Millions of payer requests for medical records are sent to hospital business offices every day. Business office staff are often tasked with gathering and releasing Protected Health Information (PHI) to payers in a very short amount of time to get claims paid. During this rush to meet payer deadlines and expedite claims, human mistakes can be made. Critical steps of the Release of Information (ROI) process may be skipped or accidentally omitted. This increases PHI breach risk.

To ensure business office disclosures are kept safe and secure, organizations should train their staff on disclosure management using the same information, curriculum and courses presented to Health Information Management (HIM) teams. Below is a video where I discuss MRO’s unique approach for training and educating employees, as well as five PHI disclosure management topics to train your business office staff on.

PHI Disclosure Management Training/Education at MRO Corp.

Five PHI Disclosure Management Topics to Train Your Business Office Employees On

1) ROI and HIPAA Basics

Ensure employees understand the definition of HIPAA (Health Insurance Portability and Accountability Act), the privacy rule, ARRA HITECH Omnibus, PHI and differences between federal versus state law. This distinction is especially important for business offices that process requests for care locations across different states.

Another important topic to cover is the Health and Human Services (HHS) minimum necessary guidance under the HIPAA privacy rule. This guidance helps organizations determine what information can be used, disclosed or requested by payers for a specific purpose. Business office staff need to know which parts of the record to send to the payer. By training business office staff to fully understand and apply the minimum necessary guidance, organizations tighten privacy and mitigate breach risk.

2) Medical Record Components

Make sure to define the various components of the medical record to business office staff. These components include: common documents, various types of encounters, properly documented corrections and amendments.

3) Confidentiality and Legal Issues

Outline the legal health record concept and what it includes for your organization. Additionally, all the various confidentiality and legal issues should be explained in full detail.

4) Types of Requests

List all the various types of requests that might be received in the business office. For each category, differentiate which are part of Treatment, Payment and Healthcare operations (TPO) and which are not. Those that fall outside of TPO require a patient authorization and should be forwarded to HIM for processing. For a list of types of requests to discuss, read this article.

5) Sensitive Records and Special Situations

Identify and describe specific PHI disclosure management practices related to sensitive records. These cases can include information on genetics, HIV/AIDS, STDs, mental/behavioral health, substance abuse, deceased patients, minors and other sensitive issues. Federal and state legal issues may be involved with these and business office employees should be aware of them.

If you’re concerned about the ability of business office or other staff to properly and securely process requests, a centralized ROI model may be your organization’s safest approach.

To sign up for future blog posts, complete the form below.