Wiki Medical Records Request & HIPAA

[Katie22c]

Hello. My coding department has been asked to start sending all medical records related to a patient surgery, including pathology, xrays, anes, etc and even all relevant previous office visits to the billing office when an insurance requests medical records for an operation. I know that not all insurances are even asking for this, more specifically, the Medicare ADR letters reference any relevant information, not just "all information". As a biller, I was even called by an NGS rep once and told we had sent too many records and to stop doing it since it would be considered a violation. I believe from my CPB training when we went over HIPAA, we discussed the necessary minimum rule which indicated you shouldn't just send all the information, just want is relevant. I guess I am wondering if an insurance is asking for Op Report for a surgery where the pathology was not relevant to the code selection or the surgery (example knee replacement), why we would need to be pulling and sending multiple medical records for all surgeries? I would think if the insurance wanted those records, they would have denied those specific claims asking for the records. Can you help me reference if it could be considered a violation? Any thoughts or information on what your practice policies are for insurance medical records request? Thank you!

 

[thomas7331]

The 'minimum necessary rule' under HIPAA is often misinterpreted to mean that if more than the minimum necessary information in any given instance then that is a HIPAA violation. I'm not an attorney, but as I understand the law, that is incorrect. What the rule actually requires is that "covered entities...take reasonable steps to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose." What constitutes 'reasonable steps' is a legal grey area. If a practice sends a little more information than was requested now and then, that's unlikely to be considered a violation, but if the practice is not taking proper safeguards and is acting recklessly, then it certain could be a problem.

Here's a link that describes the minimum necessary rule in a little more detail:

https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html

From your description, it does sound to me like your organization needs to look at revising its policies and procedures, especially if you are getting a call from NGS - if your Medicare contractor is pointing this out and contacting you, then that certainly suggests to me that the there's an issue that needs to be addressed. Not only is the an improper way to handle patients' PHI and putting your practice at a legal risk, but it is wasteful and likely costing your organization a lot of money in needless paper, postage, and employee hours to send records that are neither requested nor needed. The best practice is to send only what is requested - there is no good reason to send above and beyond that. If it results in a denial, then additional records may be sent as necessary in order to appeal that denial but I don't see any legitimate purpose in just sending everything up front as it is likely and unnecessarily exposing your practice to scrutiny and to a potential compliance risk. In your place I would certainly speak to my employer's compliance officer to make them aware of this.