
Using the CRIS Test to Evaluate ROI Competencies

Using AHIOS’s CRIS test to evaluate the Release of Information competencies of its staff is a best practice that every healthcare provider organization should consider to protect patient privacy and mitigate risk. Mariela Twiggs, MS, RHIA, CHP, FAHIMA, Director of Motivation and Development for MRO, and Education Chair for AHIOS, discusses the importance of using this powerful tool.


Training Business Office Staff on PHI Disclosure Management

Millions of payer requests for medical records are sent to hospital business offices every day. Business office staff are often tasked with gathering and releasing Protected Health Information (PHI) to payers in a very short amount of time to get claims paid. During this rush to meet payer deadlines and expedite claims, human mistakes can be made. Critical steps of the Release of Information (ROI) process may be skipped or accidentally omitted. This increases PHI breach risk.

To ensure business office disclosures are kept safe and secure, organizations should train their staff on disclosure management using the same information, curriculum and courses presented to Health Information Management (HIM) teams. Five PHI disclosure management topics to train your business office staff on are listed below.


Five PHI Disclosure Management Topics to Train Your Business Office Employees On

1) ROI and HIPAA Basics

Ensure employees understand the definition of HIPAA (Health Insurance Portability and Accountability Act), the Privacy Rule, the HITECH Act (enacted as part of ARRA) and the HIPAA Omnibus Rule that implemented it, what counts as PHI, and the differences between federal and state law. This distinction is especially important for business offices that process requests for care locations across different states, because HIPAA sets a floor and a more stringent state law takes precedence over it.

Another important topic to cover is the minimum necessary standard of the HIPAA Privacy Rule and the Department of Health and Human Services (HHS) guidance on it. The standard requires that information used, disclosed or requested for a specific purpose, including a payer’s request, be limited to what that purpose actually needs. Business office staff need to know which parts of the record to send to the payer. By training business office staff to fully understand and apply the minimum necessary standard, organizations tighten privacy and mitigate breach risk.

2) Medical Record Components

Make sure to define the various components of the medical record to business office staff. These components include: common documents, various types of encounters, properly documented corrections and amendments.

3) Confidentiality and Legal Issues

Outline the legal health record concept and what it includes for your organization. Additionally, all the various confidentiality and legal issues should be explained in full detail.

4) Types of Requests

List all the various types of requests that might be received in the business office. For each category, state whether it falls under Treatment, Payment and Healthcare Operations (TPO), for which HIPAA permits disclosure without patient authorization, or outside TPO. Requests that fall outside TPO generally require a patient authorization and should be forwarded to HIM for processing.

5) Sensitive Records and Special Situations

Identify and describe specific PHI disclosure management practices related to sensitive records. These cases can include information on genetics, HIV/AIDS, STDs, mental/behavioral health, substance abuse, deceased patients, minors and other sensitive issues. Federal and state law may impose stricter rules on these records than HIPAA does (substance use disorder treatment records, for example, are governed by 42 CFR Part 2, which generally requires the patient’s written consent before disclosure), and business office employees should be aware of them.

If you’re concerned about the ability of business office or other staff to properly and securely process requests, a centralized ROI model may be your organization’s safest approach.


A Lesson in Staff Retention: 15 Reasons Why MRO’s Employees Stay

On May 1, 2017, MRO celebrated our 15th anniversary. As the company continues to grow and evolve, we keep a focus on our “people” – hiring, training and retaining the best and brightest in the industry. Employee retention isn’t an easy feat in the Release of Information (ROI) industry – in fact, the average turnover rate for ROI staff is around 40 percent. At MRO, we keep our turnover at an impressively low 15 percent.

To celebrate our 15th anniversary, we collected a list, through a voluntary employee survey, of the top 15 reasons MRO employees love their release of information jobs. Any employer can learn a lesson or two from the results.

15 Reasons MRO Employees Love Their Release of Information Jobs

  1. Great managers – Managers are a major factor in employee job satisfaction, and a major reason employees stay or go. At MRO, we have programs to develop enthusiastic managers who coach team members to be successful.
  2. Flexible scheduling – People cherish the ability to maintain work life balance.
  3. Enjoyable work – When work is fun and meaningful, employees tend to go the extra mile. I heard an anecdote that really encapsulates this idea. It goes like this: three people were crushing rocks side by side at a construction job, when they were asked, “What is your job?” The first person answered, “My job is to do whatever I am told so I can get a check.” The second person replied, “My job is to crush rocks.” The third person said, “My job is to build a temple.”  Ask yourself, which of these workers do you think is the happiest?
  4. Coworkers – They’re the best! At MRO, we treat coworkers with the same level of customer service as anyone else.
  5. Growing company – MRO has been listed on Inc. 5000’s fastest growing companies list for two years in a row. When a company is growing, not only is it exciting, but it’s an indication of stability.
  6. Fast-paced and exciting jobs – Fast-paced jobs make the day go by. Nobody wants to be bored with all the time we spend on the job!
  7. Making a difference – We are all in search of a clear and driving purpose for our lives, and want to contribute to something bigger than ourselves. At MRO, our work world offers a great opportunity for people to connect with a purpose. We make a difference in the lives of patients, requesters and our clients by getting the right PHI to the right requesters, on time. We remind our teams regularly that they are “everyday heroes.”
  8. Career advancement and promotion opportunities – Developing employees, and promoting within, support a positive culture. That’s our approach at MRO. We also encourage our credentialed health information management (HIM) staff to pursue their educational goals by contributing towards membership dues to the American Health Information Management Association (AHIMA).
  9. Team culture – When everyone is in harmony, working towards a team mission, employees tend to be fulfilled. At MRO, we take pride in our culture, which is based on MRO’s core values of passion, accountability, respect, trust, nurture, excellence and reputation.
  10. Valued ideas and opinions – Everyone wants to be heard, and employees with great ideas can make a huge impact on a company’s success, from improving efficiency with technology ideas, to enhancing quality and service through recommending adjustments to workflow.
  11. Leadership that cares – Leaders, from executive management to direct managers, can cheer staff to achieve their highest levels of excellence.
  12. Stability – When a company is stable, employees have one less thing to worry about. Employees can rest assured about job security, benefits, wages, etc.
  13. Great benefits – Employees don’t take these for granted! Healthcare insurance, personal time off, etc., all support an employee’s wellbeing, attitude and commitment to the company.
  14. Company reputation – MRO has been rated #1 by KLAS for four years in a row, and noted for having both the highest quality and fastest turnaround times in the ROI industry. It’s inspiring to be part of a company that is rated top in its field!
  15. Training programs – People want fun, interactive and easily accessible training – not a boring, old PowerPoint template that has been in use for ten years. MRO Academy is MRO’s primary training tool, offered via a web-based learning management system. Training is continuously updated and offered through the virtual platform.

Other reasons MRO employees listed for loving their jobs included competitive wages, educational opportunities, employee recognition, fun events and charity activities.

In an incredibly competitive business environment, hiring and retaining top talent can be challenging. However, if you listen carefully to what your employees say they love about working for your company – and continue to do more of that – chances are you’ll keep the best of the best working for your organization.


Virtual Academy recap: Six Tips for Business Associate Compliance


HIPAA compliance for Business Associates (BAs) was the topic of MRO’s AHIMA Virtual Privacy and Security Academy session this month. I presented alongside my colleagues Sara Goldstein, Esq., general counsel and Rita Bowen, MA, RHIA, CHPS, SSGB, vice president of privacy, HIM policy and education.

During this three-credit course, we discussed how BAs must now comply with the HIPAA Security Rule and certain provisions of both the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. We emphasized that BAs can be held liable for violating these rules, as well as for violations by their subcontractors.

We also covered several best practices BAs can follow to stay HIPAA-compliant and avoid liability, which you can learn more about in Sara Goldstein’s recent post.

Although it’s difficult to summarize all of the valuable insight shared during our session, the six major tips offered by our experts included:

1. Check your insurance policy
Verify insurance coverage in the event of a HIPAA violation.

2. Conduct regular internal and third-party audits
Regular internal and third-party technical audits, together with the risk analysis the Security Rule requires, are the foundation for implementing its administrative, physical and technical safeguards.

3. Consider applying for Health Information Trust Alliance (HITRUST) certification
HITRUST provides an information security framework to harmonize standards and regulations.

4. Implement the right technologies
Utilizing technologies like encryption, access tracking software and record integrity applications, powered by optical character recognition (OCR) software, can also drive BA HIPAA compliance.

5. Document compliance programs
Business Associate Agreements (BAAs) document each party’s HIPAA obligations and, when the same terms are flowed down to subcontractors, hold them accountable for potential violations.

6. Invest in training and education
Workforce members should undergo formal training at least once a year on privacy, security and compliance, as well as on federal and state disclosure laws, and the healthcare organization’s policies and procedures.

After covering these topics, the Virtual Academy session concluded with a fun, educational and impactful group activity where participants were assigned disclosure management case studies that explored how to identify HIPAA violations and breaches. Rita Bowen and I then tested the participants on their knowledge.

MRO’s team will delve more into the topic of BAs in the next session of AHIMA’s Virtual Privacy and Security Academy: “Advanced Business Associate and Subcontractor Management” on November 9, 2016. If you are interested in attending the session, please fill out the form below and you’ll receive MRO’s promo code for a 15 percent discount.


Privacy and security series, part 3: Prevent ransomware from holding your organization hostage


For the second year in a row, cyberattacks were the leading cause of data breaches in healthcare, according to the Ponemon Institute’s recently released “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.”

Ransomware, malware and denial-of-service (DoS) attacks are the most common and fastest-growing cyber threats facing healthcare organizations, according to the study. Protecting your organization from an attack, however, is highly feasible if you pursue a rigorous and consistent program of employee training, testing and IT system updates.

Increase in cyberattacks led by ransomware and DoS

Most ransomware attacks, in which criminals encrypt an organization’s data and demand payment for the key, start with an employee clicking a malicious link in an email or opening an attachment that installs the malware, which then encrypts files and renders them inaccessible.

The malware typically displays a ransom message demanding payment, frequently in bitcoin, in exchange for decrypting the computer or server. Cybercriminals are aided by a “dark web” presence, where they can partner with other criminals to execute attacks.

Since data drives safe and effective healthcare decisions, organizations often pay the attackers’ ransom when operations are crippled. An attack that encrypts PHI may also be a reportable breach under the HIPAA Breach Notification Rule, although not all organizations have been reporting these types of attacks to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

Educate staff and implement safeguards

OCR is currently working on guidance for reacting to and reporting ransomware, but there are three essential steps healthcare organizations should take today to help avoid becoming a victim:

  • Education: Employees should be trained about the threat of ransomware—not to click on suspicious links or attempt to access unknown flash drives, and to report suspicious emails.
  • Testing: Once a year phishing exercises to test employees’ training are not enough to prevent the next attack. These tests need to be continually repeated at random to drive employee compliance with security policies and procedures.
  • Updates: Organizations need to follow recommended IT-management practices, including applying software patches, anti-virus updates and other software tools as soon as they become available, and keeping tested backups isolated from production systems so that encrypted data can be restored without paying a ransom.

At MRO, we seek to mitigate breach risk from all angles, from our Quality Assurance-infused Protected Health Information (PHI) disclosure management workflow to ensuring our staff is properly trained to avoid cyberattacks. Training quality is ensured through MRO Academy, our rigorous and required online educational and testing platform, with the most up-to-date HIPAA regulations and Release of Information (ROI) requirements at the federal, state and facility level. To learn more about MRO’s training and education programs, click here.


Privacy and security series, part 1: OCR protocols for phase 2 HIPAA audits


On March 21, 2016, the Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), Jocelyn Samuels, announced the launch of Phase 2 of its HIPAA compliance audit program for covered entities and business associates. Expanding upon Phase 1 audits conducted in 2012, Phase 2 audits will use newly released audit protocols.

What to expect
Starting this month with limited-scope desk audits running until July, and on-site full compliance audits later in 2016, Phase 2 of the HIPAA audit program is now in effect. Additional details on what to expect from the audits are outlined in our previous Phase 2 audits blog post. In this post, we’ll take a look at the recently announced audit protocols, which had not yet been released when we wrote that post, and how your organization can ensure it’s prepared.

The new audit protocols are more specific than the previous audit protocols, addressing documentation requirements more comprehensively than the 2012 version. In total, there are 169 audit protocols: 78 for security, 81 for privacy and 10 for breach notification. Approximately one-third of the protocols ask for documentation, which will need to be submitted electronically to the OCR’s new secure online portal. With regard to privacy, the major areas are 1) uses and disclosures, 2) minimum necessary standard, 3) patient rights, 4) notice of privacy practices, 5) business associates and 6) administrative requirements.

How to prepare your organization
The best way to get ready for these compliance audits is to prepare the workforce and assemble an audit team that can communicate effectively with senior management and champion compliance activities. Here’s how to get started:

  • Educate the team: Present information on the audit protocols and inquiries, reviewing how and where your organization’s relevant documentation can be accessed for potential audit requests.
  • Conduct internal audits: After the review, a mock audit team could be assembled to simulate complying with some or all of the Phase 2 audit protocols.
  • Address potential gaps: The mock audit should help identify areas where policies and procedures may be lacking or insufficiently documented. Those corrections should be completed before the Phase 2 desk audits begin.

Although the OCR released the protocols prior to soliciting input, they invite the public to submit feedback by emailing

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation.



Achieving PHI disclosure compliance requires standardized policies and procedures

Last week’s news that the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is launching Phase 2 of its HIPAA audit program likely grabbed the attention of compliance professionals across the country. I anticipate that due to this new round of audits, and the large number of Protected Health Information (PHI) breaches last year, major topics of discussion at the upcoming HCCA Compliance Institute will concern best practices around identifying and mitigating risks associated with PHI disclosure.

One area of focus should be centralizing and standardizing PHI disclosure management. While large breaches affecting 500 or more patients made headlines last year, small breaches of fewer than 500 patients happened much more frequently. In fact, of all the PHI breach incidents reported to OCR since 2009, more than 180,000 were small breaches, while there were only 1,400 large ones. Just like the large breaches, small breaches can carry financial penalties from OCR of as much as $50,000 per violation, up to a maximum of $1.5 million per calendar year for violations of the same provision.

In September, the Inspector General of HHS criticized OCR for not putting enough emphasis on investigating small breaches. OCR’s Director, Jocelyn Samuels, has stated that the office is working to implement the Inspector General’s recommendations.

Smaller breaches can be caused by intentional employee snooping, a lack of compliant standardized policies and procedures, or just human error, such as overlooking comingled records in a disclosure. By taking an enterprise-wide approach to PHI disclosure management, and supporting it with training and technology, healthcare organizations can ensure HIPAA compliance across their health system and mitigate breach risk.

Enterprise-wide standardized policies and procedures essential
With the growth of EMRs, as many as 40 PHI disclosure points have been identified in organizations. Concurrently, health systems acquiring physician practices and specialty centers can add to those disclosure points, bringing with them additional risks and liabilities.

Protecting PHI across these growing enterprises requires disclosure policies and procedures that are consistent across the organization, particularly when bringing in physician practices with different EMRs and differing levels of overall compliance.

Adding to the complexity, PHI disclosure regulations can vary at the federal and state level, while the organization may have its own stricter guidelines for releasing information. It is also important to get the right information into the hands of a requester in a compliant and timely manner. Consistently enforced standardized policies and procedures can help address all of these concerns, but proper training and technology is essential.

People and technology for optimal PHI disclosure compliance
Training staff to follow an organization’s PHI disclosure policies and procedures, which should incorporate HIPAA and all relevant state regulations, is the foundation for achieving and maintaining compliance. Significant resolution agreement fines are often levied when organizations have ignored HIPAA requirements for documented policies, procedures and programs to mitigate breach risk.

Training should include timely content, a mixture of learning formats such as videos, interactive training, and testing to ensure effective teaching. This education should be consistently delivered as policies and regulations change and as new information technology is implemented.

Technology helps compliance by mitigating the risk of human error. For example, a procedure may call for checking every page of every disclosure by eye, which some assume to be 100 percent accurate; across thousands of pages, it simply is not.

At MRO, our IdentiScan® solution uses optical character recognition technology to assist our record integrity specialists in identifying and correcting comingled patient records prior to disclosing the PHI. This compliance step ensures our 99.99 percent accuracy rate for getting the right records to right requesters in our Release of Information (ROI) workflow. If a human were to perform such a review, it would be much more time-consuming, greatly reducing productivity.

We’re excited to showcase IdentiScan at the upcoming HCCA event, where we’ll demonstrate use cases for checking for comingled records outside of the ROI workflow. Key integration points include admissions or discharge times; when generated paper is scanned into patient charts; and when records are imported into the EMR from legacy systems.
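The comingled-record check described above can be illustrated with a small script. This is an added example, not MRO’s IdentiScan code or any other product’s code: it assumes OCR text has already been extracted from each page, uses hypothetical regular expressions for the “Patient”, “MRN” and “DOB” labels, and runs over a constructed sample packet of four pages in which page 3 belongs to a different patient and page 4 is a continuation page with no identifiers. The point it shows beyond the paragraph is how such a check should treat the two failure modes differently: a page whose identifiers contradict the request blocks release, while a page with no identifiers at all is routed for human review rather than silently counted as a match. It also repairs the common OCR digit confusions (O for 0, I or l for 1) before comparing MRNs.

```python
import re

# Constructed sample input (not real PHI): the identifiers the request was
# for, and OCR text of four pages pulled from the chart.  Page 3 belongs to
# a different patient (a comingled page); page 4 is a continuation page
# that carries no identifiers at all.
REQUESTED = {"mrn": "00123456", "name": "Doe, Jane", "dob": "03/14/1975"}

PAGES = [
    "ACME HOSPITAL  Discharge Summary\nPatient: Doe, Jane   MRN: 00123456   DOB: 03/14/1975\nDischarged home in stable condition.",
    "ACME HOSPITAL  Lab Results\nPatient: DOE, JANE   MRN: OO123456   DOB: 1975-03-14\nCBC within normal limits.",
    "ACME HOSPITAL  Lab Results\nPatient: Doe, John   MRN: 00123457   DOB: 03/14/1975\nLipid panel elevated.",
    "(continued)  Page 2 of 2\nNo acute findings. Follow up in six weeks.",
]

# Hypothetical label patterns; a real chart would need per-document templates.
MRN_RE = re.compile(r"MRN[:\s]*([0-9OoIl]{6,10})")
DOB_RE = re.compile(r"DOB[:\s]*(\d{1,2}/\d{1,2}/\d{4}|\d{4}-\d{2}-\d{2})")
NAME_RE = re.compile(r"Patient[:\s]*([A-Za-z'\-]+,\s*[A-Za-z'\-]+)")


def normalize_mrn(raw):
    """Repair the digit/letter confusions OCR commonly makes (O->0, I/l->1)."""
    return raw.translate(str.maketrans("OoIl", "0011"))


def normalize_name(raw):
    """Case- and whitespace-insensitive 'LAST, FIRST' form."""
    last, first = (part.strip() for part in raw.split(",", 1))
    return f"{last.upper()}, {first.upper()}"


def normalize_dob(raw):
    """Accept MM/DD/YYYY or YYYY-MM-DD and return ISO YYYY-MM-DD."""
    if "/" in raw:
        month, day, year = raw.split("/")
        return f"{year}-{int(month):02d}-{int(day):02d}"
    return raw


def extract_identifiers(text):
    """Pull whatever identifiers the OCR text exposes; missing ones are absent."""
    found = {}
    if m := MRN_RE.search(text):
        found["mrn"] = normalize_mrn(m.group(1))
    if m := NAME_RE.search(text):
        found["name"] = normalize_name(m.group(1))
    if m := DOB_RE.search(text):
        found["dob"] = normalize_dob(m.group(1))
    return found


def classify_page(text, requested):
    """'mismatch' if any identifier on the page contradicts the request,
    'match' if the MRN (or name plus DOB) agrees, and 'unverified' if the
    page carries nothing that can be compared."""
    expected = {
        "mrn": normalize_mrn(requested["mrn"]),
        "name": normalize_name(requested["name"]),
        "dob": normalize_dob(requested["dob"]),
    }
    found = extract_identifiers(text)
    if any(found[key] != expected[key] for key in found):
        return "mismatch"
    if "mrn" in found or ("name" in found and "dob" in found):
        return "match"
    return "unverified"


def review_packet(pages, requested):
    """Classify every page.  Release is allowed only when nothing mismatches;
    mismatched and unverified pages are queued for a human to resolve."""
    status = {"match": [], "mismatch": [], "unverified": []}
    for number, text in enumerate(pages, start=1):
        status[classify_page(text, requested)].append(number)
    return {
        "pages": status,
        "release_ok": not status["mismatch"],
        "needs_review": status["mismatch"] + status["unverified"],
    }


if __name__ == "__main__":
    print(review_packet(PAGES, REQUESTED))
```

On the sample packet, pages 1 and 2 match (page 2 only after the OCR’d “OO123456” is repaired to “00123456”), page 3 is flagged as a mismatch, and page 4 is left unverified; the packet is therefore held and pages 3 and 4 are sent to a record integrity specialist rather than to the requester. A production check would add per-template label patterns and log every classification so the disclosure audit trail shows why a page was held.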

Staying compliant
Compliance professionals need to understand their PHI disclosure management processes now more than ever because PHI breaches can be financially costly and damaging to reputations.

By implementing compliant, standardized disclosure policies and procedures across the enterprise, organizations can reduce their risk. Through rigorous training, as well as deploying technology to support HIM teams in releasing information, and having regulatory experts on staff to answer questions in real-time, organizations can not only reduce risk, but also improve client service.


Information Governance was the buzz at AHIMA


The 87th Annual AHIMA Convention and Exhibit in New Orleans was a resounding success, despite coinciding with the industry-wide transition to ICD-10 on October 1, the day after the event ended.

Not surprisingly, ICD-10 was a major topic of discussion during the conference. Other topics addressed were emerging issues surrounding data privacy and security including confidentiality, integrity and availability; interoperability; Release of Information (ROI); health information exchanges (HIEs); cyber security; and the Department of Health and Human Services’ Office for Civil Rights audit readiness, as we approach the launch of desk audits.

Information Governance (IG), however, was the most covered topic at the event. AHIMA defines IG as “an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”

To help navigate this increasingly complex issue, AHIMA released an IG tool kit that urges HIM professionals to take leadership in data sharing, budget allocation and collaboration with other departments for an IG plan. To ensure this collaboration is successful, HIM needs to delegate some IG responsibilities to other departments, which can be difficult, but allows the opportunity for HIM to integrate and oversee data silos it wouldn’t have had access to in years past.

This is just one of the emerging IG challenges that our chief technology officer, David Borden, discussed during the educational session he co-presented at AHIMA with Susan Carey, MHI, RHIT, PMP, the system director of HIM for Norton Healthcare in Louisville, Ky., a not-for-profit system comprised of five hospitals, 19 outpatient centers and 140 practice sites. In their session, Borden and Carey urged HIM professionals to “get in the HIE boat” to ensure their voice is heard and considered during HIE planning.

HIM professionals, who are typically the Protected Health Information (PHI) privacy and HIPAA experts within healthcare organizations, need to be integral in this planning because HIE was not created with HIPAA in mind, and has not been updated since. Organizational compliance has taken a backseat to the technical requirements of HIE, as David also said in a dual interview with Susan at AHIMA. This means that without the proper policies, procedures and safeguards, breaches can occur on a larger scale and much more easily than in the past, with only a few keystrokes and mouse clicks, which greatly increases risk and liability for healthcare organizations.

“Very often, it’s not well understood that security and privacy are two very distinct knowledge domains,” David told the publication, as well as AHIMA attendees. “IT is very good at security, and sometimes they may think that means they’re also good at privacy, without realizing that’s just as naïve as someone who’s trained in privacy thinking they understand all the ins and outs of security.”

As David and Susan’s presentation discussed, with the growth of electronic HIE, patient-identity matching is becoming a growing patient safety issue and workflow challenge that usually requires HIM to design a solution, but one that requires IT input and assistance. Patient identity is also one of the many data integrity issues that organizations face including accurately and reliably integrating PHI from other providers into the legal record.

Other emerging issues that David and Susan explored in their presentation include sharing of sensitive and “super-protected information”, such as mental health, AIDS/HIV and substance abuse information; patient consent management, such as opt-in, opt-out, and patient education; and managing the minimum necessary standard requirements for payers in a query-based HIE.

As HIEs expand and connect with other information networks, the rules of the road may change without sufficient input from participants, which is why HIM needs to be ever vigilant in having its voice heard. “I feel like we’re in a good place with HIEs, but there’s a lot more work to be done,” Susan said. “…[K]eeping those avenues open between IT and HIM is really what you want to strive for. We have to understand the roles we all play and what the use cases are.”

For information on these important IG issues that are impacting healthcare organizations, please download the slides from David and Susan’s AHIMA educational session by clicking here.
