
Recorded at HEALTHCON 2025 in Orlando, FL
This session discusses key legal considerations regarding compliance and documentation in healthcare. It emphasizes the importance of following escheat rules when dealing with refunds and the legal rights to request medical records for risk validation.
The panel advises on maintaining proper documentation to defend against audits and highlights the complexities of IDR disputes. Additionally, it touches on the significance of adhering to HIPAA regulations and the necessity of using the patient's current sex designation.
Coordinating benefits and unclaimed overpayments
When a coordination of benefits dispute won’t resolve and the true secondary refuses both a system update and a refund, the money cannot be kept. Follow your state’s escheat rules: remit the funds to the state’s unclaimed property program, document the transfer, and move on.
Every state has an online portal; upload the details under the entity owed. If no one claims the funds after the statutory period, the state keeps them. Operationally, escheat is a clean way to close the loop when you’ve tried in good faith to refund but the payer won’t accept.
Third-party record requests: When to send and how to protect yourself
Medical record requests from companies like Episource or DataVantage often feel like data mining, but many are legitimate risk adjustment validation pulls on behalf of a Medicare Advantage plan. Under HIPAA’s health care operations provision and your Notice of Privacy Practices, these can be disclosed without a separate patient authorization.
Still, always validate the requestor and the contract chain (for example, confirm they are acting for a named plan). Refusal or nonresponse can expose you to network actions or, in extreme cases, the kinds of participation consequences discussed earlier in the conference. For commercial plans, participation agreements typically obligate you to provide records, often at no cost and within a set time frame.
If their secure portal is unreliable, your role is to prove transmission. Take screenshots of each upload step and confirmation, keep fax receipts if you resort to fax, and store any automated acknowledgments. If they claim “records not received,” send your proof and ask them to resolve their internal handling.
Your duty is to disclose lawfully and timely; it is not to debug a vendor’s system. When requests are voluminous or unduly burdensome, you can often negotiate a smaller sample; vendors are frequently willing to narrow scope, especially when the document count is massive.
Avoiding audits vs. being audit-ready
There is no universal way to “prevent” audits because payers use sophisticated analytics across specialties. What triggers scrutiny are outlier patterns: unusual code pairings, identical levels every visit, high spend per encounter, or frequency exceeding policy norms.
An example from pain management is stacking trigger point injections across months so every patient receives triple the annually allowed volume; even if each note seems superficially justified, the population-level pattern flags you.
Rather than chasing avoidance, build audit-ready operations. Align with medical policies and contract terms, monitor your own outlier metrics (level distribution, units per visit, frequency by diagnosis), and correct drifts before a payer’s bot notices. If an audit arrives, strong alignment and contemporaneous documentation allow you to defend your care, reduce extrapolation risk, and avoid unforced errors that convert to overpayments.
Documentation fundamentals the auditors emphasized
Notes should separate carried-forward history from today’s work. If you are billing an E/M today, show today’s interval changes, decisions, and the “why” behind actions. Copy-forward without context leads reviewers to assume nothing changed and pushes levels down.
If you coordinate care (for example, discuss a case with infectious disease or call the emergency department), make the linkage explicit to earn appropriate data or risk credit: who you spoke with, what was decided, and how it affected management.
Practical problems with uploads and “lost” records
If a third-party vendor repeatedly loses your uploads, the compliance answer is to document and persist, not to stop responding. Keep evidence of each submission, escalate to a supervisor, and offer a fallback (secure fax, SFTP, or encrypted media).
If the burden is disproportionate, request a reduced sample. The risk exposure for you is not the vendor’s security gap per se; it’s failing to respond. Proof of submission protects you.
Sensitive claim details and sex designation
A question surfaced about surgeries where the patient’s current physical sex and claim edits collide with payer rules (for example, edits firing when procedure codes historically align to a different sex). The panel’s core point was that revocation rules don’t create new duties; they enforce existing ones like truthfulness and medical necessity.
Practically, use the designation that will be understood as accurate for the clinical circumstances on that date of service, document your reasoning, and when in doubt, obtain payer guidance and memorialize it (date, representative, summary of instruction). You may not love the answer, but a documented payer directive is your safest course.
No Surprises Act: good faith estimates and independent dispute resolution
On the good faith estimate side for self-pay or uninsured patients, there is some activity, but most of the energy is in the out-of-network independent dispute resolution pipeline. The IDR process remains messy: backlogs, inconsistent tracking, and delayed cases dating to 2022–2023.
Providers are winning a substantial portion of IDR decisions, but enforcement can be inconsistent, and some payers resist payment even after a favorable decision, forcing follow-on litigation in a few jurisdictions. Operationally, expect variability and keep clean files: eligibility verification, notices, timelines, and the calculation inputs you used for your estimate or IDR position.
“How do we stop red flags?”—the specialty lens
Because analytics are specialty-specific, know your specialty’s common triggers. In procedural fields, watch code pairings and modifier use that imply unbundling.
In evaluation and management, avoid flat-lined level distributions and make sure documentation for time-based billing actually includes total time and a short description of how time was spent.
In longitudinal care, ensure frequency aligns with policy and clinical need. Nothing beats a periodic self-audit against payer policies and your contractual language.
Audience Q&A highlights you can apply tomorrow
When a vendor’s portal repeatedly “loses” uploads, keep proof of timely submission and push the vendor to troubleshoot; your obligation is to disclose lawfully and on time, not to fix their tech.
For tricky claims scenarios around sex-specific edits, proactively contact the payer or MAC, record the guidance, and follow the instruction on file; documentation of that conversation is part of your defense.
On good faith estimates, disputes do occur but are far less common than IDR fights for out-of-network claims; nonetheless, validate your GFE workflow and mailing addresses so you receive notices before an ALJ decision lands.
For audit avoidance vs. readiness, monitor your own outlier patterns—average allowed per visit, level mix, and frequency by diagnosis—and normalize where clinical reality doesn’t support the variance.
When record pulls are excessive, negotiate scope; ask the requester to reduce the sample to a reasonable number, especially for high-page encounters like substance use treatment or complex admissions.
The throughline: compliance is process, not panic
The panel’s overarching message was to replace fear of audits with disciplined process. When you receive an unfamiliar request, validate the authority, understand which rule is in play (HIPAA operations, contract obligation, risk adjustment validation), and respond within timelines with proof.
When analytics flag you, know your story in the data and be ready to show medical necessity and policy alignment. When policy gray zones arise — like sex-specific edits or payer differences on telehealth — seek and document payer guidance, then build that guidance into your internal policy so staff can act consistently.
In short, you won’t eliminate audits or messy vendor experiences, but you can make them routine rather than existential. Document today’s work, know your contracts and policies, keep receipts for every disclosure, and track your own data patterns before a payer does. That is how practices stay compliant, protect revenue, and keep care moving.