News & Press

< Back to Association News

Identifying Legit Records Requests – Safety tips from OCHN

August 6, 2025

In response to a surge of suspicious communications sent to members recently, Katie Eisel, Payer Relations Director at OCHN, has written up a detailed safety toolkit to help everyone keep their agency and patient data safe and secure.

Scams come in many forms – some seem innocent and are “just following up on…” while others try to look complicated and official, mimicking an actual ADR, sometimes with alarming authenticity. So, first, where does the communication say it’s from?

From Medicare

Verify the Sender

  • Legit ADRs typically come from Medicare contractors (e.g., MACs like Palmetto GBA, CGS, NGS).
  • Check the email address/domain – e.g., legitimate ones will end in .gov or a known MAC’s secure domain.
  • Be cautious of free email services (e.g., Gmail, Yahoo).

Check Official Portals

  • Always verify if an ADR request is reflected in the provider portal (like eServices for Palmetto GBA or myCGS).
  • If an email ADR doesn’t match portal records, that’s suspicious and you should verify with a known point of contact.

CMS Letterhead & Documentation

  • Official ADRs have a standardized format with CMS letterhead, case ID numbers, and references to a specific claim.

Red Flags

  • Urgent or Threatening Language:  Phishing emails often pressure with language like “act immediately,” “final warning,” or “your payments will be stopped.”
  • Requests for Unusual Info or Format:  Legit ADRs never ask you to upload documents to third-party sites like Dropbox or Google Drive. They won’t request login credentials, banking info, or non-claim-related PII.
  • Poor Grammar or Formatting:  Real CMS or MAC communications are professionally written. Spelling errors, poor grammar, or odd phrasing are warning signs.
  • Suspicious Attachments or Links:  Hover over links before clicking — the URL should clearly show a trusted domain. Avoid attachments from unrecognized senders, especially .exe, .zip, or macro-enabled Word/Excel files.

Safety Recommendations

  • Centralize ADR requests within your organization.
  • Keep a log of requests, portal requests, submissions, and responses.
  • Do not share any information via email unless it is encrypted.
  • Never call a number provided within a suspicious email or letter, call the plan or the contractor directly to verify.
  • Don’t depend on your mobile phone for email. Phone email apps often only show a “display name” not the full email address. If you’re suspicious at all, view the email on a desktop to see everything.
  • If the communication contains claim-specific details, it is more likely legit, but it never hurts to double check.
  • Consult with your IT department/vendor to establish best practices, cyber security awareness training, and failsafes to keep your team sharp and secure.

From a Letter

  • The communication should include the CMS or Palmetto GBA logo.
  • It should include the CMS or Palmetto official address.
  • Make sure it looks like previous ADR requests.
  • It should include specific beneficiary details AND claims/dates of service in question/to be reviewed.
  • It should always specify specific pieces of the medical record to be provided.
  • There is also typically a request number or patient identification number for the request.
  • When in doubt, ask. Contact the sender via a known phone number to verify the letter is legit.

From an Insurance Plan

Check the Source

  • Ensure the request comes from the payer directly (e.g., Humana, Aetna) or their known contracted review vendor, like Equian / Optum (often for Aetna, UHC), Cotiviti (used by many plans for audits), Telligen, Verscend, or Performant
  • Always cross-reference vendors with your payer’s provider manual or portal.

Verify Claim-Specific Info. A real ADR will include:

  • Member name and ID number
  • Date(s) of service
  • Claim number
  • Your agency’s name, NPI, and TIN
  • What specific documentation is being requested (e.g., SOC OASIS, visit notes)
  • If it’s vague or just says “send all records,” you should be suspicious and verify with a known point of contact.

Check for Authorization. Insurance plan ADRs are often part of:

  • Post-payment reviews
  • Pre-payment reviews
  • Utilization management audits
  • Verify that the request matches a claim you actually submitted

Questions?

OCHCH and OCHN Members can always contact us to get advice via the Provider Help Desk at OCHCH.org/Help.

About OCHN

We are a dedicated non-profit organization representing a wide array of home health care agencies. Our mission is to support our member agencies by fostering collaboration, advocating for excellence in home health care, and ensuring that our services meet the highest standards of quality and professionalism. Whether you are a current member, a prospective member, or an insurance provider, our network is committed to providing the resources and support needed to navigate the complexities of home health care. Join us in our mission to enhance the lives of those we serve. Learn more at TheOCHN.org

{altimage}
{altimage}
prev next

1105 Schrock Road, Suite 120
Columbus, OH 43229
(614) 885-0434
Get Directions

Quick Links:

Copyright © 2025 Ohio Council for Home Care & Hospice

< Back to Association News

Identifying Legit Records Requests – Safety tips from OCHN

August 6, 2025

In response to a surge of suspicious communications sent to members recently, Katie Eisel, Payer Relations Director at OCHN, has written up a detailed safety toolkit to help everyone keep their agency and patient data safe and secure.

Scams come in many forms – some seem innocent and are “just following up on…” while others try to look complicated and official, mimicking an actual ADR, sometimes with alarming authenticity. So, first, where does the communication say it’s from?

From Medicare

Verify the Sender

  • Legit ADRs typically come from Medicare contractors (e.g., MACs like Palmetto GBA, CGS, NGS).
  • Check the email address/domain – e.g., legitimate ones will end in .gov or a known MAC’s secure domain.
  • Be cautious of free email services (e.g., Gmail, Yahoo).

Check Official Portals

  • Always verify if an ADR request is reflected in the provider portal (like eServices for Palmetto GBA or myCGS).
  • If an email ADR doesn’t match portal records, that’s suspicious and you should verify with a known point of contact.

CMS Letterhead & Documentation

  • Official ADRs have a standardized format with CMS letterhead, case ID numbers, and references to a specific claim.

Red Flags

  • Urgent or Threatening Language:  Phishing emails often pressure with language like “act immediately,” “final warning,” or “your payments will be stopped.”
  • Requests for Unusual Info or Format:  Legit ADRs never ask you to upload documents to third-party sites like Dropbox or Google Drive. They won’t request login credentials, banking info, or non-claim-related PII.
  • Poor Grammar or Formatting:  Real CMS or MAC communications are professionally written. Spelling errors, poor grammar, or odd phrasing are warning signs.
  • Suspicious Attachments or Links:  Hover over links before clicking — the URL should clearly show a trusted domain. Avoid attachments from unrecognized senders, especially .exe, .zip, or macro-enabled Word/Excel files.

Safety Recommendations

  • Centralize ADR requests within your organization.
  • Keep a log of requests, portal requests, submissions, and responses.
  • Do not share any information via email unless it is encrypted.
  • Never call a number provided within a suspicious email or letter, call the plan or the contractor directly to verify.
  • Don’t depend on your mobile phone for email. Phone email apps often only show a “display name” not the full email address. If you’re suspicious at all, view the email on a desktop to see everything.
  • If the communication contains claim-specific details, it is more likely legit, but it never hurts to double check.
  • Consult with your IT department/vendor to establish best practices, cyber security awareness training, and failsafes to keep your team sharp and secure.

From a Letter

  • The communication should include the CMS or Palmetto GBA logo.
  • It should include the CMS or Palmetto official address.
  • Make sure it looks like previous ADR requests.
  • It should include specific beneficiary details AND claims/dates of service in question/to be reviewed.
  • It should always specify specific pieces of the medical record to be provided.
  • There is also typically a request number or patient identification number for the request.
  • When in doubt, ask. Contact the sender via a known phone number to verify the letter is legit.

From an Insurance Plan

Check the Source

  • Ensure the request comes from the payer directly (e.g., Humana, Aetna) or their known contracted review vendor, like Equian / Optum (often for Aetna, UHC), Cotiviti (used by many plans for audits), Telligen, Verscend, or Performant
  • Always cross-reference vendors with your payer’s provider manual or portal.

Verify Claim-Specific Info. A real ADR will include:

  • Member name and ID number
  • Date(s) of service
  • Claim number
  • Your agency’s name, NPI, and TIN
  • What specific documentation is being requested (e.g., SOC OASIS, visit notes)
  • If it’s vague or just says “send all records,” you should be suspicious and verify with a known point of contact.

Check for Authorization. Insurance plan ADRs are often part of:

  • Post-payment reviews
  • Pre-payment reviews
  • Utilization management audits
  • Verify that the request matches a claim you actually submitted

Questions?

OCHCH and OCHN Members can always contact us to get advice via the Provider Help Desk at OCHCH.org/Help.

About OCHN

We are a dedicated non-profit organization representing a wide array of home health care agencies. Our mission is to support our member agencies by fostering collaboration, advocating for excellence in home health care, and ensuring that our services meet the highest standards of quality and professionalism. Whether you are a current member, a prospective member, or an insurance provider, our network is committed to providing the resources and support needed to navigate the complexities of home health care. Join us in our mission to enhance the lives of those we serve. Learn more at TheOCHN.org

Search

Archive

Sign up for LISTSERVJoin a Forum