
Recent Guidance on Contacting COVID-19 Patients for Blood Donations

The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently issued guidance on how providers can contact former COVID-19 patients regarding opportunities for blood and plasma donations. Though healthcare providers can use Protected Health Information (PHI) to identify and contact previous patients, specific guidelines should be followed.

What the guidance outlines

Contacting previous COVID-19 patients to notify them of opportunities for donating blood and plasma is allowed in order to assist healthcare providers in collecting antibodies for treatment of other patients with COVID-19. The use of PHI for this purpose is permitted as a population-based healthcare operations activity, as outlined in the HIPAA Privacy Rule for HIPAA covered entities and their business associates. Furthermore, facilitating the supply of donated blood and plasma is expected to improve the provider’s ability to conduct case management for patients who have been infected with COVID-19.

However, safeguards remain in place when contacting previous COVID-19 patients. The provider can contact its previous patients for this purpose, without authorization, to the extent that the activity is not considered marketing. As defined by HHS, marketing is a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service. However, under one exception, a covered healthcare provider is permitted to make such a communication for the population-based case management and related healthcare operations activities, provided there is no payment associated with the activities.

Additionally, providers are not permitted to share PHI with third parties. For example, a provider cannot release a patient’s PHI to a blood and plasma donation center so that the center can contact the patient for its own purposes, such as collecting the blood and plasma for a profit. For such a transaction to occur, the provider must receive the patient’s authorization prior to making the disclosure of PHI.

For more information, the complete guidance can be found here.


MRO’s Special Webinar Series: Information Blocking

MRO’s four-part special webinar series regarding the Interoperability Rule will teach attendees how this rule helps healthcare data and systems become more standardized, so that data can be exchanged seamlessly. Even if you and your organization are already making strides toward achieving interoperability at your facility, you can benefit by continually learning more. The Interoperability Rule, which consists of over 1,200 pages, probably seems daunting. Therefore, we created these expert-led sessions to break down the rule for you, since the rule has major compliance implications that your organization needs to prepare for.

Highlighted below are the four sessions included in our webinar series.

Information Blocking and the Interoperability Rule

Information Blocking: Setting the Stage – Lauren Riplinger, AHIMA

The first session of the Information Blocking webinar series, presented by an AHIMA staff member, provides an introduction by setting the stage for the other sessions. Attendees will learn the history of information blocking as well as the legislative background of the 21st Century Cures Act. They will also take a deep dive into the intended goals of the rule, and how the ONC got to the current state we are in.

Information Blocking and Interoperability: Decoding API Elements, Incompatibilities, and the Role of HIM in Technical Developments – Jeff Smith, AMIA and Diana Warner, MRO

The second session of the Information Blocking webinar series breaks down the technical developments and considerations from the ruling. Jeff Smith from AMIA will highlight the informatics and the technical compatibility requirements, as well as delve deeper into the technical aspects of the ruling and what it means for supporting CIOs and their teams. Specializing in information governance, Diana Warner from MRO will then guide attendees through the special considerations for HIM teams.

Information Blocking and HIPAA: Road to Compliance – Rita Bowen, MRO and Angela Rose, MRO

The third session of the Information Blocking webinar series, presented by two of MRO’s industry experts, analyzes the rule with a focus on HIPAA. Attendees will be immersed in a discussion around critical aspects of the rule and explore ways to operationalize its requirements to achieve compliance. Furthermore, they will take away tips and strategies to share with their organizations to guide planning efforts for success.

Information Blocking: Looking Ahead – All Webinar Presenters

The fourth and final session of the Information Blocking webinar series features a roundtable panel discussion from all the previous presenters. This session will briefly summarize what attendees learned during the first three sessions, as well as discuss what comes next. Attendees will learn practical enforcement mechanisms, OIG timing and enforcements, and possible penalties. The expert panel will also provide answers to the most frequently asked questions from the entire series.

Please join us for the first webinar, presented by Lauren Riplinger, JD, from AHIMA, Information Blocking: Setting the Stage, on June 11, 2020 at 2 pm ET.


Maintaining Compliance and Privacy Amid COVID-19

In these unprecedented times, there is much talk of the novel coronavirus (COVID-19) as it relates to HIPAA and the privacy of patient information. The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently provided a statement to ensure all parties are aware of how patient information can be shared during an infectious disease outbreak. The purpose of the statement was to remind business associates and other entities covered by HIPAA that the Privacy Rule is not set aside during an emergency.

What this means for caregivers

Anyone who has been recognized by the patient will be allowed to continue receiving patient information. Additionally, HIPAA-covered entities are permitted to share the information in order to identify or locate a patient, and to notify the family members, guardians, or other caregivers of the patient’s general health condition or death. Furthermore, the information can be disclosed to law enforcement, the press or the public at large if necessary, to identify or locate the patient.

In any of the above cases, verbal permission from the patient should be obtained prior to the disclosure of information. However, the HIPAA minimum necessary standard does apply. This means that healthcare providers should make a reasonable effort to ensure any disclosed PHI is protected and restricted to the minimum necessary information, and only used to achieve the intended purpose.

What this means for business associates

While caregivers involved may share information as needed for public health purposes, business associates may not release the information without express authorization. If there is a legitimate need for public health authorities, or others responsible for ensuring public health and safety, to access protected health information required to carry out their public health mission, then and only then may the covered entity release the information. For example, should a facility ask that a business associate, such as MRO, release information verbally, the business associate is required to obtain a waiver of protection to do so. This is because the rule specifically indicates that business associates are to continue with the use of the protected information as outlined in the business associate agreement.

To learn more, and read the entire HHS release, click here.


PHI Disclosure Management Webinar Recap: Attorney Misuse of Patient-Directed Record Requests and How to Cope

On December 11, 2019, I joined my colleague Danielle Wesley, Esq., Vice President and General Counsel, to present the fourth and final installment of MRO’s PHI Disclosure Management Webinar Series. In this webinar titled “Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope,” we reviewed trends and national efforts underway, discussed how the health system is impacted and formulated tactics to combat the confusion.

Patient-Directed Request Trends

The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding more clarification for healthcare provider organizations, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in mounting challenges for healthcare providers. Recently, we have begun to see the following trends:

  • Attorneys and other third parties have increased the number of “patient-directed” requests and are using the records for their own for-profit activities—such as litigation or data sharing/selling.
  • Such requests demand that records be sent directly to the third party but be billed at the patient rate under the HITECH Act.
  • Use of the phrase “any and all” has led to a rise in page count per request. This phrase is used as an attempt to receive all PHI regarding a patient, not just the specific encounters or visits that are relevant to the litigation.
  • An increase in the submission of meritless complaints to release of information companies such as MRO, their clients, and the OCR has resulted in more time and effort to respond to baseless complaints, which ultimately generates greater operational costs.

These trends are concerning for release of information companies and their clients because attorneys and record retrieval companies are able to obtain large volumes of essentially unrestricted, unregulated PHI at lower fees by using generic, template forms. Furthermore, patients are unaware of the risks associated with the documents they are signing and are not actually providing “informed consent.” Such risks include:

  • No acknowledgement of HIPAA rights
  • No expiration date, allowing third parties to copy and use the “patient-directed” request letter indefinitely
  • No restriction on sensitive information regarding HIV, sexually transmitted diseases, psychotherapy notes, substance abuse and more

Health System Impacts

As the misuse of patient-directed requests grows, so does the impact across health system departments. Not only does this issue directly affect the Health Information Management (HIM) department, it also affects the Compliance and Legal/Risk Management departments.

HIM departments must mitigate patient privacy risks while managing an increase in volume, workload, costs and staffing.

Compliance departments are concerned about OCR incrimination, which results in knee-jerk responses versus well-informed actions. There is also a lack of time and resources to appropriately push back on meritless attorney complaints and threats.

Legal and Risk Management departments face OCR complaints and outside attorney pressure, and lack understanding of the steps and costs required to fulfill requests for medical records. For all parties involved, proper training is needed to mitigate risk and take appropriate action in response to attorney requests and patient-directed requests.

PHI Disclosure Management: Recommendations for Organizations

All health systems and organizations should have a plan in place to combat attorney misuse of patient-directed requests. Here are four simple, yet effective tactics:

  • Provide HIPAA training and education throughout your organization, particularly focused on patient access and patient privacy. Include departments such as HIM, Legal, Compliance, Risk Management, Finance, etc.
  • Recognize this as a long-term problem that cannot be resolved effectively by short-term solutions. Consistency is essential. Begin by understanding your responsibilities set forth in your organization’s HIPAA-compliant Notice of Privacy Practices.
  • Don’t be afraid to push back. Engage with the OCR whenever possible since it is critical that they hear from your organization directly. MRO’s most successful clients have taken a strong stance for their patients and against third parties misusing patient access.
  • Contact your representatives and senators to share your concerns regarding misuse and abuse of patient-directed requests from attorneys, record retrieval companies and other third parties. Specifically, contact members of the Health, Education, Labor and Pensions (HELP) Committee.

Continuing Education for the Misuse of Patient-Directed Requests

As we begin the New Year, Danielle and I will continue to educate our client base by hosting webinars, publishing additional content and visiting Capitol Hill alongside other industry experts. Stay connected and view the latest updates by following us on our social media platforms.

To learn more about the misuse of patient-directed record requests, fill out the form below to receive a copy of this webinar.

 


12 Criteria to Assess and Mitigate BA Management Risk

Anthony Murray and Rita Bowen explain it is crucial that healthcare organizations be detail-oriented and methodical in assessing their business associates. Furthermore, they urge organizations to conduct an assessment of the vendor’s compliance with HIPAA regulations, the integrity of the vendor’s data and its breach prevention practices. They believe it is essential that the vendor meets the 12 requirements outlined in this article.


Eight ROI Missteps to Avoid

In a For The Record magazine article, MRO’s Danielle Wesley, Esq. and Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB are quoted on how to avoid a misstep when it comes to distinguishing between patient and third-party requests. They discuss the problems with current OCR guidance, as well as strategies that can be used to help combat this issue.


Webinar Recap – Enterprise-Wide Disclosure Management: Closing the Compliance Gaps

On June 27, 2019, MRO presented a webinar as part of our Protected Health Information (PHI) disclosure management educational series. In this presentation titled “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” we covered best practices for standardizing PHI disclosure management policies and procedures, ensuring consistent policy enforcement, and minimizing privacy breaches.

The webinar content can be used as a guide for Health Information Management (HIM), privacy and compliance professionals to ensure the highest levels of compliance and prevent breach when disclosing PHI.

PHI Disclosure Management: Risky Business

MRO’s research shows there can be as many as 40 disclosure points across a health system. Most of these disclosure points tend to be managed outside the HIM department by individuals not trained in Release of Information (ROI). This trend of expanding disclosure points is one of the key factors driving breach risk in the ROI process.

Another risk factor involves gaps in the Quality Assurance (QA) around PHI disclosure. Research shows that approximately 30 percent of all ROI authorizations are initially invalid, and up to 10 percent of those invalid authorizations are processed with errors if ROI workflows lack redundant QA checks. Moreover, some 5 percent of patient data in electronic medical records (EMRs) have integrity issues, including comingled patient records. Without proper QA measures in place, about 0.4 percent of records released will contain mixed patient data, which means an organization releasing 100,000 requests annually could potentially release 400 comingled records. With that comes substantial risk to a healthcare organization.

Enterprise-Wide Disclosure Management: Closing the Compliance Gaps

As described in the webinar, MRO recommends deploying an enterprise-wide strategy for PHI disclosure management to standardize policies and procedures, as well as technologies, across a health system. Having a streamlined ROI workflow as part of that strategy helps eliminate inefficiencies, distractions and errors.

Additionally, redundant QA checks are vital for disclosure accuracy. Providing a “second set of eyes” on all authorizations and PHI before release helps reduce improper disclosures. These quality checks should come from a combination of trained ROI specialists and record integrity technology, such as MRO’s IdentiScan®, that uses optical character recognition to locate and correct comingled records. This combination of people and technology drives improved accuracy and minimizes breach risk.

Breach Prevention: Best Practices for PHI Disclosure Management

The webinar includes eight best practices for minimizing breach in the Release of Information process. Here are six of those practices.

  1. Implement Multiple QA Checks on Requests. It is important to ensure the ROI authorization is legitimate. In reviewing authorizations, certain required information is often missing. A Quality Assurance check that involves multiple people helps to avoid a single point of failure. This double-check process ensures a complete review of that control area.
  2. Sync Your ROI Platform to the MPI. It’s imperative to sync your ROI platform to your MPI to avoid manual information entry. This minimizes the possibility of making a mistake when entering information into your ROI platform. MRO offers a tool called MROeLink® that provides this type of integration.
  3. Send Notifications to Requesters. Sending initial notifications of receipt to requesters confirms that requests have been received and indicates who is processing them on your organization’s behalf. If a patient-directed request is obtained, you should notify the patient to let them know a patient-directed request has been received in case they did not direct the request.
  4. Ensure Shipping Integrity. Establish a QA process for shipping copies of medical records, such as a barcoding system that assists distribution center reps in ensuring the right content goes in the correct envelope.
  5. Leverage Secured Delivery. When possible, leverage secure, electronic delivery, including portals and direct interfaces with government agencies such as SSA and CMS.
  6. Hire, Train and Retain Exceptional People. It is essential to hire, train and retain exceptional people who will be touching PHI. These people must be properly trained and knowledgeable about the information they are handling, and understand the penalties involved. People working in the ROI industry must be highly trained and educated.

To get details on all our suggested best practices for breach prevention—and more information on compliant PHI disclosure management—request the playback of the presentation using the form below.
