Payer Access to EHRs: What Providers Need to Know

By Greg Ford and Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB


As electronic health information exchange (HIE) becomes more prevalent among providers, payers increasingly are seeking direct access to electronic health record (EHR) systems for automated medical record collection and aggregation. The electronic exchange of protected health information (PHI) allows physicians, nurses, and other healthcare providers and patients to appropriately access and share PHI—improving the quality, efficiency, safety, and cost of patient care. So, why do payers want access to EHRs?

Payers suggest that access to EHRs can expedite claims processing, reviews, and audits without negative impact to the provider. However, there are inherent risks to the provider’s financial health, privacy, security, and information governance when they give access to payers. Providers should recognize that they have choices about how to share this data with payers, and they should carefully evaluate the benefits and risks to their organizations and their patients when doing so.

Why Payers Want Access to Medical Records

Before making a decision regarding payer access, providers need to understand the rationale for payer requests for medical records. The reasons usually fall into three basic categories:

Claims Processing. Payers require patient information to process claims. Granting payers direct access to the EHR offers potential benefits for both payers and providers, enabling faster claims processing and reducing the burden on provider staff.

Post-Payment Audits. Payers conduct retrospective (post-payment) audits to seek opportunities for recoupment of improper claims or claims for which overpayments were made. This type of access can be a financial detriment to the provider.

HEDIS and Risk Adjustment Reviews. Healthcare effectiveness data and information set (HEDIS) reviews are used for quality and performance rankings, which can lead to significant changes in Centers for Medicare and Medicaid Systems (CMS) reimbursement to payers. Risk adjustment reviews are used to shift payments from CMS away from payers whose member pools are lower risk—and therefore lower cost—to payers with higher-risk, higher-cost members. Though HEDIS and risk adjustment reviews can result in millions of dollars to payers, providers seldom share in the financial benefit unless they have negotiated with the payer or have a partner or owner relationship.

Concerns for Providers and Patients

As healthcare providers carefully consider the benefits and risks of granting direct payer access to EHRs, it is important to understand the following concerns as part of the evaluation process.


Direct, automated access to a wide band of patient records will facilitate the growing trend of post-payment reviews, denials, and recoupments.

Privacy and Consent

Patient consent to share health records automatically for the purpose of providing care should not be assumed to extend to payers for payment purposes. It is unlikely that patients would approve in advance of payers aggregating and storing these records, and learning of it after the fact could lead to strong patient dissatisfaction.


Automated access to health data by payers increases a provider’s exposure to cyberattack, and the aggregation and storage of that data in the payer’s IT systems widens the potential exposure to large-scale healthcare breach.

Information Governance (IG)

Automated sharing of full patient records with payers, and aggregating those records for permanent use, raises multiple legal and IG concerns. These include managing a distributed health record, meeting HIPAA requirements for minimum use and correction of errors, and inadvertently sharing encounters for which the payer was not the guarantor.

Four Recommendations for Providers

EHR access may work well with some payers depending on appropriate parameters for secure, restricted access to PHI. Here are four recommendations for providers to consider.

  1. For claims processing purposes, providers can grant payers manual access to claims-specific encounters, with appropriate access and security restrictions. When handled properly, improved efficiency can benefit the provider.
  2. Do not allow payers to have unrestricted or automated access to the entire patient chart. In each case, allow only controlled access to preloaded information that the payer needs. For example, if the payer inquiry pertains to medical necessity, load only that information. Patients who consent to automated data sharing for the purpose of providing care do not intend for providers to share their data with payers whose interests are not specifically aligned with the patient’s privacy and financial concerns.
  3. Maintain health information management (HIM) governance of release of information (ROI) for post-payment audits and reviews, including HEDIS and risk adjustment.
  4. Negotiate with payers to receive a share of any financial benefits that the payers achieve from the HEDIS and risk adjustment reviews. If this is not possible, be sure to recoup the costs of releasing this data to the payer.

Payers position their requests for access to EHRs as beneficial. However, the question of whether the benefits of payer access outweigh the risks is debatable. Achieving balance is a more reasonable expectation. The goal for providers is to strike a balance between reaping the benefits of direct payer access to patient information and protecting their organizations. For payers and providers, coming together to promote the common good is the best possible path.

Rita Bowen is vice president of privacy, compliance, and HIM policy at MRO. Greg Ford is director of requester relations and receivables administration at MRO.


Legal Disclaimer

The views and opinions expressed in this article are those of the author and do not necessarily reflect or represent the views, opinions, or policies of MRO Corporation.


Editor’s Note: Views expressed in this article are those of the author alone and do not necessarily reflect the opinion of AHIMA.

Leave a comment


  1. Furthermore, when third-party payers are granted EHR access to the hospital records, they are also notified of every admission the patient has. This creates an issue for patients that have on-the-job injury-related admissions, admissions for car accidents, or any other admission where the patient’s primary payor for the hospital stay is NOT the primary payor for the hospital admission. Also, some patients have intra-hospital psychiatric consultations, which also become available as progress notes within the EHR… also viewable by the payors… Anyone else see an issue with this?

  2. Very interesting read. I feel inclined to state that unlimited access for payment purposes might conflict with the concept of the minimum necessary standard? I personally would not agree with extending the trust I have in my provider and healthcare organization to handle my PHI ethically and correctly to third-party payers.
