
RISK ADJUSTMENT REQUESTS - HIPAA

WHAT ARE RISK ADJUSTMENT REQUESTS?

Risk Adjustment Requests are record requests sent by insurance companies or their contractors (e.g., Optum, Datavant, Advantmed) to healthcare providers, asking for medical records to validate patient diagnoses. These diagnoses are used to calculate the risk score of an insured member, which in turn determines how much money the insurer is reimbursed by CMS (Medicare, Medicaid) or ACA plans.

Risk Adjustment is a payment model used in:

  • Medicare Advantage (MA)

  • Medicaid Managed Care

  • ACA Marketplace Plans

It ensures that insurance companies receive higher payments for covering sicker patients with more chronic conditions and lower payments for healthier ones.

Why Are Providers Getting Requests?

Because claims data alone is not always enough, insurance companies need documentation to support the diagnoses submitted on claims. So they ask providers to send medical records to back up those codes.

Examples of diagnoses that increase risk scores:

  • Diabetes with complications (E11.65)

  • CHF (I50.9)

  • COPD (J44.9)

  • Major depression (F33.1)

What a Risk Adjustment Request Typically Looks Like:

  • Sent by an insurance plan or vendor (e.g., Datavant, Optum, Advantmed)

  • States that it’s for “risk adjustment,” “CMS compliance,” or “data validation”

  • Asks for entire medical records for a date range (often overbroad)

  • May mention CMS mandates, but CMS does not require entire records

  • May claim they have a Business Associate Agreement (BAA), often in vague terms

Example: the request states, “All Medical Records from 01/01/2024 to 2025 YTD.”


  • This violates the Minimum Necessary Standard. Even for Risk Adjustment, HIPAA does not permit blanket requests for all medical records within a date range unless each record is needed for the purpose (e.g., HCC validation).

  • CMS and OCR do not mandate entire charts; they require documentation to support the specific claims or HCC codes submitted for payment.

No Specific Diagnoses or Dates of Service Identified

  • They failed to specify the diagnoses, HCC codes, or dates of service that they are trying to validate.

  • This makes it impossible to determine whether the records are truly necessary.

Biographical Information Sheet

  • Asking for full biographical/intake sheets may be overbroad unless there is a valid reason, such as missing identifying data needed for coding, and even then the need must be justified.


What the Law Says

45 CFR §164.502(b) – Minimum Necessary

  • Covered entities must make reasonable efforts to disclose only the minimum necessary PHI to accomplish the intended purpose of the use, disclosure, or request.

OCR Guidance on Risk Adjustment (2016)

  • Even for risk adjustment and health care operations, only the minimum necessary information to support the purpose should be disclosed. Entire medical records should not be disclosed unless specifically justified.

So even if:

  • Advantmed, Datavant, or Episource is a Business Associate

  • This is for risk adjustment

  • CMS standards are mentioned

You still cannot be forced to release full charts unless the request complies with HIPAA.

What You Can Do

Push Back with a Written Response

Politely but firmly push back and request clarification. Example language:

Subject: Response to Risk Adjustment Record Request – HIPAA Compliance Required


Dear Blue Cross/Advantmed Representative,

Thank you for your request dated [insert date] regarding medical records for CMS risk adjustment purposes.

While we understand and support efforts to ensure accurate data submission, as a HIPAA Covered Entity, we are legally required under 45 CFR §164.502(b) to limit disclosures to the minimum necessary information required for the stated purpose. The request for “all medical records from 01/01/2024 to 2025 YTD” is overly broad and does not comply with this standard.

In order to comply with HIPAA and CMS guidelines, please:

  • Specify the exact diagnoses, HCC codes, or conditions being audited

  • Provide the specific dates of service for which documentation is required

Once we receive this information, we will be happy to provide the relevant portions of the medical record that support the risk adjustment review.

If Blue Cross/Advantmed comes back with a compliant request that satisfies HIPAA’s minimum necessary standard, here is exactly what you must provide and what you do not have to provide.


What You MUST Provide (When the Request Is HIPAA-Compliant)

If the request includes:

  • Specific member(s)

  • Date(s) of service (e.g., 3/14/2024 visit)

  • Targeted diagnoses or HCC codes (e.g., diabetes, COPD, major depressive disorder)

  • And it is for risk adjustment or another health care operations purpose (which does not require patient authorization),

Then you must provide:

Clinical documentation that supports the diagnosis codes submitted on claims, such as:

  • Progress notes / encounter notes

  • Assessment & plan

  • Problem list (only if updated and current)

  • Relevant history and physicals

  • Diagnostic test results (labs, imaging, etc.) only if they support the diagnosis

  • Medication lists if relevant to diagnosis or treatment

  • Vitals / objective measures that substantiate chronic conditions (e.g., BP readings for HTN, weight for obesity)


What You Do NOT Have to Provide

Even for risk adjustment, and even when the request is correctly framed, you do NOT need to send:

  • Entire medical records or full charts

    • Only documentation that supports the specific diagnoses or HCCs being audited

  • Unrelated visits or conditions

    • If the patient is being reviewed for diabetes, you don’t have to send mental health notes, GI notes, or orthopedic records that don’t mention diabetes

  • Psychotherapy notes

    • Protected under HIPAA and never required to be released without explicit patient authorization

  • Substance use disorder info

    • Protected under 42 CFR Part 2; cannot be disclosed without the patient’s specific written consent, even to insurers or for risk adjustment

  • Sensitive data protected by state laws

    • E.g., reproductive health info, gender identity-related notes, HIV status, especially in states with added privacy protections (like California, New York, Illinois)

Under HIPAA, you can and absolutely should redact or limit disclosures to only the portions of the visit note that are relevant to the requested diagnosis or purpose.

This is not just allowed; it is your legal obligation under the:

Minimum Necessary Standard (45 CFR §164.502(b))

You must “make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose.”

Redact or remove:

  • Irrelevant clinical content (e.g., discussions about anxiety when the request is for diabetes)

  • Sensitive content (e.g., mental health, substance use, sexual health, unless relevant)

  • Entire sections of the note not tied to the requested diagnosis or date of service

  • Review of Systems (ROS) and Mental Status Exam (MSE) sections that are not relevant to the diagnosis or HCC code being reviewed (you may redact these, and in many cases you should)


HIPAA Position

Under the Minimum Necessary Standard (45 CFR §164.502(b)), you are required to limit disclosures to only what is necessary to accomplish the stated purpose.

So, if an insurance company is:

  • Requesting documentation for a medical diagnosis like diabetes, COPD, CHF, etc., and

  • The ROS or MSE does not reference or support that diagnosis,

Then you are not required to disclose that portion, and redaction is appropriate.

What You Should NOT Do

  • Submit the entire note because it’s easier

  • Say “I’m not allowed to redact this.” You are not only allowed to redact, but also required to when appropriate

  • Include sensitive content just in case they want it. They must specifically request it and justify its relevance

You can include a short cover letter or stamp that says:

“This record has been redacted to comply with HIPAA’s minimum necessary disclosure standard (45 CFR §164.502(b)). Only information relevant to the requested diagnosis and date of service has been disclosed.”


POINT TO PONDER on BUSINESS ASSOCIATE AGREEMENTS

Just because someone has a Business Associate Agreement with a health plan doesn’t mean they’re authorized to receive your patients’ records.

HIPAA holds you, the provider, responsible for ensuring that any disclosure meets federal law, including verification of the recipient and the presence of required agreements.

423 N High St Belleville IL 62220

Primary Care Fax Number: 877-295-7244

Behavioral Health Fax Number: 618-416-7734

Business Hours: Monday through Thursday, 7:30 am to 12 pm and 1 pm to 4 pm (closed between 12-1 pm for lunch). Fridays: Closed.