Legal Issues in Health Insurance Audits

By Elizabeth M. Felton, JD, LICSW, Associate Counsel, and Carolyn I. Polowy, JD, General Counsel

© February 2015. National Association of Social Workers. All rights reserved.


This article discusses some of the issues involved in retrospective audits of mental health records. A retrospective audit occurs when a health insurer reviews past paid claims on a case by case or aggregate basis. Many provider agreements give health insurers the right to audit practitioners’ records. A retrospective audit is initiated by a letter from the health insurer or a third party acting on its behalf, usually requesting medical records from the practitioner in order to conduct an audit or review. When an audit notification is received, a social worker generally will have to determine whether it is necessary to comply with the record request based on the terms of the provider agreement.

There are a number of reasons given to justify the audit. Retrospective audits can be conducted randomly or specifically to detect fraudulent billing practices, coding issues, inadequate recordkeeping, and claim processing errors, and to seek recoupment for overpayment. Oftentimes, however, insurers initiate retrospective audits without disclosing the full extent or purpose of the review to the provider. This can cause the social worker to feel anxious until the specific reason has been identified. It is acceptable for the social worker to request the reason for the audit.


A significant part of the audit is a request for client files and records. The provider agreement usually authorizes the release of client records to the health insurer, and the social worker’s Notice of Privacy Practices, required by HIPAA, should also reference the right of the insurer to review client records. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that practitioners only release the “minimum necessary” information for the intended purposes of a request. Therefore, if a practitioner believes that the release of some or all of the information requested as part of the audit goes beyond the “minimum necessary” standard, the social worker should explain, in writing, that there is a legal basis in HIPAA that requires maintaining privacy of these records. This protection of psychotherapy notes is recognized if the notes are maintained separately from the client files. Thus, it is necessary to determine the scope of the audit record request and not conclude that an entire file with psychotherapy notes is being requested. Furthermore, health plans and third party payers may not condition treatment, payment, enrollment, or eligibility for benefits on obtaining information in psychotherapy notes. For example, a health insurer cannot tell a client that they will not authorize further therapy sessions unless the client signs an authorization to release psychotherapy notes about his/her treatment.



In cases where overpayments are alleged to be due to coding errors, audits may be performed using “extrapolation” procedures. With this process, the insurer requests a sampling of records and then reviews them for errors. The insurer identifies a percentage of error among the sample claims, projects that error rate retrospectively over a specified period of time, and requests refunds based on that percentage for all claims during that time period. Contesting this process or any other outcome is more easily done with counsel. The provider manual should outline details about the appeal process or a request should be made for information about the right to appeal an adverse outcome.


If a health insurer determines through a retrospective audit that overpayments have been made because documentation does not support the billed charges, practitioners may be asked to make repayments for services already provided or may be subject to “offsets,” which are automatic reductions in future reimbursements. Practitioners will need to review their payer-provider agreement and research state laws directly or with the assistance of legal counsel to determine if offsets are allowed. If the social worker agrees with the audit findings, a repayment agreement could be requested to spread repayment over a period of months rather than as a lump sum payment. If the findings are in dispute, the social worker should ask the insurer for the reasons supporting its conclusions: an explanation of why the refund is legitimate and the factual basis for it, including the language in the provider agreement and the laws supporting it.

A request for a refund by the insurer as a result of a retrospective audit should describe the specific findings of the audit. Health insurance is frequently an employer-sponsored benefit and most commercial payers are governed by the federal employee benefit law called the Employee Retirement Income Security Act (ERISA). Retrospective audits could violate ERISA regulations if the audit negatively affects the beneficiary. Recoupment requests may be considered retroactive denials of coverage. Under ERISA, payers have to share with the provider all the documentation supporting their audit findings and give the provider an opportunity to appeal. If a resolution cannot be reached, the practitioner should consult legal counsel, if not already involved, to determine whether an appeal should be filed through the appropriate administrative procedures.

Client Consent to Release of Records

Audits are treated as part of the federal HIPAA exception permitting access to health records for treatment, payment, and health care operations (TPO) activities without an authorization from the client. Health care operations include certain administrative, financial, legal, and quality improvement activities of a covered entity that are necessary to run its business and to support the core functions of treatment and payment. Conducting or arranging for medical review, legal, and auditing services, including fraud and abuse detection and compliance programs, are generally considered a part of health care operations under HIPAA regulations. HIPAA does not require a covered entity to obtain the client’s consent to use and disclose protected health information for treatment, payment, and health care operations. However, more stringent state confidentiality laws, as well as the NASW Code of Ethics, may require prior client consent. It is prudent that social workers obtain the client’s written authorization to release client records to the insurance carrier, as may be needed for purposes of TPO activities including audits. The Notice of Privacy Practices on NASW’s HIPAA webpage includes language to cover TPO activities. See Sample Notice of Privacy Practices. An Authorization to Release Mental Health Treatment Information can be found at Sample Standard Authorization Mental Health Treatment.

Copying costs

During a retrospective audit, reviewers may try to avoid reimbursing providers for copies of requested records by claiming it is a TPO activity or that their reviews are covered by the payer-provider agreement. The language in the provider agreement pertains to non-reimbursable claims adjudication record requests which are requests for additional documentation for treatment that is submitted at the time of claims submission and payment. These are different from reimbursable retrospective audit record requests. If a claim has been paid, the review is retrospective and a fee for record copies can be charged in accordance with state record reproduction rules unless the payer-provider agreement explicitly states otherwise. The insurer is responsible for reimbursing the provider for reasonable and expected record reproduction charges. Check the state regulations for the amount that can be charged for copying records in your jurisdiction. In order to avoid any risk of the reviewer claiming records should be provided at no charge, the practitioner should request, in writing, proof that the requester is a “legal acting agent” of the medical insurer and the provider agreement language that states medical records are to be released to the insurer at no charge for the purpose of retrospective reviews or audits.

What to do if selected for an audit?

  • Review the audit request letter and contact the health insurer in writing for any clarification. If a request to schedule an audit is received by telephone, the social worker should ask for a letter on company stationery setting out the basis and parameters for the audit.
  • Shortly after receiving notice of the audit, consider conferring with legal counsel familiar with healthcare law who is also knowledgeable about audits and recoupment requests in order to limit potential exposure to liability.
  • Prior to providing access to records, confirm the identification of the reviewer. Confirm that the person conducting the audit is a representative of the insurance company by requesting identification and making a copy for the file. If the reviewer is not an employee, then request a copy of the Business Associate Agreement (BAA) to serve as proof that the reviewer is an individual under contract with the insurer and understands the confidentiality requirements for mental health records.
  • Review the provider agreement, paying attention to retrospective audit provisions. The provider agreement usually outlines a process for retrospective audits and for the recoupment of payments, such as “offset” provisions which allow carriers to deduct from future reimbursements. Also note the absence of such a provision.
  • Review applicable state laws regarding the statute of limitations for detection and recovery of overpayment by insurers. At least 35 states have statutes that regulate how far back and under what circumstances an insurer can recoup money for previously paid claims. Learn More About Post-Payment Audits & Refund Requests
  • Review the documentation that is the subject of the audit and gather all relevant records. Keep originals and provide copies to the health insurer. Ensure compliance with federal and state confidentiality requirements prior to responding. Review HIPAA requirements and ensure only the “minimum necessary” information is made available.
  • Make sure the client file includes consent to treatment and that an acknowledgement of the Notice of Privacy Practices is signed by the client which allows the records to be shared as a TPO exception of HIPAA where consent is optional.
  • Check for timely, accurate, and detailed records. Administrative documents and notes supporting the professional services under review should be in the client file, to substantiate treatment decisions and related fees.

Audits present a variety of legal issues. It is difficult to address all of the specific situations that may develop with all the different carriers. Practitioners are strongly encouraged to consult with a healthcare attorney for specific legal advice when informed of an audit or if the audit request raises any concerns.


Resources and References

Gerald P. Koocher; John C. Norcross; Beverly A. Greene. Practice Management Psychologists Desk Reference p. 636 Part X: Financial and Insurance Matters and p.667-668 Part XI: Practice Management (September 2013)

“Retrospective Audits,” American Medical Association Model Managed Care Agreement: Supplement 6, (2005)

Derlink, Amy L; Schembari, Elaine. “The Privacy Mindset: Setting Better Boundaries with Third-Party Record Reviewers.” Journal of AHIMA 83, no.3 (March 2012): 26-29

“Post-Payment Audits & Refund Requests,” American Association of Oral and Maxillofacial Surgeons, (June 11, 2013)

“Third Party Record Reviewers: Establishing Better Boundaries through Policies and Procedures,” IOD Incorporated, (April 2012)

“ACA – Provider Resource Page on Audits and Recoupments,” American Chiropractic Association, 2014

Kathleen B. Vega. “Avoiding Commercial Payer Recoupment.” Healthcare Financial Management Association (HFMA) (August 5, 2013)

Legal Issue of the Month, Social Workers and Psychotherapy Notes (June 2006)

45 CFR 164.501

45 CFR 164.502(b), 164.514(d)