Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and HIPAA for FREE!!

Health Plans Need Your Records: Know What’s Driving Requests and How to Be Prepared

Posted on July 26, 2016 I Written By

The following is a guest blog post by Craig Mercure, Chief Operating Officer of Payer Solutions at CIOX Health.
Craig Mercure
Audits. Reviews. HEDIS. Stars Ratings. No matter what, health plan record requests are growing by leaps and bounds each year. And the stakes are high for health plans to ensure they receive medical records in a timely way. What we also know – the large volume of requests and submission deadlines can put a drain on provider resources.

High volumes of medical record requests make it more important than ever for providers and health plans to work cooperatively and collaboratively. Here’s some helpful background on what’s driving the request for medical records and how providers can be prepared.

There are three primary health plan reviews that receive the most focus: Medicare Risk Adjustment, HEDIS Reviews, and Affordable Care Act (ACA) Medical Records Retrieval (MRR). While there are also other ad hoc requests related to fraud, waste and abuse (e.g., Risk Adjustment Data Validation (RADV), Medicaid, etc.), these three health plan reviews cause the most provider abrasion. Medical practices are getting hammered by them.

Say, for example, that a provider chooses 10 health plans. That provider is going to receive requests from each plan for all three of the main reviews, as well as the ad hoc requests. This has a major influence on record release and all other staff members that are impacted by it. The operational impact of receiving, verifying and fulfilling these requests is growing every year.

Here’s how the top three health plan reviews break down:

Medicare Risk Adjustment (MRA) reviews documentation and diagnosis codes to ensure proper reimbursement from the Centers for Medicare and Medicaid Services (CMS). Most records are retrieved from the primary care physician (PCP), specialty doctors, and in-patient stays—wherever the true value of a particular chart may reside. The MRA reviews typically begin in June and goes through early January.

Volumes have skyrocketed to 18 million record requests over the past several years. Plans are prioritizing Medicare Advantage plans and want to research every member. Therefore, depending on the percentage of Medicare Advantage patients seen by an organization, this review can hit providers hard. Medicare Risk Adjustment reviews are most prevalent in late summer and early fall with the end date for all plans to submit all 2015 diagnoses by January 31, 2017.

Two of the primary pain points for health plans are revenue and quality of care. Consider this hypothetical scenario. A healthy Medicare Advantage member has a score of zero. However, if that member develops diabetes within a given year, the score grows to 2.8. The health plan would receive 2.8 times the normal Medicare expenditure to care for that patient. While demographics and regional data also contribute to determining true ratings, this example is very realistic.

From a quality perspective, the health plan’s purpose for medical record reviews is to identify patients with chronic disease before they fall through the cracks. Plans attempt to effectively communicate with members and secure PCP visits before more costly encounters such as emergency or acute inpatient care occur.

Healthcare Effectiveness Data and Information Set (HEDIS) Reviews are driven by the National Committee for Quality Assurance (NCQA), a 501(c)(3) not-for-profit organization dedicated to improving the quality of health care so patients can make informed decisions about which plan they want to choose. HEDIS collects measures from plans, PPOs, physicians, and other organizations which is fed into a 5-star rating system. This rating system has become a marketing tool to help patients find the best health plans. It’s intended to allow patients to make “apples to apples” comparisons of health plans, similar to how you might shop for a car. The review season is typically February to mid-May.

Affordable Care Act (ACA) Medical Records Retrieval (MRR) is in its first year. These reviews are conducted during the same time frame as HEDIS. ACA-MRR has adopted similar risk methodologies as Medicare Advantage.

For providers, dealing with these reviews has become part of doing business with health plans. However, the amount of operational planning and time required to keep up with all the various requests can be monumental. Each provider site is configured differently in terms of medical record systems and IT security. Many providers outsource the chart retrieval (also called release of information—ROI) function to relieve the burden.

Gathering data in the trenches

Information to fulfill the health plan request may come from PCPs, acute-care hospitals, extended and rehabilitation facilities—wherever the health plan determines that the chart holds the most value. Also, caregivers provide medical records to health plans in a variety of ways. These include, but are not limited to: remote access, portals, secure FTP, CDs, mail, flash drives, emails, scans, and the old-fashioned standard—printed paper. While paper is dwindling, some still exists.

The majority of Medicare Advantage and ACA reviews are at the provider level. Sometimes thousands of records are involved. This can be a huge burden on physicians. Most health plan reviewers are interested in documents describing face-to-face interactions between clinician and member, such as progress notes and encounter notes based on specific dates of service.

For health plans and chart retrieval companies, the goal is always to obtain the necessary information with a minimal amount of provider abrasion. Two specific technology capabilities help smooth the process.

Electronic documentation embedded within the provider’s EMR

Various EMR systems and provider sites capture patient encounter notes differently. Some locations might not capture or maintain the encounter and progress information that is needed in an easy-to-retrieve electronic format.

Remote connectivity to retrieve information

Remote connectivity allows real-time access for the data needed by the health plan or chart retrieval service, mitigating the need for labor-intensive processes and onsite technicians.

An experienced chart retrieval service, like CIOX Health, satisfies the information demands of health plans while also reducing operational workload for providers. They’re responsible for securely linking both sides of the health plan review equation.

Experience eases chart retrieval

A chart retrieval service that repeatedly contracts with a specific health plan for reviews gains a year-over-year advantage. They’ve already connected to all the various provider systems and obtained security clearance. Every year they spend in the trenches, they learn and gain experiential data—giving them a head start for next year’s audit season.

Providers want to be fully compliant with health plan requests. They want to honor the request as quickly and efficiently as possible. Provider preference is to work with one chart retrieval service versus multiple ones over several health plans.

A single service can also field calls and inquiries from all the various health plans. Health plans want records to meet their review requirements, and they can be aggressive if records are past due. An experienced chart retrieval service helps both stakeholders move efficiently through the process—including remote connectivity—to meet health plan deadlines.

Finally, a centralized health information management (HIM) department is another way to ease the burden for providers. With centralization, all records and requests are aggregated. While centralized HIM is common practice in hospitals and health systems, it is not always feasible for physician practices and medical groups.

Cooperative steps must be taken to support health plan reviews while also reducing provider abrasion and operational costs. By working together, both plans and providers remain satisfied and smooth the process for everyone involved.

About Craig Mercure
Craig oversees all aspects of business development, including strategic planning, sales, client services, marketing, product development, finance and communications. He also leads the infrastructure development of the company as it grows, which includes: systems, processes, pipeline management, trade support, marketing, facilities, personnel recruitment and development. Over the past 15 years, Craig has worked in executive leadership positions within the electronic medical record and medical documentation industry.

Ransomware Crisis Demands Provider Cooperation

Posted on February 22, 2016 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

A few days ago, the sadly-predictable news broke that a U.S. hospital had been hit with a ransomware attack. Initial reports were that hackers demanded that Hollywood (CA) Presbyterian Medical Center pay $3.4M in bitcoins to regain access to its data. The hospital refused, and began working with paper to meet its patients’ needs. However, it was later reported that the $3.4 million number was wrong and the hospital was only asked to pay $17,000. The hospital chose to pay the ransom and got data access back.  But the mere fact that Hollywood Presbyterian got off relatively easily shouldn’t blind us to the growing ransomware threat, nor the steps we need to take to address this crisis.

Now, before I ramble on about what I think should be done, please bear in mind that I’m an HIT analyst and writer, not a network engineer. So the modest proposal is coming from a non-technical person, but I do believe that it has some merit as an idea. Hopefully readers will continue to improve, debate, and educate us on the merits and challenges of the idea in the comments.

Here’s my proposal. Whereas:

* Hospitals can’t afford to have their data randomly locked any more than airlines can afford to have their engines do so, AND

* Nobody wants to voluntarily create a ransomware market that grows steadily stronger as hospitals pay up, SO

I suggest we find a new way for hospitals to cover each others’ back. The idea would be to make it more or less impossible for hackers to capture all of another hospital’s data.

Here’s where I get hazy, so follow me — and criticize me, please — but what if every hospital had a few sister hospitals which held part of the day’s data backup?  I can see attackers shimmying through every currently available connection at a single institution, but would all five be vulnerable if they only connected in the event a data lockout at hospital A?

Even if such a peer to peer architecture would work, I’m not sure it would be practical. After all, it’s one thing to download an illegal software copy via P2P and quite another to help restore a terabyte or more of data.

Also, it certainly hasn’t escaped me that there are serious competitive concerns involved in setting up such arrangements, though those could certainly be mitigated by the fact that no sister hospital would have a complete data set for Hospital A.

Even if this idea is utter garbage, however, I believe we’ve reached a point where if we’re going to fight ransomeware, some form of deep industry cooperation is necessary. Let’s not wait for patients to be harmed or die due to data lock-out.

Could the Drive to Value-Based Healthcare Undermine Security?

Posted on November 27, 2015 I Written By

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

As we all know, the healthcare industry’s move toward value-based healthcare is forcing providers to make some big changes. In fact, a recent report by peer60 found that 64% of hospitals responding cited oncoming value-based reimbursement as their top challenge. Meanwhile, only 30% could say the same of improving information security according to peer60, which recently surveyed 320 hospital leaders.

Now, the difference in concern over the two issues can be chalked up, at least in part, to the design of the survey. Obviously, there’s a good chance that a survey of CIOs would generate different results. But as the report’s authors noted, the survey might also have exposed a troublesome gap in priorities between health IT and the rest of the hospital C-suite.

It’s hardly surprising hospital leaders are focused on the life-and-death effects of a major change in payment policy. Ultimately, if a hospital can’t stay in business, protecting data won’t be an issue anymore. But if a hospital keeps its doors open, protecting patient data must be given a great deal of attention.

If there is a substantial gap between CIOs and their colleagues on security, my guess is that the reasons include the following:

  • Assuming CIOs can handle things:  Lamentable though it may be, less-savvy healthcare leaders may think of security as a tech-heavy problem that doesn’t concern them on a day-to-day level.
  • Managing by emergency:  Though they might not admit it publicly, reactive health executives may see security problems as only worth addressing when something needs fixing.
  • Fear of knowing what needs to be done:  Any intelligent, educated health exec knows that they can’t afford to let security be compromised, but they don’t want to face up to the time, money and energy it takes to do infosec right.
  • Overconfidence in existing security measures:  After approving the investment of tens or even hundreds of millions on health IT, non-tech health leaders may find it hard to believe that perfect security isn’t “built in” and complete.

I guess the upshot of all of this is that even sophisticated healthcare executives may have dysfunctional beliefs about health data security. And it’s not surprising that health leaders with limited technical backgrounds may prefer to attack problems they do understand.

Ultimately, this suggests to me that CIOs and other HIT leaders still have a lot of ‘splaining to do. To do their best with security challenges, health IT execs need the support from the entire leadership team, and that will mean educating their peers on some painful realities of the trade.

After all, if security is to be an organization-wide process — not just a few patches and HIPAA training sessions — it has to be ingrained in everything employees do. And that may mean some vigorous exchanges of views on how security fosters value.

Health Information Governance of 3rd Party Vendors

Posted on August 26, 2015 I Written By

John Lynn is the Founder of the blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of and John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I love when my eyes are opened to an issue that I haven’t heard people talking about. That’s what happened when I heard Deborah Green from AHIMA say that health information governance includes your third party vendors. I’m not sure how many organizations realize this and treat it appropriately.

What’s ironic is that we definitely do this with HIPAA. This is particularly true in the HIPAA omnibus world. Healthcare organizations have a certain expectation around security and privacy when it comes to their third party vendors. It’s a major part of every RFP I’ve ever seen in healthcare.

Why then don’t we treat information governance with third parties the same as we do with HIPAA?

My guess is that some organizations do, but they haven’t really thought about it in this way. It’s an informal part of how they deal with third party vendors. For example, how are third party vendors storing your organization’s health data? Do they dispose of it properly? etc etc etc. These are all great health information governance questions that we’re asking ourselves, but are we asking our third party vendors these questions as well? Should we be asking them?

One challenge I think we face is that we assume that if we’re paying a vendor to do something, that the vendor is going to do it the right way. We assume that a paid service is going to be done in the best way possible. I’m sure your experience like mine is that just isn’t the case. Was it Reagan that said, Trust but verify? That seems appropriate in this instance.

What’s clear to me is that health data is going to become more and more valuable to healthcare organizations. Making sure you have a handle on that data is going to be an important part of ensuring your financial future. That includes making sure that your third party vendors use good health information governance principles as well.