What is HITRUST?

Founded in 2007, the Health Information Trust Alliance (HITRUST) evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to “champion programs that safeguard sensitive information and manage information risk for organizations,” HITRUST provides broad access to common risk and compliance management frameworks.

For example, the HITRUST CSF®, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally acceptable standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance.

HITRUST regularly updates the CSF to incorporate new standards and regulations to make sure the framework remains relevant and current. As new regulations and security risks are introduced, provider organizations and third parties that adhere to the CSF can be well prepared with optimal security based on quarterly updates and annual audit changes.

Why HITRUST Is Important to BA Risk Management

As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their Business Associates (BAs) is critical. Conducting due diligence is essential before the partnership begins, and is part of the provider’s ongoing risk analysis to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI). In recent years, many provider organizations have incorporated the HITRUST CSF as part of their third-party assurance process—requiring that BAs obtain CSF certification. This is largely due to the increased number of breaches involving third-party vendors.

Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CFS certification demonstrates integrity and commitment to privacy and security practices aligned with stringent regulatory requirements and expectations of the healthcare industry.

With those priorities top of mind, MRO announced in May 2018 that its Release of Information platform ROI Online^® had earned HITRUST CSF Certified status for information security. HITRUST incorporates a risk-based approach that includes federal and state regulations and standards to help organizations address challenges through a comprehensive framework of prescriptive and scalable security controls.

As healthcare’s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is already in place.

To learn more about the importance of HITRUST CSF and MRO’s journey to achieve certification, watch our video “MRO’s PHI Disclosure Management Platform ROI Online® Earns HITRUST CSF® Certification.”

On November 7, 2018, I joined my colleagues Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services, and Anthony Murray, CISSP, Vice President of Information Technology, to present the fourth and final installment of MRO’s healthcare compliance webinar series. In this webinar titled “Healthcare Privacy and Security—Predictions for 2019,” we highlighted privacy and security trends and predictions to help Health Information Management (HIM) and other healthcare leaders navigate compliance in the coming year.

Patient-Directed Requests

Attorney misinterpretation of patient-directed requests (PDRs) was front and center in 2018 and will continue to require clarification and guidance in 2019. When the validity of a PDR is questionable, the patient should be contacted to clarify and confirm consent. Here are additional strategies for handling attorney requests submitted under the guise of a PDR:

• Inform your state legislators of this questionable attorney behavior
• Discuss the issue with HIM peers in your area
• Hold meetings with your OCR representative to determine the best course of action
• Question and verify (with the patient) any suspicious PDR

We welcome a dialogue with the Office for Civil Rights (OCR) for clarification of the guidance to ensure requests are made for the purpose of assisting the patient with continuity of care—the original intent of the guidance. At MRO, we use the criteria provided by the guidance. The request must be made by the patient, written in the first person and signed by the patient. It must clearly state who is to receive the information and provide the address of that person.

Global Data Protection Rule (GDPR)

Released in May 2018 in the EU, the GDPR provided information on breach protection and response, which could affect guidance in the U.S. regarding notification timelines, documentation controls and data protection rules. The focus in 2019 will likely increase, prompting healthcare organizations to determine changes needed to strengthen privacy and security programs. Also, be aware of state action that is patterning to this rule.

Increased Information Collection

Technology will continue to advance through 2019—becoming faster and safer. With more apps and sophisticated technology, patients must be able to trust that their data is safe and secure. Here are several considerations:

• What data will you protect?
• What policies and procedures need to be reviewed?
• Do you have a complete inventory of your data?

Digital mobile engagement is center stage—wearable devices, home monitors, patient portals, patient generated health data (PGHD) and ongoing technology innovation. The goal is for patients to have a connected, fluid experience throughout the healthcare journey.

Increased Access to Care

The patient experience has changed over the past several decades—from the focus on where patients receive care to where patients search for and choose to receive care. Increased access to care includes urgent care, virtual care, retail settings and nontraditional players such as Amazon and Google. All use some type of technology involving Protected Health Information (PHI) that must be documented and protected.

Population Health, Data and Analytics

Total consumer health requires awareness of educational needs, especially considering the aging population and proactive management of healthcare. Consumers will benefit from initiatives that promote informed decision-making through awareness of available resources and rights regarding PHI. Those efforts demand emphasis on data collection, protection and analytics to improve population health and ensure compliance.

AHIMA’s Vision for 2019

AHIMA recently released its vision for 2019 as the year of transformation. Based on a back-to-basics strategy, AHIMA will emphasize core strengths and services to move HIM forward:

• Coding/clinical documentation improvement
• Advocacy/AHIMA World Congress
• Privacy and security
• Operational effectiveness—patient-focused access, quality improvement, artificial intelligence, precision medicine, privacy demands

The top three drivers will be security risks, business needs and evolving industry changes.

Technology and Cybersecurity

In 2019, advancements in technology will remain centered on interoperability and cybersecurity. Interoperability is critical to patient engagement and optimal EHR investment required for proper PHI disclosure management.

Additionally, cybersecurity must be a top priority to ensure effective information security programs. Organizations must clarify policies regarding:

• Risk assessments versus gap assessments
• Incident response
• External support
• Business Associates
• Third-party assessments
• Certifications, audits, standards

The evolution of cybersecurity threats means increasingly sophisticated ransomware and other attacks including cryptojacking and whaling. In case of a technology incident, the best strategy is a layered security model to protect, detect, identify and respond.

To learn more about privacy and security predictions for 2019, fill out the form below to receive a copy of this webinar.

AHIMA’s 2018 Privacy, Cybersecurity and Information Governance (PCIG) Institute took place September 22-23 at the 2018 AHIMA National Convention & Exhibit in Miami. True to its aim to enhance knowledge regarding current trends and issues, the event focused on protecting patient information across all healthcare settings and business operations—essential to ensuring patients’ trust in our healthcare system. Protected Health Information (PHI) disclosure management is at the heart of building that trust—and Information Governance (IG) is a critical component.

This year’s institute focused on industry adoption of IG, citing AHIMA’s Information Governance Adoption Model (IGAM)™ as a guide to advance IG practices toward achieving Level 5 maturity. Here are the five levels:

1—Unaware, IG concerns not addressed

2—Limited progress, early stage

3—Defined policies and procedures

4—Proactive program throughout operations

5—Fully integrated into overall infrastructure and business processes

Most attendees indicated their organizations were either at Level 2 or somewhere between Levels 2 and 3—making limited progress and beginning to define policies. This feedback means there’s much work to be done within the HIM domain to successfully measure and achieve IG maturity.

PHI Disclosure Management and IG Connection

A common question posed to HIM leaders on this topic is: What is the relationship between PHI disclosure and IG? First of all, proper disclosure of PHI cannot be achieved without adherence to IG principles—particularly privacy and security. AHIMA describes IG as an enterprise-wide framework for managing information throughout its lifecycle—from the inception of a patient’s record to its eventual destruction. An analogy that comes to mind is the story of a person’s life, the stewardship required from birth to death.

From an IG perspective, HIM professionals must know where information originates, where it flows, how it is released, when it dies—and all risk factors along the way. In our experience, one of the most critical areas of risk is the business office. Implementation of a centralized, enterprise-wide approach to PHI disclosure—aligned with IG principles—reduces risk related to ROI practices.

Modern Age of ROI Roundtable

Following the two-day PCIG institute, I joined my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and other experts to discuss Release of Information (ROI) challenges and best practices during the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?”

The hottest topic that emerged was patient-directed requests. Many in the industry are seeing inappropriate attorney behavior such as having the patient sign a blank form that the attorney then uses to request patient information. When a form is questionable, the patient should be contacted to clarify and confirm consent.

In the audience was Jim Bailey, President of the Association of Health Information Outsourcing Services (AHIOS), who suggested that states come together to address the issue. Here are four recommended strategies:

• Raise awareness with your legislators
• Hold conversations with other hospitals in your area
• Don’t be afraid of meeting with the OCR
• Exercise the right to question and verify any request

A valid patient-directed request must clearly reflect the patient’s intent—type of information requested, who should receive the information, for what purpose and method of delivery.

HIM Leadership

Overall, the PCIG Institute, ROI Roundtable and many other informative sessions during the AHIMA Convention reaffirmed that HIM professionals play a crucial role in promoting stronger privacy, security and Information Governance. Trust in the healthcare system depends on our leadership.

On September 1, 2018, the Journal of AHIMA published MRO’s article “Enterprise-Wide PHI Disclosure Management—Why Information Governance Matters,” featuring a virtual roundtable with health information management (HIM) leaders from MRO client organizations Ardent Health Services, Ochsner Health System and WellSpan Health.

As moderator of the discussion, I had an opportunity to explore valuable insights gained from their experiences along the journey to enterprise-wide Protected Health Information (PHI) disclosure management. Here is a summary of common challenges they faced and successful strategies guided by Information Governance (IG) principles.

Common Challenges

As integrated health systems grow through partnerships and acquisitions, one of the most significant challenges is managing multiple points of PHI disclosure during the Release of Information (ROI) process. Keeping up with evolving regulations requires evaluation of ROI requirements including ongoing review of policies and procedures with a goal of establishing standardized, compliant processes across the enterprise. This has become even more critical with the rise in small breaches, often due to errors in ROI.

With any major process change, some resistance can be expected. Not everyone will be on board to hand off ROI responsibilities. Reluctance to make the transition to enterprise-wide disclosure is often related to loss of control and personal touch, particularly in physician practices. Communicating the benefits to all departments and practices is critical to the success of a centralized, enterprise approach.

Six Successful Strategies—People, Processes and Technology

Overall, the combination of policies and procedures supporting legal medical record content, consistent record retention and standardized workflows enables the implementation of enterprise-wide PHI disclosure. Establishing compliant ROI practices aligned with IG concepts must be a top priority to reduce liabilities and protect patient information.

Here are six strategies for HIM professionals to initiate, support or sustain enterprise-wide PHI disclosure management:

1. Engage executive leadership, including compliance, privacy and legal teams. Present a business case for enterprise-wide ROI, with emphasis on the benefits of centralization including cost savings, compliance and patient satisfaction.
2. Proactively address PHI disclosure management in the acquisition and partnership strategy. Create a consistent approach to managing any ROI transition.
3. Consider your available human, technical and system resources. Evaluate the ability to implement a model that is self-sufficient, outsourced or a combination of the two options.
4. Create an enterprise-wide inventory of health records/designated record sets. Include the format, locations and retention timeframe.
5. Determine the right balance of onsite versus remote management. Create a standard list of common documents requested by patients as a guide to onsite processing.
6. Establish a collaborative relationship with your ROI vendor partner. Work together to develop and sustain a PHI disclosure management process. Having a dedicated ROI team supports the commitment to provide accurate and timely records to customers and patients.

To download a PDF copy of the full Journal of AHIMA article, complete the form on this page.

MRO at AHIMA Convention & Exhibit

To meet MRO’s teams and network with HIM peers using our services, visit us at the upcoming AHIMA Convention & Exhibit in Miami, September 22-26. Review a list of MRO events in advance to learn more about where you can find us during the convention. Highlighting Monday’s agenda is the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?” where my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and I will join other experts in the field to discuss ROI challenges and best practices. We look forward to seeing you there!