Check Request Status610-994-7500

An Enterprise-Wide Approach to PHI Disclosure Management: Closing the Gaps in Compliance


In an era of regulatory reform and breach, privacy and security compliance is top of mind for health systems. Healthcare leaders are seeking ways to mitigate risk—including financial penalties, lawsuits, and reputational damage—by improving Protected Health Information (PHI) disclosure management processes. Many are embracing the benefits of taking an enterprise-wide approach and standardizing technology, policies and procedures across points of disclosure within their health systems.

In the December 2018 issue of HCCA’s Compliance Today publication, I authored “Enterprise-wide PHI disclosure management: Closing the compliance gaps,” which covered the following four topics.

Increased Focus on Small Healthcare Breaches

Small breaches affecting fewer than 500 patients at a time have become more frequent than the large cyberattacks we see publicized in the news. A cause of these breaches is improper disclosure of PHI during the Release of Information (ROI) process. With increased frequency and impact on patient privacy, small breaches are getting more attention from the OCR.

Small breaches can be just as costly as large ones in terms of penalties and reputational damage. The risks involved with multiple disclosure points and the lack of standardized processes make PHI disclosure difficult to direct and track, making breaches more likely. An enterprise-wide approach to PHI disclosure management is the recommended solution to the challenges faced by healthcare organizations.

PHI Disclosure Across the Enterprise

Although HIM departments still hold primary responsibility for handling PHI disclosures, other areas— including radiology, business offices, and physician practices— increasingly receive requests to release PHI. The issues around this trend pose risks that can lead to privacy breaches. Here’s why:

  • ROI is not a core responsibility of non-HIM staff—and it is not their top priority.
  • Other departments lack sufficient knowledge of rules and regulations governing the compliant release of patient information.
  • Specialized training and multi-tiered Quality Assurance are required to properly disclose PHI.

Quality Assurance Gaps in Release of Information

Quality and accuracy are important aspects of compliant PHI disclosure. However, since ROI workflows involve a variety of manual steps and are complex, there is room for error. Some startling statistics outlined in the HCCA article include:

  • Approximately 30 percent of all submitted ROI authorizations are initially found to be invalid.
  • With more than 100 possible combinations of errors or omission points across a wide variety of request types, up to 10 percent are processed with errors if the only line of defense is the person onsite logging the request.
  • 5 percent or more of patient data in EMRs have integrity issues, including comingling of patient records.
  • Well-trained ROI specialists will catch most of mixed records. However, with just one level of quality control, 1 in every 200 requests will included comingled records.

As a best practice, ROI authorizations and PHI should be checked for accuracy multiple times by specially trained ROI staff and sophisticated technologies to avoid non-compliant requests and/or comingled records. This can be best achieved if PHI disclosure management processes across a healthcare enterprise are streamlined through HIM.

Enterprise-Wide Approach to PHI Disclosure Management

A centralized, enterprise-wide approach to disclosure management is the optimal solution to the imminent challenges that healthcare professionals face. By standardizing processes throughout an organization and applying best practices under HIM’s expertise across the system, healthcare organizations can ensure a steady enforcement of enterprise disclosure policies, a manageable workflow, Quality Assurance and a consistent experience for patients and requesters of PHI. This approach enables healthcare organizations to have complete confidence in achieving compliance. An enterprise-wide strategy not only protects a patient’s privacy, it also protects the institution against breaches, financial risk, lawsuits, and reputational damage.

For more information on breach prevention and tips to protect your organization download MRO’s eBook “Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization”

Download MRO’s eBook "Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization."

Read More

Heard on the Hill: AHIMA and AMIA Call for Better Patient Access to Health Information in Congressional Briefing

AHIMA and AMIA Call for Better Patient Access to Health Information in Congressional Briefing

On Wednesday, December 5, 2018, I visited Capitol Hill with colleagues from AHIMA and the American Medical Informatics Association (AMIA) to address challenges around patient access to health information and to propose ways to modernize HIPAA to better support patient care. As HIM and privacy professionals are aware, the Office for Civil Rights (OCR) released guidance on patient access to health information in February 2016. However, healthcare leaders have been calling for an upgrade to the 22-year-old HIPAA regulation for some time. The recommendations from AHIMA and AMIA were as follows.

Converge HIPAA with Health IT Certification

We recommended creating a new term, Health Data Set (HDS), which would encompass all clinical, biomedical and claims data maintained by the covered entity (CE) or business associate (BA). The data set would be supported through the certification program at the federal Office of the National Coordinator for Health Information Technology (ONCHIT), enabling individuals to view, download or transmit this information electronically to a third party and access this information via API.

We also suggested the revision of the HIPAA Designated Record Set (DRS) and the requirement that Certified Health IT provide the amended DRS to patients electronically while maintaining computability. This revision would give providers and patients greater clarity and predictability regarding what constitutes the DRS.

Extend the HIPAA Individual Right of Access to Non-Covered Entities

In an effort to provide uniformity of health data access, we suggested establishing a uniform health data access policy that would apply not only to CEs and BAs, but also to non-covered entities such as developers of applications/technologies including mHealth and healthcare-based social media.

Encourage Note Sharing with Patients in Real Time

To enhance patient access to health information, we recommended promoting communications efforts such as OpenNotes through Medicare and Medicaid payment programs, such as the Merit-based Incentive Payment System.

Clarify Existing Regulatory Guidance on Third-Party Access to Patient Data

This especially relates to third-party legal requests that seek information without appropriate patient direction and beyond what is part of the DRS. I reported that ROI vendors and providers continue to be challenged with the discernment of third-party versus patient requests for transmittal to a third party. Third-party requesters demand the patient pricing, and the documentation does not always provide assurances that the requester is the patient or that the patient is aware of the request.

Our experience with some high-volume third-party requesters includes their demand for patient pricing and threats of, or actual submission of, OCR complaints. While we are steadfast in our commitment to patients’ privacy, the ongoing dispute by third-party requesters declining to provide reimbursement for healthcare costs in responding to these requests increases the administrative burden on both the health systems and the OCR.

We are asking that the 2016 guidance be updated to specify the original intent that a patient may direct their information to a third party who is specifically “acting on their behalf regarding a healthcare decision.”

MRO is presently working alongside industry experts to construct a white paper that will delve deeper into this topic and provide recommendations. We will share the paper on our blog once it is released.

 

Additional Resources and Media Coverage:

HealthIT Security – AHIMA, AMIA Call for HIPAA Upgrade to Support Patient Access

MedPage Today – Rules Needed for Better Patient Record Access, Say Experts

AHIMA and AMIA – Full Recommendation

Sign Up for Future Blog Posts

Read More

Webinar Recap: Healthcare Privacy and Security—Predictions for 2019

On November 7, 2018, I joined my colleagues Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services, and Anthony Murray, CISSP, Vice President of Information Technology, to present the fourth and final installment of MRO’s healthcare compliance webinar series. In this webinar titled “Healthcare Privacy and Security—Predictions for 2019,” we highlighted privacy and security trends and predictions to help Health Information Management (HIM) and other healthcare leaders navigate compliance in the coming year.

Patient-Directed Requests

Attorney misinterpretation of patient-directed requests (PDRs) was front and center in 2018 and will continue to require clarification and guidance in 2019. When the validity of a PDR is questionable, the patient should be contacted to clarify and confirm consent. Here are additional strategies for handling attorney requests submitted under the guise of a PDR:

  • Inform your state legislators of this questionable attorney behavior
  • Discuss the issue with HIM peers in your area
  • Hold meetings with your OCR representative to determine the best course of action
  • Question and verify (with the patient) any suspicious PDR

We welcome a dialogue with the Office for Civil Rights (OCR) for clarification of the guidance to ensure requests are made for the purpose of assisting the patient with continuity of care—the original intent of the guidance. At MRO, we use the criteria provided by the guidance. The request must be made by the patient, written in the first person and signed by the patient. It must clearly state who is to receive the information and provide the address of that person.

Global Data Protection Rule (GDPR)

Released in May 2018 in the EU, the GDPR provided information on breach protection and response, which could affect guidance in the U.S. regarding notification timelines, documentation controls and data protection rules. The focus in 2019 will likely increase, prompting healthcare organizations to determine changes needed to strengthen privacy and security programs. Also, be aware of state action that is patterning to this rule.

Increased Information Collection

Technology will continue to advance through 2019—becoming faster and safer. With more apps and sophisticated technology, patients must be able to trust that their data is safe and secure. Here are several considerations:

  • What data will you protect?
  • What policies and procedures need to be reviewed?
  • Do you have a complete inventory of your data?

Digital mobile engagement is center stage—wearable devices, home monitors, patient portals, patient generated health data (PGHD) and ongoing technology innovation. The goal is for patients to have a connected, fluid experience throughout the healthcare journey.

Increased Access to Care

The patient experience has changed over the past several decades—from the focus on where patients receive care to where patients search for and choose to receive care. Increased access to care includes urgent care, virtual care, retail settings and nontraditional players such as Amazon and Google. All use some type of technology involving Protected Health Information (PHI) that must be documented and protected.

Population Health, Data and Analytics

Total consumer health requires awareness of educational needs, especially considering the aging population and proactive management of healthcare. Consumers will benefit from initiatives that promote informed decision-making through awareness of available resources and rights regarding PHI. Those efforts demand emphasis on data collection, protection and analytics to improve population health and ensure compliance.

AHIMA’s Vision for 2019

AHIMA recently released its vision for 2019 as the year of transformation. Based on a back-to-basics strategy, AHIMA will emphasize core strengths and services to move HIM forward:

  • Coding/clinical documentation improvement
  • Advocacy/AHIMA World Congress
  • Privacy and security
  • Operational effectiveness—patient-focused access, quality improvement, artificial intelligence, precision medicine, privacy demands

The top three drivers will be security risks, business needs and evolving industry changes.

Technology and Cybersecurity

In 2019, advancements in technology will remain centered on interoperability and cybersecurity. Interoperability is critical to patient engagement and optimal EHR investment required for proper PHI disclosure management.

Additionally, cybersecurity must be a top priority to ensure effective information security programs. Organizations must clarify policies regarding:

  • Risk assessments versus gap assessments
  • Incident response
  • External support
  • Business Associates
  • Third-party assessments
  • Certifications, audits, standards

The evolution of cybersecurity threats means increasingly sophisticated ransomware and other attacks including cryptojacking and whaling. In case of a technology incident, the best strategy is a layered security model to protect, detect, identify and respond.

To learn more about privacy and security predictions for 2019, fill out the form below to receive a copy of this webinar.

Receive a copy of our webinar "Healthcare Privacy and Security—Predictions for 2019.”

Read More

Heard at AHIMA 2018—Privacy, Cybersecurity and Information Governance Institute and ROI Roundtable

AHIMA’s 2018 Privacy, Cybersecurity and Information Governance (PCIG) Institute took place September 22-23 at the 2018 AHIMA National Convention & Exhibit in Miami. True to its aim to enhance knowledge regarding current trends and issues, the event focused on protecting patient information across all healthcare settings and business operations—essential to ensuring patients’ trust in our healthcare system. Protected Health Information (PHI) disclosure management is at the heart of building that trust—and Information Governance (IG) is a critical component.

This year’s institute focused on industry adoption of IG, citing AHIMA’s Information Governance Adoption Model (IGAM)™ as a guide to advance IG practices toward achieving Level 5 maturity. Here are the five levels:

1—Unaware, IG concerns not addressed

2—Limited progress, early stage

3—Defined policies and procedures

4—Proactive program throughout operations

5—Fully integrated into overall infrastructure and business processes

Most attendees indicated their organizations were either at Level 2 or somewhere between Levels 2 and 3—making limited progress and beginning to define policies. This feedback means there’s much work to be done within the HIM domain to successfully measure and achieve IG maturity.

PHI Disclosure Management and IG Connection

A common question posed to HIM leaders on this topic is: What is the relationship between PHI disclosure and IG? First of all, proper disclosure of PHI cannot be achieved without adherence to IG principles—particularly privacy and security. AHIMA describes IG as an enterprise-wide framework for managing information throughout its lifecycle—from the inception of a patient’s record to its eventual destruction. An analogy that comes to mind is the story of a person’s life, the stewardship required from birth to death.

From an IG perspective, HIM professionals must know where information originates, where it flows, how it is released, when it dies—and all risk factors along the way. In our experience, one of the most critical areas of risk is the business office. Implementation of a centralized, enterprise-wide approach to PHI disclosure—aligned with IG principles—reduces risk related to ROI practices.

Modern Age of ROI Roundtable

Following the two-day PCIG institute, I joined my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and other experts to discuss Release of Information (ROI) challenges and best practices during the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?”

The hottest topic that emerged was patient-directed requests. Many in the industry are seeing inappropriate attorney behavior such as having the patient sign a blank form that the attorney then uses to request patient information. When a form is questionable, the patient should be contacted to clarify and confirm consent.

In the audience was Jim Bailey, President of the Association of Health Information Outsourcing Services (AHIOS), who suggested that states come together to address the issue. Here are four recommended strategies:

  • Raise awareness with your legislators
  • Hold conversations with other hospitals in your area
  • Don’t be afraid of meeting with the OCR
  • Exercise the right to question and verify any request

A valid patient-directed request must clearly reflect the patient’s intent—type of information requested, who should receive the information, for what purpose and method of delivery.

HIM Leadership

Overall, the PCIG Institute, ROI Roundtable and many other informative sessions during the AHIMA Convention reaffirmed that HIM professionals play a crucial role in promoting stronger privacy, security and Information Governance. Trust in the healthcare system depends on our leadership.

Sign Up for Future Blog Posts

Read More

Enterprise-Wide PHI Disclosure Management—Six Strategies Guided by Information Governance Principles

On September 1, 2018, the Journal of AHIMA published MRO’s article “Enterprise-Wide PHI Disclosure Management—Why Information Governance Matters,” featuring a virtual roundtable with health information management (HIM) leaders from MRO client organizations Ardent Health Services, Ochsner Health System and WellSpan Health.

As moderator of the discussion, I had an opportunity to explore valuable insights gained from their experiences along the journey to enterprise-wide Protected Health Information (PHI) disclosure management. Here is a summary of common challenges they faced and successful strategies guided by Information Governance (IG) principles.

Common Challenges

As integrated health systems grow through partnerships and acquisitions, one of the most significant challenges is managing multiple points of PHI disclosure during the Release of Information (ROI) process. Keeping up with evolving regulations requires evaluation of ROI requirements including ongoing review of policies and procedures with a goal of establishing standardized, compliant processes across the enterprise. This has become even more critical with the rise in small breaches, often due to errors in ROI.

With any major process change, some resistance can be expected. Not everyone will be on board to hand off ROI responsibilities. Reluctance to make the transition to enterprise-wide disclosure is often related to loss of control and personal touch, particularly in physician practices. Communicating the benefits to all departments and practices is critical to the success of a centralized, enterprise approach.

Six Successful Strategies—People, Processes and Technology

Overall, the combination of policies and procedures supporting legal medical record content, consistent record retention and standardized workflows enables the implementation of enterprise-wide PHI disclosure. Establishing compliant ROI practices aligned with IG concepts must be a top priority to reduce liabilities and protect patient information.

Here are six strategies for HIM professionals to initiate, support or sustain enterprise-wide PHI disclosure management:

  1. Engage executive leadership, including compliance, privacy and legal teams. Present a business case for enterprise-wide ROI, with emphasis on the benefits of centralization including cost savings, compliance and patient satisfaction.
  2. Proactively address PHI disclosure management in the acquisition and partnership strategy. Create a consistent approach to managing any ROI transition.
  3. Consider your available human, technical and system resources. Evaluate the ability to implement a model that is self-sufficient, outsourced or a combination of the two options.
  4. Create an enterprise-wide inventory of health records/designated record sets. Include the format, locations and retention timeframe.
  5. Determine the right balance of onsite versus remote management. Create a standard list of common documents requested by patients as a guide to onsite processing.
  6. Establish a collaborative relationship with your ROI vendor partner. Work together to develop and sustain a PHI disclosure management process. Having a dedicated ROI team supports the commitment to provide accurate and timely records to customers and patients.

To download a PDF copy of the full Journal of AHIMA article, complete the form on this page.

MRO at AHIMA Convention & Exhibit

To meet MRO’s teams and network with HIM peers using our services, visit us at the upcoming AHIMA Convention & Exhibit in Miami, September 22-26. Review a list of MRO events in advance to learn more about where you can find us during the convention. Highlighting Monday’s agenda is the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?” where my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and I will join other experts in the field to discuss ROI challenges and best practices. We look forward to seeing you there!

Receive a copy of the full Journal of AHIMA article

Read More

Webinar Recap: Healthcare Regulatory Updates and Guidance

Healthcare Compliance

On Thursday, May 17, 2018 my colleague, Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services and I presented the second part of our four-part healthcare compliance webinar series. In this webinar titled “Healthcare Regulatory Updates and Guidance,” we covered some of the following key points:

Global Data Privacy Rule (GDPR)

The GDPR is current legislation that was proposed by the European Commission to strengthen and unify data protection for individuals in the European Union (EU). The goal of the regulation is to increase protection and enhance privacy rights on how data is collected and used regarding EU residents. This rule also applies to organizations outside the EU, such as the US, if it collects data.

Substance Abuse and Mental Health Services Administration (SAMHSA)

SAMHSA released an update in January 2017, which allows organizations to utilize an inclusive authorization whereby this sensitive information may be shared with an HIE or within an integrated delivery system which affords these patients with the same rights to high-quality care by allowing care givers to review necessary information. The update to the rule permits the disclosure or re-disclosure of this information as necessary to carry out lawful treatment, payment and operations. The required statement on this type of record now reads “Federal law 42 CFR Part 2 prohibits unauthorized disclosure of these records.”

Disclosures for Emergency Preparedness

Emergency preparedness and recovery planners are interested in the availability of information they need to serve people in the event of an emergency. The HIPAA Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.

Cybersecurity and Ransomware

Ransomware has forced health IT to get more aggressive towards increasing their security safeguards and protections against attacks through infected mails and websites. Attendees were reminded that the best ways to prepare and combat these attacks include:

  • Risk analyses and gap analyses
  • Ongoing end-user training
  • Appropriate and up to date patching
  • Utilization of advanced security protection tool

To learn more about this topic, sign up for our next webinar “Cybersecurity: Protecting your Healthcare Enterprise” on Wednesday, August 15, 2018 at 2pm Eastern.

Texting in Healthcare

Texting in healthcare can be a risk if not done so by meeting the technical safeguards of the HIPAA Security Rule. These safeguards include:

  • Access to PHI must be limited to authorized users who require the information to do their jobs
  • A system must be implemented to monitor the activity of authorized users when accessing PHI
  • Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN
  • Policies and procedures must be introduced to prevent the PHI from being inappropriately altered or destroyed
  • Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit

Future Outlook

Attendees also received insight on the changes and updates we may expect to see forthcoming in 2018. Some of these included:

  • Restitution back to victims who were harmed by a violation of HIPAA
  • Consideration to remove NPP signature forms
  • Good faith disclosures (related to Opioid crisis)
  • Potential changes in the requirement related to accounting of disclosures

Healthcare regulatory updates and government guidance are continuously evolving and can be difficult to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. For more information on these topics, fill out the form below to receive a copy of this webinar.

Receive a copy of the part 2 webinar recording and a PDF of the slides

Read More

Privacy Dashboards: A Powerful Tool for Compliant PHI Disclosure Management

Managing the release of Protected Health Information (PHI) is more complex than ever, due to evolving federal regulations, patient access rights, and pressure to manage and exchange health information electronically. With multiple departments releasing PHI, there are concerns and risks across the entire enterprise. For individuals whose primary tasks do not include PHI disclosure, privacy regulations are not foremost in their thoughts. Without ongoing education and process change, the potential for breach risk escalates. To mitigate risk, it is recommended that organizations centralize their Release of Information (ROI) and use privacy dashboards and data analytics technology.

Centralize Release of Information to Improve Privacy Compliance

Healthcare organizations should assign PHI disclosure and ROI tasks to a focused group of professionals who understand the regulations, receive ongoing education on changes, and realize the complexities of the process. This way, one department will have total control and responsibility of maintaining appropriate records of what information has been released, knowing where it’s going, and when to escalate notification issues. Managing information through one department will improve compliance and patient care.

Use Privacy Dashboards to Track Patterns and Trends

Every privacy incident yields valuable data to improve compliance. Privacy dashboards can be used as a powerful tool to show patterns and trends for smaller incidents — now being tracked by OCR — and for large events as well. Regardless of size, an organization’s ability to consistently identify and track trends is essential. You can find a list of all the features an effective compliance tool should provide in “Privacy dashboards: Tracking and reporting for compliant PHI disclosure management,” which appears in the May 2018 issue of HCCA’s Compliance Today.

The most important factors in compliance program management are constant awareness, communication, tracking and reporting through easy access to reliable and actionable data. Privacy dashboards help organizations determine root causes of incidents, so they can take the necessary actions to improve compliance.

Examples of corrective action include:

    • Revising compliance policies and procedures
    • Providing additional staff training on hospital policy and HIPAA regulations
    • Assessing and improving PHI disclosure management processes
    • Ensuring encryption of all devices used by staff

    As the volume of PHI requests continues to increase over time, so does the risk of breach. Using privacy analytics to identify compliance patterns and trends, improve operational processes, and resolve breach issues is increasingly important. Actionable compliance data has become a critical tool for healthcare organizations along the journey to value-based care.

    Learn more about privacy analytics by attending AHIMA’s Live Data Dive Webinar “Privacy Dashboards: What You Should be Tracking & Reporting” on May 9th at 9:30am Eastern. If you cannot make the live session, sign up for the playback webinar recording here.

Sign Up for Future Blog Posts

Read More

HIMSS18 Recap: Patient Data Takes Center Stage for Privacy Protection

HIMSS18

The 2018 Healthcare Information Management Systems Society’s (HIMSS) Health IT Conference (HIMSS18), hosted more than 43,000 attendees. Groups of healthcare industry professionals filled educational sessions and convention hall aisles on March 5—9 in Las Vegas. With over half of attendees representing provider, payer, and governmental agencies, HIMSS reaffirmed its position as the top event for everyone involved in the health information technology (HIT) industry.

As Vice President of Privacy, Compliance, and HIM Policy for MRO, my personal focus at HIMSS18 was on the need for greater patient data integrity and evolving data privacy. Below are a few main points and strategic tasks gleaned for fellow patient privacy professionals. I discuss these points more in detail in this article.

Break Down Barriers

Attendees this year intentionally focused on the need to make health information accessible and fully actionable. The importance of creating actionable data, versus simply sharing information, was a key point throughout HIMSS18.

Direct sharing of the Continuity of Care Document (CCD) was another strategic task presented to HIT professionals during HIMSS18. CCD includes the predefined data elements needed for continuing care in any setting. The underlying thought is that these data elements could be shared through direct messaging to the next caregiver and prepopulate the provider’s EHR for continuity of care. The same reasoning would hold that these data elements should be downloadable to the patient application of choice so the patient always has this information.

The bottom line for data access in healthcare: information silos must be eliminated.

Encourage Patient Ownership

Multiple sessions covered the importance of patient ownership of personal healthcare data. To effectively meet the goal of patient ownership, speakers reiterated the need for data segmentation. For example, patients can specify which data they want to be held privately—not the entire record, but granular information at the data element level.

The General Data Privacy Regulation (GDPR), the European move to segment data for special protections, was also covered in detail at HIMSS18. Patient privacy is now a global initiative. For more information on this topic, download a copy of MRO’s recent webinar on the topic.

Finally, information for quality reporting was a central topic, as quality reporting moves from an encounter-centric to a patient-centric approach. Both of these capabilities, data segmentation and whole patient reporting, must be supported as healthcare makes the transition to value-based purchasing.

Watch Threats, Ensure Compliance

Cloud computing vulnerabilities remain top of mind for all healthcare providers, payers, and governmental agencies. For Business Associates (BAs) using cloud computing, speakers emphasized the need to know where data resides and how it is controlled. These details should be in BA Agreements, along with specifications on how the confirmed BA meets security regulations.

Effective healthcare privacy compliance plans must manage policies and procedures, auditing, disciplinary guidelines, and corrective actions. Focus on your ability to detect, respond to, and recover from any privacy or security events through proactive risk plans and accountability to protect patient data.

People, processes, and technology are the golden keys for privacy and security compliance and breach prevention.

The biggest benefit of attending the 2018 HIMSS annual conference was gaining useful knowledge. Technology is rapidly advancing, and the conference is one of the best venues to observe the transformational impact of technology on the healthcare industry.

DOWNLOAD MRO’S EBOOK “PREVENTING A BREACH: TIPS AND BEST PRACTICES TO SAFEGUARD YOUR HEALTHCARE ORGANIZATION.”

Read More

Four Healthcare Compliance Webinars to Attend in 2018: Covering Privacy, Security and Information Governance

As we move into 2018, healthcare professionals should be up to date on the latest Privacy, Security and Information Governance trends. It is important to be aware of what’s on the horizon and how to prepare your organization for the future.

In MRO’s upcoming 2018 healthcare compliance webinar series, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I will co-present on the latest industry trends and discuss best practices for organizations to consider. There are four parts to this webinar series, and we are in process of having each session pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics, which Angela and I will go into more detail on in our webinar series. To register, click here.

Webinar Watch List: Privacy, Security and Information Governance

1) Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield
The Global Data Privacy Rule (GDPR) is compelling every organization to consider how it will respond to today’s security and compliance challenges. This may require significant changes to how your business gathers, uses and governs data if you serve individuals from the United Kingdom. Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements, such as mandatory record keeping, the right to be forgotten, and data portability.

March 22, 2018 – 2pm Eastern – Register Here.

2) Healthcare Regulatory Updates and Guidance
Healthcare regulatory updates and government guidance are continuously evolving and can be hard to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. When we hold this webinar, the session will review the regulatory updates and guidance that must be implemented to achieve regulatory compliance.

May 17, 2018 – 2pm Eastern – Register Here.

3) Cybersecurity: Protecting your Healthcare Enterprise
Although cyber attackers constantly create new versions of malicious software and search for new vulnerabilities to exploit, healthcare organizations must continue to be vigilant in their efforts to combat cyber extortion. This webinar will share lessons learned and actions for consideration to remain diligent and ready for potential threats.

August 15, 2018 – 2pm Eastern – Register Here.

4) 2019 Healthcare Privacy and Security Compliance Predictions
This session will briefly summarize the prior sessions in MRO’s four-part webinar series on healthcare privacy and security compliance, including lessons learned in 2018— and then shift focus to 2019. We will do our best, utilizing our crystal ball, to predict focus areas for 2019.

November 7, 2018 – 2pm Eastern – Register Here.

Health Information Professionals Week

MRO will launch our healthcare compliance webinar series, which covers these topics, on March 22, 2018, during Health Information Professionals (HIP) Week. HIP Week will coincide with AHIMA’s Advocacy Summit and Hill Day, events where AHIMA members receive education specific to advocacy and visit Capitol Hill to share the importance of advancing HIM. Privacy, security and Information Governance continue to be key issues for HIM professionals. AHIMA has stated it will continue to provide guidance to the healthcare industry and government leaders seeking expertise and counsel, and MRO looks forward to continuing in our efforts to educate and support the HIM profession, as well.

Register today for our first webinar, on the topic of Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield.

Sign Up for Future Blog Posts

Read More

Health Information Management: A Look at 2017 and Predictions for 2018

Predictions for 2018

As we enter 2018, health information management (HIM) and compliance professionals have the opportunity to reflect on healthcare privacy and security in 2017, look at lessons learned, and make predictions as to what’s next.

In 2017, there were many natural disasters that took center stage and continue to play a role in healthcare— for example, disaster waivers. We also saw the defunding of ONC’s Chief Privacy Officer position. In addition to that, data security and breach notification issues grabbed headlines. I go more into detail on these items and offer predictions for 2018 in an InterviewNow podcast, which you can listen to here.

Health Information Management Best Practices

During 2017, data security and breach notification issues grabbed the headlines, and the Office for Civil Rights (OCR) was one of the most active regulators. Health Information Management (HIM) leaders can learn lessons from last year’s enforcement actions and apply the following best practices in 2018:

1) Know Where Your Risks Are
Knowing that cyber risk security issues are still out there, your organization needs to be aware of them, so you are able to respond and prepare for those types of attacks. Your organization should make sure to spend enough on cyber security, so that your IT department is better able to respond and act on attacks.

2) Educate and Train Employees
For a good percentage of these security and breach notification issues, there is a human factor involved. Knowledge is power. Training and educating your employees should be part of your organization’s due diligence. Employees need to know what they can and cannot click on and they also need to understand the type of phishing episodes that can occur. Another reason why this is important is because now at many organizations, employees bring their own devices into work. The due diligence with this has grown because with more and more things getting connected, the bigger the risk is for a breach.

3) Update System Patches
Validate that your IT team is current with software updates and patches to assure the latest security enhancements are applied to protect the data.

4) Look at Policies and Procedures
Make sure your organization has up to date policies and procedures. It is important to do internal auditing to make sure your employees understand and follow these policies and procedures. If you come across weaknesses during your internal auditing, be sure to address them as well.

OCR Wall of Shame Facelift, Intelligent Apps and Analytics

Now, more than ever, is the time to get your breach prevention and compliance measures in order, because the OCR wall of shame may get a facelift in 2018. The facelift could allow you to link over and see who also is involved from a Business Associate standpoint. I personally think the facelift could help people with their due diligence and reviews.

More things to look at in 2018 include intelligent apps and analytics. With all the new and advanced devices today, personal health information is much easier to track now. Once that tracked information becomes shared, it could become part of your doctor’s diagnostic tool kit. I think the availability of health data, if used correctly, could help the world become a better place.

To learn more about 2018 watch list items, including General Data Protection Regulation (GDPR), Internet of Things (IoT), research and de-identification, litigation, OCR updates and cyber-security, be sure to look for details about an upcoming webinar series, hosted by MRO, which will cover those items.

To sign up for future blog posts, complete the form below.

Sign Up for Future Blog Posts

Read More