Small-scale privacy breaches, like those caused by errors in the Release of Information (ROI) process, can be just as damaging to healthcare organizations as larger breaches. The repercussions include both monetary penalties and reputational harm. With the stakes this high, it is important to ensure the highest levels of quality when disclosing Protected Health Information (PHI).
The Cost of PHI Breach
Although small breaches, affecting fewer than 500 patients per incident, are not usually broadcast as widely as a large cyberattack, the financial impact is real.
• Each breach can cost between $8,000 and $300,000, not including HIPAA violation civil penalties.
• Penalties are rising to as much as $50,000 per breach with a maximum of $1.5 million annually for repeated occurrences.
• As many as 10 states now consider HIPAA to be the “relevant standard of care for state privacy violation claims brought by individuals.”
Release of Information – Risky Business
Criminal attacks and lost or stolen devices were the root cause of most PHI data breaches in recent years, but almost as many—40 percent—were due to “unintentional employee action,” according to 2015 survey results from the Ponemon Institute.
Unintentional employee actions include more than using the wrong fax number or mailing address when disclosing PHI. There are multiple points in the ROI process that can result in breaches.
• With typical ROI workflows, 20 to 30 percent of all submitted authorizations are initially found to be invalid. MRO’s research shows there are around 100 types of authorization errors.
• Five percent or more of patient data in Electronic Medical Records (EMRs) have integrity issues, including comingling of patient records.
• Well-trained ROI specialists will catch the majority of mixed records; however, with just one level of quality control, up to 0.7 percent will contain mixed patient data.
Additionally, in the typical ROI workflow, requests for health information come into a facility and are logged by onsite ROI staff who also handle many other responsibilities, such as requester calls, support and issue resolution, record retrieval, invoicing and collections, producing copies, and delivering records. There is no “second set of eyes” for Quality Assurance. This approach results in inefficiencies, distractions and increased errors.
Closing the Quality Assurance Gap in ROI
At MRO, we believe the best practice is to ensure “second set of eyes” Quality Assurance measures are taken across multiple steps of the ROI process. Not one, but two teams should check each ROI authorization for accuracy, in addition to checking PHI multiple times for accuracy, e.g. ensuring there are no comingled records.
Sophisticated ROI vendors will offer technologies to assist with this process – like MRO’s IdentiScan® record integrity application that uses optical character recognition to scan for mixed patient data. Technology, such as barcoding systems, can also be used to maintain shipping integrity.
Introducing MRO’s Two Private Eyes on Your ROI
If you subscribe to the Journal of AHIMA, or have visited MRO’s website or social media pages recently, you may have noticed our new campaign called Two Private Eyes on Your ROI. This theme was developed by the creative team at MRO. The idea was born while brainstorming ad concepts that could be tied into a Miami theme, with the 2018 annual AHIMA Convention being hosted in Miami Beach. What started as a Miami Vice theme quickly turned to a private investigator theme when the idea of “Two Private Eyes on Your ROI” – a play on MRO’s “second set of eyes” redundant quality checks within our Release of Information workflow – was bounced around. Since the Miami Vice detectives were with the police force and not PIs, we looked at famous private eyes throughout history and developed the characters Magnum PHI and SureLook Holmes.
Be sure to check out the “premiere episode” of Two Private Eyes on Your ROI by visiting our microsite.