Last week’s news that the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) is launching Phase 2 of its HIPAA audit program likely grabbed the attention of compliance professionals across the country. I anticipate that due to this new round of audits, and the large number of Protected Health Information (PHI) breaches last year, major topics of discussion at the upcoming HCCA Compliance Institute will concern best practices around identifying and mitigating risks associated with PHI disclosure.
One area of focus should be centralizing and standardizing PHI disclosure management. While large breaches affecting 500 or more patients made headlines last year, small breaches of fewer than 500 patients happened far more often. Of all the PHI breach incidents reported to OCR since 2009, more than 180,000 were small breaches, compared with only about 1,400 large ones. Small breaches carry the same civil penalty exposure as large ones: OCR can assess as much as $50,000 per violation, with an annual cap of $1.5 million for repeated violations of the same provision.
In September, the HHS Office of Inspector General criticized OCR for not putting enough emphasis on investigating small breaches. OCR Director Jocelyn Samuels has stated that the office is working to implement the Inspector General's recommendations.
Smaller breaches can be caused by intentional employee snooping, by a lack of compliant, standardized policies and procedures, or simply by human error, such as overlooking commingled records (another patient's pages mixed into the chart being released) in a disclosure. By taking an enterprise-wide approach to PHI disclosure management, and supporting it with training and technology, healthcare organizations can strengthen HIPAA compliance across their health system and reduce breach risk.
Enterprise-wide standardized policies and procedures essential
With the growth of EMRs, as many as 40 distinct PHI disclosure points have been identified within a single organization. At the same time, health systems acquiring physician practices and specialty centers add to those disclosure points, bringing with them additional risks and liabilities.
Protecting PHI across these growing enterprises requires disclosure policies and procedures that are consistent across the organization, particularly when bringing in physician practices with different EMRs and differing levels of overall compliance.
Adding to the complexity, PHI disclosure regulations vary between the federal and state levels, and the organization may impose its own stricter rules for releasing information. It is also important to get the right information into the hands of the requester in a compliant and timely manner. Consistently enforced, standardized policies and procedures can address all of these concerns, but proper training and technology are essential to making them work.
People and technology for optimal PHI disclosure compliance
Training staff to follow the organization's PHI disclosure policies and procedures, which should incorporate HIPAA and all relevant state regulations, is the foundation for achieving and maintaining compliance. Significant resolution agreement fines are often levied against organizations that have ignored HIPAA's requirements for documented policies, procedures and programs to mitigate breach risk.
Training should use current content and a mixture of formats, such as videos, interactive modules and testing, to confirm that the material has actually been learned. This education should be delivered again whenever policies or regulations change and whenever new information technology is implemented.
Technology supports compliance by reducing the risk of human error. For example, a procedure may require that every page of every disclosure be checked by eye, and some assume that such a review is 100 percent accurate. In practice, it is not: a manual page-by-page review cannot reliably catch every misfiled page.
At MRO, our IdentiScan® solution uses optical character recognition technology to assist our record integrity specialists in identifying and correcting commingled patient records before the PHI is disclosed. This compliance step supports our 99.99 percent accuracy rate in getting the right records to the right requesters in our Release of Information (ROI) workflow. A purely manual review of the same material would be far more time-consuming and would greatly reduce productivity.
We're excited to showcase IdentiScan at the upcoming HCCA event, where we'll demonstrate use cases for checking for commingled records outside of the ROI workflow. Key integration points include admission and discharge; the point at which generated paper is scanned into patient charts; and the import of records into the EMR from legacy systems.
Staying compliant
Compliance professionals need to understand their PHI disclosure management processes now more than ever because PHI breaches can be financially costly and damaging to reputations.
By implementing compliant, standardized disclosure policies and procedures across the enterprise, organizations can reduce their risk. By training rigorously, deploying technology that supports HIM teams in releasing information, and keeping regulatory experts on staff to answer questions in real time, organizations can not only reduce risk but also improve client service.