Distinction singles out Patient Advocate program for its innovative approach to customer service
Monitor Monday Focus Report: Release of Information Challenges
Listen to MRO’s Sara Goldstein, Esq., General Counsel, report on the challenges involved in complying with requests for Release of Information.
With the advent of healthcare tracking apps and wearable technology, patients are now playing a more active role in their healthcare. This phenomenon is known as patient-generated health data (PGHD), which the US Department of Health and Human Services’ (HHS) Office of the National Coordinator of Health Information Technology (ONC) defines as “health-related data created, recorded, or gathered by or from patients (or family members or caregivers) to help address a health concern.”
As this information is incorporated into electronic medical records (EMRs), PGHD can provide a more comprehensive picture, since health information is collected continuously between medical visits. This sharing of PGHD leads to shared decision-making and results in improved care, helping prevent issues from being overlooked, and cutting down the number of redundant or unnecessary tests, which saves money.
As the use of PGHD continues to increase, determining how to incorporate the stream of information into EMRs, as well as how to utilize this newly minted Protected Health Information (PHI), is a top concern.
Information Governance strategies for managing PGHD
Developing a strong Information Governance (IG) plan, including a mapping strategy, is imperative to successfully incorporating PGHD into patient EMRs. Health Information Management (HIM) leaders need to talk to their teams about what PGHD should actually be utilized and how to integrate that information.
Since there are no existing standards for PGHD, healthcare organizations need to be wary of multiple sources of information, which can cause information integrity issues. Ensuring patient data comes from properly calibrated equipment is one concern. Once the information is incorporated into EMRs, the question becomes how best to utilize it.
For example, tracking weight is important for congestive heart failure patients, and sending scale readings to doctors can alert them when significant and dangerous spikes occur, prompting doctors to take action. This is where data mapping becomes key. Identifying what information is relevant will help to avoid burdening physicians with reviewing large amounts of information in a relatively short time, and will help keep patient expectations realistic.
Continued education for providers and patients
It is important to develop site-specific training for incorporating and leveraging PGHD. This ongoing training should keep team members up to date on best practices for maintaining and utilizing PGHD, as well as handling the Release of Information (ROI) for this new data. Additionally, it is important for patients to be informed not only of the benefits of PGHD, but of their responsibilities in the gathering and use of PGHD as well.
MRO will be presenting on the topic of PGHD at the 2017 annual meetings of ASHIMA, MOHIMA/ KLIMA, ILHIMA and TXHIMA. To see a full calendar of tradeshow events at which you can visit with MRO, please view our event listings.
Sign Up for Future Blog Posts
For the Record
ROI Demands on the Rise
Rita Bowen, MA, RHIA, CHPS, SSGB, MRO’s Vice President of Privacy, Compliance and HIM Policy, discusses how to tackle common Release of Information hurdles.
Benchmark Survey Addresses Most Challenging Aspects of ROI
Sara Goldstein, Esq., MRO’s General Counsel, examines the findings of HCPro’s HIM Briefings’ first Release of Information benchmarking survey of 2017 and dives into the biggest challenges facing the industry.
Lexington Medical Center (LMC), located in West Columbia, South Carolina, consists of a 428-bed hospital and more than 70 clinics. LMC receives more than 35,000 Release of Information (ROI) requests annually. LMC wanted to standardize their ROI workflow and widen the scope of their Health Information Management (HIM) department to encompass both inpatient and outpatient requests.
LMC implemented ROI Online®, MRO’s enterprise-wide Protected Health Information (PHI) disclosure management solution, in July 2016. Focusing on efficiency and transparency, MRO worked side-by-side with LMC to ensure a smooth transition to the new platform.
This transition began with a site assessment, allowing MRO to learn LMC’s specific needs. The site assessment was followed up by a series of pre-implementation project planning calls with LMC management to establish implementation goals. MRO’s implementation team was then deployed onsite to facilitate the transition. The process also included 16-20 training sessions for onsite staff.
LMC implemented MROeLink® roughly three months after their initial go-live. MROeLink is a suite of interfaces featuring a direct synchronization between the ROI Online platform and Epic’s ROI module. This interface eliminates the need for dual logging in the ROI and EMR systems, effectively cutting LMC’s ROI processing times in half.
LMC also leveraged MRO’s Remote Service’s team for payer audit management when they received a large payer audit. The Remote Services team provided batch logging and bulk processing for the 7,600 request audit, completing the task ahead of schedule and enabling onsite staff to continue operating as normal, leaving turnaround times unaffected.
LMC has seamlessly integrated MRO’s ROI solution across their enterprise, standardizing and centralizing the process, which has led to overall improved processes and patient satisfaction.
Fill out the form below to download our case study detailing the Lexington Medical Center implementation.
Fill Out Form to Receive the Lexington Medical Center Case Study
OCR’s patient access fee guidance offers more questions than answers
MRO’s Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy, explores the confusion surrounding personal representatives in the OCR guidance on patient access.
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Illinois-based Presence Health agreed to settle potential HIPAA Breach Notification Rule violations by paying $475,000 and implementing a corrective action plan. This is the OCR’s first settlement based on the untimely reporting of a breach of Protected Health Information (PHI), and signals a new direction in HIPAA enforcement.
There are many ways healthcare organizations can ensure compliance to HIPAA Security, Privacy and Breach Notification Rules, and in this blog post, we will focus on consistently conducting HIPAA risk analyses.
Risk analysis is a process used to develop a firm understanding of the location of PHI and electronic PHI (ePHI) across an enterprise. Completing this process can also help identify potential points of disclosure and improve breach management.
Here are three key points about risk analysis:
1. Risk analysis must be a living document
Regularly conducting accurate and thorough assessments of potential risks and vulnerabilities is imperative. As stated, this assessment should identify the location of all PHI and list potential threats, including its vulnerability to impermissible use and disclosure. Additionally, the assessment should list corrective actions for such instances. The Office of the National Coordinator for Health Information Technology (ONC) website offers an interactive tool for conducting risk analysis, and helps determine if and when organizations need to take corrective action.
2. Conduct Business Associate risk analysis
Healthcare organizations need to assess risks for all Business Associates (BAs) that can share or access PHI. During this analysis, organizations need to ensure Business Associate Agreements (BAAs) are in place with all BAs, including partners in the Health Information Management (HIM) space, and other vendors less directly involved with health information, like food service operations or revenue cycle management partners. Inquiring about BAs’ risk analyses, risk management plans and breach notification plans should be a major focus of BA reviews.
3. Ensure breach notification compliance
Risk analyses should include a review of breach notification compliance. In general, incidents involving less than 500 patients need to be reported to the OCR within 60 days after the end of the year; incidents involving more than 500 patients need to be reported within 60 days of the incident.
If it is concluded that no unauthorized PHI was disclosed in a suspected breach, organizations must justify the findings of the breach risk assessment concluding the risk of compromise was low, and thus no breach occurred. Organizations will need to document a timeline from discovery to notification for any instances determined to be reportable breaches.
For additional risk mitigation best practices, fill out the form below and receive a copy of MRO’s white paper, Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Processes and Risk.
This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.