Heard at AHIMA 2018—Privacy, Cybersecurity and Information Governance Institute and ROI Roundtable

AHIMA’s 2018 Privacy, Cybersecurity and Information Governance (PCIG) Institute took place September 22-23 at the 2018 AHIMA National Convention & Exhibit in Miami. True to its aim to enhance knowledge regarding current trends and issues, the event focused on protecting patient information across all healthcare settings and business operations—essential to ensuring patients’ trust in our healthcare system. Protected Health Information (PHI) disclosure management is at the heart of building that trust—and Information Governance (IG) is a critical component.

This year’s institute focused on industry adoption of IG, citing AHIMA’s Information Governance Adoption Model (IGAM)™ as a guide to advance IG practices toward achieving Level 5 maturity. Here are the five levels:

1—Unaware, IG concerns not addressed

2—Limited progress, early stage

3—Defined policies and procedures

4—Proactive program throughout operations

5—Fully integrated into overall infrastructure and business processes

Most attendees indicated their organizations were either at Level 2 or somewhere between Levels 2 and 3—making limited progress and beginning to define policies. This feedback means there’s much work to be done within the HIM domain to successfully measure and achieve IG maturity.

PHI Disclosure Management and IG Connection

A common question posed to HIM leaders on this topic is: What is the relationship between PHI disclosure and IG? First of all, proper disclosure of PHI cannot be achieved without adherence to IG principles—particularly privacy and security. AHIMA describes IG as an enterprise-wide framework for managing information throughout its lifecycle—from the inception of a patient’s record to its eventual destruction. An analogy that comes to mind is the story of a person’s life, the stewardship required from birth to death.

From an IG perspective, HIM professionals must know where information originates, where it flows, how it is released, when it dies—and all risk factors along the way. In our experience, one of the most critical areas of risk is the business office. Implementation of a centralized, enterprise-wide approach to PHI disclosure—aligned with IG principles—reduces risk related to ROI practices.

Modern Age of ROI Roundtable

Following the two-day PCIG institute, I joined my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and other experts to discuss Release of Information (ROI) challenges and best practices during the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?”

The hottest topic that emerged was patient-directed requests. Many in the industry are seeing inappropriate attorney behavior such as having the patient sign a blank form that the attorney then uses to request patient information. When a form is questionable, the patient should be contacted to clarify and confirm consent.

In the audience was Jim Bailey, President of the Association of Health Information Outsourcing Services (AHIOS), who suggested that states come together to address the issue. Here are four recommended strategies:

  • Raise awareness with your legislators
  • Hold conversations with other hospitals in your area
  • Don’t be afraid of meeting with the OCR
  • Exercise the right to question and verify any request

A valid patient-directed request must clearly reflect the patient’s intent—type of information requested, who should receive the information, for what purpose and method of delivery.

HIM Leadership

Overall, the PCIG Institute, ROI Roundtable and many other informative sessions during the AHIMA Convention reaffirmed that HIM professionals play a crucial role in promoting stronger privacy, security and Information Governance. Trust in the healthcare system depends on our leadership.

Enterprise-Wide PHI Disclosure Management—Six Strategies Guided by Information Governance Principles

On September 1, 2018, the Journal of AHIMA published MRO’s article “Enterprise-Wide PHI Disclosure Management—Why Information Governance Matters,” featuring a virtual roundtable with health information management (HIM) leaders from MRO client organizations Ardent Health Services, Ochsner Health System and WellSpan Health.

As moderator of the discussion, I had an opportunity to explore valuable insights gained from their experiences along the journey to enterprise-wide Protected Health Information (PHI) disclosure management. Here is a summary of common challenges they faced and successful strategies guided by Information Governance (IG) principles.

Common Challenges

As integrated health systems grow through partnerships and acquisitions, one of the most significant challenges is managing multiple points of PHI disclosure during the Release of Information (ROI) process. Keeping up with evolving regulations requires evaluation of ROI requirements including ongoing review of policies and procedures with a goal of establishing standardized, compliant processes across the enterprise. This has become even more critical with the rise in small breaches, often due to errors in ROI.

With any major process change, some resistance can be expected. Not everyone will be on board to hand off ROI responsibilities. Reluctance to make the transition to enterprise-wide disclosure is often related to loss of control and personal touch, particularly in physician practices. Communicating the benefits to all departments and practices is critical to the success of a centralized, enterprise approach.

Six Successful Strategies—People, Processes and Technology

Overall, the combination of policies and procedures supporting legal medical record content, consistent record retention and standardized workflows enables the implementation of enterprise-wide PHI disclosure. Establishing compliant ROI practices aligned with IG concepts must be a top priority to reduce liabilities and protect patient information.

Here are six strategies for HIM professionals to initiate, support or sustain enterprise-wide PHI disclosure management:

  1. Engage executive leadership, including compliance, privacy and legal teams. Present a business case for enterprise-wide ROI, with emphasis on the benefits of centralization including cost savings, compliance and patient satisfaction.
  2. Proactively address PHI disclosure management in the acquisition and partnership strategy. Create a consistent approach to managing any ROI transition.
  3. Consider your available human, technical and system resources. Evaluate the ability to implement a model that is self-sufficient, outsourced or a combination of the two options.
  4. Create an enterprise-wide inventory of health records/designated record sets. Include the format, locations and retention timeframe.
  5. Determine the right balance of onsite versus remote management. Create a standard list of common documents requested by patients as a guide to onsite processing.
  6. Establish a collaborative relationship with your ROI vendor partner. Work together to develop and sustain a PHI disclosure management process. Having a dedicated ROI team supports the commitment to provide accurate and timely records to customers and patients.

To download a PDF copy of the full Journal of AHIMA article, complete the form on this page.

MRO at AHIMA Convention & Exhibit

To meet MRO’s teams and network with HIM peers using our services, visit us at the upcoming AHIMA Convention & Exhibit in Miami, September 22-26. Review a list of MRO events in advance to learn more about where you can find us during the convention. Highlighting Monday’s agenda is the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?” where my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and I will join other experts in the field to discuss ROI challenges and best practices. We look forward to seeing you there!

Webinar Recap: Healthcare Regulatory Updates and Guidance

Healthcare Compliance

On Thursday, May 17, 2018, my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services, and I presented the second part of our four-part healthcare compliance webinar series. In this webinar, titled “Healthcare Regulatory Updates and Guidance,” we covered the following key points:

Global Data Privacy Rule (GDPR)

The GDPR is current legislation that was proposed by the European Commission to strengthen and unify data protection for individuals in the European Union (EU). The goal of the regulation is to increase protection and enhance privacy rights regarding how data about EU residents is collected and used. This rule also applies to organizations outside the EU, such as those in the US, if they collect data.

Substance Abuse and Mental Health Services Administration (SAMHSA)

SAMHSA released an update in January 2017 that allows organizations to use an inclusive authorization, whereby this sensitive information may be shared with an HIE or within an integrated delivery system. This affords these patients the same rights to high-quality care by allowing caregivers to review necessary information. The update to the rule permits the disclosure or re-disclosure of this information as necessary to carry out lawful treatment, payment and operations. The required statement on this type of record now reads “Federal law 42 CFR Part 2 prohibits unauthorized disclosure of these records.”

Disclosures for Emergency Preparedness

Emergency preparedness and recovery planners are interested in the availability of information they need to serve people in the event of an emergency. The HIPAA Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.

Cybersecurity and Ransomware

Ransomware has forced health IT to become more aggressive about increasing its security safeguards and protections against attacks delivered through infected emails and websites. Attendees were reminded that the best ways to prepare for and combat these attacks include:

  • Risk analyses and gap analyses
  • Ongoing end-user training
  • Appropriate and up-to-date patching
  • Utilization of advanced security protection tools

To learn more about this topic, sign up for our next webinar “Cybersecurity: Protecting your Healthcare Enterprise” on Wednesday, August 15, 2018 at 2pm Eastern.

Texting in Healthcare

Texting in healthcare can be a risk if it does not meet the technical safeguards of the HIPAA Security Rule. These safeguards include:

  • Access to PHI must be limited to authorized users who require the information to do their jobs
  • A system must be implemented to monitor the activity of authorized users when accessing PHI
  • Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN
  • Policies and procedures must be introduced to prevent the PHI from being inappropriately altered or destroyed
  • Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit

Future Outlook

Attendees also received insight on the changes and updates we may expect to see forthcoming in 2018. Some of these included:

  • Restitution back to victims who were harmed by a violation of HIPAA
  • Consideration to remove NPP signature forms
  • Good faith disclosures (related to Opioid crisis)
  • Potential changes in the requirement related to accounting of disclosures

Healthcare regulatory updates and government guidance are continuously evolving and can be difficult to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. For more information on these topics, fill out the form below to receive a copy of this webinar.

Privacy Dashboards: A Powerful Tool for Compliant PHI Disclosure Management

Managing the release of Protected Health Information (PHI) is more complex than ever, due to evolving federal regulations, patient access rights, and pressure to manage and exchange health information electronically. With multiple departments releasing PHI, there are concerns and risks across the entire enterprise. For individuals whose primary tasks do not include PHI disclosure, privacy regulations are not foremost in their thoughts. Without ongoing education and process change, the potential for breach risk escalates. To mitigate risk, it is recommended that organizations centralize their Release of Information (ROI) and use privacy dashboards and data analytics technology.

Centralize Release of Information to Improve Privacy Compliance

Healthcare organizations should assign PHI disclosure and ROI tasks to a focused group of professionals who understand the regulations, receive ongoing education on changes, and realize the complexities of the process. This way, one department will have total control of and responsibility for maintaining appropriate records of what information has been released, knowing where it’s going, and knowing when to escalate notification issues. Managing information through one department will improve compliance and patient care.

Use Privacy Dashboards to Track Patterns and Trends

Every privacy incident yields valuable data to improve compliance. Privacy dashboards can be used as a powerful tool to show patterns and trends for smaller incidents — now being tracked by OCR — and for large events as well. Regardless of size, an organization’s ability to consistently identify and track trends is essential. You can find a list of all the features an effective compliance tool should provide in “Privacy dashboards: Tracking and reporting for compliant PHI disclosure management,” which appears in the May 2018 issue of HCCA’s Compliance Today.

The most important factors in compliance program management are constant awareness, communication, tracking and reporting through easy access to reliable and actionable data. Privacy dashboards help organizations determine root causes of incidents, so they can take the necessary actions to improve compliance.

Examples of corrective action include:

  • Revising compliance policies and procedures
  • Providing additional staff training on hospital policy and HIPAA regulations
  • Assessing and improving PHI disclosure management processes
  • Ensuring encryption of all devices used by staff

As the volume of PHI requests continues to increase over time, so does the risk of breach. Using privacy analytics to identify compliance patterns and trends, improve operational processes, and resolve breach issues is increasingly important. Actionable compliance data has become a critical tool for healthcare organizations along the journey to value-based care.

Learn more about privacy analytics by attending AHIMA’s Live Data Dive Webinar “Privacy Dashboards: What You Should be Tracking & Reporting” on May 9th at 9:30am Eastern. If you cannot make the live session, sign up for the playback webinar recording here.

HIMSS18 Recap: Patient Data Takes Center Stage for Privacy Protection

HIMSS18

The 2018 Healthcare Information Management Systems Society’s (HIMSS) Health IT Conference (HIMSS18) hosted more than 43,000 attendees. Groups of healthcare industry professionals filled educational sessions and convention hall aisles on March 5-9 in Las Vegas. With over half of attendees representing provider, payer, and governmental agencies, HIMSS reaffirmed its position as the top event for everyone involved in the health information technology (HIT) industry.

As Vice President of Privacy, Compliance, and HIM Policy for MRO, my personal focus at HIMSS18 was on the need for greater patient data integrity and evolving data privacy. Below are a few main points and strategic tasks gleaned for fellow patient privacy professionals. I discuss these points in more detail in this article.

Break Down Barriers

Attendees this year intentionally focused on the need to make health information accessible and fully actionable. The importance of creating actionable data, versus simply sharing information, was a key point throughout HIMSS18.

Direct sharing of the Continuity of Care Document (CCD) was another strategic task presented to HIT professionals during HIMSS18. CCD includes the predefined data elements needed for continuing care in any setting. The underlying thought is that these data elements could be shared through direct messaging to the next caregiver and prepopulate the provider’s EHR for continuity of care. The same reasoning would hold that these data elements should be downloadable to the patient application of choice so the patient always has this information.

The bottom line for data access in healthcare: information silos must be eliminated.

Encourage Patient Ownership

Multiple sessions covered the importance of patient ownership of personal healthcare data. To effectively meet the goal of patient ownership, speakers reiterated the need for data segmentation. For example, patients can specify which data they want to be held privately—not the entire record, but granular information at the data element level.

The General Data Privacy Regulation (GDPR), the European move to segment data for special protections, was also covered in detail at HIMSS18. Patient privacy is now a global initiative. For more information on this topic, download a copy of MRO’s recent webinar on the topic.

Finally, information for quality reporting was a central topic, as quality reporting moves from an encounter-centric to a patient-centric approach. Both of these capabilities, data segmentation and whole patient reporting, must be supported as healthcare makes the transition to value-based purchasing.

Watch Threats, Ensure Compliance

Cloud computing vulnerabilities remain top of mind for all healthcare providers, payers, and governmental agencies. For Business Associates (BAs) using cloud computing, speakers emphasized the need to know where data resides and how it is controlled. These details should be in BA Agreements, along with specifications on how the confirmed BA meets security regulations.

Effective healthcare privacy compliance plans must manage policies and procedures, auditing, disciplinary guidelines, and corrective actions. Focus on your ability to detect, respond to, and recover from any privacy or security events through proactive risk plans and accountability to protect patient data.

People, processes, and technology are the golden keys for privacy and security compliance and breach prevention.

The biggest benefit of attending the 2018 HIMSS annual conference was gaining useful knowledge. Technology is rapidly advancing, and the conference is one of the best venues to observe the transformational impact of technology on the healthcare industry.

Four Healthcare Compliance Webinars to Attend in 2018: Covering Privacy, Security and Information Governance

As we move into 2018, healthcare professionals should be up to date on the latest Privacy, Security and Information Governance trends. It is important to be aware of what’s on the horizon and how to prepare your organization for the future.

In MRO’s upcoming 2018 healthcare compliance webinar series, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I will co-present on the latest industry trends and discuss best practices for organizations to consider. There are four parts to this webinar series, and we are in the process of having each session pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics, which Angela and I will go into more detail on in our webinar series. To register, click here.

Webinar Watch List: Privacy, Security and Information Governance

1) Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield
The Global Data Privacy Rule (GDPR) is compelling every organization to consider how it will respond to today’s security and compliance challenges. This may require significant changes to how your business gathers, uses and governs data if you serve individuals from the United Kingdom. Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements, such as mandatory record keeping, the right to be forgotten, and data portability.

March 22, 2018 – 2pm Eastern – Register Here.

2) Healthcare Regulatory Updates and Guidance
Healthcare regulatory updates and government guidance are continuously evolving and can be hard to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. When we hold this webinar, the session will review the regulatory updates and guidance that must be implemented to achieve regulatory compliance.

May 17, 2018 – 2pm Eastern – Register Here.

3) Cybersecurity: Protecting your Healthcare Enterprise
Although cyber attackers constantly create new versions of malicious software and search for new vulnerabilities to exploit, healthcare organizations must continue to be vigilant in their efforts to combat cyber extortion. This webinar will share lessons learned and actions for consideration to remain diligent and ready for potential threats.

August 15, 2018 – 2pm Eastern – Register Here.

4) 2019 Healthcare Privacy and Security Compliance Predictions
This session will briefly summarize the prior sessions in MRO’s four-part webinar series on healthcare privacy and security compliance, including lessons learned in 2018—and then shift focus to 2019. We will do our best, utilizing our crystal ball, to predict focus areas for 2019.

November 7, 2018 – 2pm Eastern – Register Here.

Health Information Professionals Week

MRO will launch our healthcare compliance webinar series, which covers these topics, on March 22, 2018, during Health Information Professionals (HIP) Week. HIP Week will coincide with AHIMA’s Advocacy Summit and Hill Day, events where AHIMA members receive education specific to advocacy and visit Capitol Hill to share the importance of advancing HIM. Privacy, security and Information Governance continue to be key issues for HIM professionals. AHIMA has stated it will continue to provide guidance to the healthcare industry and government leaders seeking expertise and counsel, and MRO looks forward to continuing in our efforts to educate and support the HIM profession, as well.

Register today for our first webinar, on the topic of Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield.

Health Information Management: A Look at 2017 and Predictions for 2018

Predictions for 2018

As we enter 2018, health information management (HIM) and compliance professionals have the opportunity to reflect on healthcare privacy and security in 2017, look at lessons learned, and make predictions as to what’s next.

In 2017, there were many natural disasters that took center stage and continue to play a role in healthcare—for example, disaster waivers. We also saw the defunding of ONC’s Chief Privacy Officer position. In addition to that, data security and breach notification issues grabbed headlines. I go into more detail on these items and offer predictions for 2018 in an InterviewNow podcast, which you can listen to here.

Health Information Management Best Practices

During 2017, data security and breach notification issues grabbed the headlines, and the Office for Civil Rights (OCR) was one of the most active regulators. Health Information Management (HIM) leaders can learn lessons from last year’s enforcement actions and apply the following best practices in 2018:

1) Know Where Your Risks Are
Cybersecurity risks are still out there, and your organization needs to be aware of them so that it can prepare for and respond to those types of attacks. Your organization should make sure to spend enough on cybersecurity so that your IT department is better able to respond to and act on attacks.

2) Educate and Train Employees
For a good percentage of these security and breach notification issues, there is a human factor involved. Knowledge is power. Training and educating your employees should be part of your organization’s due diligence. Employees need to know what they can and cannot click on, and they also need to understand the types of phishing episodes that can occur. This is also important because employees at many organizations now bring their own devices to work. The need for due diligence has grown because the more things get connected, the bigger the risk of a breach.

3) Update System Patches
Validate that your IT team is current with software updates and patches to assure the latest security enhancements are applied to protect the data.

4) Look at Policies and Procedures
Make sure your organization has up-to-date policies and procedures. It is important to do internal auditing to make sure your employees understand and follow these policies and procedures. If you come across weaknesses during your internal auditing, be sure to address them as well.

OCR Wall of Shame Facelift, Intelligent Apps and Analytics

Now, more than ever, is the time to get your breach prevention and compliance measures in order, because the OCR wall of shame may get a facelift in 2018. The facelift could allow you to link over and see who else is involved from a Business Associate standpoint. I personally think the facelift could help people with their due diligence and reviews.

More things to look at in 2018 include intelligent apps and analytics. With all the new and advanced devices today, personal health information is much easier to track now. Once that tracked information becomes shared, it could become part of your doctor’s diagnostic tool kit. I think the availability of health data, if used correctly, could help the world become a better place.

To learn more about 2018 watch list items, including General Data Protection Regulation (GDPR), Internet of Things (IoT), research and de-identification, litigation, OCR updates and cyber-security, be sure to look for details about an upcoming webinar series, hosted by MRO, which will cover those items.

Reflections from AHIMACon17: Merger Mania and its Impact on Privacy and Health Information Management Systems

Merger Mania

At the 2017 AHIMA National Convention and Exhibit, MRO’s client Melissa Landry of Ochsner Health System and I co-presented a session titled “Merger Mania: Impact to Privacy and Health Information Management.” In this presentation, we discussed industry trends around mergers of healthcare organizations and the impact on privacy, Health Information Management (HIM) systems and Protected Health Information (PHI) disclosure management.

Melissa Landry shared how Ochsner successfully responded to challenges resulting from healthcare mergers. Audience members learned strategies for addressing these types of challenges. Below is a video interview where I recap the presentation.

Video Recap: Merger Mania and its Impact on Privacy and Health Information Management Systems


Video Transcript

Rita: I’m Rita Bowen, and I am with MRO. And, I am their Vice President for Privacy, Compliance and HIM Policy.

Question: Tell us about the presentation you gave at the AHIMA Convention about “Merger Mania.”

Rita: I had the opportunity to work with Melissa Landry from Ochsner on a discussion of Merger Mania, and that has been so important because there have been so many physician facilities that are actually merging, buying physician practices, and there needs to be a dedicated process in getting that done correctly. It’s not simply, “I’m going to buy you, and make you part of my team.” There are Information Governance components that have to be demonstrated to make it work correctly.

Question: What best practices did you discuss during your presentation?

Rita: During our presentation today, we talked about best practices for this process of Merger Mania, and we actually took each of the components of Information Governance and threaded that through the discussion; the project management skills required in that; and, actually, the workflow that has to be determined. Because, you often find that the workflow in a physician practice has never been discussed, and you may find that a physician never closes their record, and most of the records will not come into an electronic health record system that you may be trying to merge unless they have actually been closed, which means someone has signed off on those records.

Question: What is MRO doing to address Merger Mania?

Rita: At MRO, we’re doing many things to address Merger Mania—through our acquisition process when we’re bringing on and partnering with a new customer, through the implementation process. We have an assessment phase that helps us do a deeper dive into workflow, and helps analyze those workflow issues. Then, there’s the policy review, which I do, which helps identify policies that the facility may be missing and/or may be complementing policies that we have; or they may be more stringent; or we may perhaps have a policy that’s more stringent, so that sets the foundation for the framework for the implementation team as they go through their education process.

Question: What are some of the biggest trends and themes you’ve noticed at this year’s AHIMA Convention?

Rita: At this year’s convention, some of the biggest trends that I’ve noticed and observed, especially in the general sessions, is that there’s still a focus and discussion regarding Information Governance (IG). There’s still a disconnect from many members thinking they’re not in that IG space. I contend that everything that everybody does in HIM is IG. Everybody is in some kind of lane of IG. It’s not different; it’s not a different domain; it’s one and the same of Health Information Management. The other big thing is population management and how information has got to flow in a way that it can be used in a way that patient privacy is still protected but it actually helps the population management improve health and improvements can be seen—because we still have a way to go there in this country.

Question: What is your favorite part about AHIMA?

Rita: When you ask me what my favorite part about AHIMA is, that’s hard because this is my 43rd convention, so obviously I love to come here. But, my favorite part is seeing friends. Seeing and networking with all the colleagues who I’ve worked with over the years. And, then networking is an excellent way to learn. You stay engaged with someone that’s doing one niche, because you may be working in a different lane, so it helps you stay identifiable into the whole processes. But, the friendships that you’ve maintained through those years is just so vital.

To download slides from MRO’s Merger Mania presentation, complete the form below.

2017 National AHIMA Convention: Takeaways for Health Information Management Professionals

The American Health Information Management Association (AHIMA) held its annual convention and exhibit in Los Angeles, October 7-11. This year’s event delivered a renewed focus on the profession’s responsibility to protect and govern Protected Health Information (PHI). During the convention, updates for privacy, security, interoperability and information governance were provided. Here is a quick overview of lessons learned at the conference. You can read more in my recent post to HIM Scene’s blog, titled Heard at #AHIMACon17: Lessons Learned for HIM.

Privacy and Security Institute

This year was the 11th anniversary of AHIMA’s Privacy and Security Institute. Speakers from the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Federal Bureau of Investigation (FBI) and Health Information Trust Alliance (or HITRUST) joined privacy and HIM consultants for a two-day seminar.

Additionally, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I co-presented a session titled, “Developing Best Practices from OCR Audits and Enforcement Activities.” In this session, we offered best practices for HIM professionals based on lessons learned from the OCR’s patient access guidance, resolution agreements and HIPAA Audit Program protocols. You can download a copy of our presentation by completing the form at the bottom of this blog post.

Cutbacks Underway

The position of Chief Privacy Officer (CPO) at the Office of the National Coordinator for Health Information Technology (ONC) has been vacant for the past year, and during this time Deven McGraw, Deputy Director of Health Information Privacy at the OCR, successfully served as acting CPO. Her recent departure, along with other cutbacks, will have a trickle-down impact for privacy compliance in 2018.

Onsite Audits Cease

Yun-kyung (Peggy) Lee, Deputy Regional Manager for the OCR, informed attendees that onsite HIPAA audits would no longer be conducted for Covered Entities or Business Associates due to staffing cutbacks in Washington, D.C. The concern here is that whatever doesn’t get regulatory attention may not get done.

Interoperability Advances HIPAA

The national push for greater interoperability is an absolute necessity to improve healthcare delivery. However, 30 years of new technology and communication capabilities must be incorporated into HIPAA rules. Old guidelines block us from addressing new goals. We expect more fine-tuning of HIPAA in 2018 to achieve the greater good of patient access and health information exchange.

In an article published shortly before the AHIMA convention, OCR Director Roger Severino touched on the need to modify HIPAA in light of technology advancements and cyber threats saying, “I’ve gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it – and we have to be smart about who we target. At most I will say the big, juicy case is going to be my priority and the methods for finding it – stay tuned.”

Luminary Healthcare Panel

This session was a very relevant discussion for my role as Vice President of Privacy, Compliance and HIM Policy at MRO. Panelists provided a glimpse into the future of healthcare while reiterating HIM’s destiny—data integrity and information governance.

Final Takeaway

There is no doubt that HIM’s role is expanding. We have the underlying knowledge of the importance of data and the information it yields. More technology leads to more data and an increased need for sophisticated health information management and governance. Our history of protecting patient information opens the door to our future in the healthcare industry.

To download slides from MRO’s Privacy and Security Institute presentation “Developing Best Practices from OCR Audits and Enforcement Activities,” complete the form below.
