Health Information Management (HIM) and healthcare compliance professionals will concur that there is heightened awareness of small breaches across the healthcare industry. And though small privacy breaches affecting fewer than 500 patients per incident are not usually publicized as widely as large-scale cyberattacks, the impact can be just as detrimental to healthcare organizations.

A small breach can be as simple as making an error in the Release of Information (ROI) process, involving a patient’s Protected Health Information (PHI) mistakenly sent to the wrong person—or the wrong patient’s PHI sent to the correct requesting party.

When you look at the stats, there is plenty of room for those types of errors. MRO’s research shows there are as many as 40 disclosure points across a single healthcare system. Most of those disclosure points tend to be outside of the HIM department, where individuals not trained in proper PHI disclosure management are handling the release of PHI. This trend of expanding disclosure points is one of the key factors driving breach risk in the Release of Information process.

Another risk factor involves gaps in the Quality Assurance (QA) processes. Research shows that roughly 30 percent of all Release of Information authorizations are initially invalid. And if Release of Information workflows lack redundant QA checks, up to 10 percent of those invalid authorizations are processed with errors.

Moreover, 5 percent of patient information in electronic medical records (EMRs) have integrity issues, including comingled patient records. MRO’s research shows that without proper QA measures in place, 1 in 200 records released will contain mixed patient information—which means an organization releasing 100,000 requests annually could potentially release 500 comingled records. That’s 500 potential breaches by way of errors in the Release of Information process.

Filling the Gaps in ROI Workflow to Minimize Breaches

Given the potential risk of breach due to improper PHI disclosure, healthcare leaders should closely review gaps in their PHI disclosure management processes and consider ways to enhance workflows to improve accuracy and quality. Here are some recommendations.

First, deploying an enterprise-wide strategy for PHI disclosure management will standardize policies, procedures and technologies across a health system. As part of that strategy, a streamlined Release of Information workflow helps eliminate inconsistencies, inefficiencies, distractions and errors.

Second, redundant QA checks are vital for PHI disclosure accuracy. Even the most experienced ROI specialists are subject to human error. Multiple layers of QA are needed throughout the lifecycle of an Release of Information request, from receipt through delivery, to ensure accuracy and compliance—and prevent a privacy breach. Best practice is to bolster workflows to ensure multiple teams review both the authorizations and medical records associated with each Release of Information request prior to release.

Providing a “second set of eyes” on all authorizations and PHI before release helps reduce improper disclosures. These additional quality checks should come from a combination of trained ROI specialists and record integrity technology that uses optical character recognition to locate and correct comingled records. For example, MRO offers its patented IdentiScan® record integrity application to ensure PHI disclosure accuracy. This tool scans records for patient identifiers throughout the record set, helping ROI specialists identify and correct mixed patient information prior to release. The right combination of people and technology promotes improved accuracy and minimizes breach risk.

Patent Issued to MRO for IdentiScan Application

Learn more about the benefits of IdentiScan® by watching our video. Complete the form below to request a demo of MRO’s ROI solution, which ensures 99.99% disclosure accuracy.

Managing the disclosure of Protected Health Information (PHI) from within a healthcare organization has become increasingly complex. As the volume of medical Release of Information (ROI) continues to rise, multiple disclosure points place organizations at risk for privacy breach. Many have turned to outsourcing Release of Information to promote proper PHI disclosure. Choosing the right vendor can be a challenge if you don’t know where to start. Here are some suggestions to make the process easier.

DO—Use HIM peer feedback

The best way to begin is by seeking feedback from HIM peers who have experience with ROI vendors. Trusted peers can help with steps to identify vendors that offer high levels of service quality, accuracy and compliance.

Ensure the vendor is equipped to handle a health system your size

In today’s environment, there are fewer independent hospitals than in the past. Increased consolidation among hospital groups adds a new level of complexity due to size of the organization. It’s important to conduct a thorough evaluation to ensure the vendor can accommodate the size of your organization.

Over the years, many independent hospitals have used small local ROI companies that served them well at the time. But as these organizations grow to include multiple facilities with hundreds of clinics, ROI becomes a more complicated process. Vendor reassessment involves two critical considerations—scalability and expertise. Does the vendor have the scalability to meet the needs of all facilities and the expertise to conduct the implementation from a proven project management perspective?

Scalability is especially important for organizations acquiring physician practices. For one organization, we are currently hiring 40 people to serve five hospitals and 300 physician practice locations. Few vendors are equipped to manage a project of that size. Organizations should consider the scope of the project and the vendor’s ability to conduct a smooth and seamless implementation. Best practice is to engage a dedicated implementation team of trained specialists to onboard staff and ensure a successful implementation.

Assess the vendor’s ability to offer high levels of service quality, accuracy and compliance

Your organization must have confidence in the vendor’s ability to measure quality and accuracy to ensure compliance. While seeking feedback from peers, review the company’s resources to assess quality standards, documentation processes, areas of priority and methods of measurement. What is the success rate in terms of service delivery and accuracy? What internal quality measures are in place to ensure proper disclosure of PHI and prevent breach? Also, look for independent measures of quality and reputation of a vendor you’re considering. One of those measures is KLAS, a third-party group that rates companies based on customer ratings.

DO—Visit the vendor

As part of the evaluation process, schedule an onsite visit. At MRO, we welcome the opportunity to show and tell what we do. Showing tells a lot about an organization. Take a tour of the workflow to see ROI processes firsthand. That’s where you’ll see those crucial quality checks.

DO—Leverage the latest technology innovations

Advanced technology is essential to provide optimal ROI services. Top priorities include EMR integration, electronic delivery, optical character recognition (OCR) technology for Quality Assurance, and IT expertise and leadership.

EMR integration

Look for technology with the capability to integrate with most EMR systems. Some ROI companies have built interfaces between their ROI platforms and EMRs to enhance workflows through automation. For example, MRO’s MROeLink® interface with Epic’s ROI module has the capability to automate typically manual and redundant steps in the ROI process to improve efficiency and reduce errors.

Electronic delivery

Organizations today need import and export capabilities that extend beyond extraction of information.

Look for the ability to receive requests and deliver information via electronic interchange. At MRO, we have thousands of portals set up with different organizations around the country to securely receive and deliver information. Additionally, our proprietary interface with SSA’s Disability Determination Services (DDS) and esMD for CMS enables healthcare organizations to enhance revenue, improve efficiency and drive compliance.

OCR technology for Quality Assurance

Quality Assurance requires the right people, processes and technology. The most effective programs offer technology and human intervention to review documents at various points within information management workflows. For example, we suggest a combination of OCR technology and specially trained staff to perform multiple quality checks during the ROI process. MRO’s IdentiScan® OCR validation technology checks for patient identifiers to catch comingled records. Any detected errors are quickly corrected and documented by Quality Assurance experts.

IT expertise and leadership

Finally, consider the vendor’s future plans for investment on the IT side of the ROI process. Many times smaller vendors can’t make large investments required to be on the leading edge of IT. Is the vendor forward thinking regarding IT? What capabilities are in place? Recommended practice is to have extensive internal IT resources backed by plans for future investment. Look for progressive companies with IT knowledge, experience and leadership.

DO—Consider an enterprise-wide approach

A centralized, enterprise-wide approach to PHI disclosure management is the recommended strategy to have complete confidence in achieving compliance. This approach guards a patient’s privacy while also protecting the organization against breach, financial risk and reputational harm. The benefits across the health system include:

• Standardized policies and procedures
• Consistent policy enforcement
• Improved patient and third-party requester experience
• Heightened PHI disclosure accuracy through quality-infused workflows

DON’T—Prioritize low cost over quality

Prioritizing low cost over quality and compliance will cost your organization more in the long run. Everyone wants the most economical deal, but not at the expense of quality. Noncompliance and associated costs are too great a risk. When evaluating a vendor, shop for accuracy and quality.

MRO is proud to be KLAS-rated #1 for outsourced Release of Information services, offering scalability, expertise, innovative technologies, and the highest levels of accuracy, quality and service. To request a demo of our ROI Online® solution, complete the form.

Releasing medical records from a healthcare organization’s business office can be accomplished in a more efficient and cost-effective method. Instead of distracting billers and collectors from their main duties of collecting revenue, business offices should consider the following options to improve efficiency and ensure proper tracking of Protected Health Information (PHI). I provide more detailed information in an HFMA blog “PHI Disclosure Management in the Business Office.”

Centralize all Requests for Records

If the business office wishes to continue to process using their staff, the function should be centralized and assigned to a core group of processors to fulfill all requests. This will help minimize administrative burden from the billers and collectors. Centralization also promotes consistent, standardized processes. These dedicated business office staff should be thoroughly trained in proper PHI disclosure management to maximize efficiency, eliminate redundancy and mitigate risk of HIPAA breach for requests that may fall outside of TPO such as itemized bills for outside attorney requests.

Transfer the Work to HIM

HIM staff are well trained in processing requests for information. They have the knowledge and skills to complete requests efficiently and in compliance with HIPAA guidelines. Nevertheless, some organizations fear delegating this function to HIM because of concerns regarding timeliness and payer deadlines. To reduce turnaround time fears, the following four best practices should be implemented:

1. Ensure open and ongoing communication between the business office and HIM
2. Optimize the use of EHR and PHI disclosure management technologies to route requests and share information
3. Assign dedicated Release of Information (ROI) experts to support the business office and process requests
4. Conduct regular meetings to discuss new trends in payer requests and proactively improve turnaround time through SFTP delivery

Outsource Business Office PHI Disclosures

A number of national firms, including MRO, provide Release of Information services to process payer requests. MRO’s services for business office disclosure management ensure timely delivery of information to payers, full compliance with HIPAA guidelines, and around-the-clock staffing to avoid backlogs or delays.

Careful and strategic tracking of information released, to whom and why, will make the PHI disclosure process more efficient. If your organization needs to improve this process, you should consider: centralization, delegating work to HIM or outsourcing PHI disclosure management. By implementing these alternative workflow options, your organization will be taking the right steps towards improving billing processes and decreasing denials.

Small scale privacy breaches, like those caused by errors in the Release of Information process, can be just as damaging to healthcare organizations as larger breaches. The repercussions include both monetary penalties and reputational harm. With the stakes this high, it is important to ensure the highest levels of quality when disclosing Protected Health Information (PHI).

The Cost of PHI Breach

Although small breaches, affecting less than 500 patients per incident, are not usually broadcasted as widely as a large cyberattack, the financial impact is real.

• Each breach can cost between $8,000 to $300,000, not including HIPAA violation civil penalties.

• Penalties are rising to as much as $50,000 per breach with a maximum of $1.5 million annually for repeated occurrences.

• As many as 10 states now consider HIPAA to be the “relevant standard of care for state privacy violation claims brought by individuals.”

Release of Information – Risky Business

Criminal attacks and lost or stolen devices were the root cause of most PHI data breaches in recent years, but almost as many—40 percent—were due to “unintentional employee action,” according to 2015 survey results from the Ponemon Institute.

Unintentional employee actions include more than using the wrong fax number or mailing address when disclosing PHI. There are multiple points in the ROI process that can result in breaches.

• With typical ROI workflows, 20 to 30 percent of all submitted authorizations are initially found to be invalid. MRO’s research shows there are around 100 types of authorization errors.

• Five percent or more of patient data in Electronic Medical Records (EMRs) have integrity issues, including comingling of patient records.

• Well-trained ROI specialists will catch the majority of mixed records; however, with just one level of quality control, up to 0.7 percent will contain mixed patient data.

Additionally, in the typical ROI workflow, requests for health information come into a facility and are logged by onsite ROI staff that also handle many other responsibilities, such as: requester calls, support and issue resolutions, record retrieval, invoicing and collections, producing copies, and delivering records. There is no “second set of eyes” for Quality Assurance. This approach results in inefficiencies, distractions and increased errors.

Closing the Quality Assurance Gap in ROI

At MRO, we believe the best practice is to ensure “second set of eyes” Quality Assurance measures are taken across multiple steps of the ROI process. Not one, but two teams should check each ROI authorization for accuracy, in addition to checking PHI multiple times for accuracy, e.g. ensuring there are no comingled records.

Sophisticated ROI vendors will offer technologies to assist with this process – like MRO’s IdentiScan® record integrity application that uses optical character recognition to scan for mixed patient data. Technology, such as barcoding systems, can also be used to maintain shipping integrity.

Introducing MRO’s Two Private Eyes on Your ROI

If you subscribe to the Journal of AHIMA, or have visited MRO’s website or social media pages recently, you may have noticed our new campaign called Two Private Eyes on Your ROI. This theme was developed by the creative team at MRO. The idea was born while brainstorming ad concepts that could be tied into a Miami theme, with the 2018 annual AHIMA Convention being hosted in Miami Beach. What started as a Miami Vice theme quickly turned to a private investigator theme when the idea of “Two Private Eyes on your ROI” – a play on MRO’s “second set of eyes” redundant quality checks within our Release of Information workflow – was bounced around. Since the Miami Vice detectives were with the police force and not PI’s, we looked at famous private eyes over history and developed the characters Magnum PHI and SureLook Holmes.

Be sure to check out the “premier episode” of Two Private Eyes on Your ROI by visiting our microsite.