
Updates from the OCR: Phase 2 of the HIPAA Audit Program


At the recent National HIPAA Summit in Washington, D.C., Jocelyn Samuels, Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), and Deputy Director Deven McGraw, gave an update on the OCR’s compliance enforcement efforts, including the status of the HIPAA Audit Program, which launched Phase 2 in March 2016.


The OCR stated that they plan to complete 200-250 audits of Covered Entities (CEs) and Business Associates (BAs) over the course of three stages during Phase 2 of the HIPAA Audit Program. Currently, the OCR is in the process of evaluating documentation it received from the 167 CEs selected in June 2016 to participate in the first stage of Phase 2. Preliminary draft audit reports will soon be sent to audited CEs for their feedback, before the drafting of final reports. The OCR anticipates completing the first stage of Phase 2 by the end of 2016.

Future Outlook: Second and Third Stages for Phase 2 HIPAA Audits


In the meantime, the OCR plans to launch the second stage of Phase 2 – BA desk audits – in October 2016. The OCR will select 40-50 BAs from lists provided by stage one CE auditees to participate in stage two. Those BAs selected for the second stage will be evaluated on CE breach notification and compliance with the HIPAA Security Rule. Prior to the launch of the second stage, selected BAs will be invited to participate in a webinar hosted by the OCR, allowing the BAs to ask questions. As in stage one, selected BAs will have ten days to respond to the OCR’s request for documentation and will be given an opportunity to review and provide feedback on a draft of the report before the final version is completed.


In the next few months, the OCR will initiate the third stage, which will consist of onsite audits of select CEs and BAs. The OCR does not yet have an exact number of audits for stage three, but anticipates conducting only a small number.


After completing Phase 2 of the HIPAA Audit Program, the OCR will issue a public report, which will aggregate and address “lessons learned,” including best practices for BAs and CEs to implement.


Even for organizations not selected for participation in Phase 2, the OCR strongly encourages all CEs and BAs to review and implement the audit protocols, as most organizations that have entered into resolution agreements and civil money penalties with the OCR have been cited for not having proper risk analyses and risk assessments in place.

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation.


MRO will hold an informal HIPAA Q&A during the upcoming AHIMA16 convention in Booth #1020. If you’re attending the conference, please stop by.


This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.



Five stellar tips for providing patient access while protecting privacy


MRO recently hosted a webinar, “Skyrocket your HIPAA Compliance: 5 Stellar Tips for Providing Patient Access while Protecting Privacy,” exploring ways Covered Entities (CEs) can provide patients and their personal representatives easy access to Protected Health Information (PHI), while staying compliant with HIPAA and protecting their data from breach.

As the title promised, we offered the following five tips:

1. Do not create patient access barriers

The HIPAA Privacy Rule requires CEs to provide patients and their personal representatives – persons with authority under state or applicable law to make healthcare decisions for a patient – easy access to their PHI for a “reasonable, cost-based” fee within 30 days of request. CEs can require the requests be made in writing and using their own supplied forms, but cannot create barriers or unreasonably delay patients from obtaining PHI.

2. Implement the HIPAA Security Rule’s safeguards

This includes:
a. Administrative Safeguards: Administrative actions to manage security measures to protect electronic PHI (ePHI).
b. Physical Safeguards: Physical measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and from unauthorized intrusions.
c. Technical Safeguards: Technology used to protect and control access to ePHI.

3. Standardize and centralize

Standardizing PHI procedures and centralizing Release of Information (ROI) processes reduces the risk of HIPAA violations and decreases the number of PHI disclosure points, lessening the chance of improper disclosure and breach.

4. Educate and train workforce members

Oftentimes, compliance issues are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for the use and disclosure of health information. With this in mind, it is important to create a culture of compliance. Workforce members should undergo formal training at least once a year to ensure compliance with applicable federal and state laws, and the effectiveness of this training should be tested through measures such as phishing exercises and desk audits.

5. Monitor Business Associate compliance with HIPAA

CEs are required to enter into Business Associate Agreements (BAAs) with their Business Associates (BAs), as BAs are now liable for violations of the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.

The webinar also included an update on HIPAA Compliance Enforcement, including information on Phase 2 of the Office for Civil Rights (OCR) HIPAA audits, which began in March 2016.


Four ways HIM leaders can leverage technology to improve the Release of Information process


In today’s fast-changing healthcare environment, health information management (HIM) professionals encounter a variety of challenges, including Information Governance, standardizing disclosure processes across an enterprise, operating in an environment of disparate information technology (IT) and paper systems, managing data integrity, and navigating the sharing of electronic Protected Health Information (ePHI) and interoperability initiatives. These challenges, however, can be turned into opportunities for forward-thinking, tech-savvy HIM leaders to establish organizational leadership and develop innovative strategies.

MRO will lead an educational session at the upcoming AHIMA Convention and Exhibit in Baltimore exploring some of these opportunities. Alongside our Release of Information (ROI) client Charlotte Walton-Sweeney, RHIT, Director of HIM for Lancaster General Health/Penn Medicine, we will discuss how HIM leaders can leverage technology to improve operational efficiency, increase security and mitigate breach risk.

The following is a sneak peek into some of the ROI tips we’ll cover:

1. Deploy an enterprise-wide ROI platform
MRO research shows as many as 40 disclosure points in a health system, including HIM, radiology, billing offices and physician practices. Deploying one platform across a health system ensures standardized policies, procedures and technology are in place; improves compliance; and provides centralized oversight of ROI.

2. Utilize integrations with EMR and other hospital IT systems
Automating manual steps of the ROI process by enabling system integrations saves time and drives accuracy. Sophisticated ROI vendors offer such system integration solutions, like MROeLink®. At its core, MROeLink is a direct synchronization between MRO’s PHI disclosure management platform, ROI Online®, and the ROI module within the Epic electronic medical record (EMR) system. It also includes a variety of other IT system integrations, such as an MPI patient lookup feature, which enables HIM staff to electronically access patient identifiers, demographics and encounter history directly within ROI Online, eliminating the need for copying or retyping information.

3. Implement electronic delivery methods
Implementing electronic delivery methods, such as portal technology, esMD for CMS audits, integrations with the U.S. Social Security Administration for disability determination, and Direct Secure Messaging all improve efficiency by reducing associated time and labor, and reduce risk by moving paper processes to secure, electronic methods.

4. Leverage Quality Assurance (QA) technology
Technology can be used to enhance QA in the ROI process. For example, MRO’s record integrity application IdentiScan® is powered by optical character recognition (OCR) technology that “reads” medical records to identify commingled records, resulting in accuracy rates of 99.99 percent.

Be sure to attend our session at AHIMA to learn more about how Lancaster General Health/Penn Medicine partnered with MRO to improve ROI quality, service and efficiencies.

Defining OCR Patient Access Guidelines


In the September issue of the Journal of AHIMA, some of my colleagues and I authored an article outlining the Office for Civil Rights’ (OCR) guidelines for patient access to health information. Providing individuals and their designated personal representatives easy access to their health information is prescribed by the HIPAA Privacy Rule, and is one of the OCR’s most important mandates. While the OCR’s guidance did not change HIPAA regulations, it is recommended procedure for audits.

The OCR is developing further clarifications and guidance to clear up challenges and confusion surrounding their frequently asked questions (FAQs) published in early 2016. During AHIMA’s 14th Annual Hill Day and Leadership Symposium, Deven McGraw, deputy director of the OCR, stated the initial clarification published on the OCR website still contained gray areas, stemming from the OCR’s desire to give patients more access to their health information, while promoting more engagement with health outcomes.

Patient requests for access to health information vs. third party requests

One area of confusion is the difference between a patient’s right to access health information and third-party Release of Information (ROI) requests requiring the patient’s signed authorization.

Requests for copies of Protected Health Information (PHI) made by patients and their personal representatives – individuals with authority under applicable law to make healthcare decisions on behalf of the patient – do not need accompanying HIPAA-compliant authorizations. Only requests made by third parties must be accompanied by HIPAA-compliant authorizations.

Covered Entities (CEs), however, can require patients and their personal representatives to submit their requests for copies of PHI in writing, though they may not require patients and personal representatives to come onsite to their facility to request in person, nor can CEs require patients to submit their requests via web portal or through the mail. CEs can also require patients and their personal representatives to complete a designated form when requesting health information, “provided use of the form does not create a barrier to or unreasonably delay” patient access to PHI. Additionally, it is not recommended for providers to ask patients for a description of purpose regarding the information requested; while it is not prohibited to ask, denying access based on the answer is prohibited.

If a patient or their personal representative wants to direct a CE to send copies of the patient’s PHI to a designated third party, the request must be in writing, signed by the patient or the personal representative, and clearly identify the designated recipient and where to send the PHI.

Other dos and don’ts of patient access to health information were summarized in the Journal of AHIMA article.

As the OCR continues to define guidance for patient access to health information, it is important for providers to allow patients easy access to their PHI.