Demanding HIPAA Compliance When Submitting Medical Records

Repeated submissions of medical records to carriers is a frustrating, often unnecessary, burden on medical providers. Unfortunately, when carriers are unable to locate mailed medical records, medical providers have little recourse other than duplicating the time consuming process of copying, preparing and shipping an often voluminous file.

From a practical standpoint, medical billing professionals will need to comply for requests for resubmission of lost documentation in order to get paid. However, providers may want to deal with “repeat offenders” by seeking an internal investigation into the carrier’s security/privacy safeguards. Such a request could ask the carrier to perform a security audit to ensure that medical records are being processed in compliance with the carrier’s own security/privacy protocols.

“One of my favorite letters from AppealTraining.com is the HIPAA audit letter. It’s amazing how quickly payers find those lost appeals and medical records after receiving this letter. The appeal coordinators from our Patient Financial Services Department and Care Management use AppealTraining.com with a lot of success,” states Theresa Halbritter, Coordinator, Appeals for West Virginia University Healthcare. Halbritter recently spoke at the Kentucky Healthcare Financial Management Association (HFMA) meeting and included information about using AppealTraining.com for effective appeals.

AppealTraining.com members can download the HIPAA audit letter online. This letter demands an audit of a carrier’s internal medical record processing procedures for compliance with Health Insurance Portability and Security Act (HIPAA) privacy and security requirements and certain state utilization review regulations.

Insurance carriers have a duty to maintain professional standards in processing submitted medical documentation. Under HIPAA, a covered entity (group health plan) must “reasonably safeguard protected health information from any intentional or unintentional use or disclosure that is in violation of the standards, implementation specifications or other requirements of this subpart.”

To comply with HIPAA, covered entities such as group health plans have developed written procedures for protecting the privacy of patient medical records. HIPAA has also required group health plans to designate a privacy/security officer who is responsible for assessing compliance with those written procedures.

If a medical provider has a problem with a carrier losing records, an inquiry can be sent to that carrier’s compliance officer to try to determine what could be happening to the protected health information submitted as instructed. To assist with the review, the provider should outline what records were mailed, the date of the mailing, address used and how the records were sent. Providers could then also request that the carrier review their records for all medical records received during the week before and after the anticipated arrival date of the submitted records. If the carrier refuses the request, providers could also seek from the carrier a description of the efforts made to locate the submitted information and summary of the carrier’s written policy and procedures for handling protected health information.

Providers also have the option of filing a HIPAA complaint related to the carrier’s loss of protected health information. According to several HIPAA consultants, HIPAA fines have only been issued for situations involving a confirmed disclosure to an unauthorized party. The “loss” of medical records is not, by itself, a HIPAA violation.

Although filing a complaint might not result in a penalty being assessed, it could still focus attention on the question of where the records are going and why. Filing a complaint could also, at least, require the carrier’s security office to investigate the matter of lost records.

Leave A Response

* Denotes Required Field