Abrams, Fensterman, Fensterman, Eisman, Greenberg, Formato & Einiger, LLP
Insurance Carrier Audits and Record Demands: Review Before You Refund

If you would like more information about this topic or any other topic contact Scott Einiger or Stacy Steinberg

Over the past few years, insurance companies have, with increasing frequency, audited physician[1] practices seeking refunds for services rendered because of "lack of documentation", "medical necessity" or "coding" issues. These refunds are portrayed by insurers as overpayments for certain treatment(s) rendered, which enable them to extrapolate and demand monies be re-paid by the provider (in some cases going back 6 years).[2]

While insurers routinely initiate these "retrospective reviews" and/or "audits", without disclosing their true intention (calling them quality reviews) and anticipating that doctors will blindly comply with their record requests, the health care provider should be wary of any request for records, not only for the practical consideration that the insurer will seek monies from the claims it has already paid, but also for the legal consideration of state confidentiality laws and the HIPAA regulations to ensure the privacy of his or her patients.

Typically, these audits begin with the insurer's request for a sample of the health care provider's records, i.e. ten to 20 records. In some cases, over a hundred patient records have been requested. The provider has usually been reimbursed for the services rendered (as it relates to these audited records) so this is considered a retrospective review and is clearly not for payment purposes. If the provider is a participating provider, an analysis of the health care professional's contract with the insurer must be undertaken to understand the provider's rights and obligations. However, whether or not the physician is a participating provider, or a non-participating provider who has no contractual obligation to the insurer, this request for records must comply with the HIPAA regulations and New York State Public Health Law, Section 18 notwithstanding the contract terms.

Based on our extensive experience and dealings with these audits and subsequent refund requests in almost every medical specialty, we require the carriers to follow the various state and federal laws and guidance from the New York State Department of Health ("DOH") prior to our clients undergoing such a review. Providers unaware of the state and federal laws will often forward these records without the appropriate authority, often leading to refund demands and exposing the practitioner to potential privacy violations that could lead to professional misconduct allegations and/or civil liability.[3]

When conducting their retrospective reviews or audits, insurers often insist, erroneously, that providers are obligated to supply records, purportedly in accordance with HIPAA, because they are entitled to access to a provider's records for "treatment, payment and healthcare operations" under the regulations. Yet, the insurer's reading of HIPAA is misleading and erroneous as it does not take into account New York State law. Indeed, HIPAA specifically mandates that where state law is more protective, state law controls and will not be overridden or "preempted" by the federal HIPAA regulations.

In limited instances, Section 18 of the New York Public Health Law does allow disclosure of the relevant portion of the record by providers to obtain payment for their claims submissions. However, this is an exception to the general rule that one must obtain written authorizations and does not encompass retrospective audits. Specifically, Section 18(1)(e) only excludes disclosure of portions of the medical records for payment purposes:

For purposes of this subdivision, 'disclosure to any other person' shall not include disclosures made to ... insurance companies licensed pursuant to the insurance law and other third parties requiring information necessary for payments to be made on behalf of patients (emphasis added).

The State of New York does have a more stringent approach to confidentiality than HIPAA. The current law in New York State, codified under New York Public Health Law, Section 18, requires written patient consent prior to release of medical records. The DOH has articulated this position that patient consent is mandated under state confidentiality laws and is more restrictive than HIPAA.

Significantly, the DOH unequivocally stated that "[t]he New York state law on consent remains unchanged by HIPAA in situations involving disclosure for treatment, payment and health care operations because HIPAA does not provide new authority for the unconsented release of identifiable patient information when more protective state laws or regulations exist." Such unauthorized release could lead to sanctions under the professional conduct statutes, as described below. The DOH's statement provides clear support for the provider's request for compliance with state confidentiality laws and request for express written consent from the patient, the insurer's enrollees, prior to any disclosure of their records.

Additionally, the DOH has emphasized in a March 24, 2003 letter to insurance carriers' Medical Directors that the provider's disclosure of records without patient authorization could lead to violations under the New York State Education Law. See New York State Education Law § 6530(23) (prohibiting physicians from disclosing information gained in their professional capacity without prior consent of the patient, except as mandated by law). Further, as recognized by the DOH, Title 8, Section 29.1 of the New York Code Rules and Regulations (N.Y.C.R.R.) "prohibits licensed professionals from revealing personal identifying information, data, or facts ("health information") obtained in a professional capacity without the prior consent of the patient except as authorized by law." Finally, the DOH highlighted that New York State confidentiality laws are "more stringent and more protective of patient confidentiality" than HIPAA. Thus, the Public Health Law, Section 18 is clear that written consent of the patient must be obtained in advance before any release of patient information.

Further, New York courts analyzing Public Health Law, Section 18 have required that "any individual, including government officials, who possess medical records to keep those records confidential and not to release them to third parties without proper authorizations." Grosso v. Town of Clarkstown, 1998 WL 566814, *8 (S.D.N.Y. 1998) (citing N.Y. Public Health L. § 18(6)); Caraveo v. Nielson Media Research, Inc., et al., 2003 WL 169767 (S.D.N.Y. January 22, 2003) (Section 18 of the Public Health Law "mandates that whenever patient information is to be released to a party other than the patient, written consent must be obtained in advance before such disclosures can occur"). The intent of Section 18 of the Public Health Law is to "prevent [] the disclosure of confidential medical records to third parties." Mantica, et al. v. New York State Department of Health, et al., 94 N.Y.2d 58, 62, 699 N.Y.S.2d 1 (N.Y. 1999). In sum, regardless of the factual scenario, "whenever patient information is to be released to a party other than the patient, written consent must be obtained in advance before such disclosures can occur." Caraveo v. Nielson Media Research, Inc., et al., 2003 WL 169767 (S.D.N.Y. January 22, 2003) (citing Public Health Law, Section 18(6)).

In summary, while providers may face audits and the practical economic concern of having the insurer scrutinize his or her records to find any available opportunity to recoup monies already paid to the provider, the provider should also be cognizant of these legal considerations prior to release of patient records. Clearly, the insurer has all of the weapons in its arsenal to target providers to demand records and analyze them for "overpayment." Yet, the provider can, and should, request that the insurer comply with the state and federal confidentiality laws, for the protection of the privacy of his or her patients.

(The information presented in this article is intended for educational purposes only and does not constitute legal advice. In cases of specific legal questions, always contact an attorney.)


[1] Participating and non-participating providers.

[2] Insurers are generally able to make refund demands covering a six year time frame under a contractual theory, as the statute of limitations for a cause of action for breach of contract (here theoretically asserted by the insurer against the provider) is six years. Aetna and Cigna, however, can only make refund demands for a two year time frame and a one year time frame respectively, since these carriers have agreed under the Settlement Agreement in the class action litigation to limit their contractual time period to less than the six year statute of limitations.

[3] The Medical Society of the State of New York has also expressed its support for the position taken by our firm concerning the importance of the insurers' compliance with state and federal confidentiality laws prior to the disclosure of patient records by a provider facing an audit.
