All HIM leaders know what it’s like to dread medical record audits. With requests often flooding in hundreds of thousands at a time, it’s no wonder why you may be tempted to let payers and auditors handle the requests themselves. This could be done by having an auditor come onsite to pull the information, providing the auditor with some type of remote access, or by setting up an Application Programming Interface (API) to automate the process.
Allowing requestors to take the reins on audit processing certainly saves you time and headache in the short term, but relying solely on the requestors to manage medical record information comes with many compliance and privacy risks. Read on to discover why having a medical record gatekeeper is important to ensure accuracy and quality control for audits of any size, type or degree.
The Rise of APIs for Medical Record Audits
If you’re not already familiar with APIs, these are tools that help software programs interact with one another. You can think of APIs as bridges that connect different software systems, allowing them to communicate and share data. APIs are useful for promoting interoperability and information sharing, but as we in the healthcare industry know all too well, sharing protected health information (PHI) always comes with a level of risk. It’s important to weigh both the pros and cons of using APIs for medical chart audits:
- Pros: APIs provide quick retrieval of necessary data, reducing the time burden on HIM departments. Automation simplifies the process, making it less labor-intensive for both you and the payers.
- Cons: API access often lacks a quality control process, potentially exposing sensitive patient data to unauthorized access if not properly managed. Without proper oversight, there’s a higher risk of incorrect or excessive data being shared (think: misfiles that aren’t detected by quality control).
Using APIs for medical record audits relieves HIM departments from the burden of the process, but they require a set of quality assurance checks and gatekeeping rules to ensure auditors only receive the data they are authorized to access and that PHI stays that way—protected.
Let’s consider this example: If an audit assesses mammogram results in women over 40, only that specific piece of information should be accessed—not the patient’s entire chart. Without a reliable information gatekeeper, APIs could pull more information than is necessary. This ties back to the minimum necessary requirement under HIPAA, which mandates that only the minimum amount of information necessary to accomplish the intended purpose should be accessed.
What Unlimited Payer & Auditor Access Could Mean for Providers
You might think your patients’ health information is protected when released directly to a payer or auditor, but that’s not always the case. An API may grant access to specific data, but you need to make sure that only the intended information is accessible without exposing additional PHI. Understanding the full scope of an API’s data access requires oversight to uphold accuracy and compliance standards. Having an information gatekeeper who can provide oversight helps maintain the privacy and security of your patients’ protected health information while simplifying and streamlining the dreaded auditing process.
Privacy and Security Issues
One major risk of giving requestors unlimited access to patient data is the potential of accessing too much of the patient’s medical information. In this scenario, an information gatekeeper could verify that the data being accessed is accurate and aligns with the specific request. This oversight prevents payers from pulling unnecessary or excessive information, which in turn protects patient privacy and maintains the integrity of the medical records.
Risk of Misinterpretation
When requestors process large volumes of data through APIs without oversight, errors can skyrocket. Without proper quality control measures, there’s a higher likelihood of misinterpretation and mistakes.
For instance, suppose an auditor is reviewing records to confirm that patients with diabetes received their annual eye exams. Without proper oversight, the auditor accesses a patient’s full medical history and sees a note about an eye infection treatment. Misinterpreting this as the required eye exam, the auditor incorrectly concludes that the patient has met the guideline. An information gatekeeper could prevent this mistake by ensuring that only the specific documentation of the annual eye exam is provided.
Regulatory Risks
There are many reasons why we all work tirelessly to keep protected health information under lock and key, but the biggest reason can be summed up under one acronym: HIPAA. Compliance with regulations like HIPAA is paramount in the healthcare industry, but without proper checks and balances, payers might inadvertently access and share PHI beyond the scope of what is permitted. A gatekeeper plays a vital role in this process by verifying that all accessed data complies with legal requirements and is shared appropriately. This reduces the risk of regulatory breaches and the associated penalties.
Operational Costs
Contrary to popular belief, APIs and IT setups are not “free” solutions, nor are they always the most cost-effective option; they require significant financial investment and regular maintenance.
Essential Questions for You to Ask Payers & Auditors
Before you give API access to protected health information, make sure you ask these questions:
- What specific guidelines and criteria are being followed when information is accessed?
- Is the process for collecting data through the API compliant with HIPAA and privacy regulations?
- Is there clear documentation on what information is being accessed and how it is being accessed? How are use cases for the data validated?
- Is an accounting of disclosures maintained to track data access?
- Are there clear channels for addressing questions and discrepancies?
- How can I verify that only the data that is authorized is the data that is accessed?
Solutions for HIM Leaders
There are many ways to approach medical record audits, but the best way to reduce risk and ensure a smooth, seamless process is to have an information gatekeeper providing guidance and oversight. Utilizing a gatekeeper role comes with many benefits, including:
- Providing crucial oversight: With a gatekeeper in place, providers can handle large-scale audits more effectively. This oversight not only ensures compliance and accuracy but also helps in negotiating better rates with payers by showcasing a robust and reliable audit process.
- Ensuring accurate data interpretation: One significant risk in medical record audits is the misinterpretation of data. If auditors are searching for specific information, there’s a chance they could misinterpret the data by looking at the wrong part of the chart. An information gatekeeper can review the requested data, provide accurate context, and prevent potential misunderstandings.
- Committing to quality control: They ensure that only the information requested is received, which aligns with the minimum necessary requirement under HIPAA. This oversight protects patient privacy and maintains data integrity, giving providers peace of mind.
Meeting in the Middle
Managing payer and auditor access to medical records is crucial for protecting patient privacy and ensuring compliance. You must ask critical questions and seek solutions that balance audit needs with operational efficiency and patient confidentiality. The best way to achieve this is by finding a middle ground that takes into account both your concerns and the auditors’ time constraints. By maintaining oversight in the auditing process, providers can guard the gates and cultivate a seamless, accurate and compliant audit process.