Record Requests610-994-7500

Maintaining Compliance and Privacy Amid COVID-19


In these unprecedented times, there is much talk of the novel coronavirus (COVID-19) as it relates to HIPAA and the privacy of patient information. The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently provided a statement to ensure all parties are aware of how patient information can be shared during an infectious disease outbreak. The purpose of the statement was to remind business associates and other entities covered by HIPAA that the Privacy Rule is not set aside during an emergency.

What this means for caregivers

Anyone who has been recognized by the patient will be allowed to continue receiving patient information. Additionally, HIPAA-covered entities are permitted to share the information in order to identify or locate a patient, and to notify the family members, guardians, or other caregivers of the patient’s general health condition or death. Furthermore, the information can be disclosed to law enforcement, the press or the public at large if necessary, to identify or locate the patient.

In any of the above cases, verbal permission from the patient should be obtained prior to the disclosure of information. However, the HIPAA minimum necessary standard does apply. This means that healthcare providers should make a reasonable effort to ensure any disclosed PHI is protected and restricted to the minimum necessary information, and only used to achieve the intended purpose.

What this means for business associates

While caregivers involved may share information as needed for public health purposes, business associates may not release the information without express authorization. If there is a legitimate need for public health authorities, or others responsible for ensuring public health and safety, to access protected health information required to carry out their public health mission, then and only then may the covered entity release the information. For example, should a facility ask that a business associate, such as MRO, release information verbally, the business associate is required to obtain a waiver of protection to do so. This is because the rule specifically indicates that business associates are to continue with the use of the protected information as outlined in the business associate agreement.

To learn more, and read the entire HHS release, click here.

Read More

Announcing MRO’s 2020 Webinar Series









MRO and I are proud to announce our 2020 webinar series. I would like to invite you to join me and my colleagues to review, analyze and discuss the hottest topics impacting Protected Health Information (PHI) today.

This year’s webinar series focuses on best practices related to industry trends and challenges, leadership development and regulatory changes that affect the secure and compliant exchange of PHI. The sessions address the needs of Health Information Management (HIM), privacy, compliance, risk management, security and other healthcare professionals seeking up-to-date information. Don’t miss the opportunity to learn from seasoned industry experts!

Highlighted below are the four sessions included in our webinar series.

The Right ROI Solution, Information Blocking, Workforce Training, and Privacy and Security Trends

Release of Information: Industry Changes and the Road to the Right Solution

This presentation explores results from a nationwide survey of senior HIM professionals about the ROI challenges, priorities and strategies at the forefront of today’s healthcare ecosystem. The survey was commissioned and published by MRO and conducted by Porter Research. I will guide attendees through a discussion regarding the right time to consider a new strategy and ROI partner, the meaning of transparency in partnership, key criteria for success and more.

Information Blocking Rule: The Impact to HIM

The Information Blocking Rule encourages the flow of information for patient-enhanced management of their own healthcare through the use of health information. As a result, we expect to see increased patient-directed flow of their health information to APIs and other support management tools. MRO’s privacy and compliance expert, Rita Bowen, and MRO’s legal expert, Danielle Wesley, Esq., will discuss how this rule appears to conflict with areas of HIPAA and what that means for HIM departments.

HIM Workforce Training: Developing Tomorrow’s Leaders

The evolving HIM landscape demands new skillsets and expertise for the workforce. MRO’s motivation and development expert, Mariela Twiggs, will provide best practices for training and retaining your employees. Attendees will take away valuable knowledge to develop their staff into tomorrow’s leaders.

Watch List: 2021 Privacy and Security Trends

This presentation recaps 2020 privacy and security trends affecting the HIM industry. The session also focuses on the outlook for HIM in 2021 and how to prepare for the future. MRO’s privacy and compliance expert, Rita Bowen, and MRO’s IT expert and CIO, Anthony Murray, will review watch list resources and provide related links. This timely information is most valuable to HIM directors, compliance and privacy officers, security officers, chief information officers and chief financial officers.

I will present our first webinar, Release of Information: Industry Changes and the Road to the Right Solution, on April 15, 2020 at 2 pm ET. Register today!

Read More

PHI Disclosure Management Webinar Recap: Attorney Misuse of Patient-Directed Record Requests and How to Cope


On December 11, 2019, I joined my colleague Danielle Wesley, Esq., Vice President and General Counsel, to present the fourth and final installment of MRO’s PHI Disclosure Management Webinar Series. In this webinar titled “Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope,” we reviewed trends and national efforts underway, discussed how the health system is impacted and formulated tactics to combat the confusion.

Patient-Directed Request Trends

The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding more clarification for healthcare provider organizations, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in mounting challenges for healthcare providers. Recently, we have begun to see the following trends:

  • Attorneys and other third parties have increased the number of “patient-directed” requests and are using the records for their own for-profit activities—such as litigation or data sharing/selling.
  • Such requests demand that records be sent directly to the third party but be billed at the patient rate under the HITECH Act.
  • Use of the phrase “any and all” has led to a rise in page count per request. This phrase is used as an attempt to receive all PHI regarding a patient, not just the specific encounters or visits that are relevant to the litigation.
  • An increase in the submission of meritless complaints to release of information companies such as MRO, their clients, and the OCR has resulted in more time and effort to respond to baseless complaints, which ultimately generates greater operational costs.

These trends are concerning for release of information companies and their clients because attorneys and record retrieval companies are able to obtain large volumes of essentially unrestricted, unregulated PHI at lower fees by using generic, template forms. Furthermore, patients are unaware of the risks associated with the documents they are signing and are not actually providing “informed consent.” Such risks include:

  • No acknowledgement of HIPAA rights
  • No expiration date, allowing third parties to copy and use the “patient-directed” request letter indefinitely
  • No restriction on sensitive information regarding HIV, sexually transmitted diseases, psychotherapy notes, substance abuse and more

Health System Impacts

As the misuse of patient-directed requests grows, so does the impact across health system departments. Not only does this issue directly affect the Health Information Management (HIM) department, it also affects the Compliance and Legal/Risk Management departments.

HIM departments must mitigate patient privacy risks while managing an increase in volume, workload, costs and staffing.

Compliance departments are concerned about OCR incrimination, which results in knee-jerk responses versus well-informed actions. There is also a lack of time and resources to appropriately push back on meritless attorney complaints and threats.

Legal and Risk Management departments face OCR complaints and outside attorney pressure, and lack understanding of the steps and costs required to fulfill requests for medical records. For all parties involved, proper training is needed to mitigate risk and take appropriate action in response to attorney requests and patient-directed requests.

PHI Disclosure Management: Recommendations for Organizations

All health systems and organizations should have a plan in place to combat attorney misuse of patient-directed requests. Here are four simple, yet effective tactics:

  • Provide HIPAA training and education throughout your organization, particularly focused on patient access and patient privacy. Include departments such as HIM, Legal, Compliance, Risk Management, Finance, etc.
  • Recognize this as a long-term problem that cannot be resolved effectively by short-term solutions. Consistency is essential, begin by understanding your responsibilities set forth in your organization’s HIPAA compliant Notice of Privacy Practices.
  • Don’t be afraid to push back. Engage with the OCR whenever possible since it is critical that they hear from your organization directly. MRO’s most successful clients have taken a strong stance for their patients and against third parties misusing patient access.
  • Contact your representatives and senators to share your concerns regarding misuse and abuse of patient-directed requests from attorneys, record retrieval companies and other third parties. Specifically, contact members of the Health, Education, Labor and Pensions (HELP) Committee.

Continuing Education for the Misuse of Patient-Directed Requests

As we begin the New Year, Danielle and I will continue to educate our client base by hosting webinars, publishing additional content and visiting Capitol Hill alongside other industry experts. Stay connected and view the latest updates by following us on our social media platforms.

To learn more about the misuse of patient-directed record requests, fill out the form below to receive a copy of this webinar.


Receive a copy of the webinar "Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope"

Read More

MRO’s Everyday Heroes: A Motivational Initiative

I have a fabulous job title: Senior Director of Motivation and Development. When I meet people, they often comment on my title, saying it’s intriguing and then ask what I do. The development aspect of my job at MRO Corp. includes managing all the training content—creating engaging lessons within our learning management system for our large, diverse workforce. But the truly heartwarming and rewarding part of my job is the motivation aspect. It is my responsibility to manage a program that inspires our workforce. I often joke that I get to play MROprah!

Creating Everyday Heroes

The biggest piece of our motivation plan is a program called Everyday Heroes, which celebrates team members who go above and beyond in their job performance. On a bimonthly basis, we produce an Everyday Heroes Newsletter that tells stories about how the actions of a team member touched someone’s life. The stories come from a variety of sources, but each one is about an MRO customer who received outstanding service and took the time to email an employee’s manager. Sometimes these happy customers send a gift of appreciation or call MRO to say they had a wonderful customer service experience. By far, most of these satisfied customers are patients whose lives have been touched.

Additionally, there are customers such as attorneys, insurance company representatives and our clients who write lovely letters to sing someone’s praises. Sometimes a staff member is asked to tell a noteworthy story about their own MRO coworker. Further, the newsletter features a section called “My Manager Cares” where an employee nominates a manager for excellent leadership and an inspirational skillset.

I recently shared with my daughter that one of my career accomplishments I’m most proud of is being able to touch one person’s heart. This is a privilege I treasure. As the Everyday Heroes program begins its fourth year this January, our CEO asked me how we find all the stories. I explained that inspiration is contagious, so team members and managers continue to send me great material.

I like to say, “We don’t just disclose health information, sometimes we save lives.”

Celebrating Great Customer Service at MRO Corp

Many ROI specialists who handle patient walk-in requests often say the most enjoyable part of their job is making a difference in a patient’s life. Our program celebrates these moments and gives people recognition for great customer service. When acknowledged as an Everyday Hero, honorees receive a gift box with a gift card, an MRO Hero frame containing their story, a candygram and a chance to enter a drawing for a big cash prize. Historically, we’ve had around 60 team members per year receive this honor. At the end of each year, we randomly draw three Everyday Heroes and one “My Manager Cares” for the big cash prize.

How We Make a Difference

As I reflect on all the newsletters I’ve written over the years, some memorable stories come to mind. In one case, a patient was in the middle of surgery when a report from an old chart was needed. Our staff member made the request a top priority and walked the report to the surgery area.

In another case, a husband came in to obtain his wife’s report, explaining that she was in the car because she had difficulty walking. To make things easier, our staff member walked to the requester’s car to obtain the patient’s signature on the authorization form.

Another story that comes to mind featured a manager who stayed at work in the Distribution Center during a blizzard because many employees were unable to get to work. It’s so great to hear, “I have been working for many years with many bosses, but I have never had a manager make a difference in my life the way my MRO Manager has done.” Heartwarming, inspirational, making a difference. We care!

Here are some photos of gifts that have been received by staff members:








To stay updated on our heartwarming and inspirational “Everyday Heroes” sign up to receive MRO’s newsletters. 

Stay updated on our heartwarming and inspirational "Every Heroes" by signing up to receive MRO's Newsletters.

Read More

Heard on the Hill: A Call for Regulation of Attorney Misuse of Patient-Directed Requests










During the week of November 11, 2019, I visited Capitol Hill with colleagues from the Association of Health Information Outsourcing Services (AHIOS) to address concerns regarding patient access to medical records. As many HIM professionals are aware, in February 2016 the Office for Civil Rights (OCR) released guidance on patient access to health information that is being misused by third parties. During our time on Capitol Hill, we met with staffers from the offices of senators and state representatives of both parties to voice our opinions.

Protected Health Information: Help Make a Difference in Patient-Directed Requests

While this trip to Washington, D.C. was very successful, we will continue to make many trips in 2020 to voice our concerns to policymakers. One critical takeaway is that constituents (both hospitals and patients) need to reach out statewide to the people who can make a difference with regard to this issue. Constituents need to contact their senators and state representatives to express the struggles and hardships related to patient access in their respective states, growing privacy concerns, and in the case of hospitals, cost shifts back to your facility.

If a constituent’s state has a U.S. senator serving on the Health, Education, Labor and Pensions (HELP) Committee, then they should especially reach out to share their patient access concerns. MRO’s legal, privacy and compliance teams are available to all clients to assist in identifying HELP committee members, as well as other key senators and state representatives in their respective states.

Learn More About Protected Health Information

MRO is currently working alongside industry experts to make a difference on Capitol Hill.

To learn more about our visit and our 2020 initiatives, join me and my colleague, Rita Bowen, for our upcoming webinar by registering below.

Register for our webinar "Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope" on December 11, 2019 at 2pm EST

Read More

National Cybersecurity Awareness Month: How to Protect Your Online Presence


National Cybersecurity Awareness Month, initiated by the National Cybersecurity Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance, is observed in October. The purpose is to raise awareness about the importance of cybersecurity, which is essential to the business operations of MRO. As our company’s information systems security officer, I saw an opportunity to review some important cybersecurity points to protect your online presence this month and beyond.

IT Security Basics for Breach Prevention

Though sophisticated measures are an important part of an effective cybersecurity plan, it is essential to always remember the basics:

  • Use passwords – Not only should you have one, you should create one that includes numbers, symbols, and upper- and lower-case letters. And never use your name, birthday or an existing password. Use different passwords across systems, so that if a hacker accesses one system, they cannot easily access all the others. Finally, never share your password. Just because you trust someone does not mean they will protect your password.
  • Lock your device – When you are away from your device, lock it to prevent people from viewing sensitive information or using the device. This goes for computers, mobile devices, tablets, etc. Set your device to lock automatically after a certain period of inactivity for stronger data breach prevention.
  • Use a secure WIFI connection – Connections at hotels, coffee shops, airports and other public places are not secure. Even if a password is required to use the WIFI at a trusted business or location, those connections are by no means secure and are vulnerable to hacking.


In a phishing attack, cyber criminals use an email to lure you into giving them more information. These emails usually look real and are excellently designed to trick you. They will try to collect financial information, login credentials or other sensitive data. Sometimes these criminals use malicious web links, attachments or fraudulent data-entry forms to install harmful software called malware on your device. Falling for a phishing attempt can have serious long-term impacts on your work and home life. Many companies have had billions of confidential personal data leaked, and many people have had their bank accounts cleared out, all due to successful phishing by cyber criminals.

How can you protect yourself against phishing? Follow these simple, but effective steps:

  • Think before you click – Does it sound too good to be true? Do you know the sender? Does it have any links or attachments? Does it ask for money, credentials or any other sensitive information that you would not give to a stranger?
  • Verify attachments and links before you open them – Hover over the link to see where it is taking you. Do you know that site? Visit the site on your web browser (NOT by clicking the link, but by doing a quick search), and then call the number on the site to inquire about the email message.
  • Double and triple check – Email addresses can be “spoofed” meaning they appear to be from a trustworthy source, when in fact they are not. Brands and logos can be copied and pasted from the real, reputable site. Even links can be disguised as legitimate when they are not. Before you do anything, you need to be 100 percent sure that everything is legitimate. When in doubt, simply do not open, click or respond. Report it to your IT security team.


Ransomware is a malicious software that cyber criminals use to deny access to your system or data. These criminals will hold your system/data hostage until ransom is paid. After the initial infection, there will be attempts to spread the ransomware to shared drives and systems. If the demands are not met, the system could remain unavailable or even be deleted altogether.

How do you know if you have ransomware on your computer? A window will pop up telling you that you have XX amount of time to pay a certain amount of money to avoid losing your system or data.

If that happens, take the following steps:

  • Unplug the power cord from the back of your PC—don’t just turn it off
  • Contact your IT department (via phone) for assistance
  • Contact your supervisor

Ultimately, the best way to ensure this does not happen is to avoid unknown links, ads and websites. Do not download unverified attachments or applications. At home, keep your software up to date, and back up data files to a secure location daily. As always, if it looks suspicious, simply do not open, click or respond.

Social Engineering Tactics

Social engineering attacks are directed specifically at human beings. Hacking a human is much easier than hacking a business, so be on the lookout! There are three basic tactics used in this type of hacking. Be aware, and don’t fall for these common tricks:

  • In person – Someone gains access through an open door or pretends to be a service technician, someone buys you a drink and tries to extract information, someone looks at your unattended device, or someone is left unattended to use your computer, perhaps during a troubleshooting session
  • Phone – Someone calls you pretending to be from an organization asking for donations, pretending to be your bank with a pre-recorded message and asks you to call back to confirm information, or pretending to be a person in authority who intimidates you to give them information
  • Digital – Someone uses phishing, someone mimics a trusted social media page to get you to click on malicious links, or someone uses common typos for brand URLs to make you think it’s the real site and click on malicious links

National Cybersecurity Awareness Month: Sobering Stats

Homeland Security recently published some sobering statistics about cybersecurity. Don’t fall victim and be a part of these statistics:

  • 47 percent of American adults have had their personal information exposed by cyber criminals
  • 600,000 Facebook accounts are hacked every single day
  • 65 percent of Americans who went online received at least one online scam offer

Though National Cybersecurity Awareness Month is observed during October, the advice and resources provided above can and should be used all year round to improve cybersecurity in the office and at home. Be a strong link in the cybersecurity chain and practice what you have learned every day.

Join our blog mailing list

Read More

Heard at AHIMA 2019: Penn Medicine’s Journey to Enterprise-Wide Disclosure Management

Recently, at the AHIMA Health Data and Information Conference in Chicago, I had the pleasure of presenting with my colleague Sherine Koshy, MHA, RHIA, CCS, Corporate Director of HIM at Penn Medicine, about her experience outsourcing Penn Medicine’s release of information (ROI) function.

Our presentation was held in the HIM Expert Theater where we discussed why enterprise-wide disclosure management is so important in today’s healthcare ecosystem.

We had a great time networking among peers and sharing best practices as well as lessons learned along Sherine’s journey. The conference is a busy time with many opportunities for education. So, if you were unable to make our session, here are highlights of the points discussed:

Healthcare and HIT Environmental Scan

HIPAA is still the standard that sets the floor for the privacy and security of protected health information (PHI), but let’s not forget the other federal and various state laws that also affect PHI safeguards and disclosures. We’ve all heard that HIPAA 2.0—the reboot for a modernized version—is coming to catch up with the continually changing healthcare and HIT environments. As part of the healthcare evolution, patients have become more actively involved in their own care, a trend that demands timely and accurate disclosure management practices.

Why Enterprise-Wide Disclosure Management?

 As outlined in our presentation, the benefits of an enterprise-wide disclosure management approach include the ability to:

  • Standardize workflows
  • Review/update policies and procedures
  • Improve the customer experience
  • Achieve compliance
  • Mitigate risk

Nationwide ROI Survey Results

 We summarized the results of a survey that MRO recently commissioned to a third party, Porter Research, to find out more about current ROI needs and requirements. The survey found that senior HIM professionals experienced two top business challenges:

  • Dissatisfaction with their ROI vendor—including missed service level agreements (SLAs), compliance issues/breaches, and lack of support/poor service quality
  • Need for standardization of the ROI process—due to a high volume of ROI requests, multiple locations and need for one single platform: one EMR and one ROI vendor for consistency

The study also revealed five essential attributes organizations consider when searching for an ROI solution or a new ROI vendor. Those include:

  • Ease of use—a dependable system that is user-friendly
  • Workflow—efficient and effective to ensure timely and accurate disclosures
  • Turnaround time—requirements met according to timelines, if not sooner
  • Industry reputation—customer satisfaction, company integrity, and staff credibility
  • Ability to handle volume—to ensure quality of service does not fluctuate with request volume

 Penn Medicine’s ROI Journey

 Penn Medicine is located in and around the Philadelphia, Pennsylvania area and includes 6 hospitals (7,163 physicians), 10 multispecialty centers, and 800+ physician practice locations. The system is ranked by U.S. News & World Report as No. 1 in the state of Pennsylvania.

Like many other organizations, Penn Medicine faced challenges with their ROI solution and realized the need to evaluate the following:

  • Level of quality—internal issues and patient complaints due to backlog in requests
  • Customer service—lack of partnership and trust in the relationship, and a reactive instead of proactive approach when taking on issues
  • Patient complaints—increase in complaints across the entire health system
  • Staffing—high turnover and inability to keep up with demand for new employees
  • Productivity and turnaround time—compliance risk due to missed deadlines
  • Technology—platform not user-friendly, inability to integrate with the existing EHR

Ultimately, Penn Medicine made the tough decision to change ROI vendors, and focused on top priorities:

  • Ensure excellent customer service and response times to Penn Medicine and, even more important, to the patient
  • Create a one-stop-shop model allowing a patient to request records from anywhere in the enterprise at any one location
  • Decrease privacy and security incident/breach rates
  • Ensure system integration with Penn’s EHR

Many collaborative planning meetings paved the way for MRO to clearly understand Penn’s challenges and to define an effective transition plan for the organization’s future ROI state. A strong partnership was built by creating a team approach, investing in training and resources, and going above and beyond to bring Penn Medicine’s vision to life.

The transition proved to be successful for Penn, measured by the following outcomes:

  • Compliant ROI—quality and accuracy improved, turnaround times were met, and productivity levels kept up with high volumes
  • Customer service—increased satisfaction by allowing requesters to request and obtain any Penn Medicine record at any location
  • Complaints—decreased significantly
  • Staffing—low turnover and well-managed staff
  • EHR integration—streamlined workflows and increased productivity
  • Partnership—mutual trust and transparency between Penn Medicine and MRO

Enterprise-Wide Disclosure Management: Best Practices and Lessons Learned

Along any successful journey, issues must be resolved to achieve success. Partnership is essential. Penn Medicine’s ROI journey provides other healthcare organizations with valuable best practices and lessons learned:

  • RFP—Create a multidisciplinary committee, define the process with timelines and due dates, define the most important criteria and attributes needed for your organization, establish a grading document and scale, and communicate regularly with the vendors
  • Contracts—Ensure accountability and responsibility between parties in your BAAs, know payer contract verbiage and negotiated rates, and create realistic achievable SLAs
  • Technological capabilities and limitations—Ensure ease of use, keep in mind possible integrations such as MROeLink®, maintenance, and downtime
  • Communication—Create checks and balances, hold ongoing meetings to touch base (internally and with vendor), ensure all stakeholders are on the same page and change course if necessary
  • Partnership development—Ensure transparency, team effort, reliability and above all, trust

To learn more about enterprise-wide disclosure management, and Penn Medicine’s ROI journey, fill out the form below to receive a copy of our presentation, originally presented at AHIMA 2019.

Request presentation slides

Read More

Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI










On August 14, 2019, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part PHI Disclosure Management webinar series. In this webinar titled “Cybersecurity in Health IT: Trend and Tips for Safeguarding PHI,” we discussed updates from the 2019 HIPAA Summit, the concept of “defense in depth,” security frameworks, top security threats and best practices for protecting your organization.

2019 HIPAA Summit

The HIPAA Summit focused on advances in security technology and increased government cybersecurity initiatives. Considering recent data breaches, healthcare organizations must build cybersecurity awareness programs that ensure HIPAA compliance. Here are four top priorities:

  • Secure executive and board-level buy-in
  • Provide ongoing training and education
  • Perform an annual risk analysis
  • Create a comprehensive incident response plan

The Summit featured a panel discussion including a representative from Anthem, Inc. who spoke about the company’s cyberattack and resolution agreement, the single largest individual HIPAA settlement in history of $16 million. The breach report filed with the HHS Office for Civil Rights (OCR) indicated that cyberattackers had gained access to Anthem’s IT system via an undetected continuous and targeted cyberattack for the apparent purpose of extracting data, otherwise known as an advanced persistent threat attack. The investigation revealed the following risk factors:

  • Failure to conduct an enterprise-wide risk analysis
  • Insufficient policies and procedures to regularly review information system activity
  • Failure to identify and respond to suspected or known security incidents
  • Failure to implement adequate minimum access controls to prevent the cyberattackers from accessing sensitive electronic protected health information (ePHI)

Defense in Depth

In the traditional sense, defense in depth means applying a layered approach to protecting your assets, including a variety of techniques and technologies. The potential for leaving gaps in protection and the adoption of newer concepts such as zero trust should be reviewed. It is important to incorporate and execute on your security frameworks and risk management programs to ensure alignment while addressing cyber risks and threats.

Security Framework

Understanding your organization’s approach to security and risk management is critical. According to NIST, an effective security framework is based on five core tenets:

  • Identification—inventories for asset management, governance and risk management
  • Protection—access controls, awareness and training, protective technologies
  • Detection—tools to detect threats and events, continuous monitoring, manual/automated alerting
  • Response—planning, communications, analysis
  • Recovery—planning, improvements, communications

Relevant Controls for HIM

We highlighted focus areas for HIM in two categories. The first is Access/Account Management which includes workforce security, information access and auditing. HIM has great visibility into these sensitive workflows along with a deep understanding of where, why and how information is being shared. They must work closely with other departments—human resources, IT and compliance to establish policies and controls that prevent improper access to PHI.

The second category is Administrative, Physical and Technical with emphasis on:

  • Data classification—data flow mappings and sensitivity
  • Roles and responsibilities—privacy, security and legal
  • Information security awareness—education, training and policies
  • Information handling—use and disposal
  • Physical access—secure rooms

With the rise in requests for access to PHI by payers, attorneys and patients, ensuring secure rooms for access to electronic health records is essential.

Enterprise Engagement

As providers apply new technologies, workflows and practices to gain more efficiencies and secure operations, it’s important to engage privacy, security and legal teams early in the process. Help them understand the risks and identify any necessary corrective action plans (CAPs) up front.

Resolution Agreements

In addition to lessons learned from the Anthem breach, attendees gained insights from other examples in which failure to conduct enterprise-wide risk analysis was a major contributor to cybersecurity breach. Understanding how OCR judged and accounted for those activities promotes effective privacy and security programs.

Top Cybersecurity Threats in 2019

Based on a survey of 2,400 cybersecurity and IT professionals, a recent Ponemon Institute Cyber Risk Report revealed the top five cybersecurity threats organizations are most concerned about in 2019:

  • Third-party misuses or shares of confidential data
  • An attack involving IoT or OT assets
  • A significant disruption to business processes caused by malware
  • A data breach involving 10,000 or more customer or employee records
  • An attack against the company’s OT infrastructure resulting in downtime to plant and/or operational equipment

As healthcare organizations face increased risk of cybersecurity breach, third-party risk management is more important than ever. Rigorous due diligence is part of the risk analysis conducted by covered entities to ensure partners have HIPAA-compliant policies in place to safeguard PHI. Whether internal or outsourced, a standardized approach to understanding third-party security frameworks and policies is recommended.

The most important lesson learned for 2019 and years to come is clear: Perform an annual risk analysis and follow best practices for creating an appropriate incident response plan.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.

Request MRO’s Cybersecurity Webinar

Read More

AHIMA Conference 2019: Learn from MRO’s Release of Information Experts

As we approach the 2019 AHIMA Health Data and Information Conference in Chicago, September 14-18, 2019, MRO is excited to exhibit for the 16th year in a row.  We are looking forward to mingling, networking, and spending time with our clients, Health Information Management (HIM) partners and friends. Stop by Booth 1102 to say hello to the team, catch up and learn about MRO’s successful ROI solutions.

Our team of ROI experts will be available at the booth to discuss Protected Health Information (PHI) disclosure management topics, including enterprise-wide solutions for ROI, cybersecurity, BA management, payer audit and review strategies, and the compliant management of patient-directed requests.

If you don’t make it to the booth, you can take advantage of MRO’s experts during the conference at the learning opportunities listed below:

AHIMA’s Privacy and Security Institute

Saturday and Sunday, September 14-15
10:30am – 11:45am

Rooms E451A & E353A

MRO is proud to sponsor this year’s Institute, and Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, will participate in Sunday’s presentation “Assessing Privacy and Security Compliance.

Enterprise-Wide Disclosure Management: Penn Medicine’s Journey in Outsourcing Release of Information

Monday, September 16
2:20pm – 3:10pm

Exhibit Hall, HIM Expert Theater Andersonville

Join me and my colleague, Sherine Koshy, MHA, RHIA, CCS, Corporate Director of Health Information Management at Penn Medicine, for this presentation on proven practices for outsourcing Release of Information and successful enterprise-wide implementations.

The Next Big Story: BA Management Tips to Keep Your Organization Out of the Headlines

Monday, September 16
7:30am – 8:30am

Don’t miss “The Next Big Story: BA Management Tips to Keep Your Organization Out of the Headlines” given by my fellow teammates and subject matter experts, Rita Bowen and Anthony Murray, MRO’s privacy and security officers. This session takes a deeper dive into BA breaches and the effective strategies necessary to mitigate your organization’s risk.

Patient-Directed Requests: What’s the Elephant in the Room?

Tuesday, September 17
7:30am – 8:30am

Rise and shine!  Let’s talk about the elephant in the room. This Networking Breakfast is sponsored by AHIOS and we are honored to co-present on this industry hot topic.  MRO’s privacy and legal experts, Rita Bowen and Danielle Wesley, Esq., will discuss and analyze the current trends and challenges around the misuse of patient-directed requests by attorneys and record retrieval companies.  Mark it on your calendar and secure your spot today!

Time to Clear the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope

Wednesday, September 18
9:00am – 9:45am

Can’t make it to the breakfast or still want more?  This presentation will be your last chance to listen, learn, or join the discussion on one of the latest threats to one of HIM’s core functions – ROI.  Take advantage of time with MRO’s privacy and legal experts Rita Bowen and Danielle Wesley, Esq. as they discuss the current landscape on the attorney misuse of patient-directed medical record requests under HITECH. Walk away with tips and recommended practices for your organization to ensure compliance and patient satisfaction.

To schedule time with us, please complete the form on this page. We hope to see you there!

Meet us at AHIMA19

Read More

Webinar Recap – Enterprise-Wide Disclosure Management: Closing the Compliance Gaps

On June 27, 2019, MRO presented a webinar as part of our Protected Health Information (PHI) disclosure management educational series. In this presentation titled “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” we covered best practices for standardizing PHI disclosure management policies and procedures, ensuring consistent policy enforcement, and minimizing privacy breach.

The webinar content can be used as a guide for Health Information Management (HIM), privacy and compliance professionals to ensure the highest levels of compliance and prevent breach when disclosing PHI.

PHI Disclosure Management: Risky Business

MRO’s research shows there can be as many as 40 disclosure points across a health system. Most of these disclosure points tend to be managed outside the HIM department by individuals not trained in Release of Information (ROI). This trend of expanding disclosure points is one of the key factors driving breach risk in the ROI process.

Another risk factor involves gaps in the Quality Assurance (QA) around PHI disclosure. Research shows that approximately 30 percent of all ROI authorizations are initially invalid, and up to 10 percent of those invalid authorizations are processed with errors if ROI workflows lack redundant QA checks. Moreover, some 5 percent of patient data in electronic medical records (EMRs) have integrity issues, including comingled patient records. Without proper QA measures in place, about 0.4 percent of records released will contain mixed patient data, which means an organization releasing 100,000 requests annually could potentially release 400 comingled records. With that, comes substantial risk to a healthcare organization.

Enterprise-Wide Disclosure Management: Closing the Compliance Gaps

As described in the webinar, MRO recommends deploying an enterprise-wide strategy for PHI disclosure management to standardize policies and procedures, as well as technologies, across a health system. Having a streamlined ROI workflow as part of that strategy helps eliminate inefficiencies, distractions and errors.

Additionally, redundant QA checks are vital for disclosure accuracy. Providing a “second set of eyes” on all authorizations and PHI before release helps reduce improper disclosures. These quality checks should come from a combination of trained ROI specialists and record integrity technology, such as MRO’s IdentiScan®, that uses optical character recognition to locate and correct comingled records. This combination of people and technology drives improved accuracy and minimizes breach risk.

Breach Prevention: Best Practices for PHI Disclosure Management

The webinar includes eight best practices for minimizing breach in the Release of Information process. Here are six of those practices.

  1. Implement Multiple QA Checks on Requests. It is important to ensure the ROI authorization is legitimate. In reviewing authorizations, certain required information is often missing. A Quality Assurance check-in that involves multiple people helps to avoid a one-point area for failure. This double-check process ensures a complete review of that area for control.
  2. Sync Your ROI Platform to the MPI. It’s imperative to sync your ROI platform to your MPI to avoid manual information entry. This minimizes the possibility of making a mistake when entering information into your ROI platform. MRO offers a tool called MROeLink® that provides this type of integration.
  3. Send Notifications to Requesters. Sending initial notifications of receipt to requesters confirms that requests have been received and indicates who is processing them on your organization’s behalf. If a patient-directed request is obtained, you should notify the patient to let them know a patient-directed request has been received in case they did not direct the request.
  4. Ensure Shipping Integrity. Establish a QA process for shipping copies of medical records, such as a barcoding system that assists distribution center reps in ensuring the right content goes in the correct envelope.
  5. Leverage Secured Delivery. When possible, leverage secure, electronic delivery, including portals and direct interfaces with government agencies such as SSA and CMS.
  6. Hire, Train and Retain Exceptional People. It is essential to hire, train and retain exceptional people who will be touching PHI. These people must be properly trained and knowledgeable about the information they are handling, and understand the penalties involved. People working in the ROI industry must be highly trained and educated.

To get details on all our suggested best practices for breach prevention—and more information on compliant PHI disclosure management—request the playback of the presentation using the form below.

Request Webinar Playback

Read More