
5 tips for ensuring quality in PHI disclosure management


With a greater demand for Protected Health Information (PHI) comes the potential for a greater number of breaches, especially small breaches due to unintentional improper disclosures. Since 2009, over 180,000 small breaches impacting fewer than 500 patients at a time have been reported to the Office for Civil Rights (OCR). The escalated demand and risk associated with sharing PHI create a serious need for improved accuracy and quality.

Here are five tips for ensuring quality in the Release of Information (ROI) process, so you can keep your organization running smoothly and compliantly.

1) Perform multiple Quality Assurance checks

Instituting multiple Quality Assurance (QA) checks on every release will dramatically improve your disclosure accuracy. Leverage technology to catch human error, and have a second set of eyes on everything before it is released. Some items to double-check include:

  • HIPAA-required criteria
  • Accuracy of patient information
  • Dates of treatment against authorization
  • Record content for comingled patient documents
  • Mailing envelope for correct address

2) Send notifications to requesters

Notify requesters of deficiencies in their requests to increase authorization efficiency. Developing a consistent methodology will streamline the authorization process and help prevent disclosure of unauthorized requests.

3) Develop a rules-based application

Developing a rules-based application that evaluates requests for HIPAA compliance and other requirements, like checking subpoenas for quash periods, will increase efficiency by automating previously manual steps.

4) Perform a final review of content and timeframe

Review the content of requested information to ensure there are no comingled records. As a best practice, leverage record integrity applications that utilize optical character recognition technology to assist humans in performing these quality checks. Additionally, check that all records included for release fall within the timeframe requested. This is another iteration of “perform multiple QA checks,” but the importance of checking and rechecking cannot be stressed enough.

5) Create a uniform ROI training program

Train and retrain employees in all aspects of ROI. Without well-trained employees, all the cutting-edge technology and expertly crafted workflows will not do much to prevent breach. Revise and update this training at least annually, and be sure to document all training.

By implementing sophisticated ROI workflows and technologies, and employing expertly trained professionals, healthcare organizations can prevent breach. Often an advanced PHI disclosure management firm can provide the right people, technology and services to ensure compliance.

Watch this video detailing MRO’s National Service Center to see these best practices in action, and fill out the form below to download more information about our service teams.


Reduce BA risk through due diligence and documentation


MRO wrote an article for the October issue of Journal of AHIMA, exploring why it’s important for healthcare organizations to ensure the HIPAA-compliance of the entities they partner with to help carry out healthcare activities, and what they can do to guarantee that compliance. Entities that create, maintain or transmit Protected Health Information (PHI) on behalf of a provider organization are considered Business Associates (BAs) under HIPAA, and, as of 2013, can be held liable for violations of the HIPAA Security and Breach Notification Rules and certain provisions of the HIPAA Privacy Rule.

These BAs include PHI disclosure management partners like MRO, as well as providers of services less obviously tied to privacy and security compliance, like food services companies. Regardless of a BA’s business, provider organizations need to conduct due diligence and execute Business Associate Agreements (BAAs), ensuring BAs have HIPAA-compliant policies and safeguards in place.

BAs have come under increased scrutiny from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) in recent years. This attention stems in part from the large amount of electronic PHI (ePHI) that BAs hold, putting providers and their patients at risk.

Conduct due diligence

While it is very important to conduct due diligence of BAs before beginning a partnership, it should also be part of the provider’s ongoing risk analysis. Providers should create a questionnaire for BAs containing questions about how the BAs protect PHI. If red flags are identified, a more in-depth review or assessment should be conducted.

In addition to these due diligence questionnaires, provider organizations should obtain “satisfactory assurances” from BAs in writing. These “satisfactory assurances,” which state BAs will appropriately safeguard the PHI they receive or create on behalf of the provider organization, are required under the HIPAA Privacy Rule.

Encourage transparency

Additionally, to ensure protection for both the provider organization and the BA, both parties should encourage information and process transparency from the start, beginning with thorough due diligence, which will establish an open relationship and forge a trusting long-term partnership.

To learn more about managing BA risk, join us for AHIMA’s Virtual Privacy and Security Academy. The next session, hosted by MRO, will cover BA and subcontractor management, and will be held on December 14, 2016. Please enter your email address below to receive our special promo code for 15 percent off registration.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
