
MRO’s Everyday Heroes: A Motivational Initiative

I have a fabulous job title: Senior Director of Motivation and Development. When I meet people, they often comment on my title, saying it’s intriguing and then ask what I do. The development aspect of my job at MRO Corp. includes managing all the training content—creating engaging lessons within our learning management system for our large, diverse workforce. But the truly heartwarming and rewarding part of my job is the motivation aspect. It is my responsibility to manage a program that inspires our workforce. I often joke that I get to play MROprah!

Creating Everyday Heroes

The biggest piece of our motivation plan is a program called Everyday Heroes, which celebrates team members who go above and beyond in their job performance. On a bimonthly basis, we produce an Everyday Heroes Newsletter that tells stories about how the actions of a team member touched someone’s life. The stories come from a variety of sources, but each one is about an MRO customer who received outstanding service and took the time to email an employee’s manager. Sometimes these happy customers send a gift of appreciation or call MRO to say they had a wonderful customer service experience. By far, most of these satisfied customers are patients whose lives have been touched.

Additionally, there are customers such as attorneys, insurance company representatives and our clients who write lovely letters to sing someone’s praises. Sometimes a staff member is asked to tell a noteworthy story about their own MRO coworker. Further, the newsletter features a section called “My Manager Cares” where an employee nominates a manager for excellent leadership and an inspirational skillset.

I recently shared with my daughter that one of my career accomplishments I’m most proud of is being able to touch one person’s heart. This is a privilege I treasure. As the Everyday Heroes program begins its fourth year this January, our CEO asked me how we find all the stories. I explained that inspiration is contagious, so team members and managers continue to send me great material.

I like to say, “We don’t just disclose health information, sometimes we save lives.”

Celebrating Great Customer Service at MRO Corp

Many ROI specialists who handle patient walk-in requests often say the most enjoyable part of their job is making a difference in a patient’s life. Our program celebrates these moments and gives people recognition for great customer service. When acknowledged as an Everyday Hero, honorees receive a gift box with a gift card, an MRO Hero frame containing their story, a candygram and a chance to enter a drawing for a big cash prize. Historically, we’ve had around 60 team members per year receive this honor. At the end of each year, we randomly draw three Everyday Heroes and one “My Manager Cares” for the big cash prize.

How We Make a Difference

As I reflect on all the newsletters I’ve written over the years, some memorable stories come to mind. In one case, a patient was in the middle of surgery when a report from an old chart was needed. Our staff member made the request a top priority and walked the report to the surgery area.

In another case, a husband came in to obtain his wife’s report, explaining that she was in the car because she had difficulty walking. To make things easier, our staff member walked to the requester’s car to obtain the patient’s signature on the authorization form.

Another story that comes to mind featured a manager who stayed at work in the Distribution Center during a blizzard because many employees were unable to get to work. It’s so great to hear, “I have been working for many years with many bosses, but I have never had a manager make a difference in my life the way my MRO Manager has done.” Heartwarming, inspirational, making a difference. We care!

Here are some photos of gifts that have been received by staff members:








To stay updated on our heartwarming and inspirational “Everyday Heroes,” sign up to receive MRO’s newsletters.


Using the CRIS Test to Evaluate ROI Competencies

Using AHIOS’s CRIS test to evaluate Release of Information competencies of their staff is a best practice that every healthcare provider organization should consider to protect patient privacy and mitigate risk. Mariela Twiggs, MS, RHIA, CHP, FAHIMA, Director of Motivation and Development for MRO, and Education Chair for AHIOS, discusses the importance of using this powerful tool.


Training Business Office Staff on PHI Disclosure Management

Millions of payer requests for medical records are sent to hospital business offices every day. Business office staff are often tasked with gathering and releasing Protected Health Information (PHI) to payers in a very short amount of time to get claims paid. During this rush to meet payer deadlines and expedite claims, human mistakes can be made. Critical steps of the Release of Information (ROI) process may be skipped or accidentally omitted. This increases PHI breach risk.

To ensure business office disclosures are kept safe and secure, organizations should train their staff on disclosure management using the same information, curriculum and courses presented to Health Information Management (HIM) teams. Below is a video where I discuss MRO’s unique approach for training and educating employees, as well as five PHI disclosure management topics to train your business office staff on.

PHI Disclosure Management Training/Education at MRO Corp.

Five PHI Disclosure Management Topics to Train Your Business Office Employees On

1) ROI and HIPAA Basics

Ensure employees understand the definition of HIPAA (Health Insurance Portability and Accountability Act), the privacy rule, ARRA HITECH Omnibus, PHI and differences between federal versus state law. This distinction is especially important for business offices that process requests for care locations across different states.

Another important topic to cover is the Health and Human Services (HHS) minimum necessary guidance under the HIPAA privacy rule. This guidance helps organizations determine what information can be used, disclosed or requested by payers for a specific purpose. Business office staff need to know which parts of the record to send to the payer. By training business office staff to fully understand and apply the minimum necessary guidance, organizations tighten privacy and mitigate breach risk.

2) Medical Record Components

Make sure to define the various components of the medical record to business office staff. These components include: common documents, various types of encounters, properly documented corrections and amendments.

3) Confidentiality and Legal Issues

Outline the legal health record concept and what it includes for your organization. Additionally, all the various confidentiality and legal issues should be explained in full detail.

4) Types of Requests

List all the various types of requests that might be received in the business office. For each category, differentiate which are part of Treatment, Payment and Healthcare operations (TPO) and which are not. Those that fall outside of TPO require a patient authorization and should be forwarded to HIM for processing. For a list of types of requests to discuss, read this article.

5) Sensitive Records and Special Situations

Identify and describe specific PHI disclosure management practices related to sensitive records. These cases can include information on genetics, HIV/AIDS, STDs, mental/behavioral health, substance abuse, deceased patients, minors and other sensitive issues. Federal and state legal issues may be involved with these and business office employees should be aware of them.

If you’re concerned about the ability of business office or other staff to properly and securely process requests, a centralized ROI model may be your organization’s safest approach.


A Lesson in Staff Retention: 15 Reasons Why MRO’s Employees Stay

On May 1, 2017, MRO celebrated our 15th anniversary. As the company continues to grow and evolve, we keep a focus on our “people” – hiring, training and retaining the best and brightest in the industry. Employee retention isn’t an easy feat in the Release of Information (ROI) industry – in fact, the average turnover rate for ROI staff is around 40 percent. At MRO, we keep our turnover at an impressively low 15 percent.

To celebrate our 15th anniversary, we collected a list, through a voluntary employee survey, of the top 15 reasons MRO employees love their release of information jobs. Any employer can learn a lesson or two from the results.

15 Reasons MRO Employees Love Their Release of Information Jobs

  1. Great managers – Managers are a huge indication of employee job satisfaction, and a major reason employees stay or go. At MRO, we have programs to develop enthusiastic managers who coach team members to be successful.
  2. Flexible scheduling – People cherish the ability to maintain work-life balance.
  3. Enjoyable work – When work is fun and meaningful, employees tend to go the extra mile. I heard an anecdote that really encapsulates this idea. It goes like this: three people were crushing rocks side by side at a construction job, when they were asked, “What is your job?” The first person answered, “My job is to do whatever I am told so I can get a check.” The second person replied, “My job is to crush rocks.” The third person said, “My job is to build a temple.”  Ask yourself, which of these workers do you think is the happiest?
  4. Coworkers – They’re the best! At MRO, we treat coworkers with the same level of customer service as anyone else.
  5. Growing company – MRO has been listed on Inc. 5000’s fastest growing companies list for two years in a row. When a company is growing, not only is it exciting, but it’s an indication of stability.
  6. Fast-paced and exciting jobs – Fast-paced jobs make the day go by. Nobody wants to be bored with all the time we spend on the job!
  7. Making a difference – We are all in search of a clear and driving purpose for our lives, and want to contribute to something bigger than ourselves. At MRO, our work world offers a great opportunity for people to connect with a purpose. We make a difference in the lives of patients, requesters and our clients by getting the right PHI to the right requesters, on time. We remind our teams regularly that they are “everyday heroes.”
  8. Career advancement and promotion opportunities – Developing employees, and promoting within, support a positive culture. That’s our approach at MRO. We also encourage our credentialed health information management (HIM) staff to pursue their educational goals by contributing towards membership dues to the American Health Information Management Association (AHIMA).
  9. Team culture – When everyone is in harmony, working towards a team mission, employees tend to be fulfilled. At MRO, we take pride in our culture, which is based on MRO’s core values of passion, accountability, respect, trust, nurture, excellence and reputation.
  10. Valued ideas and opinions – Everyone wants to be heard, and employees with great ideas can make a huge impact on a company’s success, from improving efficiency with technology ideas, to enhancing quality and service through recommending adjustments to workflow.
  11. Leadership that cares – Leaders, from executive management to direct managers, can cheer staff to achieve their highest levels of excellence.
  12. Stability – When a company is stable, employees have one less thing to worry about. Employees can rest assured with job security, benefits, wages, etc.
  13. Great benefits – Employees don’t take these for granted! Healthcare insurance, personal time off, etc., all support an employee’s wellbeing, attitude and commitment to the company.
  14. Company reputation – MRO has been rated #1 by KLAS for four years in a row, and noted for having both the highest quality and fastest turnaround times in the ROI industry. It’s inspiring to be part of a company that is rated top in its field!
  15. Training programs – People want fun, interactive and easily accessible training – not a boring, old PowerPoint template that has been in use for ten years. MRO Academy is MRO’s primary training tool, offered via a web-based learning management system. Training is continuously updated and offered through the virtual platform.

Other reasons MRO employees listed for loving their jobs included competitive wages, educational opportunities, employee recognition, fun events and charity activities.

In an incredibly competitive business environment, hiring and retaining top talent can be challenging. However, if you listen carefully to what your employees say they love about working for your company – and continue to do more of that – chances are you’ll keep the best of the best working for your organization.


Virtual Academy recap: Six Tips for Business Associate Compliance



HIPAA compliance for Business Associates (BAs) was the topic of MRO’s AHIMA Virtual Privacy and Security Academy session this month. I presented alongside my colleagues Sara Goldstein, Esq., general counsel and Rita Bowen, MA, RHIA, CHPS, SSGB, vice president of privacy, HIM policy and education.

During this three-credit course, we discussed how BAs must now comply with the HIPAA Security Rule and certain provisions of both the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. We emphasized that BAs can be held liable for violating these rules, as well as for violations by their subcontractors.

We also covered several best practices BAs can follow to stay HIPAA-compliant and avoid liability, which you can learn more about in Sara Goldstein’s recent post.

Although it’s difficult to summarize all of the valuable insight shared during our session, the six major tips offered by our experts included:

1. Check your insurance policy
Verify insurance coverage in the event of a HIPAA violation.

2. Conduct regular internal and third-party audits
Regular internal and third-party technical audits are the foundation of implementing Security Rule administrative, physical and technical safeguards.

3. Consider applying for Health Information Trust Alliance (HITRUST) certification
HITRUST provides an information security framework to harmonize standards and regulations.

4. Implement the right technologies
Utilizing technologies like encryption, access tracking software and record integrity applications, powered by optical character recognition (OCR) software, can also drive BA HIPAA compliance.

5. Document compliance programs
Business Associate Agreements (BAAs) can ensure HIPAA compliance, and hold subcontractors liable for potential violations.

6. Invest in training and education
Workforce members should undergo formal training at least once a year on privacy, security and compliance, as well as on federal and state disclosure laws, and the healthcare organization’s policies and procedures.

After covering these topics, the Virtual Academy session concluded with a fun, educational and impactful group activity where participants were assigned disclosure management case studies that explored how to identify HIPAA violations and breaches. Rita Bowen and I then tested the participants on their knowledge.

MRO’s team will delve more into the topic of BAs in the next session of AHIMA’s Virtual Privacy and Security Academy: “Advanced Business Associate and Subcontractor Management” on November 9, 2016. If you are interested in attending the session, please fill out the form below and you’ll receive MRO’s promo code for a 15 percent discount.


Privacy and security series, part 3: Prevent ransomware from holding your organization hostage


For the second year in a row, cyberattacks were the leading cause of data breaches in healthcare, according to the Ponemon Institute’s recently released “Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data.”

Ransomware, malware and denial-of-service (DOS) attacks are the most common and growing cyber threats facing healthcare organizations, according to the study. Protecting your organization from an attack, however, is highly feasible if you pursue a rigorous and consistent program of employee training, testing and IT system updates.

Increase in cyberattacks led by ransomware and DOS

Most ransomware attacks—the hijacking and encrypting of an organization’s data by cybercriminals—are caused by employees clicking a malicious link in an email or opening a file that spreads a malware virus, effectively rendering data inaccessible.

The virus typically includes a ransom message demanding payment, frequently in bitcoins, to decrypt the computer or server. Cybercriminals are aided by a “dark web” presence, where they can partner with other criminals to execute attacks.

Since data drives safe and effective healthcare decisions, organizations often pay the attackers’ ransom when operations are crippled. Ransomware, however, may also be considered a breach, although not all organizations have been reporting these types of attacks to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

Educate staff and implement safeguards

OCR is currently working on guidance for reacting to and reporting ransomware, but there are three essential steps healthcare organizations should take today to help avoid becoming a victim:

  • Education: Employees should be trained about the threat of ransomware—not to click on suspicious links or attempt to access unknown flash drives, and to report suspicious emails.
  • Testing: Once-a-year phishing exercises to test employees’ training are not enough to prevent the next attack. These tests need to be continually repeated at random to drive employee compliance with security policies and procedures.
  • Updates: Organizations need to follow recommended IT-management practices, including implementing software patches, anti-virus updates and other software tools immediately as they become available.

At MRO, we seek to mitigate breach risk from all angles, from our Quality Assurance-infused Protected Health Information (PHI) disclosure management workflow to ensuring our staff is properly trained to avoid cyberattacks. Training quality is ensured through MRO Academy, our rigorous and required online educational and testing platform, with the most up-to-date HIPAA regulations and Release of Information (ROI) requirements at the federal, state and facility level. To learn more about MRO’s training and education programs, click here.


Privacy and security series, part 1: OCR protocols for phase 2 HIPAA audits


On March 21, 2016, the Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), Jocelyn Samuels, announced the launch of Phase 2 of its HIPAA compliance audit program for covered entities and business associates. Expanding upon Phase 1 audits conducted in 2012, Phase 2 audits will use newly released audit protocols.

What to expect
Starting this month with limited-scope desk audits until July and on-site full compliance audits later in 2016, Phase 2 of the HIPAA audit program is now in effect. Additional details on what to expect from the audits are outlined in our previous Phase 2 audits blog post, which can be accessed here. In this post, we’ll take a look at the recently announced audit protocols that were not yet released during our last post, and how your organization can ensure it’s prepared.

The new audit protocols are more specific than the previous audit protocols, addressing documentation requirements more comprehensively than the 2012 version. In total, there are 169 audit protocols: 78 for security, 81 for privacy and 10 for breach notification. Approximately one-third of the protocols ask for documentation, which will need to be submitted electronically to the OCR’s new secure online portal. With regard to privacy, the major areas are 1) uses and disclosures, 2) minimum necessary standard, 3) patient rights, 4) notice of privacy practices, 5) business associates and 6) administrative requirements.

How to prepare your organization
The best way to get ready for these compliance audits is to prepare the workforce and assemble an audit team that can communicate effectively with senior management and champion compliance activities. Here’s how to get started:

  • Educate the team: Present information on the audit protocols and inquiries, reviewing how and where your organization’s relevant documentation can be accessed for potential audit requests.
  • Conduct internal audits: After the review, a mock audit team could be assembled to simulate complying with some or all of the Phase 2 audit protocols.
  • Address potential gaps: The mock audit should help identify areas where policies and procedures may be lacking or insufficiently documented. Those corrections should be completed before the Phase 2 desk audits begin.

Although the OCR released the protocols prior to soliciting input, they invite the public to submit feedback by emailing

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.



Achieving PHI disclosure compliance requires standardized policies and procedures

Last week’s news that the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is launching Phase 2 of its HIPAA audit program likely grabbed the attention of compliance professionals across the country. I anticipate that due to this new round of audits, and the large number of Protected Health Information (PHI) breaches last year, major topics of discussion at the upcoming HCCA Compliance Institute will concern best practices around identifying and mitigating risks associated with PHI disclosure.

One area of focus should be centralizing and standardizing PHI disclosure management. While large breaches affecting 500 or more patients made headlines last year, small breaches of fewer than 500 patients happened much more frequently. In fact, of all the PHI breach incidents reported to OCR since 2009, more than 180,000 were small breaches, while there were only 1,400 large ones. Just like the large breaches, small breaches can carry financial penalties from OCR of as much as $50,000 per incident with a maximum of $1.5 million annually for repeated occurrences.

In September, the Inspector General of HHS criticized OCR for not putting enough emphasis on investigating small breaches. OCR’s Chief, Jocelyn Samuels, has stated that they are working to implement the Inspector General’s recommendations.

Smaller breaches can be caused by intentional employee snooping, a lack of compliant standardized policies and procedures, or just human error, such as overlooking comingled records in a disclosure. By taking an enterprise-wide approach to PHI disclosure management, and supporting it with training and technology, healthcare organizations can ensure HIPAA compliance across their health system and mitigate breach risk.

Enterprise-wide standardized policies and procedures essential
With the growth of EMRs, as many as 40 PHI disclosure points have been identified in organizations. Concurrently, health systems acquiring physician practices and specialty centers can add to those disclosure points, bringing with them additional risks and liabilities.

Protecting PHI across these growing enterprises requires disclosure policies and procedures that are consistent across the organization, particularly when bringing in physician practices with different EMRs and differing levels of overall compliance.

Adding to the complexity, PHI disclosure regulations can vary at the federal and state level, while the organization may have its own stricter guidelines for releasing information. It is also important to get the right information into the hands of a requester in a compliant and timely manner. Consistently enforced standardized policies and procedures can help address all of these concerns, but proper training and technology are essential.

People and technology for optimal PHI disclosure compliance
Training staff to follow an organization’s PHI disclosure policies and procedures, which should include all HIPAA and relevant state regulations, is the foundation for meeting compliance regulations and staying compliant. Significant resolution agreement fines are often levied when organizations have ignored HIPAA requirements for documented policies, procedures and programs to mitigate breach risk.

Training should include timely content, a mixture of learning formats such as videos, interactive training, and testing to ensure effective teaching. This education should be consistently delivered as policies and regulations change and as new information technology is implemented.

Technology is an advantage for compliance by mitigating human error risk. For example, a procedure may be to check every page of every disclosure with the human eye, which some would assume to be 100 percent accurate, but it’s simply not possible.

At MRO, our IdentiScan® solution uses optical character recognition technology to assist our record integrity specialists in identifying and correcting comingled patient records prior to disclosing the PHI. This compliance step ensures our 99.99 percent accuracy rate for getting the right records to the right requesters in our Release of Information (ROI) workflow. If a human were to perform such a review, it would be much more time-consuming, greatly reducing productivity.

We’re excited to showcase IdentiScan at the upcoming HCCA event, where we’ll demonstrate use cases for checking for comingled records outside of the ROI workflow. Key integration points include admissions or discharge times; when generated paper is scanned into patient charts; and when records are imported into the EMR from legacy systems.

Staying compliant
Compliance professionals need to understand their PHI disclosure management processes now more than ever because PHI breaches can be financially costly and damaging to reputations.

By implementing compliant, standardized disclosure policies and procedures across the enterprise, organizations can reduce their risk. Through rigorous training, as well as deploying technology to support HIM teams in releasing information, and having regulatory experts on staff to answer questions in real-time, organizations can not only reduce risk, but also improve client service.
