
AHIMA Convention Reflections: Business Associate Management and Best Practices for Risk Analysis

At the 2017 AHIMA National Convention and Exhibit, Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, and I co-presented a session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis.” In this presentation, we discussed ways to manage risk associated with Business Associates (BAs) for Covered Entities (CEs).

Rita and I reviewed industry trends around the renewed focus on vendor relationships and compliance, and the Office for Civil Rights’ (OCR) increased scrutiny of BAs. We covered many key components of thorough due diligence when evaluating BAs, and the necessary ongoing risk analysis once partnered.

The audience learned best practices that they can incorporate into their risk assessment process, which will make Business Associate management more bearable. Below is a video interview where I recap the presentation.

Video Recap: Managing Risk Associated with Business Associates for Covered Entities


Video Transcript

Anthony: I am Anthony Murray, Vice President of Information Technology for MRO.

Question: Tell us a little bit more about your presentation and the topic of BA Management.

Anthony: Today, Rita Bowen and I presented on managing risks associated with Business Associates for Covered Entities. I think primarily what we were trying to drive home was a consistent approach to assessing risk when doing business with Business Associates within the Covered Entity space. It is a broad and deep topic. We covered a lot of different ways and concepts, so hopefully they came away with some ideas that they can incorporate into their risk assessment process to hopefully make their dealing with BAAs (Business Associate Agreements) a little bit more bearable.

Question: What best practices did you discuss during your presentation?

Anthony: We talked a lot about access controls, understanding the governance that’s in place, and trying to read the maturity scales of the Business Associates. What it really boiled down to was hopefully distilling down and understanding the services that the vendor is providing and associating the appropriate risk level to them. Based on the risk level, you hope to identify how deep into the privacy and security controls that they have in place are important to you as a company.

Question: What is MRO doing to address this topic?

Anthony: MRO is doing a number of things to help address this topic. One is, we have ongoing certifications to help augment what our CEs are going to do to assess us from a risk perspective. So, we’re trying to achieve things like HITRUST and perform our SSAE 16 and SOC type 2 audits. In addition, we also employ a number of very transparent controls that we talk about from the very onset of our relationship with our clients: how we manage access controls, how we report incidences and privacy threats, all the way down to even giving access to our end-user ongoing training seminars.

Question: What are some of the biggest trends and themes you’ve noticed at this year’s convention?

Anthony: I actually think this was one of the bigger topics, between cyber and general privacy concerns with some of the changes in legislation. What you’re seeing is a continued focus on the business associates and the risk they present. We saw a lot of good traction that we’re getting the paperwork done when it comes to managing your business associates, but continuing to develop and look at the threat profile of the BAs continues to be a hot topic here.

Question: What is your favorite part about AHIMA?

Anthony: My favorite part of AHIMA is being around people who are all sharing the same struggles, challenges and opportunities that I’m facing. As a Business Associate, I’m confronted with CEs and other agencies like ourselves that provide services to these hospitals, all dealing with the same problems, and being able to come together as a community and discuss it is just so reassuring that we’re not left out on an island.


Five Ways CEs can Mitigate Breach Risk Associated with BAs

As advancements in health information technology allow increased access to Protected Health Information (PHI), the risk of breach is on the rise. In 2017 alone, there have been 233 reported data breaches, which have impacted 3,159,236 patients. This steady climb suggests that Covered Entities (CEs) and Business Associates (BAs) are still struggling to establish the measures needed to protect patient data and confidentiality.

CEs must be vigilant about the risks and threats directly related to their activities. And now more than ever, they need to focus on the additional threat vector presented by their BAs. As you would expect, the types of breaches encountered by BAs are similar to the threats facing CEs. The causes of breaches include malware/ransomware incidents, accidental disclosures, loss or theft of media containing sensitive data, physical loss of records, application and system vulnerabilities, social engineering exploits and payment fraud. While there are many different culprits of breach, improper and accidental disclosure of PHI is the most common cause of data security incidents. These improper disclosures of PHI include a wide range of errors such as comingled records and misdirected faxes and emails.

The impact of BA breaches on patients of a CE can run deep—from cases of identity theft to exposure of sensitive information regarding a condition, treatment or test that could lead to harm, embarrassment or discrimination. If fines are levied, sanctions and actions will be held against the CE as well.

In an upcoming AHIMA Convention educational session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis,” my colleague Rita Bowen, MA, RHIA, CHPC, CHPS, SSGB, and I will review ways CEs can mitigate breach risk associated with BAs. The following is a sampling of what we will discuss.

    1. Perform initial due diligence. Identify what services are being performed, where the services are being performed, and what contracts should be in place including Master Service Agreements (MSAs), Business Associate Agreements (BAAs), Nondisclosure Agreements (NDAs), Data Use and Reciprocal Support Agreement (DURSA) and others.
    2. Get your security and compliance teams on board early in the process to avoid delayed services or rushed assessments. I cannot tell you how many meetings I’ve attended with our prospective client’s security and compliance teams, when we are just days away from finalizing a contract, and their opening statement is: “Well this is the first time we’re hearing of this. Let’s start from the beginning.” So, we just lost two weeks getting a project started, and the client needs us to go live in seven days. To avoid these types of delays, it’s recommended to have security and compliance teams involved in the onboarding of new partner services and technologies early in the process.
    3. Have a standard assessment. Have an equal way to measure the risk associated with the various services BAs can provide. No one shoe fits all, but attempting to keep the assessment process as standardized as possible allows for better assessments of risk. This assessment should cover all the applicable administrative, physical and technical controls associated with the services provided—all shoe sizes!
    4. Confirm cyber insurance. Make sure your BAs have adequate cyber insurance protections in the event of a breach—based on the services being delivered and the associated risk.
    5. Perform annual reviews and third-party assessments. Healthcare organizations should implement a formal program to review their BAs on an appropriate schedule. This review would include your standard assessment (or an abridged version of it) plus any third-party certifications, accreditations or audits your BA has achieved.


HIMSS17 Reflection: Security Driven to Forefront of Compliance

It’s wonderful to be surrounded by likeminded people seeking solutions to similar business challenges, and the annual HIMSS Conference and Exhibition always proves such an occasion for Health Information Technology (HIT) and Health Information Management (HIM) professionals. This year, over 42,000 HIT and HIM professionals, executives and vendors convened in Orlando for cutting-edge educational and networking opportunities.

My primary focus at the conference was to explore how today’s challenges can be turned into opportunities to strengthen MRO’s security posture and compliance stances, and also to provide more secure and efficient ways of exchanging Protected Health Information (PHI).

Privacy has come a long way in a handful of years, and now security is being driven to the forefront of compliance regulations. Here are some takeaways:

General Threat Detection

As the risk and threat landscape continues to evolve, organizations need to adapt. We must be ever-diligent in applying the proper safeguards, like implementing evolving and adaptive multi-tiered and multi-layered technologies to protect our sensitive assets, such as clinical, pharmacy or patient data. One specific threat facing healthcare organizations is ransomware.

Ransomware attacks – the hijacking and encrypting of an organization’s data by cybercriminals for purposes of extortion – are a major source of risk. These attacks typically begin with employees clicking malicious links in emails or unknowingly opening attachments that carry the malware, which then encrypts the organization’s data and renders it inaccessible.

Humans continue to be the weakest link in the healthcare security chain. Ongoing staff training can mitigate this risk. Regular training activities, like phishing exercises, can help instill security best practices in employees. Business Associates (BAs) should also provide regular ongoing training to their employees.

Third Party Vendor Management

Third party vendor management is another tough challenge facing the industry. Whether it comes from compliance requirements imposed by Covered Entities (CEs) on their BAs or requirements trickling down to vendors partnered with BAs, establishing trust and providing accurate assurances are necessary to operate in the medical space today. Risk assessments are a large part of this. Whether organizations are assessing themselves as part of their ongoing risk management programs, conducting formal third party assessments or engagement level assessments, all organizations need to conduct ongoing risk and third party due diligence.

The adoption of common privacy and security criteria that healthcare organizations can attest to once, through groups like the Health Information Trust Alliance (HITRUST), and then have that attestation trusted many times over, has been slow but encouraging. Benefits of such attestation include less maintenance and management of repeated third party assessments.

HIT and HIM professionals must be prepared to implement newer controls, provide more adaptive and holistic threat and breach management, and prepare to deal with and recover from the potential technical incidents impacting our organizations.

Learn more about third party vendor management in the MRO blog post “Four tips for Business Associate and subcontractor management.”


Leveraging Technology for Accurate and Efficient Disclosure of Protected Health Information


Lancaster General Health/ Penn Medicine’s Charlotte Walton-Sweeney, RHIT, Director of Health Information Management, and MRO’s Anthony Murray, Vice President of Information Technology (IT), explore how IT is helping healthcare organizations cut processing times while ensuring accurate Release of Information.

ADVANCE for Health Information Professionals


2017: Predictions for Health Information Management


I recently sat down with my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, MRO’s Vice President of Privacy, Compliance and HIM Policy, to talk about our predictions and expectations for 2017 regarding Health Information Management (HIM), specifically our areas of expertise – privacy and security.

There are many unknowns with the incoming administration – some initiatives could be strengthened, some weakened, some totally done away with – but there are some things that will undoubtedly stay relevant, at least for some time, which we’ll cover in this blog.

Focus on vendor relationships and Business Associate compliance

Over the past few years we’ve seen an influx of third party risk assessment surveys at MRO. In addition to initial surveys during the evaluation phase, annual surveys are now more common. This focus on privacy and security stems from the 2013 Omnibus Rule, which updated HIPAA and HITECH. These updates made Covered Entities (CEs) responsible and financially liable for their Business Associates (BAs), and also made BAs responsible for any associated penalties.

With this in mind, the creed for CEs conducting due diligence should be “trust but verify.” Be sure to partner with the appropriate people and organizations, and use a standardized assessment to ensure potential BAs are focused on privacy and security and have the proper staff in place, in terms of both headcount and skillset.

Patient-generated health data and telemedicine

The rise of patient-generated health data and telemedicine continues to impact HIM, and we predict it will present ongoing challenges to be addressed in 2017.

Some of these challenges include the increased use of patient portals and unencrypted personal devices, as well as a growing interest in population health. Deciding how to incorporate this new information into health records, along with developing a plan for managing and releasing patient-generated data should be an integral part of every Information Governance strategy moving forward.

OCR guidance on patient access

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) stated they will release new guidance on providing patient access to Protected Health Information sometime during the first quarter of 2017. This guidance is expected to include further direction on Release of Information requests from attorneys, a source of perpetual confusion.

So, what do we know for sure going into 2017? Be ready for anything.


Four ways HIM leaders can leverage technology to improve the Release of Information process


In today’s fast-changing healthcare environment, health information management (HIM) professionals encounter a variety of challenges, including Information Governance, standardizing disclosure processes across an enterprise, operating in an environment of disparate information technology (IT) and paper systems, managing data integrity, and navigating the sharing of electronic Protected Health Information (ePHI) and interoperability initiatives. These challenges, however, can be turned into opportunities for forward-thinking, tech-savvy HIM leaders to establish organizational leadership and develop innovative strategies.

MRO will lead an educational session at the upcoming AHIMA Convention and Exhibit in Baltimore exploring some of these opportunities. Alongside our Release of Information (ROI) client Charlotte Walton-Sweeney, RHIT, Director of HIM for Lancaster General Health/Penn Medicine, we will discuss how HIM leaders can leverage technology to improve operational efficiency, increase security and mitigate breach risk.

The following is a sneak peek into some of the ROI tips we’ll cover:

1. Deploy an enterprise-wide ROI platform
MRO research shows that a health system can have as many as 40 disclosure points, including HIM, radiology, billing offices and physician practices. Deploying one platform across a health system ensures standardized policies, procedures and technology are in place; improves compliance; and provides centralized oversight of ROI.

2. Utilize integrations with EMR and other hospital IT systems
Automating manual steps of the ROI process by enabling system integrations saves time and drives accuracy. Sophisticated ROI vendors offer such system integration solutions, like MROeLink®. At its core, MROeLink is a direct synchronization between MRO’s PHI disclosure management platform, ROI Online®, and the ROI module within the Epic electronic medical record (EMR) system. It also includes a variety of other IT system integrations, such as an MPI patient lookup feature, which enables HIM staff to electronically access patient identifiers, demographics and encounter history directly within ROI Online, eliminating the need for copying or retyping information.

3. Implement electronic delivery methods
Implementing electronic delivery methods, such as portal technology, esMD for CMS audits, integrations with the U.S. Social Security Administration for disability determination, and Direct Secure Messaging all improve efficiency by reducing associated time and labor, and reduce risk by moving paper processes to secure, electronic methods.

4. Leverage Quality Assurance (QA) technology
Technology can be used to enhance QA in the ROI process. For example, MRO’s record integrity application IdentiScan® is powered by optical character recognition (OCR) technology that “reads” medical records to identify comingled records, resulting in accuracy rates of 99.99 percent.

Be sure to attend our session at AHIMA to learn more, and complete the form below to request a copy of a case study detailing how Lancaster General Health/ Penn Medicine partnered with MRO to improve ROI quality, service and efficiencies.
