Attorney Articles | Therapists as Diplomatic Gatekeepers

Articles by Legal Department Staff

The Legal Department articles are not intended to serve as legal advice and are offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in the article.

Therapists as Diplomatic Gatekeepers

This article discusses the topic of responding to requests for confidential information regarding patients in relation risk-adjustment audits by insurance carriers.

Responding to Records Requests for "Risk Adjustment" Audits

Michael Griffin, JD, LCSW
Staff Attorney
The Therapist
July/August 2016

Risk-Adjustment Audits
Recently, a number of therapists in California have received requests for patient records from insurance carriers for the stated purpose of “risk-adjustment audits,” under the Affordable Care Act (ACA).1 Briefly stated, risk-adjustment is one of the measures utilized under the ACA that is intended to protect insurance carriers from exposure to excessive risk in the marketplace based upon the relative cost of treating enrollees’ health problems. Information that is obtained from health care providers,(including psychotherapists), is used to determine the overall severity of enrollees’ health problems, and the associated treatment costs, for enrollees in each of the plans. Insurers who are determined to have a disproportionate number of “lower-risk” enrollees are ultimately required to transfer funds to plans who have a greater number of “higher-risk” enrollees. In theory, riskadjustment also helps to prevent insurance companies from profiting by virtue of enrolling comparatively healthy (“lower-risk”) individuals.

Anthem Blue Cross, for example, is utilizing a company named “Inovalon” to contact providers on their behalf, while Aetna insurance is utilizing a company by the name of “Episource” for the same purpose. The reason for such requests relates to the data collection obligations of insurance carriers under the ACA. Insurers who provide coverage to individuals under the ACA are required to collect data regarding the severity of enrollees’ health problems and to report the information to the Department of Health and Human Services (with identifying data removed), to facilitate a process known as “riskadjustment.” In California, this process only applies to insurance carriers who offered coverage to individuals in subsidized plans via “Covered California.”2

Legal and Ethical Considerations
Insurance carriers commonly request information from health care providers for a variety of reasons. Examples include: requests for information related to billing or payment issues, eligibility for coverage, or to determine “medical necessity” for treatment. Requests for information from insurance companies for purposes of risk-adjustment audits are a recent development, and therefore unfamiliar to providers, but they are simply a variation of a request from an insurance carrier for information concerning a patient. In all such circumstances, there is a need to review the particular request and respond in a manner that is consistent with ethical standards, HIPAA , and the requirements of California law.3

CAMFT Code of Ethics
Section 2.1 of the CAMFT Code of Ethics provides that marriage and family therapists do not disclose patient confidences, including the names or identities of their patients, to anyone except as mandated or permitted by law, when the marriage and family therapist is a defendant in a civil, criminal or disciplinary action arising from the therapy, or if there is an authorization previously obtained in writing, and then such information may only be revealed in accordance with the terms of the authorization. Therefore, in the absence of a signed release from the patient, the therapist has to ensure that he or she is legally permitted to release the information in question. 4

The HIPAA “Privacy Rule” provides a set of standards for the use and disclosure of individuals’ protected health information (“PHI”) by persons and organizations who are “covered entities” under HIPAA.5 A provider who is a “covered entity”6 is permitted to release PHI in a variety of circumstances, such as (but not limited to), payment-related activities, and actions which fall under the heading of “health care operations,” such as case management, quality assurance reviews, medical reviews and insurance related audits.7 Under HIPAA, requests for information for the purpose of risk-adjustment audits would not therefore require a release of information, and the release of information would be permissible in such an instance because the request concerns a type of health oversight audit or investigation.8 However, therapists who are “covered entities” should be familiar with the “minimum necessary standard.”

Minimum Necessary Standard
In some instances a therapist may be asked to provide a copy of specified progress notes. Or, the request may be for a copy of the entire record. Unfortunately, determining what to disclose is not always an easy proposition. Therapists who are “covered entities” under HIPAA are (with some exceptions) expected to provide only the minimum amount of information that is necessary under the circumstances. This is known as the “minimum necessary standard” under HIPAA, and it is based upon the premise that PHI should not be disclosed if doing so is unnecessary to satisfy a legitimate purpose or function.9 A provider who is a HIPAA-covered entity may therefore inquire about the need for the information that is being requested, and attempt to reach an agreement with the requesting party as to a limited subset of information that would reasonably respond to the question or concerns that have been raised.

The Confidentiality of Medical Information Act
Permissive Disclosure
The Confidentiality of Medical Information Act, codified in Sections 56.10-56.16 of the California Civil Code, defines the conditions under which a health care provider may disclose information concerning a patient.10 Subdivision (c)10 of section 56.10 is particularly relevant to this topic. It states that, “...information may be disclosed to a health care service plan by providers of health care that contract with the health care service plan...for the purpose of administering the health care service plan.”11 This means that a provider would be permitted to release information about a patient’s care to an insurance company, when the request is for the express purpose of administering the plan, which, generally speaking, encompasses a broad range of activities. In spite of this broad exception, however, a California psychotherapist has more to consider before he or she may respond to an insurer’s request for information about a patient.

Required Written Request Per Section 56.104 Prior to releasing information from a patient’s outpatient psychotherapy record, California psychotherapists must be cognizant of the requirements stated in Section 56.104 of the Civil Code. This law requires an insurance plan, who is requesting psychotherapy records, to provide to a psychotherapist, a written request that includes the following information:12

  1. The specific information relating to a patient’s participation in outpatient treatment with a psychotherapist being requested and its specific intended use or use;
  2. The length of time during which the information will be kept before being destroyed or disposed of;
  3. A statement that the information will not be used for any purpose other than its intended use; and
  4. A statement that the person or entity requesting the information will destroy the information and all copies in the person’s or entity’s possession or control, will cause it to be destroyed, or will return the information and all copies of it before or immediately after the length of time has expired.”13

Some therapists who have received requests for “risk-adjustment” purposes indicate that they have not been provided with the information that is specifically identified in Section 56.104. When that is the case, a therapist may appropriately point out to the insurance plan that he or she is required to have the information stated in this section of law, prior to responding. Something to consider here is that the insurance plan may or may not be familiar with the detailed provisions of California law and thus may be unaware of the fact that Section 56.104 contains stricter provisions regarding the release of outpatient psychotherapy records, than HIPAA.14

Consider Discussing Options with the Patient 
Requests for information vary, and it is not possible to say what information should be provided in every case. It is ordinarily prudent for a therapist to discuss any request for information with the patient and to ask for his or her opinion or preference. It is the patient’s record, after all, and he or she is free to release the requested information, or to ask the therapist to limit the disclosure. (Be sure to have the patient sign an appropriate release in such instances). Alternately, a patient may insist that the information from his or her treatment record not be released in response to a particular request. When a patient takes such a stance, it is usually advisable for the therapist to inform the requesting party, and to explain that he or she is reluctant (or unwilling) to contradict the wishes of his or her patient.

Contractual Matters
Therapists who are contracted providers (aka “in-network”) with an insurance company should be aware of their contractual agreements with the company concerning requests for information from the provider. Common reasons for such requests include the determination of medical necessity, or
to clarify a billing matter, etc. While the language of insurance companies’ provider agreements varies, they will usually include some provisions which state that the provider agrees to cooperate with the insurance company concerning requests for information. A contracted provider who flatly ignores a request from an insurance company, or who appears to be dismissive, or hostile in responding to the request may be potentially subject to the termination of his or her contract. It is preferable therefore, for a provider to promptly respond to the carrier’s request, to clarify the nature and the purpose of the information being requested, and to request the information that is required by California law.

A provider must be prepared to respond to a request for information about his or her patient in a firm but diplomatic manner, while being sure to explain the specific reasons for his or her response. Generally speaking, it is desirable for a therapist to attempt to negotiate a reasonable compromise or alternative rather than offering a blanket refusal to a request for information. Regardless of the circumstances, there is little to be gained from adopting an overly aggressive approach and it is more likely that the requesting insurance company will be reasonable when the provider conveys a desire to cooperate and maintains a civil, professional demeanor.

Michael Griffin, JD, LCSW, is a staff attorney at CAMFT. Michael is available to answer member calls regarding legal, ethical, and licensure issues.


1 March 23, 2010, The Patient Protection and Affordable Care Act (PPACA), Pub. L. No. 111-148, 124 Stat. 119.

2 See:

3 45 CFR Health Insurance Portability and Accountability Act of 1996(“HIPAA”).

4 Code of Ethics, Section 2.1 The Code of Ethics is available on the CAMFT website:, under Association Documents and Forms. Section 2.1 is not reproduced in its entirety.

5 45 CFR.164.103 (‘Privacy rule”)

6 HIPAA only applies to organizations and providers who qualify as “covered entities.” Covered entities under HIPAA are defined as: (1) health plans, (2) health care clearinghouses, (3) health care providers who electronically transmit private health information (“PHI”) in connection with certain administrative or financial transactions known as “covered transactions.” For further information on the topic of covered entities, See: Jensen, David, JD, “Are you a covered entity?” The Therapist, July/Aug.,2010

7 45 CFR.164.103

8 45 CFR.164.512(d)

9 45 CFR 164.502(b), 164.514 (d). The “minimum necessary standard” does not apply in all circumstances. Exceptions include, but are not limited to: Disclosures to, or requests by, a health care provider for treatment purposes, disclosures made pursuant to an individual’s authorization, disclosures to the patient, or disclosures which are required by law. For further information, see, David Jensen, JD., “HIPPA’s Minimum Necessary Standard,” The Therapist, January/February, 2010.

10 Civil Code, Section 56.10, et.seq.

11 Civil Code, Section 56.10(c)10

12 Under Civil Code, Section 56.104, “psychotherapist” means a person who is both a “psychotherapist” as defined in Section 1010 of the Evidence Code and a “provider of health care” as defined in Section 56.05.

13 Civil Code, Section 56.104 (Emphasis added). This statute is not reproduced in its entirety.)

14 Civil Code, Section 56.104(b). One of the peculiar aspects of this statute is that it requires the requesting party to supply all of the above-listed information to the patient within thirty days of receiving the information from the provider, rather that at the time that the request is made. The requesting party must satisfy this requirement unless the patient has provided the provider with a signed a signed letter, waiving his or her right to receive the information This article is not intended to serve as legal advice and is offered for educational purposes only. The information provided should not be used as a substitute for independent legal advice and it is not intended to address every situation that could potentially arise. Please be aware that laws, regulations and technical standards change over time. As a result, it is important to verify and update any reference or information that is provided in this article.