Responding to Requests from Payers to Providers

Introduction

Providers across the country frequently receive requests for information such copies of medical records and provider documents such as policies. These requests can come from the patient or the family, attorneys, state and federal agencies, as well as health plans. The focus of this article is on the requests that providers receive from payers and will review reasons that prompt these requests, challenges that providers (especially post-acute care providers) may face with these types of requests, and the importance of establishing processes for responding to payer requests.

Why Payers Request Information

Compliance with Laws and Regulations

When requests are received from a health plan, providers first thoughts may be that these can only affect them in a negative way, such as a payment change.  Although that is sometimes the case, in many cases, health plans are requesting this information to allow for ongoing care as well as to meet federal and state regulations. 

One reason for these types of requests is that health plans are subject to federal, state, and local laws or regulations. For example, the Centers for Medicare & Medicaid Services (CMS) has mandatory reporting requirements for Medicare beneficiaries who have coverage under group health plans as well as requirements for those who receive different settlements or other insurance coverage.^1,2,3

To meet these requirements, payers may need to request information about a member’s care directly from a provider. The time frames of these requests can vary based on specific regulation but are generally time sensitive. CMS requires health plans to respond to quality of care grievances within 30 days of receipt. CMS also requires that health plans cooperate with the Beneficiary and Family Centered Care Quality Improvement Organization (BFCC-QIO) for any quality of care grievances they received.  This requirement includes health plans directing providers to respond to requests from the BFCC-QIO for information within 14 days of the request.⁴

An example of a state health plan requirement is from The Insurance Company Law of 1921 from the Commonwealth of Pennsylvania (PA). This law requires that health plans, especially those servicing the Medicaid population, focus on quality health care accountability and protection. The state of PA requires that health plans ensure that all participating health care providers maintain current and comprehensive medical records.⁵  Health plans in many states are required to have processes in place to receive and investigate health plan member grievances, complaints, and reported quality of care concerns.  This process may include a request for and a review of the medical record for a set period of time or the entire medical record from one or more providers.^6,7  Some payers even request that providers collaborate with them or their vendors on root cause analysis to determine what occurred related to a reported quality of care concern.

Additional Reasons for Payer Requests

There are a number of additional reasons why a provider may receive a request from a health plan. Some of these include: in response to an authorization request, an appeal, a reported quality of care concern or grievance; for care coordination; a reporting requirement specific to a health plan’s value-based reimbursement; ensuring accuracy and integrity of risk adjusted data submitted to the Centers for Medicare & Medicaid Services; as well as for various audits.

These requests may be for copies of a medical record, a copy of a specific policy or procedure, a response to a corrective action plan assigned by the health plan or read only access to a provider’s electronic health record (EHR) for care management purposes.

Beyond the regulatory requirements listed in the previous section, another reason why a health plan may request medical records is part of the authorization process and utilization reviews.  Many providers are already familiar with these requests from managed care organizations.  It is important for providers to understand the process to submit for authorizations, including retro-authorizations, for the major health plans in their area.  In many instances, health plans publish this information on their publicly available websites or via their provider portals.
Health plans can also request information from providers to aid in care coordination.  This information can allow for a proactive approach to identifying health plan members that could benefit from health plan specific programs to improve wellness and to help keep people living in the community setting longer.

Response to Requests from Payers

It is important to have processes in place to respond to requests from insurance companies.⁸  Since the reasons for the requests can vary, your organization may need to have different processes in place to handle the different types of requests.  For example, if additional information is needed for an initial authorization request, it may be your admissions team that would respond.  If, however, the request is related to a quality of care concern, it may be your leadership as well as your medical records team that responds.  

When these requests are received, providers should be aware that in all instances health plans are required to meet the requirements for protected health information (PHI) under HIPAA.⁹  It is also important for providers to understand what is required of them by payers as part of their contract to participate in a specific health plan’s network.  This information is generally included in the signed agreement with the payer and also in the health plan’s provider manual.

When developing or updating a process to respond to payer requests, it should include the following:

• Which roles or departments would be involved
• If part of a larger organization, whether the response comes from the corporate team or individual location
• The process your organization will use to respond including
  • A review of the request
  • Ensuring a timely response to a request
  • Including only what is being requested 

Organizations should respond to the requests in the manor requested by the health plan.  If the route requested is not possible, further coordination should take place with the health plan.

Challenges to Responding to Payer Requests

Providers can sometimes face challenges with collecting quality documentation from external partners, such as post-acute care EHRs, to obtain a complete picture to support payer requests like case reviews.  If you are asked to submit a specific item such as therapy notes for a five-day period of time, sending just those dates is all that is needed.  Submitting a complete medical record when only a specific item is requested can be time consuming on both the provider and the payer, not to mention providers should always focus on the Minimum Necessary for HIPAA.¹⁰ 

Sometimes sharing of information can also be complicated because each health plan may have a different way it would like to receive the information. This can be confusing, especially if an organization serves a geographic area with diverse health plan coverage.  In a region with a mix of health plan members, providers may receive requests from multiple health plans and each request can require a different way to respond that is specific to that health plan. By following the directions on the request letter, as well as what is available in the health plan specific provider manual, the information should get to the intended team.  Some health plans have modernized how they receive information from providers, such as through electronic portals, while others require copies of the medical record to be faxed or even mailed to them. 

It is important to know that it is acceptable to contact a health plan if you have any questions related to the request. Requests from health plans may include a way to contact them for questions.  If that is not available, information should be available in the health plan provider manual or on their website.

On the Horizon

While much of the discussion thus far has focused on current provider payer interactions, it is also important to understand changes that will be coming on the horizon. Providers should understand that regulatory guidance will be driving much of the future provider payer relationships. At first glance, most of the guidance being given by CMS is centered around their official statement for Value Based Care (VBC).  The CMS strategic direction guidance states that all Medicare fee-for-service beneficiaries will be in a VBC relationship with accountability for quality and total cost of care by 2030.¹¹ This is one of the boldest declarations from CMS in recent memory and there are multiple layers that make up the overall announcement. These layers may be construed as placing more of the burden on the providers. 

So, the question is what does CMS mean by issuing an ultimatum of this size? While this statement reflects a specific requirement for VBC, there are more recent federal announcements that are starting to shape how this ultimatum is going to be achievable across the healthcare spectrum. The Assistant Secretary for Technology Policy/Office of the National Coordinator for Health Information Technology (ASTP/ONC) announced the HTI-1 final rule in January of 2024, and it is created on the pillar of interoperability and nationwide data exchange becoming more mainstream.¹²  This means that many of the challenges providers face in responding or abiding by strict payer requirements, will now be handled at a federal level. There are provisions of the HTI-1 rule that specifically deal with individual data access to PHI and therefore will demand more interoperable and open data exchanges between payers and providers to empower individuals with that access. Obtaining and maintaining the Office of the National Coordinator for Health Information Technology (ONC) certifications at the EHR level are also covered in HTI-1. By facilitating the requirements EHR vendors must build to, providers will have more standardized and less proprietary options. The integrations required to be able to request and send crucial data to meet payer requests will be much more attainable, agnostic of the EHR vendor.

The ASTP/ONC quickly followed the HTI-1 final rule with the HTI-2 ‘proposed’ rule. The HTI-2 proposed rule was announced in July 2024, and while it has not been finalized, this rule looks to build on the HTI-1 rule and push towards easier nationwide data exchange.¹³ A specific point to note with HTI-2 is the release of requirements around Application Programming Interface (API) use for data exchange. This specifically includes information around APIs being used for data exchange between payers and providers to alleviate time constraints plus strict requirements that prevent timely access to care today. For instance, the Prior Authorization API requirements outlined in the rule states that certain impacted payers are required to send standard prior authorization decisions within seven calendar days and expedited prior authorization decisions within 72 hours. This rule stresses the need for more real-time communication between providers and payers for these determinations to be made in a timely manner.

While the regulatory guidance is heavy in this space, it is lending itself to paving a future path that will help facilitate the relationship between payers and providers. Keeping the focus on coordinated care for the patient while providing clarity around how payers and providers interact, these rules should allow for positive outcomes of improved health for everyone in the country.

Summary

When providers receive requests from a health plan it can be alarming.  It is important to remember that all requests are not punitive and can be a requirement to meet regulatory requirements as well as provider agreements with health plans.  As interoperability and data exchanges are implemented, it should make the exchange of information between providers and payers easier. The future regulatory guidance is lending itself to facilitate these types of requests. Both providers and health plans need to be proactive in staying up to date on these changes. Until these are in place, there may be more work on the provider side to respond to requests from payers, but it is important to respond to these requests as timely as possible.

¹ Centers for Medicare & Medicaid Services. (2024). Medicare-Medicaid Plan (MMP) Reporting Requirements. https://www.cms.gov/medicare/medicaid-coordination/plans/mmp-reporting-requirements

² Centers for Medicare & Medicaid Services. (2024). Mandatory Insurer Reporting (NGHP). https://www.cms.gov/medicare/coordination-benefits-recovery/mandatory-insurer-reporting

³ Centers for Medicare & Medicaid Services. (2024). Mandatory Insurer Reporting for Group Health Plans (GHP). https://www.cms.gov/medicare/coordination-benefits-recovery/mandatory-insurer-reporting-group-health-plans

⁴ Centers for Medicare & Medicaid Services. (2024). Parts C & D Enrollee Grievances, Organization/Coverage Determinations, and Appeals Guidance. https://www.cms.gov/medicare/appeals-and-grievances/mmcag/downloads/parts-c-and-d-enrollee-grievances-organization-coverage-determinations-and-appeals-guidance.pdf

⁵ Commonwealth of Pennsylvania. (2024). Pennsylvania General Assembly. https://www.legis.state.pa.us/WU01/LI/LI/US/PDF/1921/0/0284..PDF

⁶ Medicaid and CHIP Payment and Access Commission. (2024). Quality of Care. https://www.macpac.gov/topic/quality-of-care/

⁷ Social Security Administration. (2024). Compilation of the Social Security Laws. https://www.ssa.gov/OP_Home/ssact/title19/1932.htm

⁸ McNary, A. L. (2022). Responding to Record Requests: The Basics. Innovations to Clinical Neuroscience, 71-73.

⁹ U.S. Department of Health and Human Services. (2024). HIPPA for Professionals. https://www.hhs.gov/hipaa/for-professionals/index.html

¹⁰ Ibid

¹¹ Centers for Medicare & Medicaid Services. (2024). https://www.cms.gov/priorities/innovation/about/strategic-direction

¹² Health Data, Technology, and Interoperability: certification program updates, algorithm transparency, and information sharing (HTI-1).(2024). https://www.federalregister.gov/documents/2024/01/09/2023-28857/health-data-technology-and-interoperability-certification-program-updates-algorithm-transparency-and

¹³ Health Data, Technology, and Interoperability: patient engagement, information sharing, and Public Health interoperability (HTI-2). (2024). https://www4.federalregister.gov/documents/2024/08/05/2024-14975/health-data-technology-and-interoperability-patient-engagement-information-sharing-and-public-health