
Preparing Your Healthcare Enterprise for Phase 2 OCR Audits

Are You Ready

Earlier this year, MRO published a white paper, A Proactive Approach to PHI Disclosure Management: Strategies to Prepare Your Healthcare Enterprise for Phase 2 Audits. In the white paper, we shared the most up-to-date information about Phase 2 of the Office for Civil Rights (OCR) HIPAA compliance audits and offered tips to prepare for them by implementing an enterprise-wide approach to disclosure management.

While OCR’s widely anticipated Phase 2 audits are still pending, there has been some activity since publication of the white paper. Here are some updates:

Myth Busted

AHIMA’s June 4, 2015 E-Alert quoted from a FierceHealthIT article that pre-audit screening questionnaires had been sent to potential Covered Entity (CE) auditees. In preparation for an MRO presentation at the MSHIMA annual convention, we reached out to an OCR contact, who replied on June 12, 2015 via email: “The report is misleading. OCR has started verifying contact information of CEs. Pre-audit screening questionnaires have not been sent out.”

Sneak Peek

We also contacted attorney Adam Greene, a nationally recognized authority on HIPAA and the HITECH Act, who provided a link (look for the survey PDF titled “Survey 03 13 2015” under “Instrument File”) to the screening questionnaire. The web page suggests they are seeking 500 respondents.

Audit Focus

OCR’s presentation at the HCCA Compliance Institute in April confirmed that “desk audits” will focus on privacy, security and breach notification. The speaker also emphasized that the OCR will conduct onsite audits, as funds permit, in addition to desk audits. Key focuses by audit type are expected to be:

  • Privacy Rule audits: Notice of Privacy Practices and Patient’s Right to Access
  • Breach Notification audits: Breach Notification Policy, Breach Notifications to Patients, instances where Breach Risk Assessment concluded no breach, and timeline from discovery to notification
  • Security Rule audits: Security Risk Analysis and Risk Management Plan

It’s important to remember that complaints can trigger an investigation that may lead to full-scale audits. Thus, it’s important to be ready for an onsite audit by reviewing the protocol on OCR’s website. The website states: “Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule.” OCR is reportedly working on the audit protocol update now. Another task they are tackling is a method for sharing penalty amounts with harmed individuals. We suspect that will encourage more people to file more complaints to the OCR due to possible payouts.

Being Prepared

What steps can you take now to prepare?

  • Make sure all documentation is up-to-date
  • Implement an enterprise-wide PHI disclosure management strategy
  • Invest in security technologies
  • Train your workforce (we can help)

The Ponemon Institute’s 2015 State of Endpoint Report: User-Centric Risk states that 78 percent of organizations cited employee negligence as the biggest security threat. Privacy and security compliance and breach prevention training are critical. It’s also key to make sure employees fully understand your policies and procedures for PHI disclosure. If an onsite auditor wants to evaluate your privacy and security culture, he’ll solicit information from non-management staff.

To learn more about OCR audits and tips for audit preparation, download our white paper today.


Understanding the Release of Information Process

The Release of Information (ROI) process is complex, with up to 45 steps from start to finish. According to the Association of Health Information Outsourcing Services (AHIOS), various ROI steps can be grouped into these main sections:

  • Logging, tracking and verifying requests
  • Retrieving patient Protected Health Information (PHI)
  • Protecting sensitive information
  • Releasing authorized information
  • Completing and invoicing the request

MRO’s Quality-Infused Release of Information Workflow Process

One of the ways MRO’s Release of Information workflow yields an impressive 99.99% accuracy rate is through multi-tiered Quality Assurance processes, cutting-edge technology and highly trained, experienced people.

Click here for a comparison of traditional ROI workflows and MRO’s quality-infused ROI workflow.


KLAS Puts MRO at the Top of the ROI Class


The concept of a report card can still evoke feelings of eagerness, excitement and perhaps some anxiety in adults whose parents put great emphasis on these scholastic performance judgments. If you were smart, studied hard and delivered quality work, you could hand over that piece of paper with a smile. For everyone else, it was time to get creative about your lapses.

Memories of eagerly awaiting a report card flashed through my mind as we waited at MRO to receive the “HIM Services Performance 2015: Coding, Transcription, Release of Information” report from KLAS. With a track record of being KLAS “Category Leader” for Release of Information (ROI), as designated in both the 2013 and 2014 “Best in KLAS: Software & Professional Services” reports, we were excited to see if we had once again received the highest performance ratings in the new HIM report.

We weren’t disappointed. I’m pleased to report that MRO was named the overall performance leader and rated “significantly higher” in quality for ROI services in the 2015 HIM report. We were compared to both Healthport and IOD; the ROI category is a small “class” since only MRO and the two other companies had client bases that were statistically large enough to be included in the HIM services report.

Here are a few of the key highlights from the KLAS report:

  • MRO was named the highest performing ROI services provider overall and is the only one to have any clients say that quality is “significantly higher” than expected.
  • 100 percent of clients stated that they would hire MRO again – the only vendor that had 100 percent of its clients say this.
  • 100 percent of clients agreed that MRO keeps its promises.
  • Recurring themes in client comments included quality of services, innovative technology and knowledgeable, responsive employees.

One provider said, “MRO has a higher quality of work than other vendors. They are definitely fantastic. They are very proactive. I can rely on them for HIPAA information. They are very familiar with the laws in our state, and I know that if we were to miss something, they would catch it. They are very good at giving us information ahead of time, and their communication is exceptional.”

Another provider stated, “Releasing information is not a process I have to actively manage. It is out of sight and out of mind. MRO is a well-run company that provides a good service. I don’t get phone calls from attorneys or other people complaining about MRO’s level of service. They have really taken the management of releasing information out of my hands.”

I’m pleased that MRO’s leading-edge technology, dedicated team of experts and uncompromising commitment to our clients’ success were recognized by KLAS, not just in relation to the other ROI companies, but on an objective performance scale.

We’re very proud of our “report card” and would be happy to share this executive summary of the KLAS report with you.


Mind the Gap – Enterprise-Wide Disclosure Management


It’s hard to believe that only two decades ago there were not significant penalties for improperly disclosing Protected Health Information (PHI), especially when regulations and oversight seem to become more stringent by the day.

Since the HIPAA breach notification requirement was instituted in 2009, 1,185 breaches of more than 500 records each have been reported, compromising more than 133 million patient records. Hospitals are subject to penalties of up to $1.5 million per incident per calendar year, and criminal penalties include fines and up to 10 years in prison. There are currently pending judgments of $3-4 billion each in two class action lawsuits, and these figures don’t include the damage to a hospital’s reputation.

The migration to electronic medical records (EMR) systems may improve patient care, but it also makes it more difficult for hospitals to control access and manage patient privacy. According to MRO’s research, hospitals may have more than 40 PHI disclosure points through various departments such as billing, lab and radiology as well as hospital-owned clinics and physician practices.

With that many access points – which do not include HIEs, patient portals and other interfaces – the question becomes whether every employee at each of these disclosure points has been properly trained on PHI access and disclosure guidelines.

Centralization of the Release of Information (ROI) function places the responsibility of disclosing PHI into the hands of highly trained professionals and offers better control, higher quality and cost savings. Using a single, enterprise-wide system that is overseen by a single department helps organizations standardize processes and enforce policies across the entire healthcare enterprise.

This model allows software and services to be deployed as a common platform, and all departments receive secure technology, comprehensive workflow and quality assurance checks. Best practices place the responsibility for the function with Health Information Management (HIM), which typically has subject matter expertise on health information governance, privacy and PHI disclosure management.

Hospitals that take an enterprise approach through their HIM department find they are able to better manage ROI processes, achieve compliance and reduce liability and financial risk.

Ready to learn more? View MRO’s case study on East Jefferson General Hospital, where HIM leadership standardized PHI disclosure management processes and policies across various hospital departments and 23 physician practices.
