Fall 2024 Issue
Release of Information and Audits
By Bart Howe
For The Record
Vol. 36 No. 4 P. 24
Birds of a Feather (and They Should Stick Together!)
Release of information is all about getting patient health data to an authorized requestor, which can include the patient, their representative, and another physician or an attorney, to name a few. Fulfilling these requests can be time consuming and complex (but if you’re reading this, you’re no stranger to that!). HIM leaders are tasked with managing backlogs and releasing requests in a timely manner, all while complying with HIPAA and other regulations to ensure patient privacy and verify that the right person receives the right records, every time.
Now, let’s consider audits. Unlike traditional release of information requests, which come from a variety of sources, audit requests mainly come from a single group of requestors—payers. Audits also deal with the exchange of health information but usually on a much bigger scale. Instead of managing one request or a handful of individual requests, you may have to manage hundreds or thousands at a time. And in many cases, audits are held to tight deadlines, putting strain on the staff responsible for reviewing records in bulk, assessing them for accuracy and maintaining regulatory compliance. Not to mention the impact they can have on your reimbursement.
Many of us in HIM treat release of information and audits as separate functions, but this is a mistake. Audits are, in fact, a form of release of information and should be integrated into your overall release of information strategy. With audits growing in volume year over year, if your audit process is siloed from release of information, now is the time to rethink this approach before your audit backlog gets the better of you.
This article explores why audits must be considered part of your release of information strategy, not only for HIPAA compliance but also for efficiency and accuracy. It also shines a light on the ways a disconnected audit strategy can jeopardize the security of patient health data and shows how you can bridge the gap between your audit and release of information strategies.
Audit Volumes Are on the Rise
Health care audit volumes are climbing at an unprecedented rate, making a robust and integrated audit strategy more crucial than ever. This surge is driven by two main factors: the aging Medicare population and the evolution toward value-based care (VBC).
Based on trends we’ve observed here at HealthMark, Medicare Risk Adjustments (MRA) are growing at a rate of 8% to 10% annually, with MRA requests now driving the largest volume of audit activity. And it’s not just MRA; we’re seeing significant growth in HEDIS (Healthcare Effectiveness Data and Information Set) audits too. Why these two audit types specifically? They’re both related to Medicare reimbursement, and there has been a steady increase in the US population older than age 65 in the past eight to 10 years. Medicare Advantage enrollment is increasing at a 7% compound annual growth rate, and audit volumes are following that same trend.[1]
On a similar growth trajectory is VBC. At a high level, VBC rewards providers for delivering high-quality, cost-effective care. Medicare Advantage VBC plans have doubled compared with 2018, and there’s a 50% increase in VBC plans from commercial payers.[2] Payers are now looking for more than just traditional claims data, which focuses on the billable services provided to a patient. To evaluate VBC effectiveness, payers need access to clinical data such as lab results, clinical notes, vital signs, and allergies. Enter audits.
With audit volumes showing no signs of slowing down, now is the time to create an audit strategy that’s as sharp and integrated as your release of information process to protect both your organization and your patients. By aligning audit strategies with your overall release of information process, documentation, and workflow, you maintain control over access to sensitive health information and ensure no list falls through the cracks and only the minimum necessary information is shared.
Why Audit Access Should Mirror Release of Information Access
If you find yourself growing anxious at the mere thought of an unexpected audit, you’re not alone—audits are notoriously labor-intensive, frustrating, and disruptive. The volume of requests and the complexities involved in fulfilling them only add to the strain.
It’s also not uncommon to experience pressure from auditors pushing for more direct access to the data, either onsite, via remote access to your EHR, or via application programming interface (API). Each record request from a payer has a direct impact on their revenue and reimbursement under CMS and VBC programs, so it’s not surprising that access to this data is a priority for payers. When considering all these factors, it’s no wonder audit requestors may offer to handle the data capture themselves with your permission.
But allowing auditors to access the requested information themselves can come with many risks and consequences in the long term.
Think of it like this: You wouldn’t give a lawyer requesting health data access to your EHR to find whatever information they need. Rules like the minimum necessary requirement under HIPAA exist for a reason; no third party, regardless of their intent, is entitled to more patient health information than it is legally required to access.
Any request type comes with a defined scope of information that can be released. In the case of audits, it’s often related to certain patient populations, medical diagnoses, and/or dates of service. For example, if an audit’s scope is mammogram results in women older than 40, only that specific information should be accessed. Other examples of access that goes beyond the scope of an audit include the following:
• If a patient changes an insurance provider due to a job change, an auditor pulling records from an EHR for an audit could inadvertently access data from the previous coverage period.
• An auditor reviewing records of diabetes patients to assess eye exam compliance could access a patient’s full medical history. If they misinterpret a note about an eye infection treatment as an eye exam, they might incorrectly conclude that the patient met the guideline.
In general, it can seem like a low risk to provide access to the entire patient chart to a payer as opposed to specifically what’s in scope, and this temptation can be even stronger with audits, which often see hundreds or thousands of charts requested at a time. But these previous scenarios show why this isn’t the best practice and should be avoided at all costs.
To be clear, audit requestors, lawyers, and other third parties typically aren’t “bad actors”—protecting protected health information (PHI) from bad actors is a whole different discussion! The risk of allowing unauthorized access isn’t that these requestors are going to turn around and sell patient data on the black market. The issue is that HIPAA and other regulations grant patients certain rights and privacy expectations that organizations must safeguard as stewards of their patients’ health data. And when large volumes of data are processed without proper oversight, the likelihood of accessing data that is not within scope goes up.
Patients have a right to know and understand how their data is being used. And without a structured release of information process and quality control measures, the risk of misinterpretation and mistakes increases.
Five Questions to Shape Your Audit Strategy
If you’ve ever outsourced release of information, you likely went through a very extensive review process with your vendor before allowing that vendor to ever touch your patients’ data, from verifying security and compliance measures to understanding operational procedures. And that’s a great thing! However, that level of scrutiny is often not applied to the audit process; after all, you’re already dealing with a familiar party in the payer. Applying the same rigor to your audit process that you do for your release of information process is the key to linking these strategies.
As a starting point, consider asking yourself or someone at your organization these questions when developing a solution to safely, securely, and effectively tackle all those audit requests:
1. What criteria are being followed when accessing information?
To ensure data security and integrity, audit requestors and any third party handling medical records must adhere to certain protocols. These include the following:
• internal policies and procedures that dictate how information should be accessed and managed, ensuring consistency and compliance;
• adopting best practices from leading industry bodies, such as HIMSS and AHIMA; and
• compliance with federal and state regulations, including HIPAA, HITECH, and more.
Before you provide an audit requestor or any other third party access to your PHI, ask about the mechanisms in place to ensure that only the data authorized for access is retrieved. This may include access controls, data segmentation, and regular audits to verify compliance with authorization protocols.
2. Is the data collection process compliant with HIPAA and privacy regulations?
HIPAA compliance is not an area in which you have any room to take shortcuts. Any data collection methods used by an audit requestor or any third party must be HIPAA-compliant and ensure that:
• secure data transfer protocols have been implemented;
• encryption is used both in transit and at rest to protect data;
• only authorized personnel can access sensitive data; and
• audit trails are maintained using detailed logs for compliance verification.
3. Is an accounting of disclosures maintained to track data access?
When patient data is being shared, HIPAA requires that you maintain an accounting of disclosures and provide it to patients upon request. Patients have the right to request this accounting to understand how their information has been used or shared and to ensure their privacy is protected according to HIPAA.
Maintaining an accounting of disclosures involves the following:
• logging who has accessed what data;
• leaving detailed audit trails for all data access and disclosure activities;
• conducting regular reviews of disclosure logs to identify and address any anomalies;
• ensuring that the tracking system complies with HIPAA’s accounting of disclosures requirements; and
• providing transparency to patients and stakeholders about data access and disclosures.
4. Are there any contract terms that would require a certain type of access?
Be sure you understand any contractual obligations that require you to provide access to health data through a specific method such as an API to your EHR. APIs are incredibly valuable as we work to increase interoperability across the health care ecosystem, but it’s important that they’re implemented with safeguards and oversight. A good best practice is to avoid committing to any specific data access method in contracts. This way, you remain free to choose the method that best serves your organization and protects your patients’ data without being obligated to any one approach.
5. Are there clear channels for addressing questions and discrepancies?
Mistakes happen, even in robust auditing processes with many quality control safeguards. With that said, it’s important to have a clear line of communication with whoever is handling your audits in case there’s an issue or if you have a pressing question. This might look like having a dedicated point of contact or team to promptly handle your needs as they arise.
Audits and Release of Information: Birds of a Feather
Audits can feel very different from traditional release of information, but the obligation to safeguard patient data remains the same. Whether handling routine release of information requests or managing a large-scale audit, HIM professionals are entrusted with protecting patients’ health information at every step of the way.
As stewards of PHI, our role in HIM is not just about compliance—it’s about trust. Every audit must be approached with the same rigor and care as any other release of information. Ensuring that only the necessary information is shared and that it’s done securely isn’t just good practice, it’s essential for maintaining the confidence of the patients we serve.
A patient may never know if too much of their health data was unnecessarily disclosed during an audit, but our diligence behind the scenes speaks volumes. By proactively protecting their data, we reinforce the trust that is fundamental to the health care system. It’s not just about meeting regulatory standards; it’s about upholding the ethical responsibility we have to our patients and the integrity of the entire health care system.
— Bart Howe is the CEO of HealthMark Group, a leader in digital health information management based in Dallas. In that role, he leads a team focused on developing patient-centric technology solutions that streamline the flow of health care data to promote information accessibility and workflow optimization without sacrificing privacy or security. Howe is also president of the Association for Health Information Outsourcing Services, an organization composed of the leading HIM service companies with the mission to promote compliance and excellence in the management of confidential, patient-identifiable information.
Prior to his current roles, Howe was executive vice president of business development and corporate strategy at Caris Life Sciences, a pioneering leader in precision medicine, biotechnology and molecular diagnostics, where he led global business development, corporate strategy, international distribution, marketing and biopharma services. His entrepreneurial experience includes cofounding Ubiquitous Energy, Inc, a venture-backed solar energy technology company. He began his career in finance as an analyst at JPMorgan Chase. Howe holds a BBA in finance from Texas A&M University and a master’s degree in business administration from Harvard Business School.
References
1. Freed M, Fuglesten Biniek J, Damico A, Neuman T. Medicare Advantage in 2024: enrollment update and key trends. KFF website. https://www.kff.org/a824685/. Published August 8, 2024.
2. Addressing the rising cost of health care: the shift to value-based care & value-based care examples. American Medical Association website. https://www.ama-assn.org/practice-management/payment-delivery-models/addressing-rising-cost-health-care-shift-value-based. Published July 24, 2024.