Check Request Status610-994-7500

Enterprise-Wide PHI Disclosure Management—Six Strategies Guided by Information Governance Principles

On September 1, 2018, the Journal of AHIMA published MRO’s article “Enterprise-Wide PHI Disclosure Management—Why Information Governance Matters,” featuring a virtual roundtable with health information management (HIM) leaders from MRO client organizations Ardent Health Services, Ochsner Health System and WellSpan Health.

As moderator of the discussion, I had an opportunity to explore valuable insights gained from their experiences along the journey to enterprise-wide Protected Health Information (PHI) disclosure management. Here is a summary of common challenges they faced and successful strategies guided by Information Governance (IG) principles.

Common Challenges

As integrated health systems grow through partnerships and acquisitions, one of the most significant challenges is managing multiple points of PHI disclosure during the Release of Information (ROI) process. Keeping up with evolving regulations requires evaluation of ROI requirements including ongoing review of policies and procedures with a goal of establishing standardized, compliant processes across the enterprise. This has become even more critical with the rise in small breaches, often due to errors in ROI.

With any major process change, some resistance can be expected. Not everyone will be on board to hand off ROI responsibilities. Reluctance to make the transition to enterprise-wide disclosure is often related to loss of control and personal touch, particularly in physician practices. Communicating the benefits to all departments and practices is critical to the success of a centralized, enterprise approach.

Six Successful Strategies—People, Processes and Technology

Overall, the combination of policies and procedures supporting legal medical record content, consistent record retention and standardized workflows enables the implementation of enterprise-wide PHI disclosure. Establishing compliant ROI practices aligned with IG concepts must be a top priority to reduce liabilities and protect patient information.

Here are six strategies for HIM professionals to initiate, support or sustain enterprise-wide PHI disclosure management:

  1. Engage executive leadership, including compliance, privacy and legal teams. Present a business case for enterprise-wide ROI, with emphasis on the benefits of centralization including cost savings, compliance and patient satisfaction.
  2. Proactively address PHI disclosure management in the acquisition and partnership strategy. Create a consistent approach to managing any ROI transition.
  3. Consider your available human, technical and system resources. Evaluate the ability to implement a model that is self-sufficient, outsourced or a combination of the two options.
  4. Create an enterprise-wide inventory of health records/designated record sets. Include the format, locations and retention timeframe.
  5. Determine the right balance of onsite versus remote management. Create a standard list of common documents requested by patients as a guide to onsite processing.
  6. Establish a collaborative relationship with your ROI vendor partner. Work together to develop and sustain a PHI disclosure management process. Having a dedicated ROI team supports the commitment to provide accurate and timely records to customers and patients.

To download a PDF copy of the full Journal of AHIMA article, complete the form on this page.

MRO at AHIMA Convention & Exhibit

To meet MRO’s teams and network with HIM peers using our services, visit us at the upcoming AHIMA Convention & Exhibit in Miami, September 22-26. Review a list of MRO events in advance to learn more about where you can find us during the convention. Highlighting Monday’s agenda is the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?” where my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and I will join other experts in the field to discuss ROI challenges and best practices. We look forward to seeing you there!

Receive a copy of the full Journal of AHIMA article

Read More

MRO at the 90th Annual AHIMA Convention and Exhibit in Miami, FL

As we approach the 2018 AHIMA National Convention and Exhibit in Miami, held September 22-26, 2018 in Miami, MRO is very excited to exhibit and have the chance to mingle with our Health Information Management (HIM) partners and friends.

During exhibit hall hours, members of MRO’s leadership will be available at Booth 437 to discuss topics surrounding Protected Health Information (PHI) disclosure management, including industry trends, breach risk mitigation and MRO’s KLAS #1-rated Release of Information (ROI) solutions. We will also have a mentalist/magician performing in our booth on Monday and Tuesday, September 24 and 25.

Some other places you can find MRO during the convention include:

AHIMA’s Privacy, Cybersecurity, and Information Governance Institute

Saturday and Sunday, September 22-23
Miami Beach Convention Center, Art Deco Ballroom, Room 228 AB

AHIMA is committed to remaining the leader in privacy, cybersecurity, and Information Governance (IG) throughout healthcare. Because of this commitment and healthcare’s evolution—which requires continued education on the most current topics and trends in the industry—AHIMA’s annual Privacy and Security Institute is evolving. This year AHIMA is introducing the Privacy, Cybersecurity, and Information Governance (PCIG) Institute.

MRO is proud to sponsor this year’s PCIG Institute, and Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO will participate in Sunday’s 10:55am – 11:45am Eastern panel discussion “Privacy and Security Competency Gaps: How to Navigate Your Way to Success.

Case Study for Business Office ROI: Yale New Haven Health

Monday, September 24
Miami Beach Convention Center, Exhibit Hall, Theater C
12:15pm – 1:05pm Eastern

Join Kim Charland, RHIT, CCS, Director of Revenue Cycle Services for MRO, and Cindy Zak, MS, RHIA, PMP, FAHIMA, Executive Director of Corporate HIM for Yale New Haven Health, for a presentation on exploring ways MRO’s Medical Record Attachment Services for the Business Office can help HIM leaders improve interdepartmental collaborative efforts to efficiently and compliantly fulfill ROI requests that support claim payments.

ROI Networking Roundtable

Monday, September 25
Miami Beach Convention Center, Room 209
3:30pm – 4:15pm Eastern

Attend the presentation “The Modern Age of ROI – Are You Up to Date?” to network with HIM peers and experts in the field, including MRO’s Rita Bowen and Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services. Bring to the table any issues or challenges faced in ROI and discuss best practices.

Educational Session: Project Management in HIM Implementations

Monday, September 25
Miami Beach Convention Center, Ocean Drive Ballroom A-D
4:30pm – 5:15pm Eastern

To learn best practices for utilizing project management skills in enterprise-wide HIM implementations, join Angela Rose and Emilie Sturm, Sr. Revenue Management Consultant for Trinity Health, for this exploratory session.

Meet MRO at AHIMA

MRO has been exhibiting at this convention every year since 2004. In our 15th year at the event, we anticipate this to be our best year yet. I am looking forward to learning about the latest industry trends and being able to see and spend time with all our clients and friends in attendance. We hope to see you there!

Schedule a PHI disclosure management consultation at AHIMA.

Read More

Webinar Recap: Cybersecurity- Protecting Your Healthcare Enterprise

On August 15, 2018, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part healthcare compliance webinar series. In this webinar titled “Cybersecurity: Protecting Your Healthcare Enterprise,” we covered points that healthcare organizations should consider to safeguard Protected Health Information (PHI) and increase their overall security posture.

Access Management

Policies and Procedures

HIPAA requires a number of administrative safeguards to protect PHI, specifically ePHI. Policies and procedures must be in place to ensure implementation and maintenance of appropriate protection.

• Workforce security is a critical piece to guide the proper use of PHI by anyone who is allowed access—including physicians, employees, volunteers and BAs.
• Information access authorization specifies who has access and why, based on minimum necessary guidelines.
• Ongoing security training supports accountability and access management.

Threat Prevention, Detection and Response

Prevention

Even with the most advanced technology, granting people access to systems remains one of the highest risks of introducing the possibility of serious incident. Attendees were reminded that policies and technologies must have additional controls in place:

• End user education and social engineering testing
• Strong passwords and account creation steps
• Malicious software protection
• System hardening practices

Detection

If something goes awry, it is important to have alert mechanisms in place—automated, manual or a combination of the two. For example, manual alerting includes 24-hour hotlines to report suspicious behavior. Technology applications such as FairWarning automatically trigger alerts to potential privacy violations. System log reviews are a good indicator of behavioral anomalies. Best practice is to leverage technology to automate data protection and ensure proper detection.

Response

In the event of an alert across the enterprise, a tested and documented incident response plan is necessary to ensure immediate response to a breach. The plan should include defined roles and responsibilities, testing scenarios and cyber insurance impacts. How will your organization ensure breach prevention considering the penalties being levied for high-exposure incidents?

At MRO, we have a dedicated incident response team. Part of their responsibility is to know state specifications, timeline controls and documentation requirements for proper reporting to the right people at the right time.

Information Governance

Information Governance is integral to an effective data security program. Incident response should be part of an enterprise information governance program—policies, procedures, tools and techniques that an organization applies to safeguard information and systems. Data classification and data mapping are essential tools to guide system impact assessments. Think about how and where your data goes and the importance of protection throughout its life cycle in your custody.

Risk Register

A risk register is a vital tool that lists all identified risks along with your organization’s risk score, responses, triggers, consequences and related information. Unlike a one-and-done document, this register is a fluid living document that must be constantly updated to reflect an accurate assessment of risk management and your security posture.

Cyber Extortion

With ransomware on the rise, user awareness training is more important than ever before. Additional protection measures include a formal ransomware policy and use of sophisticated technology to minimize attacks. Attendees received insights based on various types of cyber extortion including email and texting, along with examples of protection activities to promote cybersecurity.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.

Request MRO's Cybersecurity Webinar

Read More

DOs and DON’Ts of Outsourcing Release of Information

DOs and DON’Ts of Outsourcing Release of Information

Managing the disclosure of Protected Health Information (PHI) from within a healthcare organization has become increasingly complex. As the volume of medical Release of Information (ROI) continues to rise, multiple disclosure points place organizations at risk for privacy breach. Many have turned to outsourcing Release of Information to promote proper PHI disclosure. Choosing the right vendor can be a challenge if you don’t know where to start. Here are some suggestions to make the process easier.

DO—Use HIM peer feedback

The best way to begin is by seeking feedback from HIM peers who have experience with ROI vendors. Trusted peers can help with steps to identify vendors that offer high levels of service quality, accuracy and compliance.

Ensure the vendor is equipped to handle a health system your size

In today’s environment, there are fewer independent hospitals than in the past. Increased consolidation among hospital groups adds a new level of complexity due to size of the organization. It’s important to conduct a thorough evaluation to ensure the vendor can accommodate the size of your organization.

Over the years, many independent hospitals have used small local ROI companies that served them well at the time. But as these organizations grow to include multiple facilities with hundreds of clinics, ROI becomes a more complicated process. Vendor reassessment involves two critical considerations—scalability and expertise. Does the vendor have the scalability to meet the needs of all facilities and the expertise to conduct the implementation from a proven project management perspective?

Scalability is especially important for organizations acquiring physician practices. For one organization, we are currently hiring 40 people to serve five hospitals and 300 physician practice locations. Few vendors are equipped to manage a project of that size. Organizations should consider the scope of the project and the vendor’s ability to conduct a smooth and seamless implementation. Best practice is to engage a dedicated implementation team of trained specialists to onboard staff and ensure a successful implementation.

Assess the vendor’s ability to offer high levels of service quality, accuracy and compliance

Your organization must have confidence in the vendor’s ability to measure quality and accuracy to ensure compliance. While seeking feedback from peers, review the company’s resources to assess quality standards, documentation processes, areas of priority and methods of measurement. What is the success rate in terms of service delivery and accuracy? What internal quality measures are in place to ensure proper disclosure of PHI and prevent breach? Also, look for independent measures of quality and reputation of a vendor you’re considering. One of those measures is KLAS, a third-party group that rates companies based on customer ratings.

DO—Visit the vendor

As part of the evaluation process, schedule an onsite visit. At MRO, we welcome the opportunity to show and tell what we do. Showing tells a lot about an organization. Take a tour of the workflow to see ROI processes firsthand. That’s where you’ll see those crucial quality checks.

DO—Leverage the latest technology innovations

Advanced technology is essential to provide optimal ROI services. Top priorities include EMR integration, electronic delivery, optical character recognition (OCR) technology for Quality Assurance, and IT expertise and leadership.

EMR integration

Look for technology with the capability to integrate with most EMR systems. Some ROI companies have built interfaces between their ROI platforms and EMRs to enhance workflows through automation. For example, MRO’s MROeLink® interface with Epic’s ROI module has the capability to automate typically manual and redundant steps in the ROI process to improve efficiency and reduce errors.

Electronic delivery

Organizations today need import and export capabilities that extend beyond extraction of information.

Look for the ability to receive requests and deliver information via electronic interchange. At MRO, we have thousands of portals set up with different organizations around the country to securely receive and deliver information. Additionally, our proprietary interface with SSA’s Disability Determination Services (DDS) and esMD for CMS enables healthcare organizations to enhance revenue, improve efficiency and drive compliance.

OCR technology for Quality Assurance

Quality Assurance requires the right people, processes and technology. The most effective programs offer technology and human intervention to review documents at various points within information management workflows. For example, we suggest a combination of OCR technology and specially trained staff to perform multiple quality checks during the ROI process. MRO’s IdentiScan® OCR validation technology checks for patient identifiers to catch comingled records. Any detected errors are quickly corrected and documented by Quality Assurance experts.

IT expertise and leadership

Finally, consider the vendor’s future plans for investment on the IT side of the ROI process. Many times smaller vendors can’t make large investments required to be on the leading edge of IT. Is the vendor forward thinking regarding IT? What capabilities are in place? Recommended practice is to have extensive internal IT resources backed by plans for future investment. Look for progressive companies with IT knowledge, experience and leadership.

DO—Consider an enterprise-wide approach

A centralized, enterprise-wide approach to PHI disclosure management is the recommended strategy to have complete confidence in achieving compliance. This approach guards a patient’s privacy while also protecting the organization against breach, financial risk and reputational harm. The benefits across the health system include:

  • Standardized policies and procedures
  • Consistent policy enforcement
  • Improved patient and third-party requester experience
  • Heightened PHI disclosure accuracy through quality-infused workflows

DON’T—Prioritize low cost over quality

Prioritizing low cost over quality and compliance will cost your organization more in the long run. Everyone wants the most economical deal, but not at the expense of quality. Noncompliance and associated costs are too great a risk. When evaluating a vendor, shop for accuracy and quality.

MRO is proud to be KLAS-rated #1 for outsourced Release of Information services, offering scalability, expertise, innovative technologies, and the highest levels of accuracy, quality and service. To request a demo of our ROI Online® solution, complete the form.

Request a Demo

Read More

Onboarding a New Release of Information Vendor: Six Strategies to Ensure a Smooth Transition Process

Begin with the end in mind.  – Stephen Covey

Stephen Covey will long be remembered as the author of The Seven Habits of Highly Effective People. The wisdom of those habits is applicable to organizations as well. When onboarding a new Release of Information (ROI) vendor, the end goal is to standardize policies and processes across the enterprise for timely, accurate and efficient disclosure of Protected Health Information (PHI).

Partnering with a new vendor for outsourcing Release of Information doesn’t have to be a daunting task. Whether your organization is managing ROI in house or considering a change from one outsourcing vendor to another, making a smooth transition across the enterprise is critical. Defined tasks and activities are required to successfully bring a new ROI vendor on board and resume normal operations as efficiently and effectively as possible. A seamless process begins with a dedicated implementation team to facilitate the transition, keeping the end goal in mind.

In our experience, organizations often encounter challenges that are difficult to overcome without the expertise of an implementation team. Here are some of the most common pitfalls:

  • Lack of executive ownership
  • Resistance from stakeholders, no buy-in
  • Lack of process knowledge/ownership
  • Scope creep—project not well defined, documented, controlled
  • Communication issues
  • Insufficient staffing, training and other resources
  • Multiple technology platforms/EMR

Setting the Stage for PHI Disclosure Management Success: Six Strategies to Ensure a Smooth Transition

When evaluating an ROI vendor, be sure the vendor has a dedicated implementation team to facilitate a smooth transition. That is your first priority. The team will guide the implementation through the following six strategies:

Define the Project. Define the project scope, goals and objectives. Identify the project owner, executive sponsor and all stakeholders. Set expectations and accountability. Develop a timeline with milestones and phases.

Manage Contracts. Monitor and manage the terms of the contract to ensure contractual obligations are met. Deliver to the client exactly as specified in the contract. Proper management prevents scope creep.

Communicate. Provide ways to communicate with senior management and all stakeholders across the enterprise. Communication tools include internal memos, email templates, press releases, onsite meetings, workflow tips, helpline, monthly updates to senior management on timelines and milestones, and post-implementation touch-point calls. Communication builds trust.

Plan. Planning and communication go hand in hand. Otherwise, the project implementation plan won’t leave the conference room. To assist with planning, here at MRO, we provide new clients with a detailed overview of our implementation planning process including the following:

  • Pre-Implementation Activities
  • Implementation Timeline
  • Go-Live Activities
  • Post Implementation Activities

Planning is everything. Proper planning presents the opportunity to identify and address issues up front, setting the stage to achieve optimal results.

Document. Comprehensive documentation clearly defines the project desired outcomes. Transparency and accountability are essential. One of our practices is to send welcome packets introducing what we do and what’s going to happen during the implementation period, along with escalation pathways and MRO contact information. Throughout the transition, we provide a detailed agenda for every meeting, minutes following each meeting, training documentation, videos, monthly updates and project monitoring reports. The entire process is documented from the beginning.

Train and Educate. In preparation for go-live, an effective training and education program promotes successful outcomes. The recommended strategy is to begin training after the planning phase and continue throughout go-live. At MRO, our implementation specialists provide training on MRO ROI policies and procedures, current and legacy EMR systems, HIPAA privacy and security, ROI Online® system use and best practices.

Best Practices Yield Optimal Outcomes

Beginning with the end in mind, providers and vendors should work together to help organizations achieve timely, accurate and efficient ROI outcomes.  At MRO, our dedicated implementation team guides you every step of the way with proven strategies to ensure a seamless transition.

Sign Up for Future Blog Posts

Read More

Five Takeways from the HFMA 2018 Conference

“Efficiency is doing things right; effectiveness is doing the right things.” Peter Drucker

Peter Drucker, world-renowned business management guru, reminds us to focus on both efficiency and effectiveness to improve long-standing processes, procedures or policies. Healthcare finance leaders and revenue cycle professionals were charged with the same goal—creating efficiencies and building effectiveness—during the recent HFMA 2018 Annual Conference held in Las Vegas, June 24-27, 2018.

For central business offices (CBOs) and patient financial services (PFS) departments, the need to address stubborn problems and improve performance is paramont to cut costs and reduce risk. One way to achieve these goals is by fostering innovation.

This blog shares HFMA’s call for innovation, summarizes four other takeaways from the 2018 event and lays out an important MRO strategy to improve business office efficiency and CBO effectiveness.

Foster Innovation for Business Office Efficiency and Better Outcomes

Kevin Brennan, FHFMA, CPA, the new chair of HFMA’s 2018-2019 board of directors and recently retired Executive VP, Finance and CFO at Geisinger Health System, welcomed attendees by discussing the importance of promoting experimentation and new ideas to bolster efficiency in revenue cycle workflow and operations. Brennan encouraged revenue cycle leaders to resist the fear of failing and build new business models to promote performance. As Brennan stated, a good new motto to follow might be “Never be fearful of making new mistakes.”

Build Collaboration through Better Tools and Workflows

By coupling innovation with collaboration, Brennan urged HFMA attendees to build new bridges with other departments, providers, payers, consumers and the government. The call for better collaboration was reiterated by Tuesday’s keynote speaker, Dr. Rubin Pillay, medical futurist, physician and professor.

With collaboration as the central theme of this year’s event, revenue cycle professionals were encouraged to “try new tools and make existing workflows work better” as one pathway to foster collaboration and improve business office efficiency within CBOs and PFS departments.

Go to a New Level in Healthcare Delivery

Dr. Pillay also discussed the role of artificial intelligence and technological innovation in spurring healthcare collaboration. Pillay provided examples of growing organs for corneal transplants and using robotics to help paraplegics walk as important ways healthcare organizations can take patient care to a new level. According to Pillay, “Technology and data, their convergence with policy, and provider and payer strategies are driving major trends to transform healthcare.”

Enhance the Patient’s Financial Experience

The final takeaway from the HFMA 2018 Conference was a continued cry to improve the patient’s financial experience. Best practices from HFMA’s 2017 MAP winners were referenced as innovative ways to make steady, incremental changes and improve performance. In reviewing these MAP winner strategies, we are reminded of the need to continually speed processes and streamline operations—this is especially true for CBOs.

Improve Business Office Efficiency by Reducing Biller Distractions

Consistent with HFMA’s themes of efficiency, effectiveness, innovation and collaboration, MRO is laser focused on improving business office performance. For most CBOs and PFS departments, biller distraction is an important issue—one we intend to reduce for MRO clients. We continue to hear from clients that billers and collectors become distracted with trying to process payer requests for medical records. Our latest service was discussed with HFMA attendees during the conference and received rave reviews.

Challenge:

Business office personnel release millions of medical records annually to commercial health plans and government payers to expedite payment of claims, appeal denials or fulfill auditor requests. However, it doesn’t make sense for these business office staff—billers or collectors—to handle payer requests for medical records when they should be focused on reimbursement. There are also HIPAA risks to consider when billers release Protected Health Information (PHI) versus having Health Information Management (HIM) professionals manage this task.

Receiving, processing and managing payer requests for health information is what MRO does best. So we’re applying this expertise to cut cost and reduce risk for CBOs and PFS departments.

Solution:

Instead of distracting billers and collectors from their core objective of collecting revenue, MRO disclosure management experts apply new workflows and HIM collaboration to the process of Release of Information (ROI) in the business office. Here is a high-level summary of how the new MRO service works.

  • Business office logs requests and attaches billing documents
  • MRO adds medical record documentation
  • MRO quality checks and releases billing and medical documentation to the payer
  • MRO sends documentation by payer-requested delivery method

Results:

MRO clients who are using this service from MRO are achieving both efficiency and effectiveness in their CBOs and PFS departments. Specific improvements include:

  • Heightened efficiency and cost savings
  • Minimized breaches and more compliant PHI exchange
  • Payer request trackability for analytics
  • Enhanced collaboration between HIM and the business office
  • Maximized production by keeping teams focused on what they do best
  • Improved visibility and transparency for both teams

Request information about MRO’s business office ROI services

Read More

How to Improve PHI Disclosure Efficiency in the Business Office

PHI Disclosure

Releasing medical records from a healthcare organization’s business office can be accomplished in a more efficient and cost-effective method. Instead of distracting billers and collectors from their main duties of collecting revenue, business offices should consider the following options to improve efficiency and ensure proper tracking of Protected Health Information (PHI). I provide more detailed information in an HFMA blog “PHI Disclosure Management in the Business Office.”

Centralize all Requests for Records

If the business office wishes to continue to process using their staff, the function should be centralized and assigned to a core group of processors to fulfill all requests. This will help minimize administrative burden from the billers and collectors. Centralization also promotes consistent, standardized processes. These dedicated business office staff should be thoroughly trained in proper PHI disclosure management to maximize efficiency, eliminate redundancy and mitigate risk of HIPAA breach for requests that may fall outside of TPO such as itemized bills for outside attorney requests.

Transfer the Work to HIM

HIM staff are well trained in processing requests for information. They have the knowledge and skills to complete requests efficiently and in compliance with HIPAA guidelines. Nevertheless, some organizations fear delegating this function to HIM because of concerns regarding timeliness and payer deadlines. To reduce turnaround time fears, the following four best practices should be implemented:

  1. Ensure open and ongoing communication between the business office and HIM
  2. Optimize the use of EHR and PHI disclosure management technologies to route requests and share information
  3. Assign dedicated Release of Information (ROI) experts to support the business office and process requests
  4. Conduct regular meetings to discuss new trends in payer requests and proactively improve turnaround time through SFTP delivery

Outsource Business Office PHI Disclosures

A number of national firms, including MRO, provide Release of Information services to process payer requests. MRO’s services for business office disclosure management ensure timely delivery of information to payers, full compliance with HIPAA guidelines, and around-the-clock staffing to avoid backlogs or delays.

Careful and strategic tracking of information released, to whom and why, will make the PHI disclosure process more efficient. If your organization needs to improve this process, you should consider: centralization, delegating work to HIM or outsourcing PHI disclosure management. By implementing these alternative workflow options, your organization will be taking the right steps towards improving billing processes and decreasing denials.

Sign Up for Future Blog Posts

Read More

How to Lead Enterprise-Wide Projects: HIM Expert Advice

From encoders to Electronic Health Records (EHRs), Health Information Management (HIM) professionals are often tasked with enterprise-wide project management including new technologies, changing workflows and centralized operations. These massive projects require strong HIM skills, expanded partnerships and greater collaboration among vendors, HIM, IT and others. With leadership skills, specialized education, and peer-to-peer relationships, HIM professionals are perfectly positioned to promote collaboration among all stakeholders, secure executive support, ensure timelines are met and cover every detail of an enterprise-wide initiative.

A few months ago, I moderated a roundtable discussion with three HIM experts: consultant, Pat Biesboer, RHIA, MSS, PMP; Susan Carey, MHI, RHIT, PMP, FAHIMA, System Director of HIM for Norton Healthcare; and Emilie Sturm, MA, RHIA, CHPS, Senior Revenue Management Consultant for Trinity Health. They each discussed mapping out enterprise-wide projects, such as PHI disclosure management and how to meet milestones and resolve common challenges. You can find the full discussion, “Using HIM Skills to Lead Enterprise-Wide Projects: An Expert Roundtable,” in the February 2018 issue of Journal of AHIMA.

During the roundtable, all three HIM experts provided their main lessons learned from their experiences as enterprise-wide project managers. If you are an HIM professional, you may benefit from reviewing the lessons below:

    1. Provide concise, timely, and honest communication. Keep people motivated by injecting fun into your discussions. Keep the current status in front of stakeholders according to a regular schedule, providing the degree of detail they need.
    2. Have realistic expectations and transparency. If difficulties are expected, prepare the team ahead of time. This will help build trust.
    3. Follow stated goals. Guide your team toward the goals you established. When you run into blockers, review your options. Objectively provide the background, options, rationale and a recommended direction to maintain forward progress.
    4. Avoid bringing assumptions to the table. Remain open-minded and validate your expectations. Susan Carey reflected, “When I was the project manager for our EHR’s operating room, nursing and HIM modules, I mistakenly assumed that IT resources understood HIM. Looking back, I should have educated my peers who were managing other parts of the project regarding the tenets of HIM. This would have facilitated HIM operations leaders’ attempts to maintain decision-making regarding the electronic record configurations and policy.”
    5. Conduct reference calls with organizations using any technology you are considering. HIM needs differ from those of other departments. Current users can suggest ways to configure applications to best meet your needs and save valuable implementation time and resources.
    6. Perform as a project manager with HIM knowledge. Project managers are valuable when they have subject matter expertise and can develop subsidiary plans within the overall project management plan.
    7. Have the right stakeholders at the table when starting a project. Due diligence should be conducted to map out all areas of the project and determine vested parties. Having the right team on board provides for a productive group of multidisciplinary professionals with varying expertise.
    8. Identify lessons learned during each phase of a multiphase project. With a multiphase project, such as a system rollout, identify lessons learned during each phase. When possible, incorporate those lessons into the next phase for a stronger outcome. As your timeline allows, be flexible and don’t hesitate to post-pone a go-live if critical goals are not yet achieved.
    9. Communicate often with your project team and stakeholders. For HIM-driven projects, it’s critical that the local HIM director communicates with key constituents or peers. Establish regular meetings over the course of each project or expand your schedule if necessary. Disseminate project management tools such as timelines and meeting minutes to the project team. Regularly review the project plan to monitor progress compared with the overall timelines.

    Though HIM professionals have always managed projects, enterprise-wide endeavors raise the bar for communication, organization and leadership. HIM professionals have unique abilities to manage enterprise-wide projects. More importantly, HIM professionals can help team members solve problems, achieve their goals and enjoy the journey.

    If you are interested in learning more about this topic, come join me and Emilie Sturm, MA, RHIA, CHPS, Senior Revenue Management Consultant for Trinity Health, at the 2018 AHIMA National Convention in Miami, for our presentation titled “Project Management in Enterprise-Wide HIM Implementations.”

Sign Up for Future Blog Posts

Read More

Webinar Recap: Healthcare Regulatory Updates and Guidance

Healthcare Compliance

On Thursday, May 17, 2018 my colleague, Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services and I presented the second part of our four-part healthcare compliance webinar series. In this webinar titled “Healthcare Regulatory Updates and Guidance,” we covered some of the following key points:

Global Data Privacy Rule (GDPR)

The GDPR is current legislation that was proposed by the European Commission to strengthen and unify data protection for individuals in the European Union (EU). The goal of the regulation is to increase protection and enhance privacy rights on how data is collected and used regarding EU residents. This rule also applies to organizations outside the EU, such as the US, if it collects data.

Substance Abuse and Mental Health Services Administration (SAMHSA)

SAMHSA released an update in January 2017, which allows organizations to utilize an inclusive authorization whereby this sensitive information may be shared with an HIE or within an integrated delivery system which affords these patients with the same rights to high-quality care by allowing care givers to review necessary information. The update to the rule permits the disclosure or re-disclosure of this information as necessary to carry out lawful treatment, payment and operations. The required statement on this type of record now reads “Federal law 42 CFR Part 2 prohibits unauthorized disclosure of these records.”

Disclosures for Emergency Preparedness

Emergency preparedness and recovery planners are interested in the availability of information they need to serve people in the event of an emergency. The HIPAA Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.

Cybersecurity and Ransomware

Ransomware has forced health IT to get more aggressive towards increasing their security safeguards and protections against attacks through infected mails and websites. Attendees were reminded that the best ways to prepare and combat these attacks include:

  • Risk analyses and gap analyses
  • Ongoing end-user training
  • Appropriate and up to date patching
  • Utilization of advanced security protection tool

To learn more about this topic, sign up for our next webinar “Cybersecurity: Protecting your Healthcare Enterprise” on Wednesday, August 15, 2018 at 2pm Eastern.

Texting in Healthcare

Texting in healthcare can be a risk if not done so by meeting the technical safeguards of the HIPAA Security Rule. These safeguards include:

  • Access to PHI must be limited to authorized users who require the information to do their jobs
  • A system must be implemented to monitor the activity of authorized users when accessing PHI
  • Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN
  • Policies and procedures must be introduced to prevent the PHI from being inappropriately altered or destroyed
  • Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit

Future Outlook

Attendees also received insight on the changes and updates we may expect to see forthcoming in 2018. Some of these included:

  • Restitution back to victims who were harmed by a violation of HIPAA
  • Consideration to remove NPP signature forms
  • Good faith disclosures (related to Opioid crisis)
  • Potential changes in the requirement related to accounting of disclosures

Healthcare regulatory updates and government guidance are continuously evolving and can be difficult to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. For more information on these topics, fill out the form below to receive a copy of this webinar.

Receive a copy of the part 2 webinar recording and a PDF of the slides

Read More

Privacy Dashboards: A Powerful Tool for Compliant PHI Disclosure Management

Managing the release of Protected Health Information (PHI) is more complex than ever, due to evolving federal regulations, patient access rights, and pressure to manage and exchange health information electronically. With multiple departments releasing PHI, there are concerns and risks across the entire enterprise. For individuals whose primary tasks do not include PHI disclosure, privacy regulations are not foremost in their thoughts. Without ongoing education and process change, the potential for breach risk escalates. To mitigate risk, it is recommended that organizations centralize their Release of Information (ROI) and use privacy dashboards and data analytics technology.

Centralize Release of Information to Improve Privacy Compliance

Healthcare organizations should assign PHI disclosure and ROI tasks to a focused group of professionals who understand the regulations, receive ongoing education on changes, and realize the complexities of the process. This way, one department will have total control and responsibility of maintaining appropriate records of what information has been released, knowing where it’s going, and when to escalate notification issues. Managing information through one department will improve compliance and patient care.

Use Privacy Dashboards to Track Patterns and Trends

Every privacy incident yields valuable data to improve compliance. Privacy dashboards can be used as a powerful tool to show patterns and trends for smaller incidents — now being tracked by OCR — and for large events as well. Regardless of size, an organization’s ability to consistently identify and track trends is essential. You can find a list of all the features an effective compliance tool should provide in “Privacy dashboards: Tracking and reporting for compliant PHI disclosure management,” which appears in the May 2018 issue of HCCA’s Compliance Today.

The most important factors in compliance program management are constant awareness, communication, tracking and reporting through easy access to reliable and actionable data. Privacy dashboards help organizations determine root causes of incidents, so they can take the necessary actions to improve compliance.

Examples of corrective action include:

    • Revising compliance policies and procedures
    • Providing additional staff training on hospital policy and HIPAA regulations
    • Assessing and improving PHI disclosure management processes
    • Ensuring encryption of all devices used by staff

    As the volume of PHI requests continues to increase over time, so does the risk of breach. Using privacy analytics to identify compliance patterns and trends, improve operational processes, and resolve breach issues is increasingly important. Actionable compliance data has become a critical tool for healthcare organizations along the journey to value-based care.

    Learn more about privacy analytics by attending AHIMA’s Live Data Dive Webinar “Privacy Dashboards: What You Should be Tracking & Reporting” on May 9th at 9:30am Eastern. If you cannot make the live session, sign up for the playback webinar recording here.

Sign Up for Future Blog Posts

Read More