Check Request Status610-994-7500

National Cybersecurity Awareness Month: How to Protect Your Online Presence

 

National Cybersecurity Awareness Month, initiated by the National Cybersecurity Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance, is observed in October. The purpose is to raise awareness about the importance of cybersecurity, which is essential to the business operations of MRO. As our company’s information systems security officer, I saw an opportunity to review some important cybersecurity points to protect your online presence this month and beyond.

IT Security Basics for Breach Prevention

Though sophisticated measures are an important part of an effective cybersecurity plan, it is essential to always remember the basics:

  • Use passwords – Not only should you have one, you should create one that includes numbers, symbols, and upper- and lower-case letters. And never use your name, birthday or an existing password. Use different passwords across systems, so that if a hacker accesses one system, they cannot easily access all the others. Finally, never share your password. Just because you trust someone does not mean they will protect your password.
  • Lock your device – When you are away from your device, lock it to prevent people from viewing sensitive information or using the device. This goes for computers, mobile devices, tablets, etc. Set your device to lock automatically after a certain period of inactivity for stronger data breach prevention.
  • Use a secure WIFI connection – Connections at hotels, coffee shops, airports and other public places are not secure. Even if a password is required to use the WIFI at a trusted business or location, those connections are by no means secure and are vulnerable to hacking.

Phishing

In a phishing attack, cyber criminals use an email to lure you into giving them more information. These emails usually look real and are excellently designed to trick you. They will try to collect financial information, login credentials or other sensitive data. Sometimes these criminals use malicious web links, attachments or fraudulent data-entry forms to install harmful software called malware on your device. Falling for a phishing attempt can have serious long-term impacts on your work and home life. Many companies have had billions of confidential personal data leaked, and many people have had their bank accounts cleared out, all due to successful phishing by cyber criminals.

How can you protect yourself against phishing? Follow these simple, but effective steps:

  • Think before you click – Does it sound too good to be true? Do you know the sender? Does it have any links or attachments? Does it ask for money, credentials or any other sensitive information that you would not give to a stranger?
  • Verify attachments and links before you open them – Hover over the link to see where it is taking you. Do you know that site? Visit the site on your web browser (NOT by clicking the link, but by doing a quick search), and then call the number on the site to inquire about the email message.
  • Double and triple check – Email addresses can be “spoofed” meaning they appear to be from a trustworthy source, when in fact they are not. Brands and logos can be copied and pasted from the real, reputable site. Even links can be disguised as legitimate when they are not. Before you do anything, you need to be 100 percent sure that everything is legitimate. When in doubt, simply do not open, click or respond. Report it to your IT security team.

Ransomware

Ransomware is a malicious software that cyber criminals use to deny access to your system or data. These criminals will hold your system/data hostage until ransom is paid. After the initial infection, there will be attempts to spread the ransomware to shared drives and systems. If the demands are not met, the system could remain unavailable or even be deleted altogether.

How do you know if you have ransomware on your computer? A window will pop up telling you that you have XX amount of time to pay a certain amount of money to avoid losing your system or data.

If that happens, take the following steps:

  • Unplug the power cord from the back of your PC—don’t just turn it off
  • Contact your IT department (via phone) for assistance
  • Contact your supervisor

Ultimately, the best way to ensure this does not happen is to avoid unknown links, ads and websites. Do not download unverified attachments or applications. At home, keep your software up to date, and back up data files to a secure location daily. As always, if it looks suspicious, simply do not open, click or respond.

Social Engineering Tactics

Social engineering attacks are directed specifically at human beings. Hacking a human is much easier than hacking a business, so be on the lookout! There are three basic tactics used in this type of hacking. Be aware, and don’t fall for these common tricks:

  • In person – Someone gains access through an open door or pretends to be a service technician, someone buys you a drink and tries to extract information, someone looks at your unattended device, or someone is left unattended to use your computer, perhaps during a troubleshooting session
  • Phone – Someone calls you pretending to be from an organization asking for donations, pretending to be your bank with a pre-recorded message and asks you to call back to confirm information, or pretending to be a person in authority who intimidates you to give them information
  • Digital – Someone uses phishing, someone mimics a trusted social media page to get you to click on malicious links, or someone uses common typos for brand URLs to make you think it’s the real site and click on malicious links

National Cybersecurity Awareness Month: Sobering Stats

Homeland Security recently published some sobering statistics about cybersecurity. Don’t fall victim and be a part of these statistics:

  • 47 percent of American adults have had their personal information exposed by cyber criminals
  • 600,000 Facebook accounts are hacked every single day
  • 65 percent of Americans who went online received at least one online scam offer

Though National Cybersecurity Awareness Month is observed during October, the advice and resources provided above can and should be used all year round to improve cybersecurity in the office and at home. Be a strong link in the cybersecurity chain and practice what you have learned every day.

Join our blog mailing list

Read More

Heard at AHIMA 2019: Penn Medicine’s Journey to Enterprise-Wide Disclosure Management

Recently, at the AHIMA Health Data and Information Conference in Chicago, I had the pleasure of presenting with my colleague Sherine Koshy, MHA, RHIA, CCS, Corporate Director of HIM at Penn Medicine, about her experience outsourcing Penn Medicine’s release of information (ROI) function.

Our presentation was held in the HIM Expert Theater where we discussed why enterprise-wide disclosure management is so important in today’s healthcare ecosystem.

We had a great time networking among peers and sharing best practices as well as lessons learned along Sherine’s journey. The conference is a busy time with many opportunities for education. So, if you were unable to make our session, here are highlights of the points discussed:

Healthcare and HIT Environmental Scan

HIPAA is still the standard that sets the floor for the privacy and security of protected health information (PHI), but let’s not forget the other federal and various state laws that also affect PHI safeguards and disclosures. We’ve all heard that HIPAA 2.0—the reboot for a modernized version—is coming to catch up with the continually changing healthcare and HIT environments. As part of the healthcare evolution, patients have become more actively involved in their own care, a trend that demands timely and accurate disclosure management practices.

Why Enterprise-Wide Disclosure Management?

 As outlined in our presentation, the benefits of an enterprise-wide disclosure management approach include the ability to:

  • Standardize workflows
  • Review/update policies and procedures
  • Improve the customer experience
  • Achieve compliance
  • Mitigate risk

Nationwide ROI Survey Results

 We summarized the results of a survey that MRO recently commissioned to a third party, Porter Research, to find out more about current ROI needs and requirements. The survey found that senior HIM professionals experienced two top business challenges:

  • Dissatisfaction with their ROI vendor—including missed service level agreements (SLAs), compliance issues/breaches, and lack of support/poor service quality
  • Need for standardization of the ROI process—due to a high volume of ROI requests, multiple locations and need for one single platform: one EMR and one ROI vendor for consistency

The study also revealed five essential attributes organizations consider when searching for an ROI solution or a new ROI vendor. Those include:

  • Ease of use—a dependable system that is user-friendly
  • Workflow—efficient and effective to ensure timely and accurate disclosures
  • Turnaround time—requirements met according to timelines, if not sooner
  • Industry reputation—customer satisfaction, company integrity, and staff credibility
  • Ability to handle volume—to ensure quality of service does not fluctuate with request volume

 Penn Medicine’s ROI Journey

 Penn Medicine is located in and around the Philadelphia, Pennsylvania area and includes 6 hospitals (7,163 physicians), 10 multispecialty centers, and 800+ physician practice locations. The system is ranked by U.S. News & World Report as No. 1 in the state of Pennsylvania.

Like many other organizations, Penn Medicine faced challenges with their ROI solution and realized the need to evaluate the following:

  • Level of quality—internal issues and patient complaints due to backlog in requests
  • Customer service—lack of partnership and trust in the relationship, and a reactive instead of proactive approach when taking on issues
  • Patient complaints—increase in complaints across the entire health system
  • Staffing—high turnover and inability to keep up with demand for new employees
  • Productivity and turnaround time—compliance risk due to missed deadlines
  • Technology—platform not user-friendly, inability to integrate with the existing EHR

Ultimately, Penn Medicine made the tough decision to change ROI vendors, and focused on top priorities:

  • Ensure excellent customer service and response times to Penn Medicine and, even more important, to the patient
  • Create a one-stop-shop model allowing a patient to request records from anywhere in the enterprise at any one location
  • Decrease privacy and security incident/breach rates
  • Ensure system integration with Penn’s EHR

Many collaborative planning meetings paved the way for MRO to clearly understand Penn’s challenges and to define an effective transition plan for the organization’s future ROI state. A strong partnership was built by creating a team approach, investing in training and resources, and going above and beyond to bring Penn Medicine’s vision to life.

The transition proved to be successful for Penn, measured by the following outcomes:

  • Compliant ROI—quality and accuracy improved, turnaround times were met, and productivity levels kept up with high volumes
  • Customer service—increased satisfaction by allowing requesters to request and obtain any Penn Medicine record at any location
  • Complaints—decreased significantly
  • Staffing—low turnover and well-managed staff
  • EHR integration—streamlined workflows and increased productivity
  • Partnership—mutual trust and transparency between Penn Medicine and MRO

Enterprise-Wide Disclosure Management: Best Practices and Lessons Learned

Along any successful journey, issues must be resolved to achieve success. Partnership is essential. Penn Medicine’s ROI journey provides other healthcare organizations with valuable best practices and lessons learned:

  • RFP—Create a multidisciplinary committee, define the process with timelines and due dates, define the most important criteria and attributes needed for your organization, establish a grading document and scale, and communicate regularly with the vendors
  • Contracts—Ensure accountability and responsibility between parties in your BAAs, know payer contract verbiage and negotiated rates, and create realistic achievable SLAs
  • Technological capabilities and limitations—Ensure ease of use, keep in mind possible integrations such as MROeLink®, maintenance, and downtime
  • Communication—Create checks and balances, hold ongoing meetings to touch base (internally and with vendor), ensure all stakeholders are on the same page and change course if necessary
  • Partnership development—Ensure transparency, team effort, reliability and above all, trust

To learn more about enterprise-wide disclosure management, and Penn Medicine’s ROI journey, fill out the form below to receive a copy of our presentation, originally presented at AHIMA 2019.

Request presentation slides

Read More

Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI

 

 

 

 

 

 

 

 

 

On August 14, 2019, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part PHI Disclosure Management webinar series. In this webinar titled “Cybersecurity in Health IT: Trend and Tips for Safeguarding PHI,” we discussed updates from the 2019 HIPAA Summit, the concept of “defense in depth,” security frameworks, top security threats and best practices for protecting your organization.

2019 HIPAA Summit

The HIPAA Summit focused on advances in security technology and increased government cybersecurity initiatives. Considering recent data breaches, healthcare organizations must build cybersecurity awareness programs that ensure HIPAA compliance. Here are four top priorities:

  • Secure executive and board-level buy-in
  • Provide ongoing training and education
  • Perform an annual risk analysis
  • Create a comprehensive incident response plan

The Summit featured a panel discussion including a representative from Anthem, Inc. who spoke about the company’s cyberattack and resolution agreement, the single largest individual HIPAA settlement in history of $16 million. The breach report filed with the HHS Office for Civil Rights (OCR) indicated that cyberattackers had gained access to Anthem’s IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. The investigation revealed the following risk factors:

  • Failure to conduct an enterprise-wide risk analysis
  • Insufficient policies and procedures to regularly review information system activity
  • Failure to identify and respond to suspected or known security incidents
  • Failure to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive electronic protected health information (ePHI)

Defense in Depth

In the traditional sense, defense in depth means applying a layered approach to protecting your assets, including a variety of techniques and technologies. The potential for leaving gaps in protection and the adoption of newer concepts such as zero trust should be reviewed. It is important to incorporate and execute on your security frameworks and risk management programs to ensure alignment while addressing cyber risks and threats.

Security Framework

Understanding your organization’s approach to security and risk management is critical. According to NIST, an effective security framework is based on five core tenets:

  • Identification—inventories for asset management, governance and risk management
  • Protection—access controls, awareness and training, protective technologies
  • Detection—tools to detect threats and events, continuous monitoring, manual/automated alerting
  • Response—planning, communications, analysis
  • Recovery—planning, improvements, communications

Relevant Controls for HIM

We highlighted focus areas for HIM in two categories. The first is Access/Account Management which includes workforce security, information access and auditing. HIM has great visibility into these sensitive workflows along with a deep understanding of where, why and how information is being shared. They must work closely with other departments—human resources, IT and compliance to establish policies and controls that prevent improper access to PHI.

The second category is Administrative, Physical and Technical with emphasis on:

  • Data classification—data flow mappings and sensitivity
  • Roles and responsibilities—privacy, security and legal
  • Information security awareness—education, training and policies
  • Information handling—use and disposal
  • Physical access—secure rooms

With the rise in requests for access to PHI by payers, attorneys and patients, ensuring secure rooms for access to electronic health records is essential.

Enterprise Engagement

As providers apply new technologies, workflows and practices to gain more efficiencies and secure operations, it’s important to engage privacy, security and legal teams early in the process. Help them understand the risks and identify any necessary corrective action plans (CAPs) up front.

Resolution Agreements

In addition to lessons learned from the Anthem breach, attendees gained insights from other examples in which failure to conduct enterprise-wide risk analysis was a major contributor to cybersecurity breach. Understanding how OCR judged and accounted for those activities promotes effective privacy and security programs.

Top Cybersecurity Threats in 2019

Based on a survey of 2,400 cybersecurity and IT professionals, a recent Ponemon Institute Cyber Risk Report revealed the top five cybersecurity threats organizations are most concerned about in 2019:

  • Third-party misuses or shares of confidential data
  • An attack involving IoT or OT assets
  • A significant disruption to business processes caused by malware
  • A data breach involving 10,000 or more customer or employee records
  • An attack against the company’s OT infrastructure resulting in downtime to plant and/or operational equipment

As healthcare organizations face increased risk of cybersecurity breach, third-party risk management is more important than ever. Rigorous due diligence is part of the risk analysis conducted by covered entities to ensure partners have HIPAA-compliant policies in place to safeguard PHI. Whether internal or outsourced, a standardized approach to understanding third-party security frameworks and policies is recommended.

The most important lesson learned for 2019 and years to come is clear: Perform an annual risk analysis and follow best practices for creating an appropriate incident response plan.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.

Request MRO’s Cybersecurity Webinar

Read More

AHIMA Conference 2019: Learn from MRO’s Release of Information Experts

As we approach the 2019 AHIMA Health Data and Information Conference in Chicago, September 14-18, 2019, MRO is excited to exhibit for the 16th year in a row.  We are looking forward to mingling, networking, and spending time with our clients, Health Information Management (HIM) partners and friends. Stop by Booth 1102 to say hello to the team, catch up and learn about MRO’s successful ROI solutions.

Our team of ROI experts will be available at the booth to discuss Protected Health Information (PHI) disclosure management topics, including enterprise-wide solutions for ROI, cybersecurity, BA management, payer audit and review strategies, and the compliant management of patient-directed requests.

If you don’t make it to the booth, you can take advantage of MRO’s experts during the conference at the learning opportunities listed below:

AHIMA’s Privacy and Security Institute

Saturday and Sunday, September 14-15
10:30am – 11:45am

Rooms E451A & E353A

MRO is proud to sponsor this year’s Institute, and Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, will participate in Sunday’s presentation “Assessing Privacy and Security Compliance.

Enterprise-Wide Disclosure Management: Penn Medicine’s Journey in Outsourcing Release of Information

Monday, September 16
2:20pm – 3:10pm

Exhibit Hall, HIM Expert Theater Andersonville

Join me and my colleague, Sherine Koshy, MHA, RHIA, CCS, Corporate Director of Health Information Management at Penn Medicine, for this presentation on proven practices for outsourcing Release of Information and successful enterprise-wide implementations.

The Next Big Story: BA Management Tips to Keep Your Organization Out of the Headlines

Monday, September 16
7:30am – 8:30am

Don’t miss “The Next Big Story: BA Management Tips to Keep Your Organization Out of the Headlines” given by my fellow teammates and subject matter experts, Rita Bowen and Anthony Murray, MRO’s privacy and security officers. This session takes a deeper dive into BA breaches and the effective strategies necessary to mitigate your organization’s risk.

Patient-Directed Requests: What’s the Elephant in the Room?

Tuesday, September 17
7:30am – 8:30am

Rise and shine!  Let’s talk about the elephant in the room. This Networking Breakfast is sponsored by AHIOS and we are honored to co-present on this industry hot topic.  MRO’s privacy and legal experts, Rita Bowen and Danielle Wesley, Esq., will discuss and analyze the current trends and challenges around the misuse of patient-directed requests by attorneys and record retrieval companies.  Mark it on your calendar and secure your spot today!

Time to Clear the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope

Wednesday, September 18
9:00am – 9:45am

Can’t make it to the breakfast or still want more?  This presentation will be your last chance to listen, learn, or join the discussion on one of the latest threats to one of HIM’s core functions – ROI.  Take advantage of time with MRO’s privacy and legal experts Rita Bowen and Danielle Wesley, Esq. as they discuss the current landscape on the attorney misuse of patient-directed medical record requests under HITECH. Walk away with tips and recommended practices for your organization to ensure compliance and patient satisfaction.

To schedule time with us, please complete the form on this page. We hope to see you there!

Meet us at AHIMA19

Read More

Webinar Recap – Enterprise-Wide Disclosure Management: Closing the Compliance Gaps

On June 27, 2019, MRO presented a webinar as part of our Protected Health Information (PHI) disclosure management educational series. In this presentation titled “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” we covered best practices for standardizing PHI disclosure management policies and procedures, ensuring consistent policy enforcement, and minimizing privacy breach.

The webinar content can be used as a guide for Health Information Management (HIM), privacy and compliance professionals to ensure the highest levels of compliance and prevent breach when disclosing PHI.

PHI Disclosure Management: Risky Business

MRO’s research shows there can be as many as 40 disclosure points across a health system. Most of these disclosure points tend to be managed outside the HIM department by individuals not trained in Release of Information (ROI). This trend of expanding disclosure points is one of the key factors driving breach risk in the ROI process.

Another risk factor involves gaps in the Quality Assurance (QA) around PHI disclosure. Research shows that approximately 30 percent of all ROI authorizations are initially invalid, and up to 10 percent of those invalid authorizations are processed with errors if ROI workflows lack redundant QA checks. Moreover, some 5 percent of patient data in electronic medical records (EMRs) have integrity issues, including comingled patient records. Without proper QA measures in place, about 0.4 percent of records released will contain mixed patient data, which means an organization releasing 100,000 requests annually could potentially release 400 comingled records. With that, comes substantial risk to a healthcare organization.

Enterprise-Wide Disclosure Management: Closing the Compliance Gaps

As described in the webinar, MRO recommends deploying an enterprise-wide strategy for PHI disclosure management to standardize policies and procedures, as well as technologies, across a health system. Having a streamlined ROI workflow as part of that strategy helps eliminate inefficiencies, distractions and errors.

Additionally, redundant QA checks are vital for disclosure accuracy. Providing a “second set of eyes” on all authorizations and PHI before release helps reduce improper disclosures. These quality checks should come from a combination of trained ROI specialists and record integrity technology, such as MRO’s IdentiScan®, that uses optical character recognition to locate and correct comingled records. This combination of people and technology drives improved accuracy and minimizes breach risk.

Breach Prevention: Best Practices for PHI Disclosure Management

The webinar includes eight best practices for minimizing breach in the Release of Information process. Here are six of those practices.

  1. Implement Multiple QA Checks on Requests. It is important to ensure the ROI authorization is legitimate. In reviewing authorizations, certain required information is often missing. A Quality Assurance check-in that involves multiple people helps to avoid a one-point area for failure. This double-check process ensures a complete review of that area for control.
  2. Sync Your ROI Platform to the MPI. It’s imperative to sync your ROI platform to your MPI to avoid manual information entry. This minimizes the possibility of making a mistake when entering information into your ROI platform. MRO offers a tool called MROeLink® that provides this type of integration.
  3. Send Notifications to Requesters. Sending initial notifications of receipt to requesters confirms that requests have been received and indicates who is processing them on your organization’s behalf. If a patient-directed request is obtained, you should notify the patient to let them know a patient-directed request has been received in case they did not direct the request.
  4. Ensure Shipping Integrity. Establish a QA process for shipping copies of medical records, such as a barcoding system that assists distribution center reps in ensuring the right content goes in the correct envelope.
  5. Leverage Secured Delivery. When possible, leverage secure, electronic delivery, including portals and direct interfaces with government agencies such as SSA and CMS.
  6. Hire, Train and Retain Exceptional People. It is essential to hire, train and retain exceptional people who will be touching PHI. These people must be properly trained and knowledgeable about the information they are handling, and understand the penalties involved. People working in the ROI industry must be highly trained and educated.

To get details on all our suggested best practices for breach prevention—and more information on compliant PHI disclosure management—request the playback of the presentation using the form below.

Request Webinar Playback

Read More

MRO Publishes Study—Release of Information: Can You Afford to Ignore Industry Changes?

MRO has released the results of a nationwide survey, “Release of Information: Can You Afford to Ignore Industry Changes?” The survey was conducted by Porter Research, a market intelligence and research group focused on healthcare IT. The survey provides valuable insights from senior HIM professionals concerning Release of Information (ROI) priorities and approaches, including top vendor criteria.

As requests to disclose patient health information rapidly evolve, provider organizations are challenged to apply innovative methods to Protected Health Information (PHI) disclosure management across their health systems. With increasing demands for the exchange of and access to health information, HIM leaders must deal with large volumes of government and commercial payer audits, enterprise-wide compliance and breach prevention, and patient satisfaction. The changing landscape calls HIM leaders to reevaluate their ROI strategies, and the results of our study can be used as a guide for navigating disclosure management.

The executive insights from the report represent 33 hospitals, 1,253 clinics and 620,719 annual ROI requests. The surveyed senior HIM professionals provided feedback regarding PHI disclosure management options and the assessment of ROI vendors. The survey questions included, but were not limited to, the following:

  • When is it time to consider a new strategy and ROI partner? According to the Porter Research survey results, senior HIM leaders indicated that there are two main reasons for seeking better ROI solutions. The first is dissatisfaction with their existing vendor due to inadequate quality and service, including breach occurrences. The second involves the need for more modernized solutions to meet enterprise-wide compliance and operational demands as their systems grow and evolve.
  • What are the essential attributes of an ROI vendor? The survey results found that in most evaluations there were at least three ROI vendors originally deliberated, with two typically making the short list. The respondents revealed five important criteria to consider when looking for an ROI partner: ease of use, workflow, ability to handle volume, turnaround time and industry reputation.
  • What key decision criteria matter the most to healthcare organizations? Once crucial characteristics are examined, it’s vital to complete an analysis of how the aspects of an ROI agreement align with your own organization’s key performance indicators. The respondents revealed the most important decision criteria when choosing a new ROI vender are integration and technical features, compliance and level of service engagement. Of all criteria, price was ranked least important.

The Release of Information needs indicated by the survey show that an enterprise-wide approach to disclosure management is crucial. Healthcare organizations are partnering with strategic ROI vendors to address the intricate requirements of their organizations. When assessing vendors, the top criteria in decision-making are reputation, service, quality, technology and accountability. These survey results will help guide HIM directors who want to transition from an in-house to outsourced ROI model or those who are looking for a new ROI partner, if already outsourced.

To download a copy of “Release of Information: Can You Afford to Ignore Industry Changes?” complete the form below.

DOWNLOAD THE ROI STUDY

Read More

Misuse of Patient-Directed Requests for Copies of Medical Records

 

 

 

 

 

 

 

 

MRO has released the white paper, “Misuse of Patient-Directed Requests for Copies of Medical Records,” authored by two attorneys, Beth Anne Jackson, Esq. and Danielle Wesley, Esq., along with privacy expert Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB. The paper provides insights, education and strategies to help hospitals, health systems and other healthcare provider organizations address issues that arise when attorneys solicit copies of medical records—often through record retrieval companies (RRCs)—under the guise of patient-directed requests.

Essential Guide to Understanding and Mitigating Financial, Legal and Privacy Risk

For Health Information Management (HIM) professionals, in-house attorneys and compliance officers, the tenets set forth in the paper serve as an essential guide to understand and mitigate problems associated with these attorney requests, including the rising financial burden imposed on providers when attorneys shift the costs of medical record production for litigation to providers. The following five areas are covered.

  • Perceived loophole in OCR guidance. The paper delves into the history of HIPAA, HITECH and patients’ right to access their Protected Health Information (PHI). This includes examining the language of 2016 OCR guidance that emphasized removal of financial and other roadblocks to individuals’ access to their information by advocating the imposition of a nominal fee for patients to obtain their PHI for personal use, such as providing records to their primary care physician, a mobile healthcare app or to researchers. Though applying a nominal fee for patient-directed disclosures to these types of entities is reasonable, the OCR’s inclusion of the phrase “and it doesn’t matter who the third party is” opened the door for manipulation by attorneys and RRCs demanding the $6.50 fee suggested in the guidance.
  • Increasing volumes of attorney requests under the guise of patient-directed requests. Submitted as patient-directed requests, attorney requests for medical records have soared with a specific pattern identified, which is described in the white paper. The volume of these types of requests is growing exponentially. MRO metrics show a steady increase in the number of attorney requests demanding the patient rate. Additionally, an increase in page count and a higher demand for “any or all” records from the designated record set (DRS) are consistently noted with these attorney requests.
  • Detrimental impact to healthcare systems and their patients. Neither Congress nor the OCR intended for the individual rights to access under 45 CFR §164.524(c) or the guidance to be interpreted and implemented to (a) shift the costs of obtaining medical records for the purpose of for-profit litigation or other non-healthcare related purposes to providers, (b) subject more PHI than necessary—including sensitive PHI that may or may not be related to the litigation—to disclosure, or (c) remove HIPAA protection resulting from disclosure via RRCs to attorneys. However, healthcare organizations are rightfully concerned about these risks. The paper details the detrimental financial, legal and operational impact to health system enterprises and the risks around patient privacy.
  • Recognizing the misuse of patient-directed requests for medical records. Providers should be aware of red flags when receiving incoming requests, including the following:
    • A template form with filled-in blanks and mismatched pronouns is used.
    • The form is included in a larger packet with other documents—such as a HIPAA-compliant authorization.
    • The patient’s signature appears to be copy-pasted or photoshopped. Attorneys or RRCs may lift the patient signature from a driver’s license or other document.
    • The letter is labeled a “HITECH authorization.” This terminology is only used by attorneys and RRCs that work with them.

    The paper provides a thorough list of signs indicating attorney misuse of patient-directed requests.

  • Steps for combating the issue. To combat this problem, healthcare organizations need a comprehensive game plan that includes education and awareness across HIM, compliance, legal, risk management and finance. New strategies must also be employed at the national level to raise awareness and garner support. In our paper, we offer a step-by-step approach to assist healthcare organizations in building their game plan.

Conclusion: For the Better Good

In summary, the white paper states, “The issue is not about prohibiting authorized access. The issue is about limiting the ability of attorneys and other third parties to manipulate the OCR guidance and patient-directed requests for their own commercial gain. Healthcare organizations that give in to attorney misuse of patient-directed requests may think that they are mitigating legal risk. Instead, they are welcoming negative financial impacts for themselves and potential adverse privacy effects for their patients. Producing thousands of pages of PHI for the nominal patient fee is not a business practice that can be sustained in the long term by any provider. This cost-shifting cannot be tolerated.

The efforts of attorneys and RRCs to obtain PHI via their mischaracterization of the guidance—which, to date, has not been challenged—is well documented and significantly more advanced than a lone provider’s ability to combat it. While providers are steadfast in protecting patient privacy, they also need to protect their fiscal health. They can only do so by taking concrete steps now to stop disreputable attorney and RRC behavior before the issue becomes a more serious problem and a financial crisis for provider organizations.”
The contents within our white paper are approved and endorsed by the Association of Health Information Outsourcing Services (AHIOS), a membership group composed of Health Information Management outsourcing organizations.

Complete the form on this page to request a copy of the white paper “Misuse of Patient-Directed Requests for Copies of Medical Records.”

Request the White Paper

Read More

The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense

 

 

 

 

 

 

 

 

Last month I had the privilege of presenting the first installment of MRO’s 2019 PHI Disclosure Management Webinar Series to healthcare professionals across the country about the rising tide of payer requests for medical records. Judging by the attendance and feedback, it is a topic that garnered a lot of attention. Based on the high level of interest, MRO plans to continue to provide content on this topic. Here is an overview of “The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense” presentation.

Payer Audits vs. Reviews

First, we covered the difference between audits and reviews as it is important to make the distinction and not group them together in the same category. DRG audits (post-payment audits) are not the provider’s friend. As payers attempt to review records for paid claims to recoup payment from the provider, audits occur throughout the year. Payers review the record to make sure the claim and record information match, so they can determine if the claim has been overpaid and recoup funds if necessary. These audits are typically time sensitive and due within 30 to 45 days of the date on the request letter.

The other category, reviews, includes HEDIS (Health Effectiveness Data and Information Set) and Risk Adjustment (Medicare Advantage, Medicaid, and commercial) requests. Review requests are seasonal projects that do benefit payers, but providers are not subject to negative financial impact and requests should be prioritized accordingly. The payer may impose an unrealistic time frame of 10 to 15 days when in reality there’s a broader time frame. Because HEDIS and Risk Adjustment reviews are seasonal, providers have more than 30 to 45 days to produce records.

Payer Requests for Medical Records: Deep Dive into Trends, Issues and Statistics

Next, we examined the current environment, trends, issues and statistics related to rising payer requests for medical records. It is common that audits (year round) and reviews (seasonal) overlap, causing a burden on HIM departments. HEDIS and commercial Risk Adjustment projects overlap with HEDIS, running from January through early May, and commercial Risk Adjustment running from September through mid-April. In addition, Medicare Risk Adjustment projects are beginning earlier every year. MRO has already seen requests come in during April 2019.

In recent years, healthcare organizations have experienced a steady increase in DRG/post-payment audits and HEDIS/Risk Adjustment reviews. According to MRO statistics from 2017 to 2018, overall payer requests increased 70 percent due to a significant upsurge in core categories—DRG audits up 52 percent, HEDIS reviews up 62 percent, and Risk Adjustment reviews up 80 percent.

Handling Large Audit and Review Projects: Recommended ROI Workflows

The growing trend of payer requests for medical records may seem overwhelming at times, but there are solutions to lessen the burden on HIM departments. The presentation also provided the following recommended Release of Information (ROI) workflows for handling large review projects:

  • Build stronger relationships with payers and health plans to better manage the surge in medical ROI. Establish project due dates instead of 30-day completion.
  • To offset the cost burden associated with producing these high-volume review requests for records, ensure the health plans will compensate for the records provided in a timely manner.
  • Ask your ROI vendor to work directly with the health plan to coordinate disclosure management instead of using internal staff or engaging a third-party vendor. Establish project due dates, rates and electronic delivery.
  • Use your ROI vendor’s remote services capabilities to process these large review projects so that HIM labor resources can focus on the daily workload.

Managed Care Contracts: Medical Record Language

Understanding the medical records section of the managed care agreements also plays an important role in how payers request medical records. An organization’s managed care agreement governs the payer/provider relationship and includes a medical records section that specifies the payer cost to audit a healthcare provider. Unfortunately, the medical records section is often a low priority because the managed care team may not understand the burden on HIM or the financial risk for the entire organization. The presentation provided details of recommended language for managed care contracts to ensure optimal outcomes for provider organizations. You can learn more by downloading the slides.

Payer Access to EMRs

The last topic covered the emerging concerns around payer requests for direct access to EMRs. Payers want access to medical records for the aforementioned reasons (post-payment audits, HEDIS, Risk Adjustment) and for initial claims processing. Payers are making a variety of proposals as to the types of access they would like to be granted. These levels of access and aggregation of records have different levels of associated risk. Here are four areas of concern for providers and patients:

  • Financial—Direct, automated access to a wide band of patient records will facilitate the growing trend of post-payment audits, denials and recoupments.
  • Privacy and Consent—Unlike the healthcare community, payers have not earned patients’ trust to serve as custodians of their most personal and private information. Learning of payer aggregation and storage of these records by payers is not a practice patients would approve, and learning of it after the fact could lead to strong patient dissatisfaction.
  • Information Governance (IG)—Automated sharing of full patient records with payers, and aggregating those records for permanent use, raises multiple legal and IG concerns. These include managing distributed health records, meeting HIPAA requirements for minimum use and correction of errors, and inadvertently sharing encounters for which the payer was not the guarantor.
  • Security—Automated access to health data by payers increases a provider’s exposure to cyberattack, and the aggregation and storage of that data in the payer’s IT system widens the potential exposure to large-scale breach.

The presentation included recommendations for payer access to EMRs. For those details, please complete the form below.

Request a copy of the presentation below

Read More

What to Do and Not Do When Changing Health Information Management Vendors

 

 

 

 

 

 

 

 

The April 2019 Journal of AHIMA article “What to Do (and Not Do) When Changing HIM Vendors” served as a virtual roundtable featuring the experiences of three HIM leaders who successfully navigated HIM service vendor transitions. The MRO client panelists were Cindy M. Phelps, RHIA, Sr. Director, TSG Business Relationship Management, Carilion Clinic; Sherine Koshy, MHA, RHIA, CCS, Corporate Director HIM, Penn Medicine; and Kathleen J. Edlund, M.M., RHIA, Director of HIM, Trinity Health.

Topics discussed in the roundtable included challenges, lessons learned and practical strategies that help ensure quality service and a lasting collaborative partnership. As moderator of the discussion, I had an opportunity to focus on each expert’s type of vendor transition: transcription, EHR and Release of Information (ROI).

Challenges

Choosing the right vendor can be a challenging and daunting task, especially if your current service has been in place for a long time. Whether the service being considered for outsourcing options is in-house or with another vendor, the key to a successful transition is in the planning.

Some of the common challenges that prompted the panelists’ organizations to seek a better solution were: the need to have all users on one platform, service and quality issues, communication problems and lack of client support.

Lessons Learned

From their experiences addressing the challenges listed above, each HIM expert offered lessons learned and suggestions for other organizations to consider when transitioning service vendors. Here is a summary of their recommendations:

  • Conduct benchmark, research, and reference checks.
  • Establish key performance indicators (KPIs).
  • Engage multidisciplinary teams.
  • Conduct a pilot test.
  • Communicate and collaborate to build a trusted partnership.
  • Create a project charter.
  • Provide training and education.
  • Complete pre-implementation assessment documentation.
  • Create a visual diagram model of the process flow.
  • Ensure understanding of ancillary departmental (EHR) software systems.
  • Preserve a working relationship with the outgoing vendor.

Strategies to help ensure a lasting collaborative partnership

Each panelist offered components of a strong, collaborative partnership that promotes ongoing optimal outcomes. Here are five essential factors:

  • Monthly review meetings and open communication to discuss successes, concerns and issues with the vendor.
  • Engagement and availability of the vendor in the daily operational business.
  • Vendor sharing latest trends with development and with their other clients.
  • Annual onsite business review to highlight current state and share future state with key stakeholders.
  • Investment in the training and resources necessary to meet the needs of your organization.

The Journal of AHIMA article provides additional details regarding lessons learned, strategies and expert recommendations. To download a copy of the article, fill out the form below.

Download the Journal of AHIMA Article

Read More

2019 HCCA Compliance Institute Recap

 

 

 

 

 

 

 

 

The 23rd Annual HCCA Compliance Institute provided a wonderful learning experience focused on compliance in various areas of healthcare delivery. MRO was fortunate to have several representatives attending informative sessions and engaging in meaningful conversations with other attendees.

I was pleased to have the opportunity to co-present with our client, Melissa Landry, RHIA, Assistant Vice President of Health Information Management (HIM), Ochsner Health System on “Incident Response: Best Practices in Breach Management.” We covered the following topics during our presentation:

  • Current Environment and Statistics Related to Healthcare Breaches
  • Breaches under HIPAA and State Law
  • HIPAA Security Rule Safeguards that Address Incident Response Plans
  • Best Practices for Incident Response Plans
  • The First 24 Hours Following a Breach

Fill out the form below to request a copy of our presentation.

Session Takeaways

Of the numerous breakout sessions and learning tracks I attended, there were two in particular that I found to be very informative and insightful—updates from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Center for Medicare and Medicaid Services (CMS).

OIG Update

Joanne Chiedi, Principal Deputy Inspector General, HHS OIG, provided an enlightening keynote address. Her presentation encouraged compliance professionals to be bold and take action. Chiedi shared that at this time of disruptive innovation in healthcare, compliance must engage in these innovative conversations. Here are a few of her other key points:

  • We cannot oversee what we do not understand. Effective oversight requires understanding how healthcare is delivered today and how it will be delivered in the future.
  • Give Compliance the data. If anyone in your organization has data, Compliance should have access to it.
  • Compliance and innovation must advance together. Compliance can and should play a big part in getting innovation right in healthcare.

This presentation offered a comprehensive overview of the current healthcare ecosystem along with a description of the role compliance professionals play in upholding quality standards and processes.

CMS Update

Kimberly Brandt, Principal Deputy Administrator for Operations, CMS, joined the conference to deliver this update. Here is a preview of announcements that we can expect from CMS:

  • Patients over Paperwork
  • Interoperability and MyHealthEData
  • Opioid Epidemic
  • Program Integrity

This presentation provided attendees with the inside scoop and a great overview of what is on the horizon with CMS.

Continue Your Compliance Education by Attending MRO’s Upcoming Webinar

Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI through new technology and HIPAA-compliant policies and procedures.

In MRO’s upcoming webinar “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps. This session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain. Secure your spot today by registering here.

Request HCCA Incident Response Breach Management Slides

Read More