
5 essential tips for avoiding a HIPAA violation


As more health information is stored and transmitted electronically, the risk of such data being compromised or breached is growing. In this environment, Protected Health Information (PHI) obviously must be secure, but also accessible to authorized requesters, as mandated by HIPAA.

I explored all aspects of HIPAA compliance in greater detail in a June 2016 Group Practice Journal article. The following are brief summaries of the five tips discussed in the article:

1. Avoid Patient Access Barriers
HIPAA-compliant authorizations are only required when a third party requests access to a patient’s PHI. Provider organizations can require that patients use a specific form to request their own PHI, but the form cannot create an access obstacle. Another compliance consideration is that patients’ personal representatives have the same rights as the individual to the PHI, provided they can supply information regarding their authority to act on behalf of the patient.

2. Implement HIPAA Security Rule Safeguards
Almost all organizations investigated by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) for complaints or breaches have been cited for not properly conducting a risk analysis. This essential element is one of the technical safeguards that Covered Entities (CEs) and Business Associates (BAs) must comply with under the HIPAA Security Rule. Conducting a risk analysis, as well as assessing the organization’s physical and technical PHI safeguards, should also be considered.

3. Reduce Breach Risk
Standardizing PHI policies and procedures and centralizing Release of Information (ROI) processes can reduce breach risk. In addition, engaging vendors who offer advanced technology, highly trained and knowledgeable staff, and HIPAA-compliant best practices to manage ROI offers providers an enhanced level of breach protection.

4. Train and Audit Staff
As the technologies used to manage PHI evolve, organizations must provide ongoing education and training to staff. This can include ensuring that staff understand the technology and follow HIPAA-compliant procedures to prevent breaches and offer unencumbered access to authorized parties. Testing staff year-round, including mock breaches to simulate the response steps, is also important.

5. Assess Business Associates
Ensure your BAs are also in compliance with applicable state and federal privacy and security laws. Periodic vendor assessments will help ensure BA compliance with HIPAA and Business Associate Agreements (BAAs).

To learn about these five steps and more, please fill out the form below to receive a complimentary copy of the Group Practice Journal article.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


Consider ROI vendor’s reputation, people, quality and technology before partnering


As Release of Information (ROI) processes continue to evolve, forward-thinking health information management (HIM) directors are moving their previously in-house ROI workflows to outsourced vendors who offer the specialized services, trained workforce and advanced technologies needed to meet today’s demands.

When researching ROI vendors, it’s important to ask the following questions when evaluating potential partnerships:

How is the vendor rated by KLAS?
KLAS is an organization that rates healthcare companies based on customer feedback in the following areas: sales and contracting; implementation and training; and service and support. KLAS began ranking ROI in 2012, and in June 2015 released its HIM Services report, which covered ROI, transcription and coding. The scores and comments from HIM professionals and C-level executives should be carefully considered when researching potential partners.

What role will the vendor’s staff play in improving quality?
Many ROI vendors offer a variety of service models, such as staffed, shared or remote, but regardless of the model, the most sophisticated partners will offer clients extra levels of team support and services, such as a Requester Services division that includes a call center to handle all requester inquiries and status checks. Some ROI partners will also offer personalized support to patients, with a heightened sense of empathy, such as MRO’s Patient Advocate program.

By leveraging multiple support teams who are highly trained in ROI and their specialized support functions, and by providing regular access to management, advanced ROI vendors essentially offer a ‘no single point of failure’ approach to ROI.

How many levels of Quality Assurance (QA) are applied to the vendor’s workflow?
Incorporating multiple levels of QA into ROI workflows is essential, given that 20 to 30 percent of ROI authorizations are invalid, and 10 percent of authorizations could be processed with errors if not reviewed a second time.

Even with the best training, human error will result in commingled records being shared 0.7 percent of the time. That may seem like a small number, but imagine a hospital releasing 100,000 records annually – that’s 700 mixed patient records likely to be shared, resulting in a potential breach.

The most progressive ROI partners will use record integrity applications, like MRO’s proprietary optical character recognition (OCR) technology called IdentiScan®, to scan each page of a record for commingled data. With 5 percent of electronic medical records (EMRs) containing data integrity issues, such technology is crucial in an ROI partner.

How is technology leveraged to improve service levels?
In addition to providing QA through record integrity applications, the most sophisticated vendors will also offer EMR integrations, such as MROeLink®, which improves efficiency and reduces keying errors by interfacing with an organization’s Master Patient Index (MPI), Epic’s ROI module, or other information technology systems.

Vendors with strong technology capabilities should also have interfaces with government agencies, such as the U.S. Social Security Administration (SSA) for automating Disability Determination Services (DDS) and the Centers for Medicare & Medicaid Services (CMS), to reduce turnaround times and labor for fulfilling DDS and audit requests.

To request a side-by-side comparison of how partnering with MRO for ROI services compares to both in-house processing and other ROI vendors, please fill out the form below.
