Update on risk adjustment audits
By Legal & Regulatory Affairs staff
Since we last reported on the new risk adjustment (RA) audits insurance companies are required to conduct under the Affordable Care Act (ACA), we’ve seen a big increase in the number of insurance companies sending these audit requests. We expect to have a clearer picture of how prevalent RA audits will be for members by the first annual deadline in November 2015.
As reported last fall, RA audits are required by risk adjustment provisions of the ACA. Passage of the ACA means a larger segment of the population has entered the insurance market, many of whom were previously uninsurable. Federal regulators set up a Risk Adjustment Program to keep insurance plans with unhealthy patient populations competitive with plans with healthier populations for whom care is less expensive. Millions of dollars from plans with healthier populations will flow to plans with less healthy populations.
The primary purpose of these audits is to annually and randomly “spot check” that patients’ health status and diagnoses are accurately reported, so that the large flow of risk adjustment dollars is based on accurately reported patient data. The RA audits are aimed primarily at plans sold through the health insurance exchanges (HIX) created by the ACA, but there are reports of audits comparing care under HIX plans to care under traditional commercial plans.
In contrast to traditional managed care audits examining recordkeeping, billing or medical necessity (PDF, 649KB), these audits affect the insurance company (through the risk adjustment payments it makes or receives), rather than the individual patient or psychologist. They also have a much narrower focus than traditional audits — confirming the basic health status and diagnosis of the sampled patient — as opposed to a broad examination of recordkeeping or medical necessity.
This leads to the APA Practice Organization’s (APAPO) main concern with these audits, which often request the patient’s “full chart.” Some companies were not aware that many psychologists keep what we call a “combined record” — the basic clinical information comingled with sensitive details of therapy — instead of protecting those details from insurer scrutiny in separate psychotherapy notes.
If for example, the psychologist produces 20 pages of a combined record in response to a RA audit, this is not only a lot more than the auditor wants to read in order to glean the patient’s health status; it is also arguably much more than the “minimum necessary” information that the insurer should be receiving according to the HIPAA Privacy Rule.
Our second major concern is that because RA audits focus on the full array of health care (which is relevant to the patient’s overall health status), some audit companies had not focused on the heightened protection that state confidentiality laws confer on mental health records. Thus, many audit letters assure the psychologist that HIPAA allows the release of information when in fact, most state’s confidentiality laws require patient consent (typically obtained in the informed consent documents) and a few states have more stringent requirements for notice or authorization at the time of the audit.
We raised these two issues with the first major insurer to conduct these RA audits, Anthem BCBS. In response, Anthem worked collaboratively with us to develop a protocol that addresses our patient privacy concerns, while allowing the company to meet its RA-audit obligations under the ACA.
We believe that our advocacy and collaboration with Anthem has achieved a reasonable standard for approaching any RA audit, so we recommend following the steps outlined below regardless of the company initiating the review. To the extent that other companies are unwilling to follow this approach, we will engage in necessary discussions and advocacy.
Step 1: Determine if this is a RA or traditional managed care audit
It is not always easy to make this determination, but RA audit letters may specifically mention “risk adjustments” and the ACA, talk about verifying or clarifying member health status or diagnosis, or meeting documentation requirements of the Department of Health & Human Services. We have seen some companies describe this as “data collection” or “data review,” instead of using the term “audit.”
If you unable to determine whether this is an RA audit, you can contact the auditing company or the insurance company (on whose behalf the audit is being conducted). Members may also contact the Office of Legal & Regulatory Affairs for assistance.
If this is an RA audit, follow the steps below. If it is a traditional managed care audit, see our prior guidance for that type of audit (PDF, 649KB).
Step 2. Determine whether you have the necessary consent before releasing information.
Note: The following instructions are for the majority of states that merely require patient consent at the start of treatment in order to release information to insurers. For California and states like Washington that require a detailed, contemporaneous "authorization" see Special Instructions below.
In “consent” states, we believe that the necessary consent is covered if you used language from the psychotherapist-patient agreement in the APAPO/Trust HIPAA for Psychologists product or from The Trust website. Those informed consent documents include language designed to provide consent for releasing patient information in response to a broad array of insurance company requests. The key part of that language says:
You should also be aware that your contract with your health insurance company requires that I provide it with information relevant to the services that I provide to you. I am required to provide a clinical diagnosis. Sometimes I am required to provide additional clinical information such as treatment plans or summaries, or copies of your entire clinical record.... By signing this Agreement, you agree that I can provide requested information to your carrier.
If you have had your patients sign this or similar consent language that allows release of records to insurers for any purpose (not limited to situations where you are seeking payment/reimbursement), then you can proceed to the next step of determining what records to provide.
If you have do not have such a consent from your patient, you should ask them to sign a consent form using language like that above.
Please note: We recommend that you respect a patient’s objection to producing records in response to an RA audit, even if he/she previously signed an appropriate informed consent document.
Step 3: Determine what records to provide
Psychologists who keep separate psychotherapy notes as defined by HIPAA can just produce the separate clinical record. Similarly, members who keep a single lean clinical record with no sensitive therapy details of therapy or thoughts about diagnosis can provide that record. Companies should not be requesting psychotherapy notes for RA audits (or any other type of audit). See recordkeeping discussion at the end of this article for more details.
Psychologists who keep a “combined record” (containing basic clinical information comingled with extensive detail from therapy sessions) must be more careful about what to provide. Anthem (and subsequently BCBS MN) has indicated that psychologists may extract just the information that is needed, as detailed in the list below. We also suggest you also follow this approach when providing information to other companies.
- Clinical documentation (admission, discharge notes, or progress notes).
- Medication prescription and monitoring.
- Modalities and frequencies of treatment furnished.
- Results of clinical tests.
- Summary of the following:
- Functional status.
- Treatment plan.
- Progress to date.
This is essentially the list of items that HIPAA excludes from heightened protection under psychotherapy notes. It is also the core of what we recommend as the content for the clinical record for those who keep separate psychotherapy notes, or a “lean” clinical record. Psychologists can include this information in the clinical record because this is the type of information that is appropriate for sharing with insurers or other providers.
Note: Psychologists in New Jersey should extract information based on the somewhat narrower list of information in the New Jersey Peer Review law. Psychologists in the District of Columbia should follow D.C.’s similarly restrictive privacy law.
We suggest that you extract the relevant information from a combined record in a way that provides a copy of the actual record text (rather than summarizing the record) because audits are typically based on original records. We have heard of one company that allowed psychologists to just provide a summary of a combined record. That may be easier to do, if the auditing company allows it.
Notice requirement for psychologists in California
In California, insurance companies must send the psychologist and patient a notice required by California Civil Code 56.104 when requesting outpatient psychotherapy records. So for California audits, follow this section instead of Step 1 above.
You should not send records in response to an RA audit until you have received the required notice under 56.104 which specifies the therapy information being sought, and the intended use of that information, among other things. The company is then required to send the patient a notice within 30 days of receiving the records. We realize that the timing makes little sense — that patients receive notice after their records have been released — but that is how the law is written.
While prior patient consent does not appear to be required under 56.104, we recommend that if your patient informs you that he/she objects to producing their records before you respond to the audit, you should respect that objection.
Anthem has agreed to send notice to the psychologist and patient as described above. Other insurance companies conducting RA audits in California should follow this requirement as well.
Special Instructions for “authorization” states
In a small number of states like Washington, a general consent at the start of treatment is not sufficient. In those few states, instead of following Step 1 above before releasing records, you will need to obtain an "authorization" form signed by your patient (or his/her parent, guardian or other representative) that specifically authorizes releasing records to the audit company for the particular risk-adjustment audit. If you practice in these states, we expect that you have a standard authorization form, such as the one provided in the APAPO/Trust HIPAA for Psychologists compliance course.
A Note about Notes: Recordkeeping in light of increased audits
We are aware that many psychologists do not keep separate psychotherapy notes. Since we anticipate a greater frequency of these RA audits (and traditional managed care audits) in the future, those who keep a combined record as described above might consider the following approaches:
- Continue keeping a combined record and understand that you will need to devote more time to extract the clinical information as audits are received.
- Keep the details of therapy in separate psychotherapy notes as a matter of practice.
- If your style/practice does not require you to record those details, just omit them from your record and keep a lean record.
- Create separate psychotherapy notes only for those patients and/or sessions where more detail is necessary.
These recordkeeping approaches will simplify your task should you face further audit requests in the future.
Please note: Legal issues are complex and highly fact specific and require legal expertise that cannot be provided by any single article. In addition, laws change over time and vary by jurisdiction. The information in this article does not constitute legal advice and should not be used as a substitute for obtaining personal legal advice and consultation prior to making decisions regarding individual circumstances.