Check Request Status610-994-7500

Insights from MRO’s legal expert: Exploring patient access to Protected Health Information

President Obama’s Precision Medicine Initiative has encouraged millions of Americans to share their Protected Health Information (PHI) with the federal government. This push means providers should dedicate more time and resources to helping patients through the requesting process. With this in mind, my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, and I co-authored an article for Compliance Today, reviewing the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) patient access FAQs and guidance.

In this post, I’ll review a few compliance concerns related to patient access.

Patient requests are different than third party requests

Requiring patients and their personal representatives to submit HIPAA-compliant authorizations in order to obtain access to their PHI is one of the most common compliance mistakes. Healthcare organizations may require patients to request in writing and on provider-supplied forms, but these requirements cannot create a barrier to or unreasonably delay patient access to health information.

Designated record set may not be clearly defined

Providers should utilize the designated record set (DRS) to collect information for patient requests. The DRS contains any information used to make decisions about an individual, including medical records, billing records, insurance information, clinical lab test results, medical imaging, wellness and disease management profiles, clinical case notes and other items. Ensuring patient access may become a compliance challenge when the DRS is not clearly defined.

Timeliness and format

One major focus of the patient access FAQs is the emphasis on timely fulfillment of patient requests for access to health information, usually within 30 days. If a request cannot meet the specified turnaround time, the provider must notify the patient, explaining the reason for the delay and when the patient can expect their records.

Additionally, providers should give patients their PHI in the form and format requested. The copies should be delivered to patients for a “reasonable, cost-based” fee.

For a more in depth look at patient access, read the full Compliance Today article.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Sign Up for Future Blog Posts

Read More

Remove patient access barriers to stay HIPAA-compliant

Compliance Today
Remove patient access barriers to stay HIPAA-compliant
MRO’s Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy, and Sara Goldstein, Esq., General Counsel, explore what healthcare providers can do to stay compliant with HIPAA and the Department of Health and Human Services’ Office for Civil Rights (OCR) FAQs on patient access.

Read More

How collaboration and technology helped Lancaster General Health/ Penn Medicine improve PHI disclosure management

Group of people meeting with technology.

This guest post is by Charlotte Walton-Sweeney, RHIT, Director of Health Information Management for Lancaster General Health/ Penn Medicine

I recently co-authored an article for ADVANCE for Health Information Professionals with MRO’s Vice President of Information Technology (IT), Anthony Murray. In the article, we looked at how extensive planning, collaboration and technology helped Lancaster General Health/ Penn Medicine (LG Health/ Penn Medicine) improve accuracy, security and efficiency in our Protected Health Information (PHI) disclosure management processes.

Establishing strong Information Governance

Mergers are set to rise in 2017. These mergers demand not only system integrations, but also standardization of Release of Information (ROI) policies and processes to ensure compliance with HIPAA and internal policies. Strong Information Governance (IG) can help ensure HIPAA compliance, PHI security and data integrity. Collaboration between Health Information Management (HIM) and IT departments is essential in developing an effective IG plan, as each group brings unique expertise to the table.

Collaboration yields benefits for Lancaster General Health/ Penn Medicine

At LG Health/ Penn Medicine, we wanted to use technology to automate processes and improve quality and turnaround times for an estimated 50,000 annual ROI requests. The first step was selecting a new PHI disclosure management partner.

After a request for proposals for ROI services was issued, the new vendor selection process took about 18 months. The search included collaboration between HIM and IT while vetting candidates, presenting options and helping establish realistic implementation timelines.

We selected MRO as our vendor, as they offered high levels of service quality and unique technology, including a seamless integration with our organization’s Epic EMR. MROeLink® offers a direct synchronization between Epic and the ROI Online® platform, eliminating dual data entry and other duplicative processes, and automates typically manual steps. MRO also performs redundant Quality Assurance (QA) checks, including the use of their record integrity application, IdentiScan®.

Since the beginning of our partnership with MRO, approximately 13,000 improper disclosures have been prevented by redundant QA, including through the use of IdentiScan, which uses optical character recognition technology to help identify potential comingling of records within charts prior to PHI disclosure. Additionally, the use of MROeLink has cut LG Health/ Penn Medicine’s processing times by 50 percent.

Offering more than just technical support and expertise, MRO also educated both our HIM and IT departments to understand changes with HIPAA and other regulations, and provides regular, ongoing training programs to help us stay compliant.

We were also so taken with the prompt and effective service MRO delivered to ensure requester satisfaction that we had their education leadership train hospital HIM staff in customer service. We have recognized improvements in our overall customer service and patient satisfaction.

Fill out the form below to receive MRO’s LG Health/ Penn Medicine case study and learn more about how collaboration and technology helped us improve PHI disclosure management.

Fill Out Form to Receive Lancaster General Health/Penn Medicine Case Study

Read More

Leveraging Technology for Accurate and Efficient Disclosure of Protected Health Information

ADVANCE for Health Information Professionals
Leveraging Technology for Accurate and Efficient Disclosure of Protected Health Information
Lancaster General Health/ Penn Medicine’s Charlotte Walton-Sweeney, RHIT, Director of Health Information Management, and MRO’s Anthony Murray, Vice President of Information Technology (IT), explore how IT is helping healthcare organizations cut processing times while ensuring accurate Release of Information.

Read More

2017: Predictions for Health Information Management

2017 Bulb Sign

I recently sat down with my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, MRO’s Vice President of Privacy, Compliance and HIM Policy, to talk about our predictions and expectations for 2017 regarding Health Information Management (HIM), specifically our areas of expertise – privacy and security.

There are many unknowns with the incoming administration – some initiatives could be strengthened, some weakened, some totally done away with – but there are some things that will undoubtedly stay relevant, at least for some time, which we’ll cover in this blog.

Focus on vendor relationships and Business Associate compliance

Over the past few years we’ve seen an influx of third party risk assessment surveys at MRO. In addition to initial surveys during the evaluation phase, annual surveys are now more common. This focus on privacy and security stems from the 2013 Omnibus Rule, which updated HIPAA and HITECH. These updates made Covered Entities (CEs) responsible and financially liable for their Business Associates (BAs), and also made BAs responsible for any associated penalties.

With this in mind, the creed for CEs conducting due diligence should be “trust but verify.” Be sure to partner with the appropriate people and organizations, and use a standardized assessment to ensure potential BAs are focused on privacy and security and have the proper staff in place, in terms of both headcount and skillset.

Patient-generated health data and telemedicine

The rise of patient-generated health data and telemedicine continues to impact HIM, and we predict it will present ongoing challenges to be addressed in 2017.

Some of these challenges include the increased use of patient portals and unencrypted personal devices, as well as a growing interest in population health. Deciding how to incorporate this new information into health records, along with developing a plan for managing and releasing patient-generated data should be an integral part of every Information Governance strategy moving forward.

OCR guidance on patient access

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) stated they will release new guidance on providing patient access to Protected Health Information sometime during the first quarter of 2017. This guidance is expected to include further direction on Release of Information requests from attorneys, a source of perpetual confusion.

So, what do we know for sure going into 2017? Be ready for anything.

Fill out the form below to receive our monthly newsletter and stay up to date with the latest news from MRO.

Receive our Monthly Digital Newsletter

Read More