Hundreds of Patient Information Requests for Medicare: What This Means for Your Pharmacy

Pharmacy personnel are all tasked with keeping patient protected health information (PHI) secure. When a request to access or release PHI is received by the pharmacy, panic may ensue if staff are not well versed in how to handle the requests to be compliant with 45 CFR §164.524.

First, a patient must be granted access to their own medical records (unless otherwise indicated as per 45 CFR §164.524(a)(2) or (a)(3)), whether they are asking for a copy to be provided to them personally or directed to another entity. The Office for Civil Rights (OCR) takes a patient’s right to access their records very seriously and will investigate (and potentially assess a monetary penalty) when a covered entity is found not to be appropriately following HIPAA Privacy Rules. The covered entity is encouraged to respond as soon as possible but must respond no later than 30 calendar days from the date of the request. If the covered entity is unable to comply with the request within 30 calendar days, it can be granted a one-time 30-day extension to its deadline, but it must notify the individual (in writing) of the reason for the delay and provide the date by which it will provide the records (refer to 45 CFR §164.524(b)(2) for additional information). Note that some state privacy laws may be more stringent (e.g., Texas).

A request for PHI can be harder to validate when it does not come from the patient for their own records. Recently, Anthem has been requesting information from numerous pharmacies across the United States. Each request has been issued by Episource, Datavant, or Cotiviti, purportedly on behalf of Anthem, Healthy Blue, or Wellpoint. The requests have been for patient information from January 2023 through the present and can range from one patient to several dozen.

The request likely stems from recent Office of Inspector General (OIG) investigations into numerous Medicare Advantage plans, which have uncovered an overabundance of up-coded claims with unsupported diagnosis codes. In a report posted September 25, 2024, the OIG describes selecting one Medicare Advantage organization (Humana) and states that it “focused on eight groups of high-risk diagnosis code (high-risk groups). Our objective was to determine whether Humana’s submission of selected diagnosis codes to CMS, for use in CMS’s risk adjustment program, complied with Federal requirements.”

The results were astonishing! “For the eight high-risk groups covered by our audit, most of Humana’s submission of the selected diagnosis codes to CMS for use in CMS’s risk adjustment program did not comply with Federal requirements. Specifically, for 202 of the 240 sampled enrollee-years, the diagnosis codes that Humana submitted to CMS were not supported by the medical records and resulted in $497,225 in overpayments.” They go on to say, “On the basis of our sample results, we estimated that Humana received at least $13.1 million in overpayments for 2017 and 2018.”

Moreover, in October, OIG issued a report: Medicare Advantage: Questionable Use of Health Risk Assessments Continues to Drive Up Payments to Plans by Billions. It is likely that Medicare Advantage plans are fearful that their claims are up for review next. With such a large potential for CMS overpayment, it is probable that OIG will continue to investigate and try to put a stop to this inappropriate spending.

If your pharmacy receives one of these requests, it should be given to your pharmacy’s Privacy Officer for further evaluation and action. For PAAS Fraud, Waste and Abuse and HIPAA Compliance members, send us a copy of the request and we will walk you through considerations to facilitate your validation of the PHI request and potential documentation requirements.

PAAS Tips:

  • Pharmacies are allowed to disclose PHI for the purposes of payment, treatment or healthcare operations (PTO)
  • For non-PTO authorized disclosures, document all HIPAA requests to access or release PHI; PAAS FWA and HIPAA Compliance members can use the Request to Access or Release Protected Health Information form from Appendix B in your Policy & Procedure Manual
  • All HIPAA-related documents must be maintained for a minimum of six years after the last effective date
  • For additional guidance on grounds to deny the release of PHI, refer to 45 CFR §164.524(a)(2) and (a)(3); PAAS FWA and HIPAA Compliance members can review Sections 10.4 through 10.5.3 of your Policy & Procedure Manual for additional information

If you are not a PAAS FWA/HIPAA Compliance member and you are interested in adding this service or learning more, please contact us at (608) 873-1342 or email info@paasnational.com

Sara Hathaway, PharmD