Check Request Status610-994-7500

Small Breach, Big Trouble: What CFOs Need to Know About PHI Disclosure Risks

HFMA
Small Breach, Big Trouble: What CFOs Need to Know About PHI Disclosure Risks
With potential financial threat, the risk of breach of unsecured PHI should be top of mind for CFOs. MRO’s Steve Hynes, CEO, and Peter Schmitt, CFO, discuss why and how CFOs need to be more involved in the IT decision-making process to better prevent and protect their organization from financial risks associated with PHI disclosure.

Read More

Achieving PHI disclosure compliance requires standardized policies and procedures

Mariela's Blog - Compliance photo 3.30.16
Last week’s news that the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is launching Phase 2 of its HIPAA audit program likely grabbed the attention of compliance professionals across the country. I anticipate that due to this new round of audits, and the large number of Protected Health Information (PHI) breaches last year, major topics of discussion at the upcoming HCCA Compliance Institute will concern best practices around identifying and mitigating risks associated with PHI disclosure.

One area of focus should be centralizing and standardizing PHI disclosure management. While large breaches affecting 500 or more patients made headlines last year, small breaches of fewer than 500 patients happened much more frequently. In fact, of all the PHI breach incidents reported to OCR since 2009, more than 180,000 were small breaches, while there were only 1,400 large ones. Just like the large breaches, small breaches can carry financial penalties from OCR of as much as $50,000 per incident with a maximum of $1.5 million annually for repeated occurrences.

In September, the Inspector General of HHS criticized OCR for not putting enough emphasis on investigating small breaches. OCR’s Chief, Joycelyn Samuels, has stated that they are working to implement the Inspector General’s recommendations.

Smaller breaches can be caused by intentional employee snooping, a lack of compliant standardized policies and procedures, or just human error, such as overlooking comingled records in a disclosure. By taking an enterprise-wide approach to PHI disclosure management, and supporting it with training and technology, healthcare organizations can ensure HIPAA compliance across their health system and mitigate breach risk.

Enterprise-wide standardized policies and procedures essential
With the growth of EMRs, as many as 40 PHI disclosure points have been identified in organizations. Concurrently, health systems acquiring physician practices and specialty centers can add to those disclosure points, bringing with them additional risks and liabilities.

Protecting PHI across these growing enterprises requires disclosure policies and procedures that are consistent across the organization, particularly when bringing in physician practices with different EMRs and differing levels of overall compliance.

Adding to the complexity, PHI disclosure regulations can vary at the federal and state level, while the organization may have its own stricter guidelines for releasing information. It is also important to get the right information into the hands of a requester in a compliant and timely manner. Consistently enforced standardized policies and procedures can help address all of these concerns, but proper training and technology is essential.

People and technology for optimal PHI disclosure compliance
Training staff to follow an organization’s PHI disclosure policies and procedures, which should include all HIPAA and relevant state regulations, is the foundation for meeting compliance regulations and staying compliant. Significant resolution agreement fines are often levied when organizations have ignored HIPAA requirements for documented policies, procedures and programs to mitigate breach risk.

Training should include timely content, a mixture of learning formats such as videos, interactive training, and testing to ensure effective teaching. This education should be consistently delivered as policies and regulations change and as new information technology is implemented.

Technology is an advantage for compliance by mitigating human error risk. For example, a procedure may be to check every page of every disclosure with the human eye, which some would assume to be 100 percent accurate, but it’s simply not possible.

At MRO, our IdentiScan® solution uses optical character recognition technology to assist our record integrity specialists in identifying and correcting comingled patient records prior to disclosing the PHI. This compliance step ensures our 99.99 percent accuracy rate for getting the right records to right requesters in our Release of Information (ROI) workflow. If a human were to perform such a review, it would be much more time-consuming, greatly reducing productivity.

We’re excited to showcase IdentiScan at the upcoming HCCA event, where we’ll demonstrate use cases for checking for comingled records outside of the ROI workflow. Key integration points include admissions or discharge times; when generated paper is scanned into patient charts; and when records are imported into the EMR from legacy systems.

Staying compliant
Compliance professionals need to understand their PHI disclosure management processes now more than ever because PHI breaches can be financially costly and damaging to reputations.

By implementing compliant, standardized disclosure policies and procedures across the enterprise, organizations can reduce their risk. Through rigorous training, as well as deploying technology to support HIM teams in releasing information, and having regulatory experts on staff to answer questions in real-time, organizations can not only reduce risk, but also improve client service.

Sign Up for Future Blog Posts

Read More

OCR HIPAA Phase 2 Audits: What to Expect

Audit photo for OCR audit blog

On Monday, March 21, I attended the 24th National HIPAA Summit in Washington, D.C., where Jocelyn Samuels, Director of the HHS Office for Civil Rights (OCR), announced the launch of Phase 2 of its HIPAA audits of Covered Entities (CEs) and Business Associates (BAs). The OCR anticipates conducting approximately 200 audits during Phase 2 of the HIPAA Audit Program, which will be executed in three stages. The first stage will involve desk audits of CEs; desk audits of BAs will be conducted during the second stage; and on-site audits of both CEs and BAs will be performed during the third stage.

What is the HIPAA Audit Program?
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the OCR conduct periodic audits of CEs and BAs to evaluate their compliance with the HIPAA Privacy, Security and Breach Notification Rules.

Completed in 2012, Phase 1 of the HIPAA Audit Program involved approximately 115 audits of CEs. This first phase of audits found that many of the participants lacked awareness of key Privacy and Security Rule requirements, such as the need to provide patients with Notices of Privacy Practices, the proper protocol for providing individuals and their personal representatives with timely access to the individual’s Protected Health Information (PHI), the need to conduct a risk analysis on a regular basis, and the importance of disposing of media containing PHI in a secure manner.

Who will be subject to Phase 2 of the HIPAA Audit Program and how will participants be selected?
Since announcing the launch of Phase 2 of the HIPAA Audit Program, the OCR has started sending emails to CEs to verify contact information. CEs need to check their spam filters to ensure that any emails from the OCR have not been incorrectly identified as junk email.

Those CEs who are asked by the OCR to verify their contact information may eventually be sent a pre-audit questionnaire that will ask recipients a host of questions about their organization, including where they are located, how many employees they have, what services they provide, and who their BAs are. The questionnaires will be used by the OCR to determine which CEs and BAs will be selected to participate in Phase 2 of the HIPAA Audit Program. The OCR wants to audit a diverse selection of CEs and BAs that will range in size, type and location.

All CEs and BAs are eligible for an audit and could be asked to participate in either one or two stages of Phase 2 of the HIPAA Audit Program. However, CEs or BAs who are involved in an ongoing OCR complaint investigation or compliance review will not be selected as an audit participant during Phase 2 of the HIPAA Audit Program.

What is the timeline for the three stages?
Stage 1 – Desk Audits of CEs

The first stage of Phase 2 of the HIPAA Audit Program will involve desk audits of CEs. The focus of these desk audits will be on the CE’s compliance with specific requirements of the Privacy, Security or Breach Notification Rules. Audit participants should be prepared to share their risk analyses, policies and procedures and their Notice of Privacy Practices with the OCR. It appears that the OCR will also be interested in learning about how the CE process individuals’ requests for PHI copies. The OCR states that these desk audits will be completed by the end of December 2016.

Stage 2 – Desk Audits of BAs

The second stage of Phase 2 will be very similar to the first stage, except desk audits will be conducted on BAs. The OCR states that these desk audits will also be completed by the end of December 2016.

Stage 3 – On-Site Audits of CEs and BAs

The third stage of Phase 2 will involve on-site audits of select CEs and BAs. These on-site audits will be comprehensive and will likely include a three- to five-day on-site visit by the OCR.

What’s next?
Any day now, the OCR will be publishing audit protocols for Phase 2 of the HIPAA Audit Program. These protocols will provide instructions to CEs and BAs on what the OCR will be evaluating during the various stages of Phase 2.

MRO will be sharing helpful tips to our clients in upcoming email and webinar formats. Stay tuned for more details.

This blog post is made available by MRO’s general counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s general counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Sign Up for Future Blog Posts

Read More

HIMSS16 Reflections

After a busy yet exciting week at HIMSS16, most attendees are settling back into their daily routines, but strong impressions from the event remain. Main takeaways tend to vary from year to year, and this time, privacy and security was a prevailing theme across the HIMSS floor.

Several of MRO’s executive leaders shared insights from the event that reinforced this idea. For example, Charlie Wilson, CIO of MRO, noted, “A security awareness permeated the show, as there were a host of vendors that focused on cybersecurity, encryption, risk management, single sign-on with two-factor authentication; and there was buzz created by recent breach incidents, both domestic and international.” With the potential for both internal and external threats, his comments point out the wide range of issues that underlie security concerns.

Healthcare organizations clearly need to cover many fronts as part of their privacy and security vigilance; chief among them are enforcement of policies and procedures, protection of data integrity and mitigation of risk.

“Privacy, security and compliance are of paramount importance across the spectrum of healthcare products and services,” said Wilson.

Best Practices and Tools
Best practice concepts in managing the secure flow of Protected Health Information (PHI) were among major topics of discussion. Steve Hynes, CEO of MRO, noted that the creation of a Data Governance plan was in the forefront of ideas. Defining procedures and accountability to support stated enterprise-wide policies can help align the various departments of a healthcare group in a common effort to meet privacy and security standards.

Rita Bowen, MA, RHIA, CHPS, SSBG, Vice President of Privacy, HIM Policy and Education for MRO, saw a common focus on meeting these standards as well, saying, “innovation was a key theme.” Bowen noted the use of technology “as an enabling tool to assist in data quality and integrity standards, which are integral components of an organization’s Information Governance program.”

Finding and implementing the right tools can help organizations raise the bar to a higher level of data integrity. One example of such a tool is MRO’s IdentiScan®, introduced as a standalone record integrity application at HIMSS16. At MRO’s exhibit space, Bowen and colleague David Borden, CTO of MRO, demonstrated the tool which uses optical character recognition to review electronic medical records and flag any potentially misfiled records. Ensuring that the correct patient information is maintained in the health record is key to the successful use and exchange of PHI.

The conversations and awareness raised at HIMSS16 can serve to inspire healthcare providers and their business associates to implement new practices and technologies to improve privacy and security efforts. Healthcare organizations can collaborate with partners like MRO to build stronger methodologies and meet the challenges of enforcing compliance across their groups.

Missed MRO at HIMSS? No problem. Schedule your no-obligation demo of IdentiScan today and learn how you can improve record integrity, patient safety and quality of care.

Sign Up for Future Blog Posts

Read More

Information governance requires technology, consistency and HIM leadership

More Protected Health Information (PHI) and other data is coming in and going out of healthcare organizations than ever before. Electronic medical records (EMRs) and numerous electronic devices make accessing and exchanging information much easier than with paper. But it’s also easier to disclose PHI to an unauthorized recipient, resulting in breach that can be costly financially, but also to an organization’s reputation.

This challenge—among many others—has spurred the adoption of Information Governance (IG) programs across organizations. Protecting patient information and mitigating an organization’s risk, however, are only two reasons why implementing an IG program at your organization is so important.

Crucial to implementing an IG program is having the right technology and a knowledgeable team in place, which we’ll explore in this blog post. But first, a little background about IG.

HIM becoming the IG leaders
In 2014, AHIMA laid out its eight IG principles, described in greater detail here. The overriding theme across these principles is that organizations need to implement consistent, standardized policies and procedures surrounding the access, disclosure and management of information across their enterprises.

To achieve this, collaboration with the CIO, HIT, Compliance and other senior executives is essential, but HIM can lead in helping design and implement an IG program. Why? Because HIM has the most applicable knowledge base and experience in ensuring consistent policies and procedures around managing PHI and other information.

Additional expertise HIM leaders can share are best practices to educate other departments on compliant information access and disclosure. This leadership role should institute a continual effort to address gaps and ensure compliance with the organization’s IG program. HIM leaders also have insight into the technology that can help protect data integrity and prevent breaches.

How technology supports IG
As centralized policies are developed and communicated, technology solutions can be implemented to help manage information in a coordinated manner across the enterprise. One such tool available to support an organization’s IG efforts is MRO’s IdentiScan®, which uses optical character recognition technology to search medical record content to identify and correct comingled records containing information for multiple patients. Correcting comingled records prior to Release of Information (ROI) can prevent a PHI breach, but more importantly, it can protect patient safety and improve quality care by ensuring that providers are reviewing the right data for the right patient.

Eliminating mixed records using this automated validation process can noticeably enhance overall accuracy. For example, one large health system we assisted utilized eight full-time employees just to perform quality reviews of their charts at the point of patient discharge. Even with this extra layer of focused manual checks, IdentiScan detected more than 350 instances of comingled patient records, in addition to what the healthcare organization’s staff found over the course of nearly two and a half years.

Integrity is one of AHIMA’s primary IG principles, focusing on eliminating errors and ensuring accuracy. IdentiScan also supports organizations in helping follow most of AHIMA’s other IG principles, including Protection, Compliance, Availability and Accountability. However, advanced technology alone won’t help organizations achieve their IG goals. Technology is only a tool that supports a knowledgeable, highly trained staff of HIM experts. This staff can help organizations achieve the AHIMA IG goals of helping to improve patient safety, care quality, interoperability and organization-wide efficiency, among others.
Schedule a no-obligation demonstration of MRO’s IdentiScan today to learn how our technology can protect your organization’s data integrity and mitigate its breach risk.

Sign Up for Future Blog Posts

Read More