prognosis.
    • Progress to date.
This is compatible with HIPAA's exclusion of psychotherapy notes. Psychologists can include this information in the clinical record because this is the type of information that is appropriate for sharing with insurers or other providers.
Anthem has confirmed that psychologists keeping "combined records" are to exclude or remove sensitive information from the submission. Based on this stance, we suggest that members extract the relevant information from a combined record in a way that provides a copy of the actual record text (rather than summarizing the record) because audits are typically based on original records.

Independence BCBS in Pa.

The Pennsylvania Psychological Association has sent an inquiry to this company in consultation with APAPO. We will provide updates as we hear back from this company about the purpose of this audit.

Other audits

We recently have heard about risk adjustment audits in North Carolina by Cigna. We expect that the analysis will be similar to that for the Anthem audits, and will be working with the North Carolina Psychological Association to clarify that. We also will be working with the New York Psychological Association regarding the Inovalon audits for Emblem Health in New York.

We also have communicated with the Ohio Psychological Association and Ohio psychologists about Santé Analytics audits of psychological and neuropsychological testing on behalf of Anthem BCBS. These appear to be traditional managed care audits focused on the necessity of particular testing, rather than aimed at the broader issue of risk adjustment. Accordingly, you should follow our prior recommendations about responding to managed care audits (PDF, 649KB).