
MRO Celebrates Health Information Professionals Week

Healthcare organizations around the country are celebrating Health Information Professionals (HIP) Week, for which the theme this year is “Leading the way in quality data.” At MRO, we always enjoy honoring the great work of our Health Information Management (HIM) partners during this celebration week.

As part of MRO’s celebration of our own staff during HIP Week, we’ve launched a social media campaign to showcase MRO Everyday Heroes who make a difference in the lives of patients and other customers. You can learn more about our heroes by following MRO on Facebook, Twitter, LinkedIn and Instagram.

Additionally – and just in time for HIP Week – recently named MRO to their list of the 125 top workplaces in the Philadelphia area, based on responses to our annual employee survey. The survey noted MRO’s professional development and growth, career advancement opportunities, training and educational programs, our positive workplace environment and people.

Here’s what some of our employees had to say:

  • “Our company is focused on providing the highest level service to our clients and the patients they serve. The management staff operates with integrity and truly cares.”
  • “The training process at MRO is the best one I have ever experienced.”
  • “MRO provides a positive atmosphere and job opportunities, as well as open communication. Every day is a new learning experience.”
  • “My work is valued, and I am given opportunities for professional development and growth. This is an exciting place to work!”

At the MRO National Service Center in Valley Forge, Pennsylvania, and across our client sites throughout the nation, we are having fun celebrating HIP Week and thanking our employees for making MRO such a great place to work. We hope you are also enjoying the week of festivities and celebration of the HIM profession.

Thank you to our clients and our employees for all the masterful work you do.


HCCA Compliance Institute Hot Topics: Patient Access to Health Information and Privacy Breaches

As patients continue requesting access to their Protected Health Information (PHI) in greater numbers, removing barriers to access continues to be one of the hottest topics in compliance. In addition to adding complexity to the process of disclosing PHI, this increased demand for access, and the accompanying U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) guidelines for providing easy access, has had the negative side effect of increasing breach risk.

To mitigate this rise in breach risk, healthcare organizations can standardize PHI disclosure processes and procedures across their organizations. As we gear up for the annual HCCA Compliance Institute, here are some things to keep in mind:

OCR Guidance Promotes Patient Access to Health Information

Under the new OCR guidance, healthcare organizations cannot create barriers or unreasonably delay patient access to health information. For example, one of the most common compliance mistakes is requiring patients or their personal representatives to submit HIPAA-compliant authorizations when requesting PHI.

Small Scale Privacy Breaches Are Also a Threat

Increased access for patients can also lead to an increase in small-scale breaches affecting fewer than 500 patients at a time. Unlike more attention-grabbing cybercrimes or device thefts, breaches occurring during normal Release of Information (ROI) processes are far more common, and just as devastating to healthcare organizations.

MRO research has found as many as 40 points of disclosure within healthcare organizations, and with the growing number of requests flooding a changing market, risk will continue to rise as organizations attempt to handle the higher volume. Standardizing and centralizing PHI disclosure management is key to combating these breaches.

HIPAA Audits are in Play

OCR Phase 2 HIPAA audits are in motion and include Business Associate desk audits and HIPAA Breach Notification and Security Rule compliance evaluations. HIM and compliance professionals alike are eager to learn the findings of these audits, and we look forward to sharing what we learn as soon as more information is available.

To learn more about these hot compliance topics, visit MRO at booth #325 at this year’s HCCA Compliance Institute. Fill out the form to schedule your meeting.


HIMSS17 Reflection: Security Driven to Forefront of Compliance

It’s wonderful to be surrounded by like-minded people seeking solutions to similar business challenges, and the annual HIMSS Conference and Exhibition always proves such an occasion for Health Information Technology (HIT) and Health Information Management (HIM) professionals. This year, over 42,000 HIT and HIM professionals, executives and vendors convened in Orlando for cutting-edge educational and networking opportunities.

My primary focus at the conference was to explore how today’s challenges can be turned into opportunities to strengthen MRO’s security posture and compliance stances, and also to provide more secure and efficient ways of exchanging Protected Health Information (PHI).

Privacy has come a long way in a handful of years, and now security is being driven to the forefront of compliance regulations. Here are some takeaways:

General Threat Detection

As the risk and threat landscape continues to evolve, organizations need to adapt. We must be ever-diligent in applying the proper safeguards, like implementing evolving and adaptive multi-tiered and multi-layered technologies to protect our sensitive assets, such as clinical, pharmacy or patient data. One specific threat facing healthcare organizations is ransomware.


Ransomware attacks – the hijacking and encrypting of an organization’s data by cybercriminals for purposes of extortion – are a major source of risk. These attacks are typically caused by employees clicking malicious links in emails or unknowingly opening files containing malware, which renders data inaccessible.

Humans continue to be the weakest link in the healthcare security chain. Ongoing staff training can mitigate this risk. Regular training activities, like phishing exercises, can help instill security best practices in employees. Business Associates (BAs) should also provide regular ongoing training to their employees.

Third Party Vendor Management

Third party vendor management is another tough challenge facing the industry. Whether it comes from compliance requirements imposed by Covered Entities (CEs) on their BAs or requirements trickling down to vendors partnered with BAs, establishing trust and providing accurate assurances are necessary to operate in the medical space today. Risk assessments are a large part of this. Whether organizations are assessing themselves as part of their ongoing risk management programs, conducting formal third party assessments or engagement level assessments, all organizations need to conduct ongoing risk and third party due diligence.

The adoption of common privacy and security criteria that healthcare organizations can attest to through groups like the Health Information Trust Alliance (HITRUST), and that can then be trusted many times over, has been slow but encouraging. Benefits of such attestation include minimized maintenance and management of third party assessments.

HIT and HIM professionals must be prepared to implement newer controls, provide more adaptive and holistic threat and breach management, and prepare to deal with and recover from the potential technical incidents impacting our organizations.

Learn more about third party vendor management in the MRO blog post “Four tips for Business Associate and subcontractor management.”


Insights from MRO’s Legal Expert: Release of Information – Risky Business

While cyberattacks and device theft make good news stories, it’s far more likely for Protected Health Information (PHI) breaches to occur during routine Release of Information (ROI) requests. These improper disclosures are just as damaging to healthcare organizations as larger breaches. With this in mind, safeguarding health organizations against breach should be a top priority.

Factors driving breach risk

As PHI disclosure points and ROI requests increase, the likelihood of breaches occurring during the ROI process will also increase. Differing electronic medical record (EMR) systems and a lack of standardized policies and procedures contribute to the rise in breach risk associated with the recent surge in healthcare mergers and acquisitions. Another factor is the growing volume of requests in a changing market.

An emphasis on value and quality care means more commercial and government payer audits. Additionally, more and more patients wish to be directly involved in healthcare decisions and thus want greater access to their records. This larger number of requests, along with the faster and more frequent exchange of PHI, will logically lead to increased risk.

Unintentional employee actions cause breach

MRO research shows 20-30 percent of ROI authorizations are initially invalid, and without a second review, up to 10 percent of these invalid authorizations are processed. Additionally, five percent of data in EMRs have data integrity issues, such as commingled records, which can lead to improper disclosures. This is likely due to employee negligence. According to a May 2016 Ponemon Institute survey, 36 percent of PHI data breaches were caused by “unintentional employee action.”

The cost of PHI breach

Breaches are costly. Each breach costs between $8,000 and $300,000, according to the American National Standards Institute, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, and up to $1.5 million for recurrence. But the cost isn’t just monetary – breach also means loss of brand value.

According to Ponemon, 89 percent of surveyed healthcare organizations reported a PHI breach between May 2014 and May 2016, and 45 percent reported more than five in that same timeframe. As of January 2017, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has assessed approximately $58.51 million in settlement agreement fines or civil money penalties for data breaches.

ROI is a risky business. In today’s changing HIM landscape, the need for safeguarding health organizations against breach has grown exponentially. Standardizing policies and procedures by implementing an enterprise-wide strategy for PHI disclosure management, ensuring multiple layers of Quality Assurance are applied throughout the release process, and employing a well-trained and knowledgeable workforce are best practices for preventing small breaches that could potentially occur during the ROI process.

To learn more, fill out the form and read our eBook, Breach Risk in Release of Information: Don’t Leave Risk to Chance.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.
