Check Request Status610-994-7500

2019 HCCA Compliance Institute Recap

 

 

 

 

 

 

 

 

The 23rd Annual HCCA Compliance Institute provided a wonderful learning experience focused on compliance in various areas of healthcare delivery. MRO was fortunate to have several representatives attending informative sessions and engaging in meaningful conversations with other attendees.

I was pleased to have the opportunity to co-present with our client, Melissa Landry, RHIA, Assistant Vice President of Health Information Management (HIM), Ochsner Health System on “Incident Response: Best Practices in Breach Management.” We covered the following topics during our presentation:

  • Current Environment and Statistics Related to Healthcare Breaches
  • Breaches under HIPAA and State Law
  • HIPAA Security Rule Safeguards that Address Incident Response Plans
  • Best Practices for Incident Response Plans
  • The First 24 Hours Following a Breach

Fill out the form below to request a copy of our presentation.

Session Takeaways

Of the numerous breakout sessions and learning tracks I attended, there were two in particular that I found to be very informative and insightful—updates from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Center for Medicare and Medicaid Services (CMS).

OIG Update

Joanne Chiedi, Principal Deputy Inspector General, HHS OIG, provided an enlightening keynote address. Her presentation encouraged compliance professionals to be bold and take action. Chiedi shared that at this time of disruptive innovation in healthcare, compliance must engage in these innovative conversations. Here are a few of her other key points:

  • We cannot oversee what we do not understand. Effective oversight requires understanding how healthcare is delivered today and how it will be delivered in the future.
  • Give Compliance the data. If anyone in your organization has data, Compliance should have access to it.
  • Compliance and innovation must advance together. Compliance can and should play a big part in getting innovation right in healthcare.

This presentation offered a comprehensive overview of the current healthcare ecosystem along with a description of the role compliance professionals play in upholding quality standards and processes.

CMS Update

Kimberly Brandt, Principal Deputy Administrator for Operations, CMS, joined the conference to deliver this update. Here is a preview of announcements that we can expect from CMS:

  • Patients over Paperwork
  • Interoperability and MyHealthEData
  • Opioid Epidemic
  • Program Integrity

This presentation provided attendees with the inside scoop and a great overview of what is on the horizon with CMS.

Continue Your Compliance Education by Attending MRO’s Upcoming Webinar

Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI through new technology and HIPAA-compliant policies and procedures.

In MRO’s upcoming webinar “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps. This session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain. Secure your spot today by registering here.

Request HCCA Incident Response Breach Management Slides

Read More

Five Takeaways from the 28th National HIPAA Summit

 

 

 

 

 

 

 

 

The month of March holds important projections for the healthcare industry—especially for those involved in privacy, security and patient access to health information. It is when the annual National HIPAA Summit is held every year in Washington, D.C., and this year was no exception.

The 28th National HIPAA Summit was held March 4 – 6 at the Grand Hyatt Washington. Thousands of healthcare professionals gathered to discuss current challenges, future goals and expert predictions for our industry. This year’s event focused on the changing landscape of healthcare privacy, security, HIPAA and Protected Health Information (PHI). Here are my five top takeaways from the National HIPAA Summit 2019.

  1. Beacons of Change: GDPR and CCPA

Passage of both the European General Data Protection Rule (GDPR) and the California Consumer Protection Act (CCPA) is paving the way for stricter standards and expansion of HIPAA. GDPR and CCPA serve as the new measuring sticks for 2019 privacy conversations in healthcare. With this shift come increased compliance risks for providers and business associates (BAs), alongside greater privacy right of action for individuals. For example, presenters at the HIPAA Summit suggested that all stakeholders should be governed by revised guidelines including those currently carved out of the HIPAA rule.

  1. Uptick in Audits

Speakers also suggested there will be an increase in third-party audits to assure a culture of compliance within organizations and BAs. Audits currently conducted reveal four ongoing concerns in healthcare privacy and security:

  1. Lack of BA agreements
  2. Incomplete or inaccurate risk analysis
  3. Impermissible disclosure of PHI
  4. Recurring compliance issue—gaps from risk register not closed

Significant attention remains focused on network servers compromised by hackers and malware. However, smaller breach incidents where patterns are identified but no mitigation efforts occurred will also be investigated.

  1. New Approach to BA Assessments

With regard to BA assessments, generic risk assessments completed by BAs at the request of covered entities (CEs) have become obsolete. A new approach suggests that BAs provide information specific to three aspects of risk:

  1. Describe delivery of the BA’s services
  2. Identify the BA’s risk components
  3. Detail how the BA works to close privacy and security gaps

In addition, HIPAA Summit attendees reiterated that best-practice criteria for vetting BAs include compliance with HITRUST and SOC 2 certification.

  1. Push for Greater Patient Access to Health Information

From HIMSS to the HIPAA Summit in 2019, the healthcare industry is squarely focused on the patient. Patient engagement, patient satisfaction and patient access to health information are top goals for most healthcare provider organizations in the year ahead. Similar to a call for better patient access, heard during a December 2018 congressional briefing, summit presenters pushed for specific improvements for the healthcare consumer:

  • Harmonize information across all states for easier patient access
  • Give the patient (or directed requester) information from the designated record set (DRS)
  • Ensure right of access to the requester (patient and/or their representative)—a primary audit focus with penalties associated with any type of information blocking or hindrance to obtaining health information

Unless providers have contacted the patient and the patient states otherwise, requests for information should be processed by the CE in accordance with existing guidance. Proper alignment of processes to policy helps mitigate breach risk when processing patient-directed requests (PDRs) for information. For example, a specific individual must be named to receive information.

Greater patient access to information is an important step to improve patient satisfaction and create positive patient experiences. In fact, it is one of three key results highlighted in a recent blog post about MRO’s partnership with Saint Luke’s Health System.

  1. Interoperability Promotes Data Sharing, Streamlines the Business of Healthcare

My final takeaway from the HIPAA Summit 2019 was renewed emphasis on interoperability in an effort to streamline the business of healthcare—especially data sharing between providers and payers. Both the OCR and ONC have announced initiatives around interoperability. Two areas in particular were discussed.

Electronic claims. An electronic claims attachments rule was passed in 2012, but has not been widely adopted or enforced. Enforcement of electronic remittance advice (ERA) will reduce paperwork between providers and clearinghouses, with the potential to save $8 billion annually. Facilities will be reviewed for compliance via the “optimization program” versus process audits.

Health plans. Getting data back to health plans is vital to success under value-based reimbursement. Our patients are health plan members. We all have the same purpose—to improve the health of those we serve. Direct exchange of information between CE, provider and plan support this goal while streamlining processes across all stakeholders. The ability for patients to also contribute electronic health data for better patient care coordination is the industry’s audacious goal.

HIPAA was first signed into law in 1996. Today, 22 years and 28 HIPAA summits later, I still learn and advance in concert with healthcare industry changes. Keeping abreast of predictions, such as those listed above, ensures every healthcare professional gains the knowledge they need to deliver high-quality care while protecting privacy, security and patient access to health information.

MRO is committed to keeping our clients and the HIM industry up to date on the latest happenings. To receive updates from MRO when we release new blog posts, complete the form below. You can also learn more in our upcoming PHI disclosure management webinar series, which kicks off April 10, 2019 with a session focused on payer requests for medical records, including audits and reviews.

Sign Up for Future Blog Posts

Read More

Four PHI Disclosure Management Webinars to Catch in 2019

 

 

 

 

 

 

 

 

As we move into 2019, it is important for healthcare professionals to stay up to date on the latest trends and best practices for managing Protected Health Information (PHI) disclosure across healthcare enterprises.

In MRO’s upcoming 2019 “Best Practices in PHI Disclosure Management” webinar series, the latest trends and best practices for organizations to consider will be covered. There are four parts to this webinar series, and each session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics in our webinar series, which MRO’s subject matter experts will go into more detail. To register, click here.

Webinar Watch List: Payer Audits, Compliance, Cybersecurity and Patient-Directed Requests

1) The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense
Payer requests for medical records are challenging, time-consuming undertakings for healthcare organizations, typically requiring the release of hundreds or thousands of patient records. MRO’s payer relations expert Greg Ford, Senior Director of Requester Relations and Receivables Administration, will share tips and best practices to shore up your defenses against the rising tide of payer requests for medical records.

2) Enterprise-Wide Disclosure Management: Closing the Compliance Gaps
Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits, and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI by implementing new technology and HIPAA-compliant policies and procedures. In this webinar, I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps.

3) Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI
In an era of evolving cybersecurity threats, healthcare leaders are challenged to be vigilant in their efforts to minimize risk and implement new, robust safeguards to protect the privacy and security of patient data. MRO’s security expert Anthony Murray, CISSP, Vice President of Information Technology and ISSO, and I will provide best practices for safeguarding PHI across your healthcare enterprise.

4) Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope
The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding clarification for healthcare providers, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in rising challenges for healthcare providers. MRO’s legal expert Danielle Wesley, Esq., Vice President and General Counsel, and I will provide clarity on the topic and cover strategies and tactics for combatting the related issues.

Register today for our first webinar, on the topic The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense.

Register for "The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense"

Read More

An Enterprise-Wide Approach to PHI Disclosure Management: Closing the Gaps in Compliance


In an era of regulatory reform and breach, privacy and security compliance is top of mind for health systems. Healthcare leaders are seeking ways to mitigate risk—including financial penalties, lawsuits, and reputational damage—by improving Protected Health Information (PHI) disclosure management processes. Many are embracing the benefits of taking an enterprise-wide approach and standardizing technology, policies and procedures across points of disclosure within their health systems.

In the December 2018 issue of HCCA’s Compliance Today publication, I authored “Enterprise-wide PHI disclosure management: Closing the compliance gaps,” which covered the following four topics.

Increased Focus on Small Healthcare Breaches

Small breaches affecting fewer than 500 patients at a time have become more frequent than the large cyberattacks we see publicized in the news. A cause of these breaches is improper disclosure of PHI during the Release of Information (ROI) process. With increased frequency and impact on patient privacy, small breaches are getting more attention from the OCR.

Small breaches can be just as costly as large ones in terms of penalties and reputational damage. The risks involved with multiple disclosure points and the lack of standardized processes make PHI disclosure difficult to direct and track, making breaches more likely. An enterprise-wide approach to PHI disclosure management is the recommended solution to the challenges faced by healthcare organizations.

PHI Disclosure Across the Enterprise

Although HIM departments still hold primary responsibility for handling PHI disclosures, other areas— including radiology, business offices, and physician practices— increasingly receive requests to release PHI. The issues around this trend pose risks that can lead to privacy breaches. Here’s why:

  • ROI is not a core responsibility of non-HIM staff—and it is not their top priority.
  • Other departments lack sufficient knowledge of rules and regulations governing the compliant release of patient information.
  • Specialized training and multi-tiered Quality Assurance are required to properly disclose PHI.

Quality Assurance Gaps in Release of Information

Quality and accuracy are important aspects of compliant PHI disclosure. However, since ROI workflows involve a variety of manual steps and are complex, there is room for error. Some startling statistics outlined in the HCCA article include:

  • Approximately 30 percent of all submitted ROI authorizations are initially found to be invalid.
  • With more than 100 possible combinations of errors or omission points across a wide variety of request types, up to 10 percent are processed with errors if the only line of defense is the person onsite logging the request.
  • 5 percent or more of patient data in EMRs have integrity issues, including comingling of patient records.
  • Well-trained ROI specialists will catch most of mixed records. However, with just one level of quality control, 1 in every 200 requests will included comingled records.

As a best practice, ROI authorizations and PHI should be checked for accuracy multiple times by specially trained ROI staff and sophisticated technologies to avoid non-compliant requests and/or comingled records. This can be best achieved if PHI disclosure management processes across a healthcare enterprise are streamlined through HIM.

Enterprise-Wide Approach to PHI Disclosure Management

A centralized, enterprise-wide approach to disclosure management is the optimal solution to the imminent challenges that healthcare professionals face. By standardizing processes throughout an organization and applying best practices under HIM’s expertise across the system, healthcare organizations can ensure a steady enforcement of enterprise disclosure policies, a manageable workflow, Quality Assurance and a consistent experience for patients and requesters of PHI. This approach enables healthcare organizations to have complete confidence in achieving compliance. An enterprise-wide strategy not only protects a patient’s privacy, it also protects the institution against breaches, financial risk, lawsuits, and reputational damage.

For more information on breach prevention and tips to protect your organization download MRO’s eBook “Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization”

Download MRO’s eBook "Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization."

Read More

Heard on the Hill: AHIMA and AMIA Call for Better Patient Access to Health Information in Congressional Briefing

AHIMA and AMIA Call for Better Patient Access to Health Information in Congressional Briefing

On Wednesday, December 5, 2018, I visited Capitol Hill with colleagues from AHIMA and the American Medical Informatics Association (AMIA) to address challenges around patient access to health information and to propose ways to modernize HIPAA to better support patient care. As HIM and privacy professionals are aware, the Office for Civil Rights (OCR) released guidance on patient access to health information in February 2016. However, healthcare leaders have been calling for an upgrade to the 22-year-old HIPAA regulation for some time. The recommendations from AHIMA and AMIA were as follows.

Converge HIPAA with Health IT Certification

We recommended creating a new term, Health Data Set (HDS), which would encompass all clinical, biomedical and claims data maintained by the covered entity (CE) or business associate (BA). The data set would be supported through the certification program at the federal Office of the National Coordinator for Health Information Technology (ONCHIT), enabling individuals to view, download or transmit this information electronically to a third party and access this information via API.

We also suggested the revision of the HIPAA Designated Record Set (DRS) and the requirement that Certified Health IT provide the amended DRS to patients electronically while maintaining computability. This revision would give providers and patients greater clarity and predictability regarding what constitutes the DRS.

Extend the HIPAA Individual Right of Access to Non-Covered Entities

In an effort to provide uniformity of health data access, we suggested establishing a uniform health data access policy that would apply not only to CEs and BAs, but also to non-covered entities such as developers of applications/technologies including mHealth and healthcare-based social media.

Encourage Note Sharing with Patients in Real Time

To enhance patient access to health information, we recommended promoting communications efforts such as OpenNotes through Medicare and Medicaid payment programs, such as the Merit-based Incentive Payment System.

Clarify Existing Regulatory Guidance on Third-Party Access to Patient Data

This especially relates to third-party legal requests that seek information without appropriate patient direction and beyond what is part of the DRS. I reported that ROI vendors and providers continue to be challenged with the discernment of third-party versus patient requests for transmittal to a third party. Third-party requesters demand the patient pricing, and the documentation does not always provide assurances that the requester is the patient or that the patient is aware of the request.

Our experience with some high-volume third-party requesters includes their demand for patient pricing and threats of, or actual submission of, OCR complaints. While we are steadfast in our commitment to patients’ privacy, the ongoing dispute by third-party requesters declining to provide reimbursement for healthcare costs in responding to these requests increases the administrative burden on both the health systems and the OCR.

We are asking that the 2016 guidance be updated to specify the original intent that a patient may direct their information to a third party who is specifically “acting on their behalf regarding a healthcare decision.”

MRO is presently working alongside industry experts to construct a white paper that will delve deeper into this topic and provide recommendations. We will share the paper on our blog once it is released.

 

Additional Resources and Media Coverage:

HealthIT Security – AHIMA, AMIA Call for HIPAA Upgrade to Support Patient Access

MedPage Today – Rules Needed for Better Patient Record Access, Say Experts

AHIMA and AMIA – Full Recommendation

Sign Up for Future Blog Posts

Read More