
How to Ensure Proper PHI Disclosure across your Healthcare Enterprise


When it comes to Protected Health Information (PHI), one of the main duties of Health Information Management (HIM) departments is to protect their patients’ privacy and ensure proper disclosure. HIM departments have long had a reputation as the top disclosers of PHI within a healthcare enterprise. However, recent trends in PHI disclosure management are changing that. Combined requests from other areas such as radiology, business offices, and physician practices are matching, if not exceeding, the PHI disclosure volumes in HIM. Having this many departments manage PHI disclosure produces high volumes of records and increases risk. Below are a few best practices, as outlined in a Journal of AHIMA article, for how HIM professionals can ensure proper disclosure and mitigate breach risk.

Know the Risky Spots: Audit your Points of PHI Disclosure

A practical first step is to conduct an enterprise-wide audit of all PHI disclosure points. The audit should be conducted and updated yearly as part of your organization’s privacy compliance assessment. Auditing your enterprise helps HIM leaders become aware of the risks, which they can then work to mitigate. HIM professionals should audit non-HIM PHI disclosure areas to ensure compliance with relevant laws. During the audit, HIM leaders should review a list of items for disclosures, which includes date received, date delivered and more.

Train and Educate Based on Needs

Training is essential for safe and compliant enterprise-wide Release of Information. This goes for the HIM department as well as any other employees that release PHI. Well-trained ROI staff keep the flow of information running smoothly. Based on the individual department’s most common requests, ROI training should be focused on accuracy, include all HIPAA privacy basics, and include the following six PHI disclosure management fundamentals:

  1. Track and monitor each type of request being received.
  2. Define each type of request.
  3. Emphasize accuracy.
  4. Reiterate minimum necessary.
  5. Coach personnel on patient requests.
  6. Direct requests to HIM.

Establish HIM as the Enterprise-wide PHI Gatekeepers

Annual HIM reviews and continuous communication with other departments that release information are essential to mitigate breach risk, expedite payer reimbursement, and prevent a requester dissatisfaction crisis. Non-HIM staff are focused on their core competency areas and are rarely trained in proper PHI disclosure management. The result is often hasty PHI processing and increased risk of breach. To mitigate risk while also ensuring the appropriate ROI, HIM departments should maintain oversight of PHI disclosure management across the entire enterprise—not just within HIM.


HIMSS18 Recap: Patient Data Takes Center Stage for Privacy Protection


The 2018 Healthcare Information Management Systems Society’s (HIMSS) Health IT Conference (HIMSS18) hosted more than 43,000 attendees. Groups of healthcare industry professionals filled educational sessions and convention hall aisles on March 5–9 in Las Vegas. With over half of attendees representing provider, payer, and governmental agencies, HIMSS reaffirmed its position as the top event for everyone involved in the health information technology (HIT) industry.

As Vice President of Privacy, Compliance, and HIM Policy for MRO, my personal focus at HIMSS18 was on the need for greater patient data integrity and evolving data privacy. Below are a few main points and strategic tasks gleaned for fellow patient privacy professionals. I discuss these points in more detail in this article.

Break Down Barriers

Attendees this year intentionally focused on the need to make health information accessible and fully actionable. The importance of creating actionable data, versus simply sharing information, was a key point throughout HIMSS18.

Direct sharing of the Continuity of Care Document (CCD) was another strategic task presented to HIT professionals during HIMSS18. CCD includes the predefined data elements needed for continuing care in any setting. The underlying thought is that these data elements could be shared through direct messaging to the next caregiver and prepopulate the provider’s EHR for continuity of care. The same reasoning would hold that these data elements should be downloadable to the patient application of choice so the patient always has this information.

The bottom line for data access in healthcare: information silos must be eliminated.

Encourage Patient Ownership

Multiple sessions covered the importance of patient ownership of personal healthcare data. To effectively meet the goal of patient ownership, speakers reiterated the need for data segmentation. For example, patients can specify which data they want to be held privately—not the entire record, but granular information at the data element level.

The General Data Protection Regulation (GDPR), the European move to segment data for special protections, was also covered in detail at HIMSS18. Patient privacy is now a global initiative. For more information on this topic, download a copy of MRO’s recent webinar on the topic.

Finally, information for quality reporting was a central topic, as quality reporting moves from an encounter-centric to a patient-centric approach. Both of these capabilities, data segmentation and whole patient reporting, must be supported as healthcare makes the transition to value-based purchasing.

Watch Threats, Ensure Compliance

Cloud computing vulnerabilities remain top of mind for all healthcare providers, payers, and governmental agencies. For Business Associates (BAs) using cloud computing, speakers emphasized the need to know where data resides and how it is controlled. These details should be in BA Agreements, along with specifications on how the confirmed BA meets security regulations.

Effective healthcare privacy compliance plans must manage policies and procedures, auditing, disciplinary guidelines, and corrective actions. Focus on your ability to detect, respond to, and recover from any privacy or security events through proactive risk plans and accountability to protect patient data.

People, processes, and technology are the golden keys for privacy and security compliance and breach prevention.

The biggest benefit of attending the 2018 HIMSS annual conference was gaining useful knowledge. Technology is rapidly advancing, and the conference is one of the best venues to observe the transformational impact of technology on the healthcare industry.
