Over the past few months, the California Medical Association (CMA) has received several calls from practices who had received requests for medical records from various payors stating the records are needed for “risk adjustment.” The records requests are a result of the commercial risk adjustment program created by Section 1343 of the Affordable Care Act. The primary goal of the risk adjustment program is to spread the financial risk borne by payors more evenly in order to stabilize premiums and provide issuers the ability to offer a variety of plans to meet the needs of a diverse population. 

Similar to Medicare risk adjustment audits, the commercial risk adjustment program is designed to identify the health status and demographic characteristics of enrollees in non-grandfathered plans in the individual and small group markets to determine a risk score average. The risk score is a relative measure of how costly an individual is anticipated to be. If at the end of the annual risk adjustment assessment, Plan A has a lower-risk average score than Plan B, then Plan A has to issue a payment to Plan B. In a nutshell, the program is intended to prevent payors from cherry-picking only healthy enrollees.

Because the information reported by physicians and other providers is at the heart of payment adjustments, health plans must engage providers by requesting copies of medical records that accurately reflect diagnoses and/or underlying health conditions to comply with risk adjustment program requirements.

Although the risk adjustment program is a requirement on the payor, payors typically require their contracting physicians to comply with the risk adjustment medical record requests. Non-contracted physicians are under no obligation to comply with the requests. Most payors appear to be contracting with third-party vendors to handle the record requests and collection.

A frequently asked question by physicians about the requests is whether the records can be released without written authorization from the patient under HIPAA. Both HIPAA and California’s Confidentiality of Medical Information Act permit disclosures of protected health information to third-party payors for treatment and payment purposes without patient authorization, including to plans for risk adjustment purposes.

However, when dealing with sensitive medical information such as mental health records or psychotherapy notes, the circumstances in which disclosures may be made to third-party payors absent the patient’s signed authorization are limited. Given the sensitivity of this information, provisions allowing for permissive disclosure of these records should be interpreted narrowly and physicians should err on the side of caution with regards to disclosures absent patient authorization. For more information, see CMA On-Call document #4250, “Confidentiality of Sensitive Medical Information.”

At least one payor appears to be offering to provide a scanner technician upon request, paid for by the plan, who will come to the practice to retrieve the needed records; others are requiring the practice to handle the copying/scanning with submission either by fax or mail. Additionally, the commercial risk adjustment audits usually involve only a handful of patients per practice, but if the request is voluminous, practices may wish to contact the payor and request that it send a copy/scanner service out to the practice.

For more information on the commercial risk adjustment program, click here.