It’s hard to believe that only two decades ago there were not significant penalties for improperly disclosing Protected Health Information (PHI), especially when regulations and oversight seem to become more stringent by the day.

Since the HIPAA breach notification requirement was instituted in 2009, there have been 1,185 breaches of more than 500 records each reported, compromising more than 133 million patient records. Hospitals are subject to penalties of up to $1.5 million per incident per calendar year, and criminal penalties include fines and up to 10 years in prison. There are currently pending judgments of $3-4 billion each in two class action lawsuits, and these figures don’t include the damage to a hospital’s reputation.

The migration to electronic medical records (EMR) systems may improve patient care, but it also makes it more difficult for hospitals to control access and manage patient privacy. According to MRO’s research, hospitals may have more than 40 PHI disclosure points through various departments such as billing, lab and radiology as well as hospital-owned clinics and physician practices.

With that many access points – which do not include HIEs, patient portals and other interfaces – the question becomes whether every employee at each of these disclosure points has been properly trained on PHI access and disclosure guidelines.

Centralization of the Release of Information (ROI) function places the responsibility of disclosing PHI into the hands of highly-trained professionals and offers better control, higher quality and cost savings. Using a single, enterprise-wide system that is overseen by a single department helps organizations standardize processes and enforce policies across the entire healthcare enterprise.

This model allows software and services to be deployed as a common platform, and all departments receive secure technology, comprehensive workflow and quality assurance checks. Best practices place the responsibility for the function with Health Information Management (HIM), which typically has subject matter expertise on health information governance, privacy and PHI disclosure management.

Hospitals that take an enterprise approach through their HIM department find they are able to better manage ROI processes, achieve compliance and reduce liability and financial risk.

Ready to learn more? View MRO’s case study on East Jefferson General Hospital, where HIM leadership standardized PHI disclosure management processes and policies across various hospital departments and 23 physician practices.