Check Request Status610-994-7500

An Enterprise-Wide Approach to PHI Disclosure Management: Closing the Gaps in Compliance


In an era of regulatory reform and breach, privacy and security compliance is top of mind for health systems. Healthcare leaders are seeking ways to mitigate risk—including financial penalties, lawsuits, and reputational damage—by improving Protected Health Information (PHI) disclosure management processes. Many are embracing the benefits of taking an enterprise-wide approach and standardizing technology, policies and procedures across points of disclosure within their health systems.

In the December 2018 issue of HCCA’s Compliance Today publication, I authored “Enterprise-wide PHI disclosure management: Closing the compliance gaps,” which covered the following four topics.

Increased Focus on Small Healthcare Breaches

Small breaches affecting fewer than 500 patients at a time have become more frequent than the large cyberattacks we see publicized in the news. A cause of these breaches is improper disclosure of PHI during the Release of Information (ROI) process. With increased frequency and impact on patient privacy, small breaches are getting more attention from the OCR.

Small breaches can be just as costly as large ones in terms of penalties and reputational damage. The risks involved with multiple disclosure points and the lack of standardized processes make PHI disclosure difficult to direct and track, making breaches more likely. An enterprise-wide approach to PHI disclosure management is the recommended solution to the challenges faced by healthcare organizations.

PHI Disclosure Across the Enterprise

Although HIM departments still hold primary responsibility for handling PHI disclosures, other areas— including radiology, business offices, and physician practices— increasingly receive requests to release PHI. The issues around this trend pose risks that can lead to privacy breaches. Here’s why:

  • ROI is not a core responsibility of non-HIM staff—and it is not their top priority.
  • Other departments lack sufficient knowledge of rules and regulations governing the compliant release of patient information.
  • Specialized training and multi-tiered Quality Assurance are required to properly disclose PHI.

Quality Assurance Gaps in Release of Information

Quality and accuracy are important aspects of compliant PHI disclosure. However, since ROI workflows involve a variety of manual steps and are complex, there is room for error. Some startling statistics outlined in the HCCA article include:

  • Approximately 30 percent of all submitted ROI authorizations are initially found to be invalid.
  • With more than 100 possible combinations of errors or omission points across a wide variety of request types, up to 10 percent are processed with errors if the only line of defense is the person onsite logging the request.
  • 5 percent or more of patient data in EMRs have integrity issues, including comingling of patient records.
  • Well-trained ROI specialists will catch most of mixed records. However, with just one level of quality control, 1 in every 200 requests will included comingled records.

As a best practice, ROI authorizations and PHI should be checked for accuracy multiple times by specially trained ROI staff and sophisticated technologies to avoid non-compliant requests and/or comingled records. This can be best achieved if PHI disclosure management processes across a healthcare enterprise are streamlined through HIM.

Enterprise-Wide Approach to PHI Disclosure Management

A centralized, enterprise-wide approach to disclosure management is the optimal solution to the imminent challenges that healthcare professionals face. By standardizing processes throughout an organization and applying best practices under HIM’s expertise across the system, healthcare organizations can ensure a steady enforcement of enterprise disclosure policies, a manageable workflow, Quality Assurance and a consistent experience for patients and requesters of PHI. This approach enables healthcare organizations to have complete confidence in achieving compliance. An enterprise-wide strategy not only protects a patient’s privacy, it also protects the institution against breaches, financial risk, lawsuits, and reputational damage.

For more information on breach prevention and tips to protect your organization download MRO’s eBook “Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization”

Download MRO’s eBook "Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization."

Read More

HITRUST—What It Is and Why It Matters

What is HITRUST?

Founded in 2007, the Health Information Trust Alliance (HITRUST) evolved in response to the growing privacy and security challenges faced by the healthcare industry. Aligned with its mission to “champion programs that safeguard sensitive information and manage information risk for organizations,” HITRUST provides broad access to common risk and compliance management frameworks.

For example, the HITRUST CSF®, the cybersecurity framework, is a certifiable framework that provides a comprehensive, flexible and efficient approach to regulatory compliance and risk management. Established in 2015, it is a widely recognized security framework focused on the healthcare industry in the U.S. To ensure an inclusive set of baseline security controls, the HITRUST CSF leveraged nationally and internationally acceptable standards including ISO, NIST, PCI and HIPAA. As a result, the framework has been used successfully to demonstrate HIPAA compliance.

HITRUST regularly updates the CSF to incorporate new standards and regulations to make sure the framework remains relevant and current. As new regulations and security risks are introduced, provider organizations and third parties that adhere to the CSF can be well prepared with optimal security based on quarterly updates and annual audit changes.

Why HITRUST Is Important to BA Risk Management

As healthcare organizations face increased risk of privacy and security breach, recognizing the significant role played by their Business Associates (BAs) is critical. Conducting due diligence is essential before the partnership begins, and is part of the provider’s ongoing risk analysis to ensure partners have HIPAA-compliant policies in place to safeguard the privacy and security of protected health information (PHI). In recent years, many provider organizations have incorporated the HITRUST CSF as part of their third-party assurance process—requiring that BAs obtain CSF certification. This is largely due to the increased number of breaches involving third-party vendors.

Healthcare organizations that entrust PHI to a BA must ensure that sensitive information is properly safeguarded. Best practice is for providers to partner with compliant, secure BAs that offer compliance knowledge, guidance and value beyond the standard contracted services. Obtaining CFS certification demonstrates integrity and commitment to privacy and security practices aligned with stringent regulatory requirements and expectations of the healthcare industry.

With those priorities top of mind, MRO announced in May 2018 that its Release of Information platform ROI Online® had earned HITRUST CSF Certified status for information security. HITRUST incorporates a risk-based approach that includes federal and state regulations and standards to help organizations address challenges through a comprehensive framework of prescriptive and scalable security controls.

As healthcare’s most widely adopted security framework, HITRUST provides an industry standard for BA risk management and compliance. Covered entities can look to HITRUST certification for assurance that the foundation for implementing a framework with security controls required to safeguard PHI is already in place.

To learn more about the importance of HITRUST CSF and MRO’s journey to achieve certification, watch our video “MRO’s PHI Disclosure Management Platform ROI Online® Earns HITRUST CSF® Certification.”

Sign Up for Future Blog Posts

Read More

Heard on the Hill: AHIMA and AMIA Call for Better Patient Access to Health Information in Congressional Briefing

AHIMA and AMIA Call for Better Patient Access to Health Information in Congressional Briefing

On Wednesday, December 5, 2018, I visited Capitol Hill with colleagues from AHIMA and the American Medical Informatics Association (AMIA) to address challenges around patient access to health information and to propose ways to modernize HIPAA to better support patient care. As HIM and privacy professionals are aware, the Office for Civil Rights (OCR) released guidance on patient access to health information in February 2016. However, healthcare leaders have been calling for an upgrade to the 22-year-old HIPAA regulation for some time. The recommendations from AHIMA and AMIA were as follows.

Converge HIPAA with Health IT Certification

We recommended creating a new term, Health Data Set (HDS), which would encompass all clinical, biomedical and claims data maintained by the covered entity (CE) or business associate (BA). The data set would be supported through the certification program at the federal Office of the National Coordinator for Health Information Technology (ONCHIT), enabling individuals to view, download or transmit this information electronically to a third party and access this information via API.

We also suggested the revision of the HIPAA Designated Record Set (DRS) and the requirement that Certified Health IT provide the amended DRS to patients electronically while maintaining computability. This revision would give providers and patients greater clarity and predictability regarding what constitutes the DRS.

Extend the HIPAA Individual Right of Access to Non-Covered Entities

In an effort to provide uniformity of health data access, we suggested establishing a uniform health data access policy that would apply not only to CEs and BAs, but also to non-covered entities such as developers of applications/technologies including mHealth and healthcare-based social media.

Encourage Note Sharing with Patients in Real Time

To enhance patient access to health information, we recommended promoting communications efforts such as OpenNotes through Medicare and Medicaid payment programs, such as the Merit-based Incentive Payment System.

Clarify Existing Regulatory Guidance on Third-Party Access to Patient Data

This especially relates to third-party legal requests that seek information without appropriate patient direction and beyond what is part of the DRS. I reported that ROI vendors and providers continue to be challenged with the discernment of third-party versus patient requests for transmittal to a third party. Third-party requesters demand the patient pricing, and the documentation does not always provide assurances that the requester is the patient or that the patient is aware of the request.

Our experience with some high-volume third-party requesters includes their demand for patient pricing and threats of, or actual submission of, OCR complaints. While we are steadfast in our commitment to patients’ privacy, the ongoing dispute by third-party requesters declining to provide reimbursement for healthcare costs in responding to these requests increases the administrative burden on both the health systems and the OCR.

We are asking that the 2016 guidance be updated to specify the original intent that a patient may direct their information to a third party who is specifically “acting on their behalf regarding a healthcare decision.”

MRO is presently working alongside industry experts to construct a white paper that will delve deeper into this topic and provide recommendations. We will share the paper on our blog once it is released.

 

Additional Resources and Media Coverage:

HealthIT Security – AHIMA, AMIA Call for HIPAA Upgrade to Support Patient Access

MedPage Today – Rules Needed for Better Patient Record Access, Say Experts

AHIMA and AMIA – Full Recommendation

Sign Up for Future Blog Posts

Read More

Breach Prevention: Bolstering Quality Assurance in Release of Information Workflows

Health Information Management (HIM) and healthcare compliance professionals will concur that there is heightened awareness of small breaches across the healthcare industry. And though small privacy breaches affecting fewer than 500 patients per incident are not usually publicized as widely as large-scale cyberattacks, the impact can be just as detrimental to healthcare organizations.

A small breach can be as simple as making an error in the Release of Information (ROI) process, involving a patient’s Protected Health Information (PHI) mistakenly sent to the wrong person—or the wrong patient’s PHI sent to the correct requesting party.

When you look at the stats, there is plenty of room for those types of errors. MRO’s research shows there are as many as 40 disclosure points across a single healthcare system. Most of those disclosure points tend to be outside of the HIM department, where individuals not trained in proper PHI disclosure management are handling the release of PHI. This trend of expanding disclosure points is one of the key factors driving breach risk in the Release of Information process.

Another risk factor involves gaps in the Quality Assurance (QA) processes. Research shows that roughly 30 percent of all Release of Information authorizations are initially invalid. And if Release of Information workflows lack redundant QA checks, up to 10 percent of those invalid authorizations are processed with errors.

Moreover, 5 percent of patient information in electronic medical records (EMRs) have integrity issues, including comingled patient records. MRO’s research shows that without proper QA measures in place, 1 in 200 records released will contain mixed patient information—which means an organization releasing 100,000 requests annually could potentially release 500 comingled records. That’s 500 potential breaches by way of errors in the Release of Information process.

Filling the Gaps in ROI Workflow to Minimize Breaches

Given the potential risk of breach due to improper PHI disclosure, healthcare leaders should closely review gaps in their PHI disclosure management processes and consider ways to enhance workflows to improve accuracy and quality. Here are some recommendations.

First, deploying an enterprise-wide strategy for PHI disclosure management will standardize policies, procedures and technologies across a health system. As part of that strategy, a streamlined Release of Information workflow helps eliminate inconsistencies, inefficiencies, distractions and errors.

Second, redundant QA checks are vital for PHI disclosure accuracy. Even the most experienced ROI specialists are subject to human error. Multiple layers of QA are needed throughout the lifecycle of an Release of Information request, from receipt through delivery, to ensure accuracy and compliance—and prevent a privacy breach. Best practice is to bolster workflows to ensure multiple teams review both the authorizations and medical records associated with each Release of Information request prior to release.

Providing a “second set of eyes” on all authorizations and PHI before release helps reduce improper disclosures. These additional quality checks should come from a combination of trained ROI specialists and record integrity technology that uses optical character recognition to locate and correct comingled records. For example, MRO offers its patented IdentiScan® record integrity application to ensure PHI disclosure accuracy. This tool scans records for patient identifiers throughout the record set, helping ROI specialists identify and correct mixed patient information prior to release. The right combination of people and technology promotes improved accuracy and minimizes breach risk.

Patent Issued to MRO for IdentiScan Application

Learn more about the benefits of IdentiScan® by watching our video. Complete the form below to request a demo of MRO’s ROI solution, which ensures 99.99% disclosure accuracy.

Request a Demo of MRO’s KLAS-rated #1 ROI Solution

Read More

Webinar Recap: Healthcare Privacy and Security—Predictions for 2019

On November 7, 2018, I joined my colleagues Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services, and Anthony Murray, CISSP, Vice President of Information Technology, to present the fourth and final installment of MRO’s healthcare compliance webinar series. In this webinar titled “Healthcare Privacy and Security—Predictions for 2019,” we highlighted privacy and security trends and predictions to help Health Information Management (HIM) and other healthcare leaders navigate compliance in the coming year.

Patient-Directed Requests

Attorney misinterpretation of patient-directed requests (PDRs) was front and center in 2018 and will continue to require clarification and guidance in 2019. When the validity of a PDR is questionable, the patient should be contacted to clarify and confirm consent. Here are additional strategies for handling attorney requests submitted under the guise of a PDR:

  • Inform your state legislators of this questionable attorney behavior
  • Discuss the issue with HIM peers in your area
  • Hold meetings with your OCR representative to determine the best course of action
  • Question and verify (with the patient) any suspicious PDR

We welcome a dialogue with the Office for Civil Rights (OCR) for clarification of the guidance to ensure requests are made for the purpose of assisting the patient with continuity of care—the original intent of the guidance. At MRO, we use the criteria provided by the guidance. The request must be made by the patient, written in the first person and signed by the patient. It must clearly state who is to receive the information and provide the address of that person.

Global Data Protection Rule (GDPR)

Released in May 2018 in the EU, the GDPR provided information on breach protection and response, which could affect guidance in the U.S. regarding notification timelines, documentation controls and data protection rules. The focus in 2019 will likely increase, prompting healthcare organizations to determine changes needed to strengthen privacy and security programs. Also, be aware of state action that is patterning to this rule.

Increased Information Collection

Technology will continue to advance through 2019—becoming faster and safer. With more apps and sophisticated technology, patients must be able to trust that their data is safe and secure. Here are several considerations:

  • What data will you protect?
  • What policies and procedures need to be reviewed?
  • Do you have a complete inventory of your data?

Digital mobile engagement is center stage—wearable devices, home monitors, patient portals, patient generated health data (PGHD) and ongoing technology innovation. The goal is for patients to have a connected, fluid experience throughout the healthcare journey.

Increased Access to Care

The patient experience has changed over the past several decades—from the focus on where patients receive care to where patients search for and choose to receive care. Increased access to care includes urgent care, virtual care, retail settings and nontraditional players such as Amazon and Google. All use some type of technology involving Protected Health Information (PHI) that must be documented and protected.

Population Health, Data and Analytics

Total consumer health requires awareness of educational needs, especially considering the aging population and proactive management of healthcare. Consumers will benefit from initiatives that promote informed decision-making through awareness of available resources and rights regarding PHI. Those efforts demand emphasis on data collection, protection and analytics to improve population health and ensure compliance.

AHIMA’s Vision for 2019

AHIMA recently released its vision for 2019 as the year of transformation. Based on a back-to-basics strategy, AHIMA will emphasize core strengths and services to move HIM forward:

  • Coding/clinical documentation improvement
  • Advocacy/AHIMA World Congress
  • Privacy and security
  • Operational effectiveness—patient-focused access, quality improvement, artificial intelligence, precision medicine, privacy demands

The top three drivers will be security risks, business needs and evolving industry changes.

Technology and Cybersecurity

In 2019, advancements in technology will remain centered on interoperability and cybersecurity. Interoperability is critical to patient engagement and optimal EHR investment required for proper PHI disclosure management.

Additionally, cybersecurity must be a top priority to ensure effective information security programs. Organizations must clarify policies regarding:

  • Risk assessments versus gap assessments
  • Incident response
  • External support
  • Business Associates
  • Third-party assessments
  • Certifications, audits, standards

The evolution of cybersecurity threats means increasingly sophisticated ransomware and other attacks including cryptojacking and whaling. In case of a technology incident, the best strategy is a layered security model to protect, detect, identify and respond.

To learn more about privacy and security predictions for 2019, fill out the form below to receive a copy of this webinar.

Receive a copy of our webinar "Healthcare Privacy and Security—Predictions for 2019.”

Read More

AHIMA Convention Product World Presentation—PHI Disclosure Efficiency in the Business Office


During the 2018 Annual AHIMA Convention & Exhibit in Miami, MRO hosted the Product World presentation “A Case Study for PHI Disclosure Efficiency in the Business Office—Yale New Haven Health.” I was fortunate to have the opportunity to co-present the session with Cindy Zak, Executive Director of Corporate Health Information Management, Yale New Haven Health.

In her position, Zak is well aware of the challenges HIM professionals face in response to the rising volume of Release of Information (ROI) requests made to business offices to support payment of claims. Business office personnel can spend up to 40 to 45 percent of their day pulling and attaching medical records, taking them away from their core responsibilities. Mostly billers and collectors, these staff typically lack expertise in ROI and Protected Health Information (PHI) disclosure management. And, whenever medical records are handled, HIPAA concerns must be top priority, such as the minimum necessary requirement. Other industry challenges include:

  • Increased backlogs
  • High-priority requests requiring timely fulfillment
  • Complicated/disparate processes
  • Incomplete and inconsistent data collection and trackability
  • Convoluted issue resolution processes
  • Lack of transparency
  • Strained relations among business office, HIM and payers

Together we explored new PHI disclosure management technologies and workflows for improving collaboration between HIM and the business office when fulfilling additional documentation/claim attachment requests.

Addressing PHI Disclosure Challenges in the Business Office

Yale New Haven Health experienced many of the common industry challenges, especially the need for transparency in HIM and an efficient HIM procedure for billing releases. Because the business office maintained ownership of payer requests, HIM was uninformed, serving as a middleman to process thousands of pages. Averaging 20 cases of paper a week resulted in an additional $3,000 per month expense just in paper costs. And, once records were pulled and copied—often including more than the minimum necessary—the information was sent back to the business office for shipping to payers.

As an early adopter of MRO’s business office medical record attachment solution, Yale New Haven Health has already achieved positive outcomes:

    • Business office staff is focused on billing and collecting.
    • HIM staff is focused on pulling the requested medical records.
    • Only the portion of the medical record that is requested is being sent.
    • Paper processes have shifted to electronic delivery.
    • Workflows are based on payer specifications.
    • Medical record claims attachments are sent within 24 hours of receipt.
    • Requests are now trackable to promote transparency.

According to Zak, “Our system business office and HIM personnel collaborate more effectively, focusing on their core responsibilities to maximize productivity and efficiency. The new technology and workflows have reduced paper processes, creating significant cost savings and enhancing enterprise-wide compliance.”

As MRO extends its expertise for health information exchange into business office functions that support revenue cycle management, health systems can benefit from improved efficiency, cost savings, reduced financial risk, trackable delivery, and enhanced interdepartmental and payer collaboration.

To learn more about strategies to improve PHI disclosure efficiency in the business office, fill out the form below to receive a copy of AHIMA’s 2018 Product World Presentation

Receive a copy of "A Case Study for PHI Disclosure Efficiency in the Business Office—Yale New Haven Health.”

Read More

Heard at AHIMA 2018—Privacy, Cybersecurity and Information Governance Institute and ROI Roundtable

AHIMA’s 2018 Privacy, Cybersecurity and Information Governance (PCIG) Institute took place September 22-23 at the 2018 AHIMA National Convention & Exhibit in Miami. True to its aim to enhance knowledge regarding current trends and issues, the event focused on protecting patient information across all healthcare settings and business operations—essential to ensuring patients’ trust in our healthcare system. Protected Health Information (PHI) disclosure management is at the heart of building that trust—and Information Governance (IG) is a critical component.

This year’s institute focused on industry adoption of IG, citing AHIMA’s Information Governance Adoption Model (IGAM)™ as a guide to advance IG practices toward achieving Level 5 maturity. Here are the five levels:

1—Unaware, IG concerns not addressed

2—Limited progress, early stage

3—Defined policies and procedures

4—Proactive program throughout operations

5—Fully integrated into overall infrastructure and business processes

Most attendees indicated their organizations were either at Level 2 or somewhere between Levels 2 and 3—making limited progress and beginning to define policies. This feedback means there’s much work to be done within the HIM domain to successfully measure and achieve IG maturity.

PHI Disclosure Management and IG Connection

A common question posed to HIM leaders on this topic is: What is the relationship between PHI disclosure and IG? First of all, proper disclosure of PHI cannot be achieved without adherence to IG principles—particularly privacy and security. AHIMA describes IG as an enterprise-wide framework for managing information throughout its lifecycle—from the inception of a patient’s record to its eventual destruction. An analogy that comes to mind is the story of a person’s life, the stewardship required from birth to death.

From an IG perspective, HIM professionals must know where information originates, where it flows, how it is released, when it dies—and all risk factors along the way. In our experience, one of the most critical areas of risk is the business office. Implementation of a centralized, enterprise-wide approach to PHI disclosure—aligned with IG principles—reduces risk related to ROI practices.

Modern Age of ROI Roundtable

Following the two-day PCIG institute, I joined my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and other experts to discuss Release of Information (ROI) challenges and best practices during the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?”

The hottest topic that emerged was patient-directed requests. Many in the industry are seeing inappropriate attorney behavior such as having the patient sign a blank form that the attorney then uses to request patient information. When a form is questionable, the patient should be contacted to clarify and confirm consent.

In the audience was Jim Bailey, President of the Association of Health Information Outsourcing Services (AHIOS), who suggested that states come together to address the issue. Here are four recommended strategies:

  • Raise awareness with your legislators
  • Hold conversations with other hospitals in your area
  • Don’t be afraid of meeting with the OCR
  • Exercise the right to question and verify any request

A valid patient-directed request must clearly reflect the patient’s intent—type of information requested, who should receive the information, for what purpose and method of delivery.

HIM Leadership

Overall, the PCIG Institute, ROI Roundtable and many other informative sessions during the AHIMA Convention reaffirmed that HIM professionals play a crucial role in promoting stronger privacy, security and Information Governance. Trust in the healthcare system depends on our leadership.

Sign Up for Future Blog Posts

Read More

MRO Is Top Performer in 2018 KLAS Report that Compares Release of Information Vendors

In September 2018, KLAS published the performance report “Release of Information 2018: Who Delivers Most Consistently Across Customers?” With a track record of being the KLAS “Category Leader” for ROI, as designated in 2013-2018 “Best in KLAS” reports, we were eager to dig into the latest research to see if MRO had again received the highest performance ratings.

We were not disappointed. I’m pleased to report that KLAS named MRO the overall highest performing ROI services vendor, outperforming the two other vendors included in the report. Only three ROI service providers had statistically adequate client bases to be included.

Key Findings: 2018 Release of Information KLAS Report

Key findings centered on MRO’s ROI services are:

  • On a 100-point scale, MRO’s reported overall performance score is 90.4.
  • MRO’s performance ratings for overall satisfaction, quality of service staff and turnaround time are rated highest among the vendors.
  • MRO is noted as the consistent high performer and well-rounded firm with good communication, good employees and strong delivery of ROI services.
  • 95 percent of MRO’s clients say they would hire the company again, a percentage much higher than the other vendors.
  • MRO has the proven scalability to meet large client needs and implementations.

As I read through the report, it was apparent that quality is a key theme related to MRO’s services. Our “top notch employees and outstanding customer service” are highlighted, and KLAS’s research finds that MRO clients appreciate the responsiveness of our customer service, especially the ease of speaking with someone when needed.

Reflecting a bit, I felt the emphasis on high-quality service within this report echoed findings in the last KLAS report to feature a deep dive into ROI: “HIM Services Performance 2015: Coding, Transcription, Release of Information.” In the 2015 report, MRO was recognized for the best overall performance, highest quality and fastest turnaround times.

Since the 2015 HIM report was released, MRO has grown to be one of the largest ROI vendors, serving more than 7,500 locations nationwide. It is rewarding to see that our clients continue to recognize our work as the highest quality service in the industry as we continue to expand.

That brings me to another topic. Scalability. MRO’s ability to scale to provide quality ROI services to both large and small clients is also noted in the 2018 report. One surveyed HIM director said, “We don’t see any issues with MRO being able to scale to meet our needs. When we asked to amend our contract, we were asking for a couple of FTE equivalents, and since that time we have lost some key staff members. So, MRO is ready to expand. Our experiences with them have all been either very good or excellent. They are very reputable.”

I personally believe MRO client feedback provided to KLAS is a strong indicator of high-level client satisfaction. As we onboard more of the nation’s top health systems, we are making the necessary investments in technology and people to ensure we continue delivering the best service quality while meeting the needs and expectations of our clients.

Video: MRO: KLAS-rated #1 for Release of Information

In 2012, MRO became the first rated vendor in KLAS’s Release of Information services market segment. Since then, MRO has been consistently rated #1 for ROI, and we closely monitor our performance scores to ensure MRO clients receive the best service possible.  Watch the video to learn more.

I am proud that MRO’s people, technology and uncompromising commitment to our clients’ success are recognized by KLAS, not only in relation to the other ROI vendors, but also on an objective performance scale.

To read more about KLAS’s research on Release of Information, complete the form below.

Request MRO’s Summary of KLAS Reports

Read More

Enterprise-Wide PHI Disclosure Management—Six Strategies Guided by Information Governance Principles

On September 1, 2018, the Journal of AHIMA published MRO’s article “Enterprise-Wide PHI Disclosure Management—Why Information Governance Matters,” featuring a virtual roundtable with health information management (HIM) leaders from MRO client organizations Ardent Health Services, Ochsner Health System and WellSpan Health.

As moderator of the discussion, I had an opportunity to explore valuable insights gained from their experiences along the journey to enterprise-wide Protected Health Information (PHI) disclosure management. Here is a summary of common challenges they faced and successful strategies guided by Information Governance (IG) principles.

Common Challenges

As integrated health systems grow through partnerships and acquisitions, one of the most significant challenges is managing multiple points of PHI disclosure during the Release of Information (ROI) process. Keeping up with evolving regulations requires evaluation of ROI requirements including ongoing review of policies and procedures with a goal of establishing standardized, compliant processes across the enterprise. This has become even more critical with the rise in small breaches, often due to errors in ROI.

With any major process change, some resistance can be expected. Not everyone will be on board to hand off ROI responsibilities. Reluctance to make the transition to enterprise-wide disclosure is often related to loss of control and personal touch, particularly in physician practices. Communicating the benefits to all departments and practices is critical to the success of a centralized, enterprise approach.

Six Successful Strategies—People, Processes and Technology

Overall, the combination of policies and procedures supporting legal medical record content, consistent record retention and standardized workflows enables the implementation of enterprise-wide PHI disclosure. Establishing compliant ROI practices aligned with IG concepts must be a top priority to reduce liabilities and protect patient information.

Here are six strategies for HIM professionals to initiate, support or sustain enterprise-wide PHI disclosure management:

  1. Engage executive leadership, including compliance, privacy and legal teams. Present a business case for enterprise-wide ROI, with emphasis on the benefits of centralization including cost savings, compliance and patient satisfaction.
  2. Proactively address PHI disclosure management in the acquisition and partnership strategy. Create a consistent approach to managing any ROI transition.
  3. Consider your available human, technical and system resources. Evaluate the ability to implement a model that is self-sufficient, outsourced or a combination of the two options.
  4. Create an enterprise-wide inventory of health records/designated record sets. Include the format, locations and retention timeframe.
  5. Determine the right balance of onsite versus remote management. Create a standard list of common documents requested by patients as a guide to onsite processing.
  6. Establish a collaborative relationship with your ROI vendor partner. Work together to develop and sustain a PHI disclosure management process. Having a dedicated ROI team supports the commitment to provide accurate and timely records to customers and patients.

To download a PDF copy of the full Journal of AHIMA article, complete the form on this page.

MRO at AHIMA Convention & Exhibit

To meet MRO’s teams and network with HIM peers using our services, visit us at the upcoming AHIMA Convention & Exhibit in Miami, September 22-26. Review a list of MRO events in advance to learn more about where you can find us during the convention. Highlighting Monday’s agenda is the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?” where my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and I will join other experts in the field to discuss ROI challenges and best practices. We look forward to seeing you there!

Receive a copy of the full Journal of AHIMA article

Read More

MRO at the 90th Annual AHIMA Convention and Exhibit in Miami, FL

As we approach the 2018 AHIMA National Convention and Exhibit in Miami, held September 22-26, 2018 in Miami, MRO is very excited to exhibit and have the chance to mingle with our Health Information Management (HIM) partners and friends.

During exhibit hall hours, members of MRO’s leadership will be available at Booth 437 to discuss topics surrounding Protected Health Information (PHI) disclosure management, including industry trends, breach risk mitigation and MRO’s KLAS #1-rated Release of Information (ROI) solutions. We will also have a mentalist/magician performing in our booth on Monday and Tuesday, September 24 and 25.

Some other places you can find MRO during the convention include:

AHIMA’s Privacy, Cybersecurity, and Information Governance Institute

Saturday and Sunday, September 22-23
Miami Beach Convention Center, Art Deco Ballroom, Room 228 AB

AHIMA is committed to remaining the leader in privacy, cybersecurity, and Information Governance (IG) throughout healthcare. Because of this commitment and healthcare’s evolution—which requires continued education on the most current topics and trends in the industry—AHIMA’s annual Privacy and Security Institute is evolving. This year AHIMA is introducing the Privacy, Cybersecurity, and Information Governance (PCIG) Institute.

MRO is proud to sponsor this year’s PCIG Institute, and Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO will participate in Sunday’s 10:55am – 11:45am Eastern panel discussion “Privacy and Security Competency Gaps: How to Navigate Your Way to Success.

Case Study for Business Office ROI: Yale New Haven Health

Monday, September 24
Miami Beach Convention Center, Exhibit Hall, Theater C
12:15pm – 1:05pm Eastern

Join Kim Charland, RHIT, CCS, Director of Revenue Cycle Services for MRO, and Cindy Zak, MS, RHIA, PMP, FAHIMA, Executive Director of Corporate HIM for Yale New Haven Health, for a presentation on exploring ways MRO’s Medical Record Attachment Services for the Business Office can help HIM leaders improve interdepartmental collaborative efforts to efficiently and compliantly fulfill ROI requests that support claim payments.

ROI Networking Roundtable

Monday, September 25
Miami Beach Convention Center, Room 209
3:30pm – 4:15pm Eastern

Attend the presentation “The Modern Age of ROI – Are You Up to Date?” to network with HIM peers and experts in the field, including MRO’s Rita Bowen and Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services. Bring to the table any issues or challenges faced in ROI and discuss best practices.

Educational Session: Project Management in HIM Implementations

Monday, September 25
Miami Beach Convention Center, Ocean Drive Ballroom A-D
4:30pm – 5:15pm Eastern

To learn best practices for utilizing project management skills in enterprise-wide HIM implementations, join Angela Rose and Emilie Sturm, Sr. Revenue Management Consultant for Trinity Health, for this exploratory session.

Meet MRO at AHIMA

MRO has been exhibiting at this convention every year since 2004. In our 15th year at the event, we anticipate this to be our best year yet. I am looking forward to learning about the latest industry trends and being able to see and spend time with all our clients and friends in attendance. We hope to see you there!

Schedule a PHI disclosure management consultation at AHIMA.

Read More