Responding to a Risk Adjustment Audit
Samuel Knapp, Ed. D. ABPP
Director of Professional Affairs
Rachael Baturin, JD, MPH
Director of Legal and Regulatory Affairs
Many psychologists have received letters from insurance companies (or intermediaries hired by insurance companies) to send in information about their patients. Sometimes the companies call these requests for information “audits,” and sometimes they say that they are simply engaging in data collection. This article will give information about these types of audits (or data collection activities) and how psychologists can respond to them.
These kinds of data requests are called risk adjustment audits which are done with patients of health exchanges (sometimes abbreviated as “HX” plans) or Medicare Advantage (privatized Medicare) programs. Risk adjustment is the process that the Centers for Medicare and Medicaid Services (CMS) uses to determine the appropriate premiums that health exchanges are permitted to charge, or which determine the appropriate reimbursement that CMS will give to Medicare Advantage programs.
Health insurers vary substantially in their expenditures depending on the health status of the beneficiaries they insure. For example, CMS reimburses Medicare Advantage Plans on the basis of the health status of the population it covers and not on the basis of the average cost per Medicare beneficiary. If it failed to do so, then it would be possible for a particular Medicare Advantage to solicit business from the healthiest senior citizens, such as those who are younger or who live in more affluent communities where the people tend to be healthier. The Medicare Advantage Plan could then have low expenditures for themselves, generate large profits, and leave the traditional (fee-for-service) Medicare program with the sicker and more expensive beneficiaries.
Early risk adjustment models were imprecise and based only on the patient demographics (such as age or gender). Current risk adjustment models are based on the risk score for the beneficiary that includes the actual health status or health care utilization of the patients covered by the insurer. The risk adjustment process is complicated and includes coding and adjustments for many diagnostic categories according to degree of risk. Advantage plans must report to CMS diagnostic, demographic, and encounter (actual health care visit) data to CMS.
Unfortunately, a few Advantage Plans over represented the risk of their beneficiaries by including historical (not current) diagnoses or diagnoses that were presumed, but not based on a face-to-face encounter with a health care provider. The result is that CMS now requires information to ensure the accuracy of the risk adjustment data submitted by the Medicare Advantage programs. These audits check the accuracy of the data submitted by the plans. In a similar manner, CMS gathers information on health exchange plans to ensure that the rates charged are reasonable given the health status of the population covered.
These audits will occur yearly with a small sample of the patients served by each plan on both physical and mental health services. The audits are meant to gather information on the health status of the patients; they are not an inquiry into the quality of work of the health care professional.
How Should Psychologists Respond to These Data Collection Requests?
The data request letters typically state that HIPAA authorizes these requests for information and that no additional permissions by the patients are required. Often they require the health care professionals to send in a wide range of information including X-rays and laboratory tests. Most of these requests go to professionals who provide physical health services. Although their statements are accurate for professionals who provide physical health care services, the letters typically fail to account for the difference in confidentiality laws between physical and mental health.
It is true that HIPAA does permit health plans (or their intermediaries) to gather some health information in order to comply with the mandated reporting requirements of CMS. However, the letters typically fail to note that HIPAA contains the “minimum necessary rule” which requires that professionals send the minimum amount of information necessary to fulfill a request for information. Also, the letters typically fail to note that HIPAA grants psychotherapy notes greater protection than other health care information. Although a company may request and receive most protected health care information (PHI) based only on the signatures that beneficiaries made when they enrolled in a program, the release of psychotherapy notes (often called process notes) requires a specific written authorization by the patient.
Consequently, we recommend that psychologists who keep two sets of notes (progress and process [psychotherapy] notes) can respond to these information requests by sending their progress notes alone. Psychologists who do not keep two sets of notes may respond by sending PHI which includes results of testing and a summary of the diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. The summary does not have to be exhaustive. The goal of these audits is to provide the company with information about the health status of their beneficiaries and a short direct letter can fulfill that need. We could easily envision a matter-of-fact letter consisting of three paragraphs (or one or one and a half pages) fulfilling this requirement. Of course the letters for some patients where the psychologist had very limited contact could be even shorter.
No additional patient releases are needed to send PHI. However, psychologists should note this exception to confidentiality in their informed consent agreement. That is, they should include a sentence that they may be required to release limited information without the consent of the patient in response in response to insurance company audit.
 We thank the staff of Legal and Regulatory Affairs of the American Psychological Association for providing background information to help us write this article.
 Psychologists may recall that HIPAA defines psychotherapy notes as “notes recorded (in any media) by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or group, joint or family counseling sessions and that are separated from the rest of the individual’s medical record.” The definition of psychotherapy notes specifically excludes several items of information including “any summary of the following: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.” (45 C. F. R. 164.501).
To Cite this Article:
Knapp, S., & Baturin, R. (2015 May). Response to a risk adjustment audit. The Pennsylvania Psychologist, 75 (5), 3-4.
This article was reprinted with the permission of the Pennsylvania Psychological Association.Tags: HIPAA, Insurance, Practice