In this episode of Agile&Me, Richard discusses the complexities of medical records in healthcare with Tiffany Warden. Covering a range of topics including the historical shift to electronic records, patient rights governed by HIPAA, the financial consequences of non-compliance with regulations and challenges in managing medical record requests from patients, payers, and state agencies.
Richard: Welcome back to Agile&Me, a Physical Therapy leadership podcast series. I am excited to welcome back Tiffany Warden. Tiffany needs no introduction, but I suppose we should. So Tiffany, would you like to introduce yourself to the guest before we talk about medical records?
Tiffany: Yes, my name is Tiffany Warden and I've been with Alliance for 10 years. I've been in the physical therapy field now for about 19 years and I serve as the Corporate Compliance Officer for Alliance Physical Therapy Partners.
Richard: Part of that role is essentially managing the medical records component of the outpatient PT business, correct?
Tiffany: Yes, I handle all of the supervision of our staff that processes our medical records that come in.
Richard: So I know people have been really looking forward to this episode. I get so many requests from listeners to talk about medical records. It's unreal. Sarcasm there, but joking aside. This is actually an area that is imperative for listeners, outpatient PT leaders, owners to understand, isn't it? Because there are a lot of rules and regulations around this. And if you don't comply, there are significant consequences potentially associated with this. Is that right?
Tiffany: Yes, the consequences are often financial in nature. And they can run into the tens of thousands of dollars per incident, depending upon the amount and type of information that's released. How it was released and what type of rules and protocols you had in place to prevent the inappropriate release of that information and whether or not you followed them.
Richard: We talk about medical records in the ancient times, when I first came across the states, the clinician, it was basically the idea of, well, the patient walks in, you make a photocopy of their paper chart, you hand it to them and everything's golden. But things have kind of moved on quite considerably since that time, haven't they? And when we talk about medical records, there has to be a level of sophistication, not only with regards to understanding what needs to be given to the various stakeholders, but timeframes and exactly what information they want, how they want it presented, et cetera. Is that right?
Tiffany: Yes, we've seen a definite shift towards the individuals, their rights with regards to their medical records, and this is relatively new. I say this is from 1996 on, which is when HIPAA was first put out there. And the changes have actually been quite extraordinary. We've moved on from things being regulated in 50 different ways by 50 different states. And now we have HIPAA that governs us at the federal level. We are a covered entity, healthcare providers in large part are a covered entity. And so what we have to do is we have to recognize what our responsibilities are, both at the state level and also at the federal level. And when those two ideas collide, or maybe they don't match up. What set of rules do we go with and then it just kind of trickles down. It trickles down from there. There are a lot of things to consider. You cannot just release medical records and that's a good thing, right? Because it's your private personal health information. And interestingly enough, I don't know if everybody knows this, the office of Civil Rights actually oversees this area and I think that's really interesting just simply because privacy is one of the fundamental rights in our country and this piece of legislation is largely associated with how we keep private our personal health information, who has access to it, who can get it without permission and with our permission. So to me, it's very interesting to kind of see how the legislation and the ideas of privacy regarding our own health information have progressed throughout the years, especially over the past decade or so.
Richard: To me it seems a really, really difficult push pull. What I mean by that, is the idea that people want access to medical records, and understandably, and that's fine, but then there's so many rules and regulations in regards to how you can give access and if you can give access. To me, it's just a complete minefield when you take into account the federal regulations and under that. And I would imagine there's probably different entities with different rules, then you have state rules, and then you have probably, maybe I could be speaking out of turn here, possibly some local or payor rules, perhaps I have no idea, depending on who you're sending the notes, the medical records to, and trying to understand. All the stakeholders involved and which takes priority and which rule do you go with? It seems like a complete minefield.
Tiffany: It is because historically, the states have regulated medical records, they regulate the basic required content of the record, they look at retention timelines, charging guidelines, the various disciplines specific state practice acts will also address additional information that has to be held within the medical record. They've always done that. But if you've noticed over the past probably 10 years, you'll see these state practice acts that are getting very specific based in large part on payer feedback, but also just on good medical practice. We need that historical record in order to appropriately treat a patient 10 years down the road. So we need to know what is in these medical records and we need a base. We need the basic library of information on every patient in order to be able to choose how to go about providing the best health care to them. So the state regs do that. The various disciplines will also drill down a bit. We see that specifically in physical therapy. We see a lot of talk about Timeliness of certain interventions and how we're supposed to document what we're supposed to document how we sign what kind of supervision is required even within a medical record, not just within a practice of, say, a student comes into your practice and is doing a clinical rotation in there. There are guidelines that are within the state practice acts that address the type of information they can enter into the student, meaning the student can enter into the patient record and how that information has to be overseen by the licensed professional, so we've drilled down quite a bit from the way it used to be, which was we're just going to write down stuff in a medical record and keep it on file to now we have specific pieces of information that have to be in there in order for it to constitute an appropriate medical record. The other thing is the older state regulations, they didn't address and most of them don't address the ownership of the record. It's always been assumed that the person creating the record owns the record. And that's still true. HIPAA doesn't dispute that. But what HIPAA does dispute is who owns the information within the record. It was a new idea that they introduced to us. HIPAA did that, again, it's that patient right, that right to access that private information about their health. And so HIPAA came along and established that the patient owns the information within the record while the provider owns the record itself. Most states don't even address ownership of the medical record, just about under half of them do. So HIPAA changed that a little bit and put those delineations there for us. And that was a good thing, because, making it clear that an entity is owning the record, a provider is owning the record, is a good thing. You and I both know being in healthcare, if you're not responsible for it, you're probably not going to pay a lot of attention to it. But if you are responsible for it, you are going to be paying attention to every little thing that comes in there. Especially when things like payments and future healthcare and things like that are dependent upon the information within these records. They're incredibly important. So HIPAA came along and established that concept of patient right of access and included in that right of access are some timelines and there are other allowances that patients have over their medical records, such as the right to amend their medical record. Patients have a right to inspect their medical record and determine whether or not they agree with what is in the medical record. HIPAA sets out a timeline and a process that we have to follow in order to provide that type of transparency to the patient with regards to that record. Covered entities can deny those requests because ultimately they do on the record and they have a final say in what is appropriate and what is correct from a medical perspective, but a patient again has that right to inspect it and to request it and to have a record of those requests in the record itself. It's pretty circular.
Richard: It blows my mind the fact that the provider owns the record, but the individual owns the content of the record. So, I understand it, but it does seem strange to me. But anyway, regardless of that, let's step back a little bit, because when we talk about medical records as a provider or as an owner, there's two, to me, there's kind of two fundamental components of this. The first off is I'm making these medical records every day of the visits that I'm seeing and how long do I have to keep them? You know, who do I have to keep for what length? Because even though it's now electronic, we don't want to continue to store personal information any longer than we need to. So that's the first thing I'd like to cover. And then the second component of medical records is when you're asked for a copy. So let's start, let's focus on the first thing first of all. So as a provider, let's stick with outpatient therapy. How long do we need to keep medical records for?
Tiffany: It depends on the state.
Richard: I knew that was going to be a depends answer, wasn't it? It had to be a depends. Nothing, nothing is simple when it comes to regulation, is it?
Tiffany: There are at least 51 answers, so 50 for every state, and then, and then of course you have your federal requirement. HIPAA kind of sets that at six years but we all know that in healthcare especially in the world of compliance and regulatory items, we have to default to the most restrictive rule set at play. And so that is often shorter, that six year limit is often a shorter time period than what is required by the state. Very common length of time is seven years. for adults. What we have with children is we often have to keep the records until they reach the age of majority plus a year or two afterwards. So, depending on your patient population that could be, you know, anywhere from seven years to 27 years. It really just depends on the situation. Then the other thing that comes into effect is, you know, you have your six years at federal, you've got your state, that can be anywhere from five to seven with seven being the most common, but you also have certain payer contracts that have look back periods of 10 years. And so when you start looking at, especially these Medicare Advantage, you know, contracts that have come out in the past decade or so, when you look at them, what you're now seeing is they are requiring you to store those records for 10 years. In the event that they would need to pull them for their 10 year retention period. CMS and governmental agencies can go in for 10 years, I'm referring to the payer and request to pull their records and review them, so they pass that requirement down to us. Our own internal policy is 10 years because again, we go with the most restrictive set of rules on file. The exception, of course, is still the kids and and we have to just we have to do that on a case by case basis 50 state laws, but doesn't address the minor records the states do.
Richard: So it would be without Medicare Advantage. Let's give Medicare Advantage a big round of applause. Once again, we love such great programs and pay so well for therapy anyway. Let's move on. The other thing about medical records to me, storage is you have those constraints but there's also the issue of work comp and personal injury, isn't that because if there's personal injury and the claim isn't, you really have to be cognizant of when that claim closes as well, because if the claim goes on for an extended period of time, which they can You've that changes perhaps even your medical records policy.
Tiffany: Yes, that time retention period is based on the last encounter you had with a patient. So it's not the 1st encounter, it's the last encounter. So, if something drags on and you are still involved, you're creating records past a certain date, you just keep extending your retention period out.
Richard: So I think we've covered the piece in regards to how long you keep records for. If you see pediatrics, then you could keep them for up to almost 30 years, potentially, which is crazy, but it is what it is, isn't it? Thankfully, at least it's not paper records now for most places. Let's turn our attention a little bit to medical records requests. So we've talked, mentioned it, but let's talk a little bit about how medical records are regulated a little bit more. So the entities and what they expect and enforce, makes sense?
Tiffany: Well, sure. I mean, it's easier, I think, to start again back in 1996, of course, when HIPAA was established, because again, it established the right of access. It also established the right to restrict who is receiving that information, the uses or disclosures of, of the patient's medical record. It also includes a right to amend, as we discussed earlier there are timelines and processes associated and they're outlined really clearly in HIPAA. And HIPAA is good in that, you can go to the HHS website and there are templates and there are just really direct instructions on how to abide by these different HIPAA requirements. The reason you have to look back at that, at the history of it, and then also the, the additional rights that, that have been granted to the patients is, Because that's how you have to structure your medical records program internally, you have to think about who is requesting, why are they requesting, what are they requesting, are they requesting the whole thing, the partial thing you know has the patient restricted the release of that information, so the record requires further scrutiny prior to it being released, do we have to scrub all the record or part of the record, these are all questions that have to be considered. When you're structuring your compliant medical records program another good thing HIPAA did was they laid out the critical components, the required components of what an authorization to release medical records looks like. I think we could probably start there. We take a look at what are the minimal pieces, what are the minimum pieces of information that have to be there in order for us to be able to release it, and they're pretty clear, a description, of course, of what it is that the patient is wanting us to release, the name of the person making the authorization, is it the patient, is it the patient's spouse, is it the patient's guardian, is it their attorney, you know, who, who is making it the name of the person or organization who's authorized to receive the protected health information. Where are we sending it? How are we sending it? A description of the purpose, why does this person need their medical record? Is it for litigation? Is it to satisfy a disability claim? There's got to be some description. Unless the patient's making that request and then the patient makes the request, as long as it meets all of the other guidelines, we have to release it. They don't really have to provide a lot for third parties, but we also have to have an expiration date. It doesn't have an expiration date. We're going to assume that the authorization expires within one year. That's what we do unless it's a longer period of time, such as till the end of litigation or till the claim is adjudicated, there's got to be some type of language in there referencing it, then of course, the signature of the person that is actually authorized to to make. The release of information happens a lot of times. The patient or it could be their spouse or parent or guardian. So those are the things that we have to look at and all of those components are addressed in HIPAA. Under all of these rights of access the right to amend the right to restrict. If you notice, we're talking about who's doing it. Why are they doing it? Why are they asking it? Who's it going to? It's all about those three. A lot of it is about those three rights that were granted to patients under HIPAA. So I think that the basis of any good medical records program is that number one, you have to be really cognizant of what law is actually governing. Is it the state law? Is it the federal law? And then once that's happened, does it meet the minimal requirements in order to even come into the queue to be released? Releasing the release of records is the point of your medical records program because your maintenance now, like you said, since we're mostly electronic in our documentation practices, we don't have to worry about maintaining a paper set of records, a physical set of records. That's IT's job. So ours is actually controlling the process of how the records and when the records and to whom the records are released.
Richard: Again, from a very practical perspective. What is considered a medical record because not every piece of information that is in the patient's folder chart record is necessarily provided within that request, correct?
Tiffany: That is correct. So, the medical record is anything that has to do with the treatment of the patient and the billing, you've got the billing component and then you and then you have the treatment entities covered entities need to establish what they deem as their designated record set. That's something that we have to do. We actually have a policy internally that lays out what pieces of information are to be included in the patient's medical record set so that when we go to release, that's what we're releasing. There are certain things like incidental notes that aren't really clinical in nature, but maybe just a reminder or a flag in a case that that is working for us on the administrative end, that's not really include, that's not going to be included in the, in the medical records that if something happened to the patient while they're on the premises of the healthcare provider, that's not always part of the medical record. It just, it depends, in each covered entity, each healthcare provider needs to define, clearly define in their policies and procedures. what constitutes their designated medical record set. There are certain things that you have to include. And that's just kind of a common sense, our daily notes for PT, it's our initial eval, our plan of care, referrals and things and other things. So it's pretty straightforward what should be included, what you have to worry about sometimes are those ancillary pieces of information and how you're going to, how you're going to view them and classify them internally, and then that will guide what you release.
Richard: I just thought of this, but let's say a provider is using a patient app. So let's say MedBridgeGo, there's plenty of apps out there, but let's say they use a third party application, an electronic application. It's separate from the EMR system. If there is a request for medical records, I would assume that any information that isn't medical in nature associated and contained within those other software systems, theoretically, would be part of the patient's chart, or am I incorrect there?
Tiffany: It depends. I mean from an accuracy perspective, should you be including communications with the patient about their medical record in the medical record? Yes, to an extent, again it's a common sense thing. If the patient is calling to ask a question about a prescription you know that's a certain kind of question. But if a patient is messaging you through the app about hours or rescheduling an appointment, Is that something that needs to be recorded? Probably not because it's already going to be recorded in the scheduling component of the EMR that that was done. So is that something that you need to transfer over yourself? No, because you are going to have access to that information anyway. And when people are requesting a medical record, they're not really looking for those types of things. That type of information. What they want is they're more interested in just the basic information such as what is my diagnosis code? Why was I seeking treatment? What was done to me? And what's my outlook? And then of course you get into the billing records and you want to see what was charged versus what was paid versus what was outstanding. Those are the basic pieces of information that people are looking for when they request a medical record because they're usually doing it. To either continue to contest a decision that was made by another insurance company or by some other entity, they're looking to establish validity for their argument with the information in that record. And there aren't really many more other than just wanting to know or just to have a copy. I am that person. I like having a copy of my health care. And so other than that, though, there aren't a whole lot of reasons to release a medical record. You're trying to answer some very basic questions. And so when you, when you look at that, it's kind of the same idea when we're trying to, let's say, collect on a patient account. Do you have to put in every single action that you take to do that? The answer is, well, it's likely recorded already. You know, your phone call. Did you make a phone call? Sure. Do you have to document the conversation? No. If somebody asked for the medical record, are they really asking for that piece of information? Probably not. I mean, they're going to have to get really specific if they want that information, from our team. But mostly we focus on the big pieces of information.
Richard: When there are medical requests, essentially, I believe, correct me if I'm wrong, there's essentially three different stakeholders that asked for one is the patient himself. Secondly, is the payer and third is if there is any sort of third party involved, be that lawyers or case managers. Are there any other groups that tend to ask for medical records?
Tiffany: No, I mean you have your state agencies, your patients, of course, you mentioned that's pretty straightforward, but for the state agencies, you know, your workers compensation courts, your workers compensation oversight, whatever agency is governing that state's workers compensation program, they may be requesting the records because somebody has contested a finding by a workers compensation carrier. There are all kinds of governmental agencies that will request records. So, that covers most of that, but players, it gets interesting. And I'll talk about attorneys in a second, but payers, it actually gets interesting because you have your routine audits, you know, payers are entitled to the records unless the patient has restricted information and restricted the release of that information to the payer. And, paid for the cost of the treatment in total out of pocket. Okay, so if they've done that, then we are not required to release information to the payer. But anything that we bill to the payer is fair game for them. And so, they can ask for it for just a general claims review, just a general audit to determine whether or not they're going to give additional authorizations, but they also do just random audits, which are fun.
And then they also do risk adjustment. If you're on a Medicare Advantage plan. They'll do what's called a risk adjustment audit, and those can get pretty intense. They're still entitled to the information, but essentially you'll have a medical records request come in with anywhere from one patient to, I've seen up to 150 patients on one request. And what they're looking for is to validate how they have tiered the patient needs wise in their system. They want to validate existing diagnostic codes in that patient's record, not just from us, but from all the providers. And so they're requesting records from us and for all the other providers to validate the diagnosis codes that they have assigned them and what risk tier they've been assigned to within that program, because that's how they're paid by the government. So those are difficult because they're just so big sometimes. And usually January through about May, we get a ton of these requests in and we can process 2000 charts off of these, just a very few number of requests. It's just a large number of charts that are included in the request. So that's a lot of what we do for payers. When we talk about third parties, we again go back to state agencies. Disability is a big one. Long term disability, short term disability. You have your disability with the state, but that's under the state agency. But you have your long term and short term disability requests that are, you know, that need to take priority. You have your continuation of care. That's a big one. We always prioritize continuation of care because somebody out there is waiting on this record. So again, make a determination on how to approach treatment for a shared patient. So we prioritize those. So those can come from doctors. They can come from well, any kind of provider actually. So we honor those and we prioritize those. Then we look at attorneys. We have attorneys that are just sending medical records requests. All they want are the medical records. We have attorneys that are wanting medical records requests and affidavits and notaries on these records because they're going to introduce them as evidence in their litigation. And so there are a lot of things that come into play when we're looking at how we provide records to not only the attorney, but the court, because you, there's a difference, right? An attorney can send a subpoena that's signed by another attorney, and it is a subpoena, but it's not a court order. But then we have an order, which looks very similar, coming from the court, ordering us to produce the records, and we have to turn those over as well. So we can have them coming from a hundred different sources. You just, again, you have to go back to who are you releasing it to, why, who has the authority to approve the release or order the release, all of these things that were outlined.
Richard: We might as well have another dig at Medicare Advantage. That's really my pastime nowadays, is this idea of risk adjustment. Correct me if I'm wrong, but in the news recently, wasn't it the case that the government, CSM, was inferring or stating that the Medicare Advantage plans were actually up-selling, but upcoding the level of risk for patients and being overpaid by the government. Is that correct?
Tiffany: Yes. The government right now, CMS, is very active. They're actively pursuing this right now. And, you know, of course that's gonna, that's gonna trickle down to us because the more that the Medicare Advantage plans are asked for information, the more information they're gonna want from us to substantiate their current position. And so we're gonna feel. But ultimately, Medicare Advantage plans are reimbursed based on how they're tiering that person, right? Are they level one, level two, level three? I'm not saying that's what they call it, but essentially, it's, how complex are the medical conditions for this patient and how complex is the care that needs to be provided and even, even something, physical therapists don't normally provide in most states, medical diagnoses, we get those from the doctor. And so what we do a lot in physical therapy is we provide information that substantiates the diagnosis code assigned to the patient by the referring position, because essentially we're coding out. the symptomatology that we're treating in the patient. And so that's important to substantiate ultimately that medical diagnosis. But it's also coming in from multiple sources. So if that patient is being seen by PT, by OT, by a chiropractor, by a podiatrist, all of the information is being fed into the system. And ultimately the level that they're tiered at is going to Mark what or mark how that Medicare Advantage plan is reimbursed. So the more complex the case, the higher the reimbursement to the plan, because the assumption is they will need more money to manage the more complex cases.
Richard: Exactly. That's the point I was going to make. Once again, outpatient therapy is collateral damage to help payers justify their fees to the government for higher rates of reimbursement, but we don't get different reimbursement at all. But anyway, let's move on because we are talking about medical records. It's always about time and money, isn't it? Everything in life is about time and money. So let's talk about time and money because when it comes to medical record requests, there are time constraints, aren't there? And they can bite you in the butt a little bit. And then also we don't have to do this for free, do we? You know, again, 20 years ago when I was working in a clinic, patients would come in. They'd ask for a set of medical records or anyone would ask for a set of records as long as they came and I just handed it over and didn't even think about the time or cost associated with it. But things have changed. So let's talk a little bit about time first. And then if you can talk about money.
Tiffany: Well, currently HIPAA says 30 days, 30 calendar days, from the day we receive the request. That's how long we have to produce. There are avenues that we can go down if we have to go get the records or they're not, maybe it's that older paper record and we have to go find it. So you can allow or request additional time, but again, HIPAA laid out that process, laid out what that paperwork needs to look like. Generally speaking, 30 days. What we've seen in the past 5 to 7 years are states moving to a lower threshold to 15 days. You know, it hasn't been published yet but there is supposed to be a new final rule coming out with regards to HIPAA that will lower the threshold federally to 15 days in most circumstances. I haven't seen it yet, it was just in the proposed rule. And the release date keeps getting pushed back. But I think 15 days is likely where we're going, and the reason for that adjustment is because we switched from that paper model over to the EMR, where a lot of times, you just have to press a button to download the records. Now, that doesn't account for, if you have to go in and redact certain pieces of information, it doesn't account for, the same amount of time that's used to review the authorization to make sure that everything's in place for the release, that the person requesting the information is entitled to the information, all of those stay the same, but that time period to actually grab the records and package them up are now, you know, since it's an electronic process, they allow less time. Also, because we send them a lot, HIPAA allows the requester or requires the owner of the information, they allow them to actually tell you how they want their records released. So if they want them emailed, if they want them faxed, if they want them, you know, sent on a disk drive or a thumb drive, You have to take that into consideration. You have to take your own abilities and your own equipment into consideration as well, but you have to really give deference to those, to those requests or those patient preferences in that way.
Richard: Before we talk about money though, it's funny, isn't it? Can you imagine a governmental agency being expected to actually respond in a meaningful way in 15 days? That would be truly remarkable, wouldn't it? It would be. They expect us to be able to, to return documentation in that period of time. But again, I'm being rather cynical and I shouldn't, but 15 days sounds a lot, but it's not actually that much time. Is it particularly if, if the person that gets the request doesn't necessarily pass it on in a timely manner to the right person?
Tiffany: That's the other thing is that you have to look at the structure of your company, you know, for us, we are in multiple states and we have multiple entities doing this. And so we have to work by all these different sets of rules and we don't always get things the same day that they're received. If something's received in California on a Monday, I might not see it until Thursday. And then I might not actually process it until a couple of days after that because everything has to be queued up. Everything comes out in the order that it comes in. Everything goes out in the order that it comes out with very few exceptions. So it's difficult to balance. It's difficult to balance those timelines, especially if you're not all in one place. And I don't think most medical providers are these days. Usually you're dealing with multiple locations, multiple providers. And so it just, it gets a little bit, you know, difficult sometimes to figure out the best way. But again, you have to go back and look historically at the intent of what HIPAA was, what was the intent, and what are the basic requirements. And if you can use that as your jumping off point, you'll be able to set up a pretty good process that allows you to operate within those timelines. I do think it is the level of oversight on the administrative side of medicine in the past 15 to 20 years. Has increased dramatically. I think you as a provider can attest that, you used to have just total control over what happens in your clinic, what you were documenting, what you were doing. And now we've got all of these rules at the federal and state levels that are governing how we do the administrative functions and It gets, it gets pretty complicated, but again, it's important that you know the basics and it's important that every company out there that has a medical records release program in house is very familiar with every state law, you know, that they have to operate under and of course the federal law as well. And then you get into charging. So, part of having access to your records was breaking down the barrier of what's going to cost you 100 to get your records. That's not right. It can be right, but it, you know, to some people they can't afford that. And so what HIPAA did was they also put a threshold on what you can charge a patient for a reasonable cost, and you also can't restrict the release of records to an attorney or to someone else because the patient failed to pay on that account. So that was a good thing because you really don't want to interrupt certain processes just over a medical records bill, but charging also be, it became this big target and when HIPAA, when that, when this it's $6.50. I remember this because I thought $6.50 for a medical record. That's nothing. And a lot of attorneys were sending us records requests that said you can't charge me more than $6.50. And so, we did some investigation into that. And that just wasn't the case. It was largely misunderstood. But what HIPAA did was either allow you to, to not even take what your cost is into consideration and, and establish that base rate or you can do something that's based on the actual labor. The cost of labor that it takes. And so it depends on what your view is here. We go by labor cost. If it's not otherwise specified, we go by the cost that the average cost that it would take to produce a medical record. And so that's what we charge our patients. And that's what we charge. That's what we charge across the board within. It can vary by state, though. It just depends on what you're working with, who you're working with, why you're releasing the record, to whom you're releasing the record. Everything is just kind of dependent upon an array of facts, not just a fact that a request to release exists.
Richard: So time's running out. Let's pull it back to a very practical, everyday example. Patient walks in and wants a record either on the spouse or a patient's father, mother guardian walks in, wants a medical record of Jimmy or Sharon, the wife that's being treated and stands there and expects the medical record. First and foremost, I assume there is a form they would need to fill out, regardless of who asked for it, regardless of whether they're in person or not. I assume you'd at the very least have to check identification. And then secondly, if they turn up in person, is there a charge? And do you expect or is it, is it expected to have paid? Before you provide them with the medical record during after when is, when is payment required as well. So it depends. You're going to have that on your grave, Tiffany.
Tiffany: I'm going to have it on my grave. If a patient themselves walks in our internal practice to provide one free copy of the patient record annually to the patient. And we document that that record was provided in the account. It's their record who knows what they want to do with it, but it's their information. So if they walk in, they can provide appropriate identification. There's really not a problem with them getting their records that day. Again, we're in the EMR world, so we can pretty much go over and just print it off in a matter of five minutes or less. So that's just good customer service, and it's our practice internally. If somebody other than the patient walks in, we have to ask, More questions. And we definitely are going to have to have a form unless we already have something on file. So it, it depends, you've got the power of attorney to issue those things we normally have on file. So if they walk in, as long as they can fill out the form for us, we'll go ahead and release them right there. Or they can choose to submit a form online. We have these forms online that come straight to our medical records department on all of our websites. So yeah, I don't have an issue with it, and as far as you know, when the payment is due, we're mostly charging third parties. So if a patient or their personal representative, not an attorney, not, not their claims adjuster, Their personal, their guardian, their spouse, they come in as long as they meet the criteria for the person that we're allowed to release the records to, we can release them and we really don't expect payment right then and there, if it's a third or fourth time that they've been in there, you know, second, third, fourth time they've been in there, we may request payment, but we will not refuse to release the records to that patient or to their authorized representative based on non payment with attorneys. With certain other entities, we do require prepayment and so that is, you know, we get a request in on Monday, we can turn the request around by Friday and we can send them a bill and say, okay, here's your invoice. If you can issue payment to us, we'll go ahead and mail or email the records today.
And then we do that because, of course everybody has issues collecting after the point of service. And so, you know, the appropriate thing would be to collect prior to prior to the service. So we do request that, but it largely depends on our history with the requester as well, especially the third party requesters. We want to know, are they good? We have attorneys in certain companies where they handle 40 percent of our patient caseload or car accidents. We just know them and we either know they pay or they don't pay. And so we kind of let that guide our decision because it's a requiring prepaid to me is a lot like hurry up and stop because you ramp, you get this request you ramp up you get everything ready and then you just, you put it on hold and you're waiting for this so it introduces a snag in the timeline. And so, hurrying up and stopping often frustrates me but it is a necessary step in some instances, but we take it case by case. We take it case by case and we do go back and we treat those collections just like we would any other collection if we notice that they're not paying it, we run our reports and and we see who who's doing what, and then we respond appropriately and they may you know that person that has trouble paying in the past may or may not get moved to the prepay list. It all depends. But we, we won't deny continuity of care requests ever, and we will not deny anything that is urgent or, you know, urgent in nature. We just won't do it.
Richard: I can’t believe you're inferring that the lawyer's office might not pay that. Imagine that ever happening. But anyway, on that note, we've run out of time. I could talk about this all day. This is such a scintillating subject. Hopefully, it's been helpful to practice owners. I'm sure it will, because this is something that's always confused me somewhat about what I have to do and when. So thank you so much, Tiffany, for your font of knowledge. You certainly have a remarkable grasp on this subject. So Thank you for being a guest.
Tiffany: Thank you. My pleasure.
Podcast Transcript
Richard: Welcome back to Agile&Me, a Physical Therapy leadership podcast series. I am excited to welcome back Tiffany Warden. Tiffany needs no introduction, but I suppose we should. So Tiffany, would you like to introduce yourself to the guest before we talk about medical records?
Tiffany: Yes, my name is Tiffany Warden and I've been with Alliance for 10 years. I've been in the physical therapy field now for about 19 years and I serve as the Corporate Compliance Officer for Alliance Physical Therapy Partners.
Richard: Part of that role is essentially managing the medical records component of the outpatient PT business, correct?
Tiffany: Yes, I handle all of the supervision of our staff that processes our medical records that come in.
Richard: So I know people have been really looking forward to this episode. I get so many requests from listeners to talk about medical records. It's unreal. Sarcasm there, but joking aside. This is actually an area that is imperative for listeners, outpatient PT leaders, owners to understand, isn't it? Because there are a lot of rules and regulations around this. And if you don't comply, there are significant consequences potentially associated with this. Is that right?
Tiffany: Yes, the consequences are often financial in nature. And they can run into the tens of thousands of dollars per incident, depending upon the amount and type of information that's released. How it was released and what type of rules and protocols you had in place to prevent the inappropriate release of that information and whether or not you followed them.
Richard: We talk about medical records in the ancient times, when I first came across the states, the clinician, it was basically the idea of, well, the patient walks in, you make a photocopy of their paper chart, you hand it to them and everything's golden. But things have kind of moved on quite considerably since that time, haven't they? And when we talk about medical records, there has to be a level of sophistication, not only with regards to understanding what needs to be given to the various stakeholders, but timeframes and exactly what information they want, how they want it presented, et cetera. Is that right?
Tiffany: Yes, we've seen a definite shift towards the individuals, their rights with regards to their medical records, and this is relatively new. I say this is from 1996 on, which is when HIPAA was first put out there. And the changes have actually been quite extraordinary. We've moved on from things being regulated in 50 different ways by 50 different states. And now we have HIPAA that governs us at the federal level. We are a covered entity, healthcare providers in large part are a covered entity. And so what we have to do is we have to recognize what our responsibilities are, both at the state level and also at the federal level. And when those two ideas collide, or maybe they don't match up. What set of rules do we go with and then it just kind of trickles down. It trickles down from there. There are a lot of things to consider. You cannot just release medical records and that's a good thing, right? Because it's your private personal health information. And interestingly enough, I don't know if everybody knows this, the office of Civil Rights actually oversees this area and I think that's really interesting just simply because privacy is one of the fundamental rights in our country and this piece of legislation is largely associated with how we keep private our personal health information, who has access to it, who can get it without permission and with our permission. So to me, it's very interesting to kind of see how the legislation and the ideas of privacy regarding our own health information have progressed throughout the years, especially over the past decade or so.
Richard: To me it seems a really, really difficult push pull. What I mean by that, is the idea that people want access to medical records, and understandably, and that's fine, but then there's so many rules and regulations in regards to how you can give access and if you can give access. To me, it's just a complete minefield when you take into account the federal regulations and under that. And I would imagine there's probably different entities with different rules, then you have state rules, and then you have probably, maybe I could be speaking out of turn here, possibly some local or payor rules, perhaps I have no idea, depending on who you're sending the notes, the medical records to, and trying to understand. All the stakeholders involved and which takes priority and which rule do you go with? It seems like a complete minefield.
Tiffany: It is because historically, the states have regulated medical records, they regulate the basic required content of the record, they look at retention timelines, charging guidelines, the various disciplines specific state practice acts will also address additional information that has to be held within the medical record. They've always done that. But if you've noticed over the past probably 10 years, you'll see these state practice acts that are getting very specific based in large part on payer feedback, but also just on good medical practice. We need that historical record in order to appropriately treat a patient 10 years down the road. So we need to know what is in these medical records and we need a base. We need the basic library of information on every patient in order to be able to choose how to go about providing the best health care to them. So the state regs do that. The various disciplines will also drill down a bit. We see that specifically in physical therapy. We see a lot of talk about Timeliness of certain interventions and how we're supposed to document what we're supposed to document how we sign what kind of supervision is required even within a medical record, not just within a practice of, say, a student comes into your practice and is doing a clinical rotation in there. There are guidelines that are within the state practice acts that address the type of information they can enter into the student, meaning the student can enter into the patient record and how that information has to be overseen by the licensed professional, so we've drilled down quite a bit from the way it used to be, which was we're just going to write down stuff in a medical record and keep it on file to now we have specific pieces of information that have to be in there in order for it to constitute an appropriate medical record. The other thing is the older state regulations, they didn't address and most of them don't address the ownership of the record. It's always been assumed that the person creating the record owns the record. And that's still true. HIPAA doesn't dispute that. But what HIPAA does dispute is who owns the information within the record. It was a new idea that they introduced to us. HIPAA did that, again, it's that patient right, that right to access that private information about their health. And so HIPAA came along and established that the patient owns the information within the record while the provider owns the record itself. Most states don't even address ownership of the medical record, just about under half of them do. So HIPAA changed that a little bit and put those delineations there for us. And that was a good thing, because, making it clear that an entity is owning the record, a provider is owning the record, is a good thing. You and I both know being in healthcare, if you're not responsible for it, you're probably not going to pay a lot of attention to it. But if you are responsible for it, you are going to be paying attention to every little thing that comes in there. Especially when things like payments and future healthcare and things like that are dependent upon the information within these records. They're incredibly important. So HIPAA came along and established that concept of patient right of access and included in that right of access are some timelines and there are other allowances that patients have over their medical records, such as the right to amend their medical record. Patients have a right to inspect their medical record and determine whether or not they agree with what is in the medical record. HIPAA sets out a timeline and a process that we have to follow in order to provide that type of transparency to the patient with regards to that record. Covered entities can deny those requests because ultimately they do on the record and they have a final say in what is appropriate and what is correct from a medical perspective, but a patient again has that right to inspect it and to request it and to have a record of those requests in the record itself. It's pretty circular.
Richard: It blows my mind the fact that the provider owns the record, but the individual owns the content of the record. So, I understand it, but it does seem strange to me. But anyway, regardless of that, let's step back a little bit, because when we talk about medical records as a provider or as an owner, there's two, to me, there's kind of two fundamental components of this. The first off is I'm making these medical records every day of the visits that I'm seeing and how long do I have to keep them? You know, who do I have to keep for what length? Because even though it's now electronic, we don't want to continue to store personal information any longer than we need to. So that's the first thing I'd like to cover. And then the second component of medical records is when you're asked for a copy. So let's start, let's focus on the first thing first of all. So as a provider, let's stick with outpatient therapy. How long do we need to keep medical records for?
Tiffany: It depends on the state.
Richard: I knew that was going to be a depends answer, wasn't it? It had to be a depends. Nothing, nothing is simple when it comes to regulation, is it?
Tiffany: There are at least 51 answers, so 50 for every state, and then, and then of course you have your federal requirement. HIPAA kind of sets that at six years but we all know that in healthcare especially in the world of compliance and regulatory items, we have to default to the most restrictive rule set at play. And so that is often shorter, that six year limit is often a shorter time period than what is required by the state. Very common length of time is seven years. for adults. What we have with children is we often have to keep the records until they reach the age of majority plus a year or two afterwards. So, depending on your patient population that could be, you know, anywhere from seven years to 27 years. It really just depends on the situation. Then the other thing that comes into effect is, you know, you have your six years at federal, you've got your state, that can be anywhere from five to seven with seven being the most common, but you also have certain payer contracts that have look back periods of 10 years. And so when you start looking at, especially these Medicare Advantage, you know, contracts that have come out in the past decade or so, when you look at them, what you're now seeing is they are requiring you to store those records for 10 years. In the event that they would need to pull them for their 10 year retention period. CMS and governmental agencies can go in for 10 years, I'm referring to the payer and request to pull their records and review them, so they pass that requirement down to us. Our own internal policy is 10 years because again, we go with the most restrictive set of rules on file. The exception, of course, is still the kids and and we have to just we have to do that on a case by case basis 50 state laws, but doesn't address the minor records the states do.
Richard: So it would be without Medicare Advantage. Let's give Medicare Advantage a big round of applause. Once again, we love such great programs and pay so well for therapy anyway. Let's move on. The other thing about medical records to me, storage is you have those constraints but there's also the issue of work comp and personal injury, isn't that because if there's personal injury and the claim isn't, you really have to be cognizant of when that claim closes as well, because if the claim goes on for an extended period of time, which they can You've that changes perhaps even your medical records policy.
Tiffany: Yes, that time retention period is based on the last encounter you had with a patient. So it's not the 1st encounter, it's the last encounter. So, if something drags on and you are still involved, you're creating records past a certain date, you just keep extending your retention period out.
Richard: So I think we've covered the piece in regards to how long you keep records for. If you see pediatrics, then you could keep them for up to almost 30 years, potentially, which is crazy, but it is what it is, isn't it? Thankfully, at least it's not paper records now for most places. Let's turn our attention a little bit to medical records requests. So we've talked, mentioned it, but let's talk a little bit about how medical records are regulated a little bit more. So the entities and what they expect and enforce, makes sense?
Tiffany: Well, sure. I mean, it's easier, I think, to start again back in 1996, of course, when HIPAA was established, because again, it established the right of access. It also established the right to restrict who is receiving that information, the uses or disclosures of, of the patient's medical record. It also includes a right to amend, as we discussed earlier there are timelines and processes associated and they're outlined really clearly in HIPAA. And HIPAA is good in that, you can go to the HHS website and there are templates and there are just really direct instructions on how to abide by these different HIPAA requirements. The reason you have to look back at that, at the history of it, and then also the, the additional rights that, that have been granted to the patients is, Because that's how you have to structure your medical records program internally, you have to think about who is requesting, why are they requesting, what are they requesting, are they requesting the whole thing, the partial thing you know has the patient restricted the release of that information, so the record requires further scrutiny prior to it being released, do we have to scrub all the record or part of the record, these are all questions that have to be considered. When you're structuring your compliant medical records program another good thing HIPAA did was they laid out the critical components, the required components of what an authorization to release medical records looks like. I think we could probably start there. We take a look at what are the minimal pieces, what are the minimum pieces of information that have to be there in order for us to be able to release it, and they're pretty clear, a description, of course, of what it is that the patient is wanting us to release, the name of the person making the authorization, is it the patient, is it the patient's spouse, is it the patient's guardian, is it their attorney, you know, who, who is making it the name of the person or organization who's authorized to receive the protected health information. Where are we sending it? How are we sending it? A description of the purpose, why does this person need their medical record? Is it for litigation? Is it to satisfy a disability claim? There's got to be some description. Unless the patient's making that request and then the patient makes the request, as long as it meets all of the other guidelines, we have to release it. They don't really have to provide a lot for third parties, but we also have to have an expiration date. It doesn't have an expiration date. We're going to assume that the authorization expires within one year. That's what we do unless it's a longer period of time, such as till the end of litigation or till the claim is adjudicated, there's got to be some type of language in there referencing it, then of course, the signature of the person that is actually authorized to to make. The release of information happens a lot of times. The patient or it could be their spouse or parent or guardian. So those are the things that we have to look at and all of those components are addressed in HIPAA. Under all of these rights of access the right to amend the right to restrict. If you notice, we're talking about who's doing it. Why are they doing it? Why are they asking it? Who's it going to? It's all about those three. A lot of it is about those three rights that were granted to patients under HIPAA. So I think that the basis of any good medical records program is that number one, you have to be really cognizant of what law is actually governing. Is it the state law? Is it the federal law? And then once that's happened, does it meet the minimal requirements in order to even come into the queue to be released? Releasing the release of records is the point of your medical records program because your maintenance now, like you said, since we're mostly electronic in our documentation practices, we don't have to worry about maintaining a paper set of records, a physical set of records. That's IT's job. So ours is actually controlling the process of how the records and when the records and to whom the records are released.
Richard: Again, from a very practical perspective. What is considered a medical record because not every piece of information that is in the patient's folder chart record is necessarily provided within that request, correct?
Tiffany: That is correct. So, the medical record is anything that has to do with the treatment of the patient and the billing, you've got the billing component and then you and then you have the treatment entities covered entities need to establish what they deem as their designated record set. That's something that we have to do. We actually have a policy internally that lays out what pieces of information are to be included in the patient's medical record set so that when we go to release, that's what we're releasing. There are certain things like incidental notes that aren't really clinical in nature, but maybe just a reminder or a flag in a case that that is working for us on the administrative end, that's not really include, that's not going to be included in the, in the medical records that if something happened to the patient while they're on the premises of the healthcare provider, that's not always part of the medical record. It just, it depends, in each covered entity, each healthcare provider needs to define, clearly define in their policies and procedures. what constitutes their designated medical record set. There are certain things that you have to include. And that's just kind of a common sense, our daily notes for PT, it's our initial eval, our plan of care, referrals and things and other things. So it's pretty straightforward what should be included, what you have to worry about sometimes are those ancillary pieces of information and how you're going to, how you're going to view them and classify them internally, and then that will guide what you release.
Richard: I just thought of this, but let's say a provider is using a patient app. So let's say MedBridgeGo, there's plenty of apps out there, but let's say they use a third party application, an electronic application. It's separate from the EMR system. If there is a request for medical records, I would assume that any information that isn't medical in nature associated and contained within those other software systems, theoretically, would be part of the patient's chart, or am I incorrect there?
Tiffany: It depends. I mean from an accuracy perspective, should you be including communications with the patient about their medical record in the medical record? Yes, to an extent, again it's a common sense thing. If the patient is calling to ask a question about a prescription you know that's a certain kind of question. But if a patient is messaging you through the app about hours or rescheduling an appointment, Is that something that needs to be recorded? Probably not because it's already going to be recorded in the scheduling component of the EMR that that was done. So is that something that you need to transfer over yourself? No, because you are going to have access to that information anyway. And when people are requesting a medical record, they're not really looking for those types of things. That type of information. What they want is they're more interested in just the basic information such as what is my diagnosis code? Why was I seeking treatment? What was done to me? And what's my outlook? And then of course you get into the billing records and you want to see what was charged versus what was paid versus what was outstanding. Those are the basic pieces of information that people are looking for when they request a medical record because they're usually doing it. To either continue to contest a decision that was made by another insurance company or by some other entity, they're looking to establish validity for their argument with the information in that record. And there aren't really many more other than just wanting to know or just to have a copy. I am that person. I like having a copy of my health care. And so other than that, though, there aren't a whole lot of reasons to release a medical record. You're trying to answer some very basic questions. And so when you, when you look at that, it's kind of the same idea when we're trying to, let's say, collect on a patient account. Do you have to put in every single action that you take to do that? The answer is, well, it's likely recorded already. You know, your phone call. Did you make a phone call? Sure. Do you have to document the conversation? No. If somebody asked for the medical record, are they really asking for that piece of information? Probably not. I mean, they're going to have to get really specific if they want that information, from our team. But mostly we focus on the big pieces of information.
Richard: When there are medical requests, essentially, I believe, correct me if I'm wrong, there's essentially three different stakeholders that asked for one is the patient himself. Secondly, is the payer and third is if there is any sort of third party involved, be that lawyers or case managers. Are there any other groups that tend to ask for medical records?
Tiffany: No, I mean you have your state agencies, your patients, of course, you mentioned that's pretty straightforward, but for the state agencies, you know, your workers compensation courts, your workers compensation oversight, whatever agency is governing that state's workers compensation program, they may be requesting the records because somebody has contested a finding by a workers compensation carrier. There are all kinds of governmental agencies that will request records. So, that covers most of that, but players, it gets interesting. And I'll talk about attorneys in a second, but payers, it actually gets interesting because you have your routine audits, you know, payers are entitled to the records unless the patient has restricted information and restricted the release of that information to the payer. And, paid for the cost of the treatment in total out of pocket. Okay, so if they've done that, then we are not required to release information to the payer. But anything that we bill to the payer is fair game for them. And so, they can ask for it for just a general claims review, just a general audit to determine whether or not they're going to give additional authorizations, but they also do just random audits, which are fun.
And then they also do risk adjustment. If you're on a Medicare Advantage plan. They'll do what's called a risk adjustment audit, and those can get pretty intense. They're still entitled to the information, but essentially you'll have a medical records request come in with anywhere from one patient to, I've seen up to 150 patients on one request. And what they're looking for is to validate how they have tiered the patient needs wise in their system. They want to validate existing diagnostic codes in that patient's record, not just from us, but from all the providers. And so they're requesting records from us and for all the other providers to validate the diagnosis codes that they have assigned them and what risk tier they've been assigned to within that program, because that's how they're paid by the government. So those are difficult because they're just so big sometimes. And usually January through about May, we get a ton of these requests in and we can process 2000 charts off of these, just a very few number of requests. It's just a large number of charts that are included in the request. So that's a lot of what we do for payers. When we talk about third parties, we again go back to state agencies. Disability is a big one. Long term disability, short term disability. You have your disability with the state, but that's under the state agency. But you have your long term and short term disability requests that are, you know, that need to take priority. You have your continuation of care. That's a big one. We always prioritize continuation of care because somebody out there is waiting on this record. So again, make a determination on how to approach treatment for a shared patient. So we prioritize those. So those can come from doctors. They can come from well, any kind of provider actually. So we honor those and we prioritize those. Then we look at attorneys. We have attorneys that are just sending medical records requests. All they want are the medical records. We have attorneys that are wanting medical records requests and affidavits and notaries on these records because they're going to introduce them as evidence in their litigation. And so there are a lot of things that come into play when we're looking at how we provide records to not only the attorney, but the court, because you, there's a difference, right? An attorney can send a subpoena that's signed by another attorney, and it is a subpoena, but it's not a court order. But then we have an order, which looks very similar, coming from the court, ordering us to produce the records, and we have to turn those over as well. So we can have them coming from a hundred different sources. You just, again, you have to go back to who are you releasing it to, why, who has the authority to approve the release or order the release, all of these things that were outlined.
Richard: We might as well have another dig at Medicare Advantage. That's really my pastime nowadays, is this idea of risk adjustment. Correct me if I'm wrong, but in the news recently, wasn't it the case that the government, CSM, was inferring or stating that the Medicare Advantage plans were actually up-selling, but upcoding the level of risk for patients and being overpaid by the government. Is that correct?
Tiffany: Yes. The government right now, CMS, is very active. They're actively pursuing this right now. And, you know, of course that's gonna, that's gonna trickle down to us because the more that the Medicare Advantage plans are asked for information, the more information they're gonna want from us to substantiate their current position. And so we're gonna feel. But ultimately, Medicare Advantage plans are reimbursed based on how they're tiering that person, right? Are they level one, level two, level three? I'm not saying that's what they call it, but essentially, it's, how complex are the medical conditions for this patient and how complex is the care that needs to be provided and even, even something, physical therapists don't normally provide in most states, medical diagnoses, we get those from the doctor. And so what we do a lot in physical therapy is we provide information that substantiates the diagnosis code assigned to the patient by the referring position, because essentially we're coding out. the symptomatology that we're treating in the patient. And so that's important to substantiate ultimately that medical diagnosis. But it's also coming in from multiple sources. So if that patient is being seen by PT, by OT, by a chiropractor, by a podiatrist, all of the information is being fed into the system. And ultimately the level that they're tiered at is going to Mark what or mark how that Medicare Advantage plan is reimbursed. So the more complex the case, the higher the reimbursement to the plan, because the assumption is they will need more money to manage the more complex cases.
Richard: Exactly. That's the point I was going to make. Once again, outpatient therapy is collateral damage to help payers justify their fees to the government for higher rates of reimbursement, but we don't get different reimbursement at all. But anyway, let's move on because we are talking about medical records. It's always about time and money, isn't it? Everything in life is about time and money. So let's talk about time and money because when it comes to medical record requests, there are time constraints, aren't there? And they can bite you in the butt a little bit. And then also we don't have to do this for free, do we? You know, again, 20 years ago when I was working in a clinic, patients would come in. They'd ask for a set of medical records or anyone would ask for a set of records as long as they came and I just handed it over and didn't even think about the time or cost associated with it. But things have changed. So let's talk a little bit about time first. And then if you can talk about money.
Tiffany: Well, currently HIPAA says 30 days, 30 calendar days, from the day we receive the request. That's how long we have to produce. There are avenues that we can go down if we have to go get the records or they're not, maybe it's that older paper record and we have to go find it. So you can allow or request additional time, but again, HIPAA laid out that process, laid out what that paperwork needs to look like. Generally speaking, 30 days. What we've seen in the past 5 to 7 years are states moving to a lower threshold to 15 days. You know, it hasn't been published yet but there is supposed to be a new final rule coming out with regards to HIPAA that will lower the threshold federally to 15 days in most circumstances. I haven't seen it yet, it was just in the proposed rule. And the release date keeps getting pushed back. But I think 15 days is likely where we're going, and the reason for that adjustment is because we switched from that paper model over to the EMR, where a lot of times, you just have to press a button to download the records. Now, that doesn't account for, if you have to go in and redact certain pieces of information, it doesn't account for, the same amount of time that's used to review the authorization to make sure that everything's in place for the release, that the person requesting the information is entitled to the information, all of those stay the same, but that time period to actually grab the records and package them up are now, you know, since it's an electronic process, they allow less time. Also, because we send them a lot, HIPAA allows the requester or requires the owner of the information, they allow them to actually tell you how they want their records released. So if they want them emailed, if they want them faxed, if they want them, you know, sent on a disk drive or a thumb drive, You have to take that into consideration. You have to take your own abilities and your own equipment into consideration as well, but you have to really give deference to those, to those requests or those patient preferences in that way.
Richard: Before we talk about money though, it's funny, isn't it? Can you imagine a governmental agency being expected to actually respond in a meaningful way in 15 days? That would be truly remarkable, wouldn't it? It would be. They expect us to be able to, to return documentation in that period of time. But again, I'm being rather cynical and I shouldn't, but 15 days sounds a lot, but it's not actually that much time. Is it particularly if, if the person that gets the request doesn't necessarily pass it on in a timely manner to the right person?
Tiffany: That's the other thing is that you have to look at the structure of your company, you know, for us, we are in multiple states and we have multiple entities doing this. And so we have to work by all these different sets of rules and we don't always get things the same day that they're received. If something's received in California on a Monday, I might not see it until Thursday. And then I might not actually process it until a couple of days after that because everything has to be queued up. Everything comes out in the order that it comes in. Everything goes out in the order that it comes out with very few exceptions. So it's difficult to balance. It's difficult to balance those timelines, especially if you're not all in one place. And I don't think most medical providers are these days. Usually you're dealing with multiple locations, multiple providers. And so it just, it gets a little bit, you know, difficult sometimes to figure out the best way. But again, you have to go back and look historically at the intent of what HIPAA was, what was the intent, and what are the basic requirements. And if you can use that as your jumping off point, you'll be able to set up a pretty good process that allows you to operate within those timelines. I do think it is the level of oversight on the administrative side of medicine in the past 15 to 20 years. Has increased dramatically. I think you as a provider can attest that, you used to have just total control over what happens in your clinic, what you were documenting, what you were doing. And now we've got all of these rules at the federal and state levels that are governing how we do the administrative functions and It gets, it gets pretty complicated, but again, it's important that you know the basics and it's important that every company out there that has a medical records release program in house is very familiar with every state law, you know, that they have to operate under and of course the federal law as well. And then you get into charging. So, part of having access to your records was breaking down the barrier of what's going to cost you 100 to get your records. That's not right. It can be right, but it, you know, to some people they can't afford that. And so what HIPAA did was they also put a threshold on what you can charge a patient for a reasonable cost, and you also can't restrict the release of records to an attorney or to someone else because the patient failed to pay on that account. So that was a good thing because you really don't want to interrupt certain processes just over a medical records bill, but charging also be, it became this big target and when HIPAA, when that, when this it's $6.50. I remember this because I thought $6.50 for a medical record. That's nothing. And a lot of attorneys were sending us records requests that said you can't charge me more than $6.50. And so, we did some investigation into that. And that just wasn't the case. It was largely misunderstood. But what HIPAA did was either allow you to, to not even take what your cost is into consideration and, and establish that base rate or you can do something that's based on the actual labor. The cost of labor that it takes. And so it depends on what your view is here. We go by labor cost. If it's not otherwise specified, we go by the cost that the average cost that it would take to produce a medical record. And so that's what we charge our patients. And that's what we charge. That's what we charge across the board within. It can vary by state, though. It just depends on what you're working with, who you're working with, why you're releasing the record, to whom you're releasing the record. Everything is just kind of dependent upon an array of facts, not just a fact that a request to release exists.
Richard: So time's running out. Let's pull it back to a very practical, everyday example. Patient walks in and wants a record either on the spouse or a patient's father, mother guardian walks in, wants a medical record of Jimmy or Sharon, the wife that's being treated and stands there and expects the medical record. First and foremost, I assume there is a form they would need to fill out, regardless of who asked for it, regardless of whether they're in person or not. I assume you'd at the very least have to check identification. And then secondly, if they turn up in person, is there a charge? And do you expect or is it, is it expected to have paid? Before you provide them with the medical record during after when is, when is payment required as well. So it depends. You're going to have that on your grave, Tiffany.
Tiffany: I'm going to have it on my grave. If a patient themselves walks in our internal practice to provide one free copy of the patient record annually to the patient. And we document that that record was provided in the account. It's their record who knows what they want to do with it, but it's their information. So if they walk in, they can provide appropriate identification. There's really not a problem with them getting their records that day. Again, we're in the EMR world, so we can pretty much go over and just print it off in a matter of five minutes or less. So that's just good customer service, and it's our practice internally. If somebody other than the patient walks in, we have to ask, More questions. And we definitely are going to have to have a form unless we already have something on file. So it, it depends, you've got the power of attorney to issue those things we normally have on file. So if they walk in, as long as they can fill out the form for us, we'll go ahead and release them right there. Or they can choose to submit a form online. We have these forms online that come straight to our medical records department on all of our websites. So yeah, I don't have an issue with it, and as far as you know, when the payment is due, we're mostly charging third parties. So if a patient or their personal representative, not an attorney, not, not their claims adjuster, Their personal, their guardian, their spouse, they come in as long as they meet the criteria for the person that we're allowed to release the records to, we can release them and we really don't expect payment right then and there, if it's a third or fourth time that they've been in there, you know, second, third, fourth time they've been in there, we may request payment, but we will not refuse to release the records to that patient or to their authorized representative based on non payment with attorneys. With certain other entities, we do require prepayment and so that is, you know, we get a request in on Monday, we can turn the request around by Friday and we can send them a bill and say, okay, here's your invoice. If you can issue payment to us, we'll go ahead and mail or email the records today.
And then we do that because, of course everybody has issues collecting after the point of service. And so, you know, the appropriate thing would be to collect prior to prior to the service. So we do request that, but it largely depends on our history with the requester as well, especially the third party requesters. We want to know, are they good? We have attorneys in certain companies where they handle 40 percent of our patient caseload or car accidents. We just know them and we either know they pay or they don't pay. And so we kind of let that guide our decision because it's a requiring prepaid to me is a lot like hurry up and stop because you ramp, you get this request you ramp up you get everything ready and then you just, you put it on hold and you're waiting for this so it introduces a snag in the timeline. And so, hurrying up and stopping often frustrates me but it is a necessary step in some instances, but we take it case by case. We take it case by case and we do go back and we treat those collections just like we would any other collection if we notice that they're not paying it, we run our reports and and we see who who's doing what, and then we respond appropriately and they may you know that person that has trouble paying in the past may or may not get moved to the prepay list. It all depends. But we, we won't deny continuity of care requests ever, and we will not deny anything that is urgent or, you know, urgent in nature. We just won't do it.
Richard: I can’t believe you're inferring that the lawyer's office might not pay that. Imagine that ever happening. But anyway, on that note, we've run out of time. I could talk about this all day. This is such a scintillating subject. Hopefully, it's been helpful to practice owners. I'm sure it will, because this is something that's always confused me somewhat about what I have to do and when. So thank you so much, Tiffany, for your font of knowledge. You certainly have a remarkable grasp on this subject. So Thank you for being a guest.
Tiffany: Thank you. My pleasure.