Check Request Status610-994-7500

PHI Disclosure Management Blog | MRO

MRO Publishes Study—Release of Information: Can You Afford to Ignore Industry Changes?

July 11, 2019
Angela Rose, MHA, RHIA, CHPS, FAHIMA
No comments
Categories: PHI Disclosure Management Blog | MRO, Release of Information

MRO has released the results of a nationwide survey, “Release of Information: Can You Afford to Ignore Industry Changes?” The survey was conducted by Porter Research, a market intelligence and research group focused on healthcare IT. The survey provides valuable insights from senior HIM professionals concerning Release of Information (ROI) priorities and approaches, including top vendor criteria.

As requests to disclose patient health information rapidly evolve, provider organizations are challenged to apply innovative methods to Protected Health Information (PHI) disclosure management across their health systems. With increasing demands for the exchange of and access to health information, HIM leaders must deal with large volumes of government and commercial payer audits, enterprise-wide compliance and breach prevention, and patient satisfaction. The changing landscape calls HIM leaders to reevaluate their ROI strategies, and the results of our study can be used as a guide for navigating disclosure management.

The executive insights from the report represent 33 hospitals, 1,253 clinics and 620,719 annual ROI requests. The surveyed senior HIM professionals provided feedback regarding PHI disclosure management options and the assessment of ROI vendors. The survey questions included, but were not limited to, the following:

  • When is it time to consider a new strategy and ROI partner? According to the Porter Research survey results, senior HIM leaders indicated that there are two main reasons for seeking better ROI solutions. The first is dissatisfaction with their existing vendor due to inadequate quality and service, including breach occurrences. The second involves the need for more modernized solutions to meet enterprise-wide compliance and operational demands as their systems grow and evolve.
  • What are the essential attributes of an ROI vendor? The survey results found that in most evaluations there were at least three ROI vendors originally deliberated, with two typically making the short list. The respondents revealed five important criteria to consider when looking for an ROI partner: ease of use, workflow, ability to handle volume, turnaround time and industry reputation.
  • What key decision criteria matter the most to healthcare organizations? Once crucial characteristics are examined, it’s vital to complete an analysis of how the aspects of an ROI agreement align with your own organization’s key performance indicators. The respondents revealed the most important decision criteria when choosing a new ROI vender are integration and technical features, compliance and level of service engagement. Of all criteria, price was ranked least important.

The Release of Information needs indicated by the survey show that an enterprise-wide approach to disclosure management is crucial. Healthcare organizations are partnering with strategic ROI vendors to address the intricate requirements of their organizations. When assessing vendors, the top criteria in decision-making are reputation, service, quality, technology and accountability. These survey results will help guide HIM directors who want to transition from an in-house to outsourced ROI model or those who are looking for a new ROI partner, if already outsourced.

To download a copy of “Release of Information: Can You Afford to Ignore Industry Changes?” complete the form below.

Blog sign up

Recent Blog Posts

DOWNLOAD THE ROI STUDY

Read More

Misuse of Patient-Directed Requests for Copies of Medical Records

June 20, 2019
Danielle Wesley, Esq.
No comments
Categories: Compliance, PHI Disclosure Management Blog | MRO

 

 

 

 

 

 

 

 

MRO has released the white paper, “Misuse of Patient-Directed Requests for Copies of Medical Records,” authored by two attorneys, Beth Anne Jackson, Esq. and Danielle Wesley, Esq., along with privacy expert Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB. The paper provides insights, education and strategies to help hospitals, health systems and other healthcare provider organizations address issues that arise when attorneys solicit copies of medical records—often through record retrieval companies (RRCs)—under the guise of patient-directed requests.

Essential Guide to Understanding and Mitigating Financial, Legal and Privacy Risk

For Health Information Management (HIM) professionals, in-house attorneys and compliance officers, the tenets set forth in the paper serve as an essential guide to understand and mitigate problems associated with these attorney requests, including the rising financial burden imposed on providers when attorneys shift the costs of medical record production for litigation to providers. The following five areas are covered.

  • Perceived loophole in OCR guidance. The paper delves into the history of HIPAA, HITECH and patients’ right to access their Protected Health Information (PHI). This includes examining the language of 2016 OCR guidance that emphasized removal of financial and other roadblocks to individuals’ access to their information by advocating the imposition of a nominal fee for patients to obtain their PHI for personal use, such as providing records to their primary care physician, a mobile healthcare app or to researchers. Though applying a nominal fee for patient-directed disclosures to these types of entities is reasonable, the OCR’s inclusion of the phrase “and it doesn’t matter who the third party is” opened the door for manipulation by attorneys and RRCs demanding the $6.50 fee suggested in the guidance.
  • Increasing volumes of attorney requests under the guise of patient-directed requests. Submitted as patient-directed requests, attorney requests for medical records have soared with a specific pattern identified, which is described in the white paper. The volume of these types of requests is growing exponentially. MRO metrics show a steady increase in the number of attorney requests demanding the patient rate. Additionally, an increase in page count and a higher demand for “any or all” records from the designated record set (DRS) are consistently noted with these attorney requests.
  • Detrimental impact to healthcare systems and their patients. Neither Congress nor the OCR intended for the individual rights to access under 45 CFR §164.524(c) or the guidance to be interpreted and implemented to (a) shift the costs of obtaining medical records for the purpose of for-profit litigation or other non-healthcare related purposes to providers, (b) subject more PHI than necessary—including sensitive PHI that may or may not be related to the litigation—to disclosure, or (c) remove HIPAA protection resulting from disclosure via RRCs to attorneys. However, healthcare organizations are rightfully concerned about these risks. The paper details the detrimental financial, legal and operational impact to health system enterprises and the risks around patient privacy.
  • Recognizing the misuse of patient-directed requests for medical records. Providers should be aware of red flags when receiving incoming requests, including the following:
    • A template form with filled-in blanks and mismatched pronouns is used.
    • The form is included in a larger packet with other documents—such as a HIPAA-compliant authorization.
    • The patient’s signature appears to be copy-pasted or photoshopped. Attorneys or RRCs may lift the patient signature from a driver’s license or other document.
    • The letter is labeled a “HITECH authorization.” This terminology is only used by attorneys and RRCs that work with them.

    The paper provides a thorough list of signs indicating attorney misuse of patient-directed requests.

  • Steps for combating the issue. To combat this problem, healthcare organizations need a comprehensive game plan that includes education and awareness across HIM, compliance, legal, risk management and finance. New strategies must also be employed at the national level to raise awareness and garner support. In our paper, we offer a step-by-step approach to assist healthcare organizations in building their game plan.

Conclusion: For the Better Good

In summary, the white paper states, “The issue is not about prohibiting authorized access. The issue is about limiting the ability of attorneys and other third parties to manipulate the OCR guidance and patient-directed requests for their own commercial gain. Healthcare organizations that give in to attorney misuse of patient-directed requests may think that they are mitigating legal risk. Instead, they are welcoming negative financial impacts for themselves and potential adverse privacy effects for their patients. Producing thousands of pages of PHI for the nominal patient fee is not a business practice that can be sustained in the long term by any provider. This cost-shifting cannot be tolerated.

The efforts of attorneys and RRCs to obtain PHI via their mischaracterization of the guidance—which, to date, has not been challenged—is well documented and significantly more advanced than a lone provider’s ability to combat it. While providers are steadfast in protecting patient privacy, they also need to protect their fiscal health. They can only do so by taking concrete steps now to stop disreputable attorney and RRC behavior before the issue becomes a more serious problem and a financial crisis for provider organizations.”
The contents within our white paper are approved and endorsed by the Association of Health Information Outsourcing Services (AHIOS), a membership group composed of Health Information Management outsourcing organizations.

Complete the form on this page to request a copy of the white paper “Misuse of Patient-Directed Requests for Copies of Medical Records.”

Blog sign up

Recent Blog Posts

Request the White Paper

Read More

The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense

May 30, 2019
Greg Ford
No comments
Categories: Compliance, Payer, PHI Disclosure Management Blog | MRO

 

 

 

 

 

 

 

 

Last month I had the privilege of presenting the first installment of MRO’s 2019 PHI Disclosure Management Webinar Series to healthcare professionals across the country about the rising tide of payer requests for medical records. Judging by the attendance and feedback, it is a topic that garnered a lot of attention. Based on the high level of interest, MRO plans to continue to provide content on this topic. Here is an overview of “The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense” presentation.

Payer Audits vs. Reviews

First, we covered the difference between audits and reviews as it is important to make the distinction and not group them together in the same category. DRG audits (post-payment audits) are not the provider’s friend. As payers attempt to review records for paid claims to recoup payment from the provider, audits occur throughout the year. Payers review the record to make sure the claim and record information match, so they can determine if the claim has been overpaid and recoup funds if necessary. These audits are typically time sensitive and due within 30 to 45 days of the date on the request letter.

The other category, reviews, includes HEDIS (Health Effectiveness Data and Information Set) and Risk Adjustment (Medicare Advantage, Medicaid, and commercial) requests. Review requests are seasonal projects that do benefit payers, but providers are not subject to negative financial impact and requests should be prioritized accordingly. The payer may impose an unrealistic time frame of 10 to 15 days when in reality there’s a broader time frame. Because HEDIS and Risk Adjustment reviews are seasonal, providers have more than 30 to 45 days to produce records.

Payer Requests for Medical Records: Deep Dive into Trends, Issues and Statistics

Next, we examined the current environment, trends, issues and statistics related to rising payer requests for medical records. It is common that audits (year round) and reviews (seasonal) overlap, causing a burden on HIM departments. HEDIS and commercial Risk Adjustment projects overlap with HEDIS, running from January through early May, and commercial Risk Adjustment running from September through mid-April. In addition, Medicare Risk Adjustment projects are beginning earlier every year. MRO has already seen requests come in during April 2019.

In recent years, healthcare organizations have experienced a steady increase in DRG/post-payment audits and HEDIS/Risk Adjustment reviews. According to MRO statistics from 2017 to 2018, overall payer requests increased 70 percent due to a significant upsurge in core categories—DRG audits up 52 percent, HEDIS reviews up 62 percent, and Risk Adjustment reviews up 80 percent.

Handling Large Audit and Review Projects: Recommended ROI Workflows

The growing trend of payer requests for medical records may seem overwhelming at times, but there are solutions to lessen the burden on HIM departments. The presentation also provided the following recommended Release of Information (ROI) workflows for handling large review projects:

  • Build stronger relationships with payers and health plans to better manage the surge in medical ROI. Establish project due dates instead of 30-day completion.
  • To offset the cost burden associated with producing these high-volume review requests for records, ensure the health plans will compensate for the records provided in a timely manner.
  • Ask your ROI vendor to work directly with the health plan to coordinate disclosure management instead of using internal staff or engaging a third-party vendor. Establish project due dates, rates and electronic delivery.
  • Use your ROI vendor’s remote services capabilities to process these large review projects so that HIM labor resources can focus on the daily workload.

Managed Care Contracts: Medical Record Language

Understanding the medical records section of the managed care agreements also plays an important role in how payers request medical records. An organization’s managed care agreement governs the payer/provider relationship and includes a medical records section that specifies the payer cost to audit a healthcare provider. Unfortunately, the medical records section is often a low priority because the managed care team may not understand the burden on HIM or the financial risk for the entire organization. The presentation provided details of recommended language for managed care contracts to ensure optimal outcomes for provider organizations. You can learn more by downloading the slides.

Payer Access to EMRs

The last topic covered the emerging concerns around payer requests for direct access to EMRs. Payers want access to medical records for the aforementioned reasons (post-payment audits, HEDIS, Risk Adjustment) and for initial claims processing. Payers are making a variety of proposals as to the types of access they would like to be granted. These levels of access and aggregation of records have different levels of associated risk. Here are four areas of concern for providers and patients:

  • Financial—Direct, automated access to a wide band of patient records will facilitate the growing trend of post-payment audits, denials and recoupments.
  • Privacy and Consent—Unlike the healthcare community, payers have not earned patients’ trust to serve as custodians of their most personal and private information. Learning of payer aggregation and storage of these records by payers is not a practice patients would approve, and learning of it after the fact could lead to strong patient dissatisfaction.
  • Information Governance (IG)—Automated sharing of full patient records with payers, and aggregating those records for permanent use, raises multiple legal and IG concerns. These include managing distributed health records, meeting HIPAA requirements for minimum use and correction of errors, and inadvertently sharing encounters for which the payer was not the guarantor.
  • Security—Automated access to health data by payers increases a provider’s exposure to cyberattack, and the aggregation and storage of that data in the payer’s IT system widens the potential exposure to large-scale breach.

The presentation included recommendations for payer access to EMRs. For those details, please complete the form below.

Blog sign up

Recent Blog Posts

Request a copy of the presentation below

Read More

What to Do and Not Do When Changing Health Information Management Vendors

May 16, 2019
Angela Rose, MHA, RHIA, CHPS, FAHIMA
No comments
Categories: Compliance, PHI Disclosure Management Blog | MRO, Privacy and Security

 

 

 

 

 

 

 

 

The April 2019 Journal of AHIMA article “What to Do (and Not Do) When Changing HIM Vendors” served as a virtual roundtable featuring the experiences of three HIM leaders who successfully navigated HIM service vendor transitions. The MRO client panelists were Cindy M. Phelps, RHIA, Sr. Director, TSG Business Relationship Management, Carilion Clinic; Sherine Koshy, MHA, RHIA, CCS, Corporate Director HIM, Penn Medicine; and Kathleen J. Edlund, M.M., RHIA, Director of HIM, Trinity Health.

Topics discussed in the roundtable included challenges, lessons learned and practical strategies that help ensure quality service and a lasting collaborative partnership. As moderator of the discussion, I had an opportunity to focus on each expert’s type of vendor transition: transcription, EHR and Release of Information (ROI).

Challenges

Choosing the right vendor can be a challenging and daunting task, especially if your current service has been in place for a long time. Whether the service being considered for outsourcing options is in-house or with another vendor, the key to a successful transition is in the planning.

Some of the common challenges that prompted the panelists’ organizations to seek a better solution were: the need to have all users on one platform, service and quality issues, communication problems and lack of client support.

Lessons Learned

From their experiences addressing the challenges listed above, each HIM expert offered lessons learned and suggestions for other organizations to consider when transitioning service vendors. Here is a summary of their recommendations:

  • Conduct benchmark, research, and reference checks.
  • Establish key performance indicators (KPIs).
  • Engage multidisciplinary teams.
  • Conduct a pilot test.
  • Communicate and collaborate to build a trusted partnership.
  • Create a project charter.
  • Provide training and education.
  • Complete pre-implementation assessment documentation.
  • Create a visual diagram model of the process flow.
  • Ensure understanding of ancillary departmental (EHR) software systems.
  • Preserve a working relationship with the outgoing vendor.

Strategies to help ensure a lasting collaborative partnership

Each panelist offered components of a strong, collaborative partnership that promotes ongoing optimal outcomes. Here are five essential factors:

  • Monthly review meetings and open communication to discuss successes, concerns and issues with the vendor.
  • Engagement and availability of the vendor in the daily operational business.
  • Vendor sharing latest trends with development and with their other clients.
  • Annual onsite business review to highlight current state and share future state with key stakeholders.
  • Investment in the training and resources necessary to meet the needs of your organization.

The Journal of AHIMA article provides additional details regarding lessons learned, strategies and expert recommendations. To download a copy of the article, fill out the form below.

Blog sign up

Recent Blog Posts

Download the Journal of AHIMA Article

Read More

2019 HCCA Compliance Institute Recap

May 02, 2019
Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
No comments
Categories: Compliance, PHI Disclosure Management Blog | MRO, Privacy and Security

 

 

 

 

 

 

 

 

The 23rd Annual HCCA Compliance Institute provided a wonderful learning experience focused on compliance in various areas of healthcare delivery. MRO was fortunate to have several representatives attending informative sessions and engaging in meaningful conversations with other attendees.

I was pleased to have the opportunity to co-present with our client, Melissa Landry, RHIA, Assistant Vice President of Health Information Management (HIM), Ochsner Health System on “Incident Response: Best Practices in Breach Management.” We covered the following topics during our presentation:

  • Current Environment and Statistics Related to Healthcare Breaches
  • Breaches under HIPAA and State Law
  • HIPAA Security Rule Safeguards that Address Incident Response Plans
  • Best Practices for Incident Response Plans
  • The First 24 Hours Following a Breach

Fill out the form below to request a copy of our presentation.

Session Takeaways

Of the numerous breakout sessions and learning tracks I attended, there were two in particular that I found to be very informative and insightful—updates from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Center for Medicare and Medicaid Services (CMS).

OIG Update

Joanne Chiedi, Principal Deputy Inspector General, HHS OIG, provided an enlightening keynote address. Her presentation encouraged compliance professionals to be bold and take action. Chiedi shared that at this time of disruptive innovation in healthcare, compliance must engage in these innovative conversations. Here are a few of her other key points:

  • We cannot oversee what we do not understand. Effective oversight requires understanding how healthcare is delivered today and how it will be delivered in the future.
  • Give Compliance the data. If anyone in your organization has data, Compliance should have access to it.
  • Compliance and innovation must advance together. Compliance can and should play a big part in getting innovation right in healthcare.

This presentation offered a comprehensive overview of the current healthcare ecosystem along with a description of the role compliance professionals play in upholding quality standards and processes.

CMS Update

Kimberly Brandt, Principal Deputy Administrator for Operations, CMS, joined the conference to deliver this update. Here is a preview of announcements that we can expect from CMS:

  • Patients over Paperwork
  • Interoperability and MyHealthEData
  • Opioid Epidemic
  • Program Integrity

This presentation provided attendees with the inside scoop and a great overview of what is on the horizon with CMS.

Continue Your Compliance Education by Attending MRO’s Upcoming Webinar

Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI through new technology and HIPAA-compliant policies and procedures.

In MRO’s upcoming webinar “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps. This session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain. Secure your spot today by registering here.

Blog sign up

Recent Blog Posts

Request HCCA Incident Response Breach Management Slides

Read More

MRO Celebrates Health Information Professionals Week

March 26, 2019
Stephen Hynes
No comments
Categories: PHI Disclosure Management Blog | MRO, Privacy and Security, Release of Information

 

 

 

 

 

 

 

 

During Health Information Professionals (HIP) Week, MRO enjoys celebrating our Health Information Management (HIM) partners and staff, who perform their duties masterfully throughout the year. We have the pleasure of working with the industry’s most dedicated professionals whose expertise upholds high standards of integrity.

With appreciation for this year’s HIP Week theme “Health Information Professionals Driven by Health Data,” MRO affirms its commitment to protecting client data. This core responsibility is reflected in our recent HITRUST CSF Certification and SOC 2 Type II audit.

MRO’s expert Protected Health Information (PHI) disclosure management teams equip our HIM partners with the safeguards, services and resources needed to sustain a superior reputation for compliance, service quality and patient satisfaction. Resources include guidance from renowned industry experts, along with passionate teams of Release of Information (ROI) specialists eager to provide high levels of customer care.

HIM’s Everyday Heroes

At MRO, our mission is simple. We aim to share the right PHI with the right requesting parties, in the most compliant, efficient and secure way. And, we do more than share medical records. We make a difference in the lives of patients—sometimes we even save lives.

The work of HIM matters, especially Release of Information. Proper ROI enables better coordination of care, helps patients secure disability benefits, and supports patients through insurance claims or lawsuits when medical records are required. The fast and accurate sharing of medical records can make a lasting impact for a patient in need.

Many MRO employees have been recognized as personal heroes to patients and other requesters of health information whom we have had the privilege of helping. They email us, send cards and gifts, and make phone calls to share their positive experiences with MRO. We regularly highlight these exceptional HIM professionals in an employee development and recognition program fittingly called MRO’s “Everyday Heroes.” We are proud to have our heroes serving over 8,500 healthcare locations and their patients across the U.S.

HIM Expert Resources

HIM leaders at many of the nation’s top health systems trust and rely on MRO’s KLAS-rated #1 Release of Information services and team of renowned experts. Our leadership team was skillfully assembled to provide our HIM partners with the best guidance and support possible, as together we navigate the complex world of compliant PHI disclosure.

Throughout the next year, you will have the opportunity to learn more about MRO’s experts in advertisements appearing on the back cover of the Journal of AHIMA. Each issue will feature a different expert resource provided to MRO clients.

Just released, the April issue of the Journal features MRO’s Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy. An HIM superstar and Past President of AHIMA, Rita has over 40 years of experience and expertise. She and her team empower HIM professionals through consultative reviews of PHI disclosure policies and procedures, privacy analytics, and a variety of HIPAA compliance resources and tools. Be sure to check out each issue of the Journal and visit our accompanying website to learn more about MRO’s HIM experts.

2019 Webinars: Supporting Your HIM Continuing Education

To support the ongoing education of MRO’s clients, our many credentialed employees, and all HIM professionals, we recently launched a complimentary PHI disclosure management webinar series, led by our industry experts.

The series consists of four sessions throughout 2019, each pre-approved by AHIMA for one CEU in the privacy and security domain.

Wednesday, April 10

The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense >>Register

Thursday, June 27

Enterprise-wide Disclosure Management: Closing the Compliance Gaps >>Register

Wednesday, August 14

Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI >>Register

Wednesday, November 13

Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope >>Register

Happy HIP Week

We hope all Health Information Professionals enjoy this special week. Thank you to our clients and our employees for all that you do, and Happy HIP Week from all of us at MRO!

Blog sign up

Recent Blog Posts

Sign Up for Future Blog Posts

Read More

Five Takeaways from the 28th National HIPAA Summit

March 21, 2019
Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
No comments
Categories: PHI Disclosure Management Blog | MRO

 

 

 

 

 

 

 

 

The month of March holds important projections for the healthcare industry—especially for those involved in privacy, security and patient access to health information. It is when the annual National HIPAA Summit is held every year in Washington, D.C., and this year was no exception.

The 28th National HIPAA Summit was held March 4 – 6 at the Grand Hyatt Washington. Thousands of healthcare professionals gathered to discuss current challenges, future goals and expert predictions for our industry. This year’s event focused on the changing landscape of healthcare privacy, security, HIPAA and Protected Health Information (PHI). Here are my five top takeaways from the National HIPAA Summit 2019.

  1. Beacons of Change: GDPR and CCPA

Passage of both the European General Data Protection Rule (GDPR) and the California Consumer Protection Act (CCPA) is paving the way for stricter standards and expansion of HIPAA. GDPR and CCPA serve as the new measuring sticks for 2019 privacy conversations in healthcare. With this shift come increased compliance risks for providers and business associates (BAs), alongside greater privacy right of action for individuals. For example, presenters at the HIPAA Summit suggested that all stakeholders should be governed by revised guidelines including those currently carved out of the HIPAA rule.

  1. Uptick in Audits

Speakers also suggested there will be an increase in third-party audits to assure a culture of compliance within organizations and BAs. Audits currently conducted reveal four ongoing concerns in healthcare privacy and security:

  1. Lack of BA agreements
  2. Incomplete or inaccurate risk analysis
  3. Impermissible disclosure of PHI
  4. Recurring compliance issue—gaps from risk register not closed

Significant attention remains focused on network servers compromised by hackers and malware. However, smaller breach incidents where patterns are identified but no mitigation efforts occurred will also be investigated.

  1. New Approach to BA Assessments

With regard to BA assessments, generic risk assessments completed by BAs at the request of covered entities (CEs) have become obsolete. A new approach suggests that BAs provide information specific to three aspects of risk:

  1. Describe delivery of the BA’s services
  2. Identify the BA’s risk components
  3. Detail how the BA works to close privacy and security gaps

In addition, HIPAA Summit attendees reiterated that best-practice criteria for vetting BAs include compliance with HITRUST and SOC 2 certification.

  1. Push for Greater Patient Access to Health Information

From HIMSS to the HIPAA Summit in 2019, the healthcare industry is squarely focused on the patient. Patient engagement, patient satisfaction and patient access to health information are top goals for most healthcare provider organizations in the year ahead. Similar to a call for better patient access, heard during a December 2018 congressional briefing, summit presenters pushed for specific improvements for the healthcare consumer:

  • Harmonize information across all states for easier patient access
  • Give the patient (or directed requester) information from the designated record set (DRS)
  • Ensure right of access to the requester (patient and/or their representative)—a primary audit focus with penalties associated with any type of information blocking or hindrance to obtaining health information

Unless providers have contacted the patient and the patient states otherwise, requests for information should be processed by the CE in accordance with existing guidance. Proper alignment of processes to policy helps mitigate breach risk when processing patient-directed requests (PDRs) for information. For example, a specific individual must be named to receive information.

Greater patient access to information is an important step to improve patient satisfaction and create positive patient experiences. In fact, it is one of three key results highlighted in a recent blog post about MRO’s partnership with Saint Luke’s Health System.

  1. Interoperability Promotes Data Sharing, Streamlines the Business of Healthcare

My final takeaway from the HIPAA Summit 2019 was renewed emphasis on interoperability in an effort to streamline the business of healthcare—especially data sharing between providers and payers. Both the OCR and ONC have announced initiatives around interoperability. Two areas in particular were discussed.

Electronic claims. An electronic claims attachments rule was passed in 2012, but has not been widely adopted or enforced. Enforcement of electronic remittance advice (ERA) will reduce paperwork between providers and clearinghouses, with the potential to save $8 billion annually. Facilities will be reviewed for compliance via the “optimization program” versus process audits.

Health plans. Getting data back to health plans is vital to success under value-based reimbursement. Our patients are health plan members. We all have the same purpose—to improve the health of those we serve. Direct exchange of information between CE, provider and plan support this goal while streamlining processes across all stakeholders. The ability for patients to also contribute electronic health data for better patient care coordination is the industry’s audacious goal.

HIPAA was first signed into law in 1996. Today, 22 years and 28 HIPAA summits later, I still learn and advance in concert with healthcare industry changes. Keeping abreast of predictions, such as those listed above, ensures every healthcare professional gains the knowledge they need to deliver high-quality care while protecting privacy, security and patient access to health information.

MRO is committed to keeping our clients and the HIM industry up to date on the latest happenings. To receive updates from MRO when we release new blog posts, complete the form below. You can also learn more in our upcoming PHI disclosure management webinar series, which kicks off April 10, 2019 with a session focused on payer requests for medical records, including audits and reviews.

Blog sign up

Recent Blog Posts

Sign Up for Future Blog Posts

Read More

Four PHI Disclosure Management Webinars to Catch in 2019

March 14, 2019
Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
No comments
Categories: Compliance, PHI Disclosure Management Blog | MRO, Privacy and Security

 

 

 

 

 

 

 

 

As we move into 2019, it is important for healthcare professionals to stay up to date on the latest trends and best practices for managing Protected Health Information (PHI) disclosure across healthcare enterprises.

In MRO’s upcoming 2019 “Best Practices in PHI Disclosure Management” webinar series, the latest trends and best practices for organizations to consider will be covered. There are four parts to this webinar series, and each session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics in our webinar series, which MRO’s subject matter experts will go into more detail. To register, click here.

Webinar Watch List: Payer Audits, Compliance, Cybersecurity and Patient-Directed Requests

1) The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense
Payer requests for medical records are challenging, time-consuming undertakings for healthcare organizations, typically requiring the release of hundreds or thousands of patient records. MRO’s payer relations expert Greg Ford, Senior Director of Requester Relations and Receivables Administration, will share tips and best practices to shore up your defenses against the rising tide of payer requests for medical records.

2) Enterprise-Wide Disclosure Management: Closing the Compliance Gaps
Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits, and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI by implementing new technology and HIPAA-compliant policies and procedures. In this webinar, I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps.

3) Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI
In an era of evolving cybersecurity threats, healthcare leaders are challenged to be vigilant in their efforts to minimize risk and implement new, robust safeguards to protect the privacy and security of patient data. MRO’s security expert Anthony Murray, CISSP, Vice President of Information Technology and ISSO, and I will provide best practices for safeguarding PHI across your healthcare enterprise.

4) Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope
The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding clarification for healthcare providers, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in rising challenges for healthcare providers. MRO’s legal expert Danielle Wesley, Esq., Vice President and General Counsel, and I will provide clarity on the topic and cover strategies and tactics for combatting the related issues.

Register today for our first webinar, on the topic The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense.

Blog sign up

Recent Blog Posts

Register for "The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense"

Read More

How Saint Luke’s Health System Enhanced Release of Information Workflows and Improved the Customer Experience

February 07, 2019
Don Hardwick
No comments
Categories: PHI Disclosure Management Blog | MRO, Release of Information, Success Stories

Saint Luke’s Health System (SLHS) includes 16 hospitals, home care, hospice, behavioral health services, and physician practices across Missouri and Kansas. The health system receives 49,200 Release of Information (ROI) requests annually. As SLHS continues to expand, their HIM management team, led by Sharon Korzdorfer, Health Information Management (HIM) Director, is committed to delivering the highest quality health information services to its patients, who may request information concerning care provided by SLHS.

In 2018, Korzdorfer realized that in order to respond to a rise in monthly ROI request volumes compliantly and efficiently, they needed advanced technology and services. After evaluating multiple vendors, SLHS selected MRO to handle Protected Health Information (PHI) disclosure management across the enterprise. Their decision was based on several factors, including MRO’s dedication to clients, patients and other third-party requesters, layers of support from responsive teams of experts, and the ability to leverage technology to improve workflow. MRO’s reputation as a true partner to providers was also a key factor.

“Reputation goes a long way,” said Korzdorfer. “Sales teams can sell anything, but what I have heard consistently from my HIM peers is that MRO always comes to the table prepared to meet and exceed expectations.”

Enhanced Release of Information Workflows: Leveraging MRO’s Technology

SLHS implemented MRO’s flagship Release of Information platform, ROI Online®, along with MROeLink®, a bidirectional interface between the ROI solution and the health system’s Epic EHR.

The MROeLink tool automates manual steps for working in both an ROI system and the Epic EHR. Eliminating manual processes reduces the time needed to process requests and minimizes human error. SLHS leadership knew a system integration method would be a vital component in improving efficiencies and accuracy.

In addition to enhancing the ROI workflow through MROeLink, MRO introduced ways to further improve productivity and service quality, including implementing new processes for responding to the rising tide of payer audits and reviews, such as HEDIS and Medicare Risk Adjustment, by shifting requester relations and correspondence to MRO’s National Service Center.

Improved Customer Experience

As a result of improved workflows, technology integrations, and moving requester relations to MRO’s service center, SLHS reports reduced requester complaints, reflecting improvements in the patient and requester experience.

The Results

Through a partnership with MRO, SLHS saw impressive results, including improvements to turnaround times for ambulatory requests, continued high accuracy levels and an improved customer experience for patients and other requesters of PHI.

Korzdorfer said, “Throughout my experience with the company—from sales, through implementation and training, to the current operational partnership—MRO’s industry experts have been accessible, responsive, communicative and eager to help. It is so refreshing that MRO cares.”

To learn more, download MRO’s Saint Luke’s Health System Case Study by completing the form below.

Blog sign up

Recent Blog Posts

Receive a copy of our Saint Luke’s Health System case study

Read More

An Enterprise-Wide Approach to PHI Disclosure Management: Closing the Gaps in Compliance

January 03, 2019
Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB
No comments
Categories: Compliance, PHI Disclosure Management Blog | MRO


In an era of regulatory reform and breach, privacy and security compliance is top of mind for health systems. Healthcare leaders are seeking ways to mitigate risk—including financial penalties, lawsuits, and reputational damage—by improving Protected Health Information (PHI) disclosure management processes. Many are embracing the benefits of taking an enterprise-wide approach and standardizing technology, policies and procedures across points of disclosure within their health systems.

In the December 2018 issue of HCCA’s Compliance Today publication, I authored “Enterprise-wide PHI disclosure management: Closing the compliance gaps,” which covered the following four topics.

Increased Focus on Small Healthcare Breaches

Small breaches affecting fewer than 500 patients at a time have become more frequent than the large cyberattacks we see publicized in the news. A cause of these breaches is improper disclosure of PHI during the Release of Information (ROI) process. With increased frequency and impact on patient privacy, small breaches are getting more attention from the OCR.

Small breaches can be just as costly as large ones in terms of penalties and reputational damage. The risks involved with multiple disclosure points and the lack of standardized processes make PHI disclosure difficult to direct and track, making breaches more likely. An enterprise-wide approach to PHI disclosure management is the recommended solution to the challenges faced by healthcare organizations.

PHI Disclosure Across the Enterprise

Although HIM departments still hold primary responsibility for handling PHI disclosures, other areas— including radiology, business offices, and physician practices— increasingly receive requests to release PHI. The issues around this trend pose risks that can lead to privacy breaches. Here’s why:

  • ROI is not a core responsibility of non-HIM staff—and it is not their top priority.
  • Other departments lack sufficient knowledge of rules and regulations governing the compliant release of patient information.
  • Specialized training and multi-tiered Quality Assurance are required to properly disclose PHI.

Quality Assurance Gaps in Release of Information

Quality and accuracy are important aspects of compliant PHI disclosure. However, since ROI workflows involve a variety of manual steps and are complex, there is room for error. Some startling statistics outlined in the HCCA article include:

  • Approximately 30 percent of all submitted ROI authorizations are initially found to be invalid.
  • With more than 100 possible combinations of errors or omission points across a wide variety of request types, up to 10 percent are processed with errors if the only line of defense is the person onsite logging the request.
  • 5 percent or more of patient data in EMRs have integrity issues, including comingling of patient records.
  • Well-trained ROI specialists will catch most of mixed records. However, with just one level of quality control, 1 in every 200 requests will included comingled records.

As a best practice, ROI authorizations and PHI should be checked for accuracy multiple times by specially trained ROI staff and sophisticated technologies to avoid non-compliant requests and/or comingled records. This can be best achieved if PHI disclosure management processes across a healthcare enterprise are streamlined through HIM.

Enterprise-Wide Approach to PHI Disclosure Management

A centralized, enterprise-wide approach to disclosure management is the optimal solution to the imminent challenges that healthcare professionals face. By standardizing processes throughout an organization and applying best practices under HIM’s expertise across the system, healthcare organizations can ensure a steady enforcement of enterprise disclosure policies, a manageable workflow, Quality Assurance and a consistent experience for patients and requesters of PHI. This approach enables healthcare organizations to have complete confidence in achieving compliance. An enterprise-wide strategy not only protects a patient’s privacy, it also protects the institution against breaches, financial risk, lawsuits, and reputational damage.

For more information on breach prevention and tips to protect your organization download MRO’s eBook “Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization”

Blog sign up

Recent Blog Posts

Download MRO’s eBook "Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization."

Read More