Stand up to Data Mining in Risk Adjustment

Did you receive an audit requesting records recently? If they’re calling it “Risk Adjustment,” watch out: it could be a legal excuse for data mining.

You’ll get these letters if you saw Medicare Advantage, Medicaid managed care, or clients with Marketplace coverage in 2023. The audit notices will arrive from companies you’ve never heard of. Names like Ciox, Episource, Inovalon, Cotiviti, MedInsight, and others.

It doesn’t matter whether you’re in or out of network. You’ll get these letters regardless.

Each year, private insurance companies that receive tax monies to sponsor government health insurance policies go through risk adjustment audits.

Say what? What the heck is risk adjustment?

Risk Adjustment (for once) isn’t about clawing back money from you. It’s definitely about money, though.

Here’s how it works.

Insurance is about managing risk. If too many sick people sign up for Plan A and only healthy people sign up for Plan B, then Plan A might go bankrupt while Plan B makes off with too much taxpayer money.

So “risk adjustment audits” were set up to equalize the risk among the competing managed care public plans. The auditors ask you for information on clients you’ve treated who have those policies. Whatever they receive gets put into an analysis and is sent to CMS, which then authorizes additional federal funding to compensate plans whose enrollees are shown to be “sicker” than average.

But – and I’m sure this will come as no surprise – there have been abuses. Imagine that.

Risk adjustment has become a legal means to go data mining – in your clients’ private records!

The goal of the auditing entity is to find as many diagnosis codes as possible – so the insurance company gets more money from the government. 

Am I exaggerating?

It has been very well documented over the last decade that payers and their outsourced risk adjustment vendors go on diagnosis code data mining expeditions through patient records in order to get extra money from the government. And they’ve received overpayments from taxpayers to the tune of billions of dollars.

Take a look at this “Wall of Shame.” Contact me if you want any of the articles.

Then there’s the most recent KFF report, dated September 30, 2024. Warning: don’t read it unless you’re prepared for some serious outrage.

How much money would you estimate the feds have recouped from these overpayments? (The answer is at the end of the article.)

Do I have to respond to risk adjustment audits?

Unfortunately, you do. Or they’ll conclude you have no documentation, and initiate a clawback, even though clawbacks weren’t their primary intent. In order to prevent the clawback, you’d have to send the records. So either way, they get what they want.

What about HIPAA?

HIPAA allows disclosures without a signed release for “healthcare operations,” which includes risk adjustment. It’s how you respond that complies (or not) with HIPAA. And that depends on what’s in the letter you receive.

Most risk adjustment letters I’ve seen ask for the entire contents of the chart. That’s data mining, and should be a firm “no!” By asking for the entire record, they’re asking for more than they would legally be entitled to receive under HIPAA. But they’re hoping you’ll send everything rather than engage in efforts to push back.

As the “covered entity,” HIPAA puts YOU, not the risk adjustment auditor, in control of what gets released.

How to respond to a Risk Adjustment Audit

No “Psychotherapy Notes”

Before you copy and send everything you have, please review what HIPAA considers to be “psychotherapy notes.” Information in mental health records is granted special protection under HIPAA and is never to be released without the client’s written authorization.

The following are exceptions. Below is what you can send without a release of information:

  • Session start/stop times
  • Modalities/frequency of treatment
  • Medication prescription/monitoring (if you’re the prescriber)
  • Results of clinical tests
  • Summary of:
    • Diagnosis
    • Functional status
    • Treatment plan
    • Symptoms
    • Progress to date / prognosis

Start with a treatment summary.

Your best bet is to write a short summary of the above. Only include data from YOUR treatment. If the client has past or present diagnostic conditions you weren’t actively treating on the date(s) of service covered by the audit, don’t include these diagnoses unless they were reported on your claims. Your responsibility is to report what you were treating (what the insurer paid for). No more, and no less.

Don’t hide anything you were treating – remember, they can access the claim records. But just because Ciox or Episource requests something and asserts that their request falls under HIPAA’s TPO exception (treatment/payment/operations), doesn’t make it so. In fact – it’s probably not compliant. Despite what their letter would have you believe.

Why?

Remember the “Minimum Necessary” rule!

HIPAA requires covered entities to release only the minimum amount of information necessary for the purpose stated in the request. You get to decide what’s “necessary.”

When they request your entire chart, it’s not exactly “minimum.” It’s data mining.

If all they want are the conditions / diagnosis codes treated, then a summary should and will suffice.

Get a release from your client if they persist in wanting more.

If they say a treatment summary isn’t “sufficient,” you should discuss with your client what other information they’re comfortable allowing you to disclose. If the client consents, disclose what the client gives you permission for.

What do I do if my client won’t release any more but the auditors say a summary isn’t good enough?

There are ways to push back and get them to stop.

Write a letter, using any or all of the following arguments:

  • Because of the sensitive and potentially stigmatizing nature of mental health conditions, I felt it necessary to discuss releasing further information with my client. My client declined, as is their right under HIPAA.
  • If you still believe the additional information you’re requesting is necessary to your purposes, please indicate those purposes clearly so that I can discuss with my client. What will these records be used for? Who will see them?
  • Cite HIPAA: “a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.” 45 CFR 164.514
  • Since Ciox / Episource, etc. does not have a direct relationship with my client, our practice’s policy is to request a copy of your Business Associate Agreement with the Medicare Advantage payer who is requesting this information.
  • Please provide a copy of CMS’s request to you for the information you require from our practice. The request from CMS must be on CMS letterhead, and include the Medicare beneficiary number, name, and date of birth. We will conduct an independent verification of the validity of your request for the complete medical record.
  • Because the medical record you’re requesting is for the purposes of CMS Risk Adjustment, as the covered entity, our policy is to ensure the information Ciox reports to CMS from our practice is accurate. We request a copy of all information disclosed to CMS, and a copy of the attestation made by the Medicare Advantage payer to CMS that its Risk Adjustment submission was complete and accurate.

After some or all of that…they’ll probably give up!

What do I do if I send the records and they keep calling, saying they didn’t receive anything?

They’re hoping you’ll send more the second time around. Don’t fall for it. Instead, use the HIPAA shield again.

Imagine the conversation going something like this:

Episource Rep: So sorry for the inconvenience, but we did not receive those records. Would you please mind to send again?

Clinician: I have proof that they were received in the mailroom on October 9, 2024 and the person who signed for the package had the initials F.U.

Episource Rep: I am so sorry to bother you but we do not have the records.

Clinician: Have you asked the department where F.U. works?

(this can go on as long as you want it to…but now we get to the good part)

Clinician: Ok, let me speak to your compliance officer.

Episource Rep: I don’t know who you mean.

Clinician: The manager in charge of making sure your company complies with the HIPAA Privacy Act. You’re supposed to know who that is and are required to release their name / contact information upon request. I’m making the request. You lost confidential mental health records that were sent to you. I followed your exact instructions when submitting those records.

Episource Rep: [stammers, is confused].

Possibly at this point the Episource Rep will give you the name, phone, or email address of the Compliance Department, but more likely they’ll continue to stonewall you. Or they’ll attempt to “transfer” you and the call mysteriously drops right at that moment. How fortuitous for them!

During the call, keep reminding them of their obligations under HIPAA as a business associate to the Medicare “Advantage” plan. For good measure, you can even wonder aloud if their loss of records constitutes a breach that requires reporting to OCR (Office of Civil Rights, AKA “The HIPAA Police”). I’m not above stating “I think I’ll put in a formal inquiry to my compliance department.”

It’s amazing how fast they “find” your “lost” records. I guarantee you: they won’t bother you again – at least not for that client!

I’m Susan, your PsychBilling Coach. If you have a burning issue or problem with Medicare, private insurance, billing, credentialing, or other practice topics, you can schedule a consultation here.

Susan Frager | PsychBilling Coach
