AHIMA’s Dan Kelly interviews our industry expert Rita Bowen to clear up misconceptions about HIPAA rules, privacy and compliance, and AHIMA’s release of information guidelines during the COVID-19 pandemic.
In these unprecedented times, there is much talk of the novel coronavirus (COVID-19) as it relates to HIPAA and the privacy of patient information. The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently provided a statement to ensure all parties are aware of how patient information can be shared during an infectious disease outbreak. The purpose of the statement was to remind business associates and other entities covered by HIPAA that the Privacy Rule is not set aside during an emergency.
What this means for caregivers
Anyone who has been recognized by the patient will be allowed to continue receiving patient information. Additionally, HIPAA-covered entities are permitted to share the information in order to identify or locate a patient, and to notify the family members, guardians, or other caregivers of the patient’s general health condition or death. Furthermore, the information can be disclosed to law enforcement, the press or the public at large if necessary, to identify or locate the patient.
In any of the above cases, verbal permission from the patient should be obtained prior to the disclosure of information. However, the HIPAA minimum necessary standard does apply. This means that healthcare providers should make a reasonable effort to ensure any disclosed PHI is protected and restricted to the minimum necessary information, and only used to achieve the intended purpose.
What this means for business associates
While caregivers involved may share information as needed for public health purposes, business associates may not release the information without express authorization. If there is a legitimate need for public health authorities, or others responsible for ensuring public health and safety, to access protected health information required to carry out their public health mission, then and only then may the covered entity release the information. For example, should a facility ask that a business associate, such as MRO, release information verbally, the business associate is required to obtain a waiver of protection to do so. This is because the rule specifically indicates that business associates are to continue with the use of the protected information as outlined in the business associate agreement.
To learn more, and read the entire HHS release, click here.
On December 11, 2019, I joined my colleague Danielle Wesley, Esq., Vice President and General Counsel, to present the fourth and final installment of MRO’s PHI Disclosure Management Webinar Series. In this webinar titled “Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope,” we reviewed trends and national efforts underway, discussed how the health system is impacted and formulated tactics to combat the confusion.
Patient-Directed Request Trends
The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding more clarification for healthcare provider organizations, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in mounting challenges for healthcare providers. Recently, we have begun to see the following trends:
- Attorneys and other third parties have increased the number of “patient-directed” requests and are using the records for their own for-profit activities—such as litigation or data sharing/selling.
- Such requests demand that records be sent directly to the third party but be billed at the patient rate under the HITECH Act.
- Use of the phrase “any and all” has led to a rise in page count per request. This phrase is used as an attempt to receive all PHI regarding a patient, not just the specific encounters or visits that are relevant to the litigation.
- An increase in the submission of meritless complaints to release of information companies such as MRO, their clients, and the OCR has resulted in more time and effort to respond to baseless complaints, which ultimately generates greater operational costs.
These trends are concerning for release of information companies and their clients because attorneys and record retrieval companies are able to obtain large volumes of essentially unrestricted, unregulated PHI at lower fees by using generic, template forms. Furthermore, patients are unaware of the risks associated with the documents they are signing and are not actually providing “informed consent.” Such risks include:
- No acknowledgement of HIPAA rights
- No expiration date, allowing third parties to copy and use the “patient-directed” request letter indefinitely
- No restriction on sensitive information regarding HIV, sexually transmitted diseases, psychotherapy notes, substance abuse and more
Health System Impacts
As the misuse of patient-directed requests grows, so does the impact across health system departments. Not only does this issue directly affect the Health Information Management (HIM) department, it also affects the Compliance and Legal/Risk Management departments.
HIM departments must mitigate patient privacy risks while managing an increase in volume, workload, costs and staffing.
Compliance departments are concerned about OCR incrimination, which results in knee-jerk responses versus well-informed actions. There is also a lack of time and resources to appropriately push back on meritless attorney complaints and threats.
Legal and Risk Management departments face OCR complaints and outside attorney pressure, and lack understanding of the steps and costs required to fulfill requests for medical records. For all parties involved, proper training is needed to mitigate risk and take appropriate action in response to attorney requests and patient-directed requests.
PHI Disclosure Management: Recommendations for Organizations
All health systems and organizations should have a plan in place to combat attorney misuse of patient-directed requests. Here are four simple, yet effective tactics:
- Provide HIPAA training and education throughout your organization, particularly focused on patient access and patient privacy. Include departments such as HIM, Legal, Compliance, Risk Management, Finance, etc.
- Recognize this as a long-term problem that cannot be resolved effectively by short-term solutions. Consistency is essential, begin by understanding your responsibilities set forth in your organization’s HIPAA compliant Notice of Privacy Practices.
- Don’t be afraid to push back. Engage with the OCR whenever possible since it is critical that they hear from your organization directly. MRO’s most successful clients have taken a strong stance for their patients and against third parties misusing patient access.
- Contact your representatives and senators to share your concerns regarding misuse and abuse of patient-directed requests from attorneys, record retrieval companies and other third parties. Specifically, contact members of the Health, Education, Labor and Pensions (HELP) Committee.
Continuing Education for the Misuse of Patient-Directed Requests
As we begin the New Year, Danielle and I will continue to educate our client base by hosting webinars, publishing additional content and visiting Capitol Hill alongside other industry experts. Stay connected and view the latest updates by following us on our social media platforms.
To learn more about the misuse of patient-directed record requests, fill out the form below to receive a copy of this webinar.
Receive a copy of the webinar "Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope"
In a Healthcare IT Today blog post, MRO’s Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB is quoted on what she believes to be the hottest topic for 2020. She explains that the Information Blocking Rule could have some areas that will be in conflict with HIPAA, which will further drive the discussion and need for an update to HIPAA.
Anthony Murray and Rita Bowen explain it is crucial that healthcare organizations be detail-oriented and methodical in assessing their business associates. Furthermore, they urge organizations to conduct an assessment of the vendor’s compliance with HIPAA regulations, the integrity of the vendor’s data and its breach prevention practices. They believe it is essential that the vendor meets the 12 requirements outlined in this article.
In a For The Record magazine article, MRO’s Danielle Wesley, Esq. and Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB are quoted on how to avoid a misstep when it comes to distinguishing between patient and third-party requests. They discuss the problems with current OCR guidance, as well as strategies that can be used to help combat this issue.
On June 27, 2019, MRO presented a webinar as part of our Protected Health Information (PHI) disclosure management educational series. In this presentation titled “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” we covered best practices for standardizing PHI disclosure management policies and procedures, ensuring consistent policy enforcement, and minimizing privacy breach.
The webinar content can be used as a guide for Health Information Management (HIM), privacy and compliance professionals to ensure the highest levels of compliance and prevent breach when disclosing PHI.
PHI Disclosure Management: Risky Business
MRO’s research shows there can be as many as 40 disclosure points across a health system. Most of these disclosure points tend to be managed outside the HIM department by individuals not trained in Release of Information (ROI). This trend of expanding disclosure points is one of the key factors driving breach risk in the ROI process.
Another risk factor involves gaps in the Quality Assurance (QA) around PHI disclosure. Research shows that approximately 30 percent of all ROI authorizations are initially invalid, and up to 10 percent of those invalid authorizations are processed with errors if ROI workflows lack redundant QA checks. Moreover, some 5 percent of patient data in electronic medical records (EMRs) have integrity issues, including comingled patient records. Without proper QA measures in place, about 0.4 percent of records released will contain mixed patient data, which means an organization releasing 100,000 requests annually could potentially release 400 comingled records. With that, comes substantial risk to a healthcare organization.
Enterprise-Wide Disclosure Management: Closing the Compliance Gaps
As described in the webinar, MRO recommends deploying an enterprise-wide strategy for PHI disclosure management to standardize policies and procedures, as well as technologies, across a health system. Having a streamlined ROI workflow as part of that strategy helps eliminate inefficiencies, distractions and errors.
Additionally, redundant QA checks are vital for disclosure accuracy. Providing a “second set of eyes” on all authorizations and PHI before release helps reduce improper disclosures. These quality checks should come from a combination of trained ROI specialists and record integrity technology, such as MRO’s IdentiScan®, that uses optical character recognition to locate and correct comingled records. This combination of people and technology drives improved accuracy and minimizes breach risk.
Breach Prevention: Best Practices for PHI Disclosure Management
The webinar includes eight best practices for minimizing breach in the Release of Information process. Here are six of those practices.
- Implement Multiple QA Checks on Requests. It is important to ensure the ROI authorization is legitimate. In reviewing authorizations, certain required information is often missing. A Quality Assurance check-in that involves multiple people helps to avoid a one-point area for failure. This double-check process ensures a complete review of that area for control.
- Sync Your ROI Platform to the MPI. It’s imperative to sync your ROI platform to your MPI to avoid manual information entry. This minimizes the possibility of making a mistake when entering information into your ROI platform. MRO offers a tool called MROeLink® that provides this type of integration.
- Send Notifications to Requesters. Sending initial notifications of receipt to requesters confirms that requests have been received and indicates who is processing them on your organization’s behalf. If a patient-directed request is obtained, you should notify the patient to let them know a patient-directed request has been received in case they did not direct the request.
- Ensure Shipping Integrity. Establish a QA process for shipping copies of medical records, such as a barcoding system that assists distribution center reps in ensuring the right content goes in the correct envelope.
- Leverage Secured Delivery. When possible, leverage secure, electronic delivery, including portals and direct interfaces with government agencies such as SSA and CMS.
- Hire, Train and Retain Exceptional People. It is essential to hire, train and retain exceptional people who will be touching PHI. These people must be properly trained and knowledgeable about the information they are handling, and understand the penalties involved. People working in the ROI industry must be highly trained and educated.
To get details on all our suggested best practices for breach prevention—and more information on compliant PHI disclosure management—request the playback of the presentation using the form below.
Request Webinar Playback
The 23rd Annual HCCA Compliance Institute provided a wonderful learning experience focused on compliance in various areas of healthcare delivery. MRO was fortunate to have several representatives attending informative sessions and engaging in meaningful conversations with other attendees.
I was pleased to have the opportunity to co-present with our client, Melissa Landry, RHIA, Assistant Vice President of Health Information Management (HIM), Ochsner Health System on “Incident Response: Best Practices in Breach Management.” We covered the following topics during our presentation:
- Current Environment and Statistics Related to Healthcare Breaches
- Breaches under HIPAA and State Law
- HIPAA Security Rule Safeguards that Address Incident Response Plans
- Best Practices for Incident Response Plans
- The First 24 Hours Following a Breach
Fill out the form below to request a copy of our presentation.
Of the numerous breakout sessions and learning tracks I attended, there were two in particular that I found to be very informative and insightful—updates from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Center for Medicare and Medicaid Services (CMS).
Joanne Chiedi, Principal Deputy Inspector General, HHS OIG, provided an enlightening keynote address. Her presentation encouraged compliance professionals to be bold and take action. Chiedi shared that at this time of disruptive innovation in healthcare, compliance must engage in these innovative conversations. Here are a few of her other key points:
- We cannot oversee what we do not understand. Effective oversight requires understanding how healthcare is delivered today and how it will be delivered in the future.
- Give Compliance the data. If anyone in your organization has data, Compliance should have access to it.
- Compliance and innovation must advance together. Compliance can and should play a big part in getting innovation right in healthcare.
This presentation offered a comprehensive overview of the current healthcare ecosystem along with a description of the role compliance professionals play in upholding quality standards and processes.
Kimberly Brandt, Principal Deputy Administrator for Operations, CMS, joined the conference to deliver this update. Here is a preview of announcements that we can expect from CMS:
- Patients over Paperwork
- Interoperability and MyHealthEData
- Opioid Epidemic
- Program Integrity
This presentation provided attendees with the inside scoop and a great overview of what is on the horizon with CMS.
Continue Your Compliance Education by Attending MRO’s Upcoming Webinar
Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI through new technology and HIPAA-compliant policies and procedures.
In MRO’s upcoming webinar “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps. This session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain. Secure your spot today by registering here.
Request HCCA Incident Response Breach Management Slides
In a Journal of Health Care Compliance article, privacy expert Rita Bowen outlines strategies to improve efficiency, reduce costs, and achieve compliant PHI disclosure management.
The month of March holds important projections for the healthcare industry—especially for those involved in privacy, security and patient access to health information. It is when the annual National HIPAA Summit is held every year in Washington, D.C., and this year was no exception.
The 28th National HIPAA Summit was held March 4 – 6 at the Grand Hyatt Washington. Thousands of healthcare professionals gathered to discuss current challenges, future goals and expert predictions for our industry. This year’s event focused on the changing landscape of healthcare privacy, security, HIPAA and Protected Health Information (PHI). Here are my five top takeaways from the National HIPAA Summit 2019.
- Beacons of Change: GDPR and CCPA
Passage of both the European General Data Protection Rule (GDPR) and the California Consumer Protection Act (CCPA) is paving the way for stricter standards and expansion of HIPAA. GDPR and CCPA serve as the new measuring sticks for 2019 privacy conversations in healthcare. With this shift come increased compliance risks for providers and business associates (BAs), alongside greater privacy right of action for individuals. For example, presenters at the HIPAA Summit suggested that all stakeholders should be governed by revised guidelines including those currently carved out of the HIPAA rule.
- Uptick in Audits
Speakers also suggested there will be an increase in third-party audits to assure a culture of compliance within organizations and BAs. Audits currently conducted reveal four ongoing concerns in healthcare privacy and security:
- Lack of BA agreements
- Incomplete or inaccurate risk analysis
- Impermissible disclosure of PHI
- Recurring compliance issue—gaps from risk register not closed
Significant attention remains focused on network servers compromised by hackers and malware. However, smaller breach incidents where patterns are identified but no mitigation efforts occurred will also be investigated.
- New Approach to BA Assessments
With regard to BA assessments, generic risk assessments completed by BAs at the request of covered entities (CEs) have become obsolete. A new approach suggests that BAs provide information specific to three aspects of risk:
- Describe delivery of the BA’s services
- Identify the BA’s risk components
- Detail how the BA works to close privacy and security gaps
- Push for Greater Patient Access to Health Information
From HIMSS to the HIPAA Summit in 2019, the healthcare industry is squarely focused on the patient. Patient engagement, patient satisfaction and patient access to health information are top goals for most healthcare provider organizations in the year ahead. Similar to a call for better patient access, heard during a December 2018 congressional briefing, summit presenters pushed for specific improvements for the healthcare consumer:
- Harmonize information across all states for easier patient access
- Give the patient (or directed requester) information from the designated record set (DRS)
- Ensure right of access to the requester (patient and/or their representative)—a primary audit focus with penalties associated with any type of information blocking or hindrance to obtaining health information
Unless providers have contacted the patient and the patient states otherwise, requests for information should be processed by the CE in accordance with existing guidance. Proper alignment of processes to policy helps mitigate breach risk when processing patient-directed requests (PDRs) for information. For example, a specific individual must be named to receive information.
Greater patient access to information is an important step to improve patient satisfaction and create positive patient experiences. In fact, it is one of three key results highlighted in a recent blog post about MRO’s partnership with Saint Luke’s Health System.
- Interoperability Promotes Data Sharing, Streamlines the Business of Healthcare
My final takeaway from the HIPAA Summit 2019 was renewed emphasis on interoperability in an effort to streamline the business of healthcare—especially data sharing between providers and payers. Both the OCR and ONC have announced initiatives around interoperability. Two areas in particular were discussed.
Electronic claims. An electronic claims attachments rule was passed in 2012, but has not been widely adopted or enforced. Enforcement of electronic remittance advice (ERA) will reduce paperwork between providers and clearinghouses, with the potential to save $8 billion annually. Facilities will be reviewed for compliance via the “optimization program” versus process audits.
Health plans. Getting data back to health plans is vital to success under value-based reimbursement. Our patients are health plan members. We all have the same purpose—to improve the health of those we serve. Direct exchange of information between CE, provider and plan support this goal while streamlining processes across all stakeholders. The ability for patients to also contribute electronic health data for better patient care coordination is the industry’s audacious goal.
HIPAA was first signed into law in 1996. Today, 22 years and 28 HIPAA summits later, I still learn and advance in concert with healthcare industry changes. Keeping abreast of predictions, such as those listed above, ensures every healthcare professional gains the knowledge they need to deliver high-quality care while protecting privacy, security and patient access to health information.
MRO is committed to keeping our clients and the HIM industry up to date on the latest happenings. To receive updates from MRO when we release new blog posts, complete the form below. You can also learn more in our upcoming PHI disclosure management webinar series, which kicks off April 10, 2019 with a session focused on payer requests for medical records, including audits and reviews.