The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently issued guidance on how providers can contact former COVID-19 patients regarding opportunities for blood and plasma donations. Though healthcare providers can use Protected Health Information (PHI) to identify and contact previous patients, specific guidelines should be followed.

What the guidance outlines

Contacting previous COVID-19 patients to notify them of opportunities for donating blood and plasma is allowed in order to assist healthcare providers in collecting antibodies for treatment of other patients with COVID-19. The use of PHI for this purpose is permitted as a population-based healthcare operations activity, as outlined in the HIPAA Privacy Rule for HIPAA covered entities and their business associates. Furthermore, facilitating the supply of donated blood and plasma is expected to improve the provider’s ability to conduct case management for patients who have been infected with COVID-19.

However, safeguards remain in place when contacting previous COVID-19 patients. The provider can contact its previous patients for this purpose, without authorization, to the extent that the activity is not considered marketing. As defined by HHS, marketing is a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service. However, under one exception, a covered healthcare provider is permitted to make such a communication for the population-based case management and related healthcare operations activities, provided there is no payment associated with the activities.

Additionally, providers are not permitted to share PHI with third parties. For example, a provider cannot release a patient’s PHI to a blood and plasma donation center so that the center can contact the patient for its own purposes, such as collecting the blood and plasma for a profit. For such a transaction to occur, the provider must receive the patient’s authorization prior to making the disclosure of PHI.

For more information, the complete guidance can be found here.

In these unprecedented times, there is much talk of the novel coronavirus (COVID-19) as it relates to HIPAA and the privacy of patient information. The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently provided a statement to ensure all parties are aware of how patient information can be shared during an infectious disease outbreak. The purpose of the statement was to remind business associates and other entities covered by HIPAA that the Privacy Rule is not set aside during an emergency.

What this means for caregivers

Anyone who has been recognized by the patient will be allowed to continue receiving patient information. Additionally, HIPAA-covered entities are permitted to share the information in order to identify or locate a patient, and to notify the family members, guardians, or other caregivers of the patient’s general health condition or death. Furthermore, the information can be disclosed to law enforcement, the press or the public at large if necessary, to identify or locate the patient.

In any of the above cases, verbal permission from the patient should be obtained prior to the disclosure of information. However, the HIPAA minimum necessary standard does apply. This means that healthcare providers should make a reasonable effort to ensure any disclosed PHI is protected and restricted to the minimum necessary information, and only used to achieve the intended purpose.

What this means for business associates

While caregivers involved may share information as needed for public health purposes, business associates may not release the information without express authorization. If there is a legitimate need for public health authorities, or others responsible for ensuring public health and safety, to access protected health information required to carry out their public health mission, then and only then may the covered entity release the information. For example, should a facility ask that a business associate, such as MRO, release information verbally, the business associate is required to obtain a waiver of protection to do so. This is because the rule specifically indicates that business associates are to continue with the use of the protected information as outlined in the business associate agreement.

To learn more, and read the entire HHS release, click here.

MRO and I are proud to announce our 2020 webinar series. I would like to invite you to join me and my colleagues to review, analyze and discuss the hottest topics impacting Protected Health Information (PHI) today.

This year’s webinar series focuses on best practices related to industry trends and challenges, leadership development and regulatory changes that affect the secure and compliant exchange of PHI. The sessions address the needs of Health Information Management (HIM), privacy, compliance, risk management, security and other healthcare professionals seeking up-to-date information. Don’t miss the opportunity to learn from seasoned industry experts!

Highlighted below are the four sessions included in our webinar series.

The Right ROI Solution, Information Blocking, Workforce Training, and Privacy and Security Trends

Release of Information: Industry Changes and the Road to the Right Solution

This presentation explores results from a nationwide survey of senior HIM professionals about the ROI challenges, priorities and strategies at the forefront of today’s healthcare ecosystem. The survey was commissioned and published by MRO and conducted by Porter Research. I will guide attendees through a discussion regarding the right time to consider a new strategy and ROI partner, the meaning of transparency in partnership, key criteria for success and more.

Information Blocking Rule: The Impact to HIM

The Information Blocking Rule encourages the flow of information for patient-enhanced management of their own healthcare through the use of health information. As a result, we expect to see increased patient-directed flow of their health information to APIs and other support management tools. MRO’s privacy and compliance expert, Rita Bowen, and MRO’s legal expert, Danielle Wesley, Esq., will discuss how this rule appears to conflict with areas of HIPAA and what that means for HIM departments.

HIM Workforce Training: Developing Tomorrow’s Leaders

The evolving HIM landscape demands new skillsets and expertise for the workforce. MRO’s motivation and development expert, Mariela Twiggs, will provide best practices for training and retaining your employees. Attendees will take away valuable knowledge to develop their staff into tomorrow’s leaders.

Watch List: 2021 Privacy and Security Trends

This presentation recaps 2020 privacy and security trends affecting the HIM industry. The session also focuses on the outlook for HIM in 2021 and how to prepare for the future. MRO’s privacy and compliance expert, Rita Bowen, and MRO’s IT expert and CIO, Anthony Murray, will review watch list resources and provide related links. This timely information is most valuable to HIM directors, compliance and privacy officers, security officers, chief information officers and chief financial officers.

I will present our first webinar, Release of Information: Industry Changes and the Road to the Right Solution, on April 15, 2020 at 2 pm ET. Register today!

I have a fabulous job title: Senior Director of Motivation and Development. When I meet people, they often comment on my title, saying it’s intriguing and then ask what I do. The development aspect of my job at MRO Corp. includes managing all the training content—creating engaging lessons within our learning management system for our large, diverse workforce. But the truly heartwarming and rewarding part of my job is the motivation aspect. It is my responsibility to manage a program that inspires our workforce. I often joke that I get to play MROprah!

Creating Everyday Heroes

The biggest piece of our motivation plan is a program called Everyday Heroes, which celebrates team members who go above and beyond in their job performance. On a bimonthly basis, we produce an Everyday Heroes Newsletter that tells stories about how the actions of a team member touched someone’s life. The stories come from a variety of sources, but each one is about an MRO customer who received outstanding service and took the time to email an employee’s manager. Sometimes these happy customers send a gift of appreciation or call MRO to say they had a wonderful customer service experience. By far, most of these satisfied customers are patients whose lives have been touched.

Additionally, there are customers such as attorneys, insurance company representatives and our clients who write lovely letters to sing someone’s praises. Sometimes a staff member is asked to tell a noteworthy story about their own MRO coworker. Further, the newsletter features a section called “My Manager Cares” where an employee nominates a manager for excellent leadership and an inspirational skillset.

I recently shared with my daughter that one of my career accomplishments I’m most proud of is being able to touch one person’s heart. This is a privilege I treasure. As the Everyday Heroes program begins its fourth year this January, our CEO asked me how we find all the stories. I explained that inspiration is contagious, so team members and managers continue to send me great material.

I like to say, “We don’t just disclose health information, sometimes we save lives.”

Celebrating Great Customer Service at MRO Corp

Many ROI specialists who handle patient walk-in requests often say the most enjoyable part of their job is making a difference in a patient’s life. Our program celebrates these moments and gives people recognition for great customer service. When acknowledged as an Everyday Hero, honorees receive a gift box with a gift card, an MRO Hero frame containing their story, a candygram and a chance to enter a drawing for a big cash prize. Historically, we’ve had around 60 team members per year receive this honor. At the end of each year, we randomly draw three Everyday Heroes and one “My Manager Cares” for the big cash prize.

How We Make a Difference

As I reflect on all the newsletters I’ve written over the years, some memorable stories come to mind. In one case, a patient was in the middle of surgery when a report from an old chart was needed. Our staff member made the request a top priority and walked the report to the surgery area.

In another case, a husband came in to obtain his wife’s report, explaining that she was in the car because she had difficulty walking. To make things easier, our staff member walked to the requester’s car to obtain the patient’s signature on the authorization form.

Another story that comes to mind featured a manager who stayed at work in the Distribution Center during a blizzard because many employees were unable to get to work. It’s so great to hear, “I have been working for many years with many bosses, but I have never had a manager make a difference in my life the way my MRO Manager has done.” Heartwarming, inspirational, making a difference. We care!

Here are some photos of gifts that have been received by staff members:

To stay updated on our heartwarming and inspirational “Everyday Heroes” sign up to receive MRO’s newsletters. 

During the week of November 11, 2019, I visited Capitol Hill with colleagues from the Association of Health Information Outsourcing Services (AHIOS) to address concerns regarding patient access to medical records. As many HIM professionals are aware, in February 2016 the Office for Civil Rights (OCR) released guidance on patient access to health information that is being misused by third parties. During our time on Capitol Hill, we met with staffers from the offices of senators and state representatives of both parties to voice our opinions.

Protected Health Information: Help Make a Difference in Patient-Directed Requests

While this trip to Washington, D.C. was very successful, we will continue to make many trips in 2020 to voice our concerns to policymakers. One critical takeaway is that constituents (both hospitals and patients) need to reach out statewide to the people who can make a difference with regard to this issue. Constituents need to contact their senators and state representatives to express the struggles and hardships related to patient access in their respective states, growing privacy concerns, and in the case of hospitals, cost shifts back to your facility.

If a constituent’s state has a U.S. senator serving on the Health, Education, Labor and Pensions (HELP) Committee, then they should especially reach out to share their patient access concerns. MRO’s legal, privacy and compliance teams are available to all clients to assist in identifying HELP committee members, as well as other key senators and state representatives in their respective states.

Learn More About Protected Health Information

MRO is currently working alongside industry experts to make a difference on Capitol Hill.

To learn more about our visit and our 2020 initiatives, join me and my colleague, Rita Bowen, for our upcoming webinar by registering below.

National Cybersecurity Awareness Month, initiated by the National Cybersecurity Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance, is observed in October. The purpose is to raise awareness about the importance of cybersecurity, which is essential to the business operations of MRO. As our company’s information systems security officer, I saw an opportunity to review some important cybersecurity points to protect your online presence this month and beyond.

IT Security Basics for Breach Prevention

Though sophisticated measures are an important part of an effective cybersecurity plan, it is essential to always remember the basics:

• Use passwords – Not only should you have one, you should create one that includes numbers, symbols, and upper- and lower-case letters. And never use your name, birthday or an existing password. Use different passwords across systems, so that if a hacker accesses one system, they cannot easily access all the others. Finally, never share your password. Just because you trust someone does not mean they will protect your password.
• Lock your device – When you are away from your device, lock it to prevent people from viewing sensitive information or using the device. This goes for computers, mobile devices, tablets, etc. Set your device to lock automatically after a certain period of inactivity for stronger data breach prevention.
• Use a secure WIFI connection – Connections at hotels, coffee shops, airports and other public places are not secure. Even if a password is required to use the WIFI at a trusted business or location, those connections are by no means secure and are vulnerable to hacking.

Phishing

In a phishing attack, cyber criminals use an email to lure you into giving them more information. These emails usually look real and are excellently designed to trick you. They will try to collect financial information, login credentials or other sensitive data. Sometimes these criminals use malicious web links, attachments or fraudulent data-entry forms to install harmful software called malware on your device. Falling for a phishing attempt can have serious long-term impacts on your work and home life. Many companies have had billions of confidential personal data leaked, and many people have had their bank accounts cleared out, all due to successful phishing by cyber criminals.

How can you protect yourself against phishing? Follow these simple, but effective steps:

• Think before you click – Does it sound too good to be true? Do you know the sender? Does it have any links or attachments? Does it ask for money, credentials or any other sensitive information that you would not give to a stranger?
• Verify attachments and links before you open them – Hover over the link to see where it is taking you. Do you know that site? Visit the site on your web browser (NOT by clicking the link, but by doing a quick search), and then call the number on the site to inquire about the email message.
• Double and triple check – Email addresses can be “spoofed” meaning they appear to be from a trustworthy source, when in fact they are not. Brands and logos can be copied and pasted from the real, reputable site. Even links can be disguised as legitimate when they are not. Before you do anything, you need to be 100 percent sure that everything is legitimate. When in doubt, simply do not open, click or respond. Report it to your IT security team.

Ransomware

Ransomware is a malicious software that cyber criminals use to deny access to your system or data. These criminals will hold your system/data hostage until ransom is paid. After the initial infection, there will be attempts to spread the ransomware to shared drives and systems. If the demands are not met, the system could remain unavailable or even be deleted altogether.

How do you know if you have ransomware on your computer? A window will pop up telling you that you have XX amount of time to pay a certain amount of money to avoid losing your system or data.

If that happens, take the following steps:

• Unplug the power cord from the back of your PC—don’t just turn it off
• Contact your IT department (via phone) for assistance
• Contact your supervisor

Ultimately, the best way to ensure this does not happen is to avoid unknown links, ads and websites. Do not download unverified attachments or applications. At home, keep your software up to date, and back up data files to a secure location daily. As always, if it looks suspicious, simply do not open, click or respond.

Social Engineering Tactics

Social engineering attacks are directed specifically at human beings. Hacking a human is much easier than hacking a business, so be on the lookout! There are three basic tactics used in this type of hacking. Be aware, and don’t fall for these common tricks:

• In person – Someone gains access through an open door or pretends to be a service technician, someone buys you a drink and tries to extract information, someone looks at your unattended device, or someone is left unattended to use your computer, perhaps during a troubleshooting session
• Phone – Someone calls you pretending to be from an organization asking for donations, pretending to be your bank with a pre-recorded message and asks you to call back to confirm information, or pretending to be a person in authority who intimidates you to give them information
• Digital – Someone uses phishing, someone mimics a trusted social media page to get you to click on malicious links, or someone uses common typos for brand URLs to make you think it’s the real site and click on malicious links

National Cybersecurity Awareness Month: Sobering Stats

Homeland Security recently published some sobering statistics about cybersecurity. Don’t fall victim and be a part of these statistics:

• 47 percent of American adults have had their personal information exposed by cyber criminals
• 600,000 Facebook accounts are hacked every single day
• 65 percent of Americans who went online received at least one online scam offer

Though National Cybersecurity Awareness Month is observed during October, the advice and resources provided above can and should be used all year round to improve cybersecurity in the office and at home. Be a strong link in the cybersecurity chain and practice what you have learned every day.