As part of the MRO webinar series this year, I recently presented HIM Workforce Training: Developing an Engaged Team. During this presentation, I discussed best practices for training and retaining your employees based on the evolving health information management (HIM) landscape which demands new skill sets and coping with the new normal for the workforce.

Health Information Management: New Hire Checklist

Since the first step of an employee’s journey with a company is the onboarding process, using a new-hire checklist is critical. This document should include facility orientation topics, a job description, policies and procedures, systems, and any important forms. Other areas of consideration throughout the employee’s entire journey with the company are HIPAA, compliance, customer service, department functions and record lifecycles.

Lesson Plans Through Video and Slides

Creating lesson plans based on specific employee roles is an easy way to stay organized and keep a record of what employees are learning. For example, a lesson plan on “The Medical Record” designed to cover topics such as encounters, common documents, corrections and amendments, confidentiality and legal issues, and legal health record versus designated record set can be a good start for an overview of HIM topics. Switching it up with slides, documents, and videos across categories helps to keep the employees engaged and interested in the content. When confronted with a decision about how to teach a topic, always choose a video because people enjoy them the most. Also, don’t forget to quiz your employees along the way to make sure they retain what they are learning.

Training Video Content on HIM and ROI

I encourage you and your staff members to create your own videos. If you have an employee expert on a topic, engage them to produce a video for you. It engages the team and they will feel connected through their coworker. Other organizations, such as OCR and AHIOS, provide excellent video content. It’s a good idea to continually check such sites for updated training videos that you can use for your own workforce. Many videos covering HIM topics, especially customer service, are available on YouTube.

Create Relatable Stories for More Memorable Lessons

When teaching employees about important topics, telling a story that is easily remembered can be helpful. For example, to drive the point about HIPAA and confidentiality, talk about finding out your neighbor had a baby. If your neighbor’s husband tells you she had a baby, you can tell the world, because her husband told you directly. If you find out your neighbor had a baby because you see her name on the hospital admissions list, then you cannot share that information because you learned it through your job, making it confidential per HIPAA. I find that employees are more likely to remember a simple yet impactful story.

Mixing up the trainings with games, quizzes, and anything fun is a good way to engage employees to enjoy learning. For example, have employees play a security game where a hacker is trying to get to an unsecured computer before they do, or perhaps play HIPAA Jeopardy.

Stronger Training Programs for Stronger Future Leaders

As employees continue to work for your organization, it is important to create training programs that further develop their skills. These programs will vary depending on specific job functions. Create plans, especially leadership development plans, to grow your future leaders.

During the webinar presentation, I provided valuable videos and resources that can be used for employee development and engagement activities. To get the most from these valuable resources, I encourage you to request the playback along with the slides.

To learn more about developing an engaged workforce, complete the form below to request playback.

MRO recently kicked off the 2020 webinar series, focusing on best practices related to industry trends and challenges, leadership development and regulatory changes that affect the secure and compliant exchange of protected health information (PHI). My colleague Angela Rose and I recently presented the first webinar of the series, Optimizing and Maintaining Operations and Workflows: HIM Life in a COVID World. During this presentation, we explored the new normal for health information management (HIM) professionals during the ongoing pandemic.

Current Health Information Management Environment

Since the beginning of COVID-19, many things have changed in the healthcare environment. More people are working from home, telehealth visits have skyrocketed, and there has been increased demand on hospitals and health systems. Moreover, shortages of supplies and resources, as well as exhausted and limited staff, have put the healthcare industry to the test.

We have also seen many laws and restrictions put into place, or changed altogether, resulting in the need to stay up to date with the latest changes. For instance, many organizations need to review what disclosures are permitted when releasing PHI during a pandemic. Some of those permitted disclosures include the following:

• To provide treatment
• To notify a public health authority to prevent or control spread of disease
• To alert first responders at risk of infection
• To prevent/lessen the threat to the health and safety of a person or the public
• To assist a law enforcement official or correctional institution – Only when the PHI is needed for: providing healthcare to the individual or protecting the health and safety of other individuals present including the person transferring the individual, the law enforcement on site, and the administration at the site
• When required by law

Recently, the HHS released statements regarding the release of PHI to the media, as well as contacting former COVID-19 patients about blood and plasma donations. There has been absolutely no change to the rule that PHI cannot be disclosed to the media, including film footage where patients’ faces are blurred or masked. However, the HHS did release a statement that contacting a patient about blood and plasma donations is permitted under HIPAA as a population-based healthcare operations activity, provided it does not constitute marketing. I recently wrote a blog post about that topic, which you can read here.

Telehealth – Changing Environment

In February 2020, prior to the COVID-19 outbreak, only 0.1% of Medicare primary visits were via telehealth. Fast forward to April 2020, and telehealth accounted for 43.5% of those visits. Another survey of about 300 practitioners, including primary care and specialists, indicated that prior to the pandemic, only 9% of patient interactions were via telehealth. That number jumped to 51% during quarantine, and increased across many specialties including psychiatry, gastroenterology and neurology. In July 2020, the HHS published a comprehensive study on Medicare beneficiary use of telehealth visits, including early data from the start of the pandemic.

Looking forward, there will be a permanent place for telehealth. As patients use telehealth, which is easy and convenient, it will become increasingly difficult to take that option away. Therefore, policies and procedures must be put into place to appropriately account for telehealth. Business associate agreements should be reevaluated as part of that process. Many thought leaders in the healthcare industry predict the need for a new executive position within hospitals and health systems—Chief Telehealth Officer.

Release of Information

We are now about six months into the pandemic, and half of the walk-in windows at hospitals are closed. While some had reopened, many closed again. As a result, many alternative workflows are still in place. To receive record requests, facilities are using secure onsite drop boxes and mail as well as virtual electronic options including fax, email and portals. For delivering requests, options include minimal-contact, in-person appointments and virtual electronic options—fax, email, portals and electronic submission such as esMD, SFTP and ERE.

While most workforces are still temporarily operating remotely, many will remain that way permanently. Ensuring your teams are ready means having policies and procedures for the following areas:

• Home workspace requirements
• Devices and connectivity
• Use and disclosure of PHI
• Reporting incidents
• Work days/hours
• Expenses
• Help
• Sanctions

Readiness also requires proper education and training. For instance, there has been a major uptick in fraudulent emails, phone calls and even text messages. Organizations must make sure that all employees know what fraud looks like, and how they can maintain a safe working environment while at home. In fact, my colleagues Angela Rose and Anthony Murray will be presenting Security in a Virtual Environment: Protecting Your Workforce at Home on October 21, 2020.

Thought Leadership

If you are looking to be a thought leader within your organization during the pandemic, there are important factors to keep in mind. Know your environment by understanding your organization’s policies and protocols including response times, action items, workforce exposure protocols, sanitization schedules and contamination controls. Knowing how to communicate both internally and externally regarding these procedures is also essential to becoming a thought leader.

Another important piece is thinking outside the box to achieve success. Adjust KPIs and benchmarks based on realistic, attainable goals. Look at your KPIs pre-pandemic, measure what is going on now and then re-identify appropriate benchmarks. Also be sure to hold regular meetings and touch base with your workforce. To make your meetings more interactive, include video so you can connect with your teams more personally, and make sure they’re engaged and productive during the calls.

Above all, communicate and stay current on what’s going on in the industry. Continue to attend webinars and learn more from other thought leaders in your field. Here at MRO, we will continue to provide thought leadership and educational sessions to keep you up to date on current events.

To learn more about HIM life in a COVID world, complete the form below to request playback.

Recently, MRO hosted a webinar series on the 21st Century Cures Act focusing on the Information Blocking Rule and Interoperability. I joined other industry experts to provide highlights of the rule, take a closer look at the technical requirements, and analyze the impacts on HIPAA.

While the series has come to an end, the recorded playbacks of each session are still available for download, and to earn 1 CEU per session. For those who did attend, this blog is a recap of the entire series. And for those who did not attend, below is a sneak peek at the information you can learn from the recordings. Our goal is to help clear up some of the current confusion related to the rules.

How did we get here?

In order to understand where the rule originated, we must first look at the history of information blocking according to the Office of the National Coordinator (ONC). Complaints received at health IT developers included fees for sending, receiving or exporting electronic health information (EHI), charging for common interfaces and pricing designed to deter connectivity, to name a few. On the other side, complaints against providers included instances of controlling referrals to enhance market dominance, and the reference of HIPAA to deny the exchange of EHI.

Due to these unsolicited complaints, the ONC decided to release key recommendations in April 2015. These recommendations included the following:

• Constrain standards and implementation specifications
• Ensure greater transparency in certified health IT products and services
• Provide governance rules that deter information blocking
• Improve understanding of HIPAA privacy rule and security standards related to information sharing
• Work with CMS to coordinate healthcare payment initiatives and leverage other market drivers that reward interoperability and discourage information blocking
• Promote competition and innovation in health IT and healthcare

As a result, the 21st Century Cures Act was created. The key objectives include accelerating drug and medical device development, addressing the opioid crisis, improving mental health service delivery and enhancing nationwide interoperability of EHRs.

To download our infographic explaining the rule, click here. 

Information Blocking Rule Details

While this rule does impact healthcare providers, health IT developers of certified health IT and health information networks/health information exchanges, it does not necessarily impact business associates. It is imperative that business associates determine whether they are considered an “actor” and required to comply. Impacted entities must certify that they:

• Do not engage in information blocking
• Provide assurances that developer or entity will not engage in information blocking
• Do not prohibit or restrict certain communications
• Publish APIs and allow health information to be accessed, used and exchanged without special effort through the use of APIs
• Conduct real world testing
• Ensure attestation is completed

As defined by the rule, the above applies to electronic health information (EHI)—all electronic information regarding the patient’s health information as defined in the facility-specific electronic designated record set (DRS). The definition of EHI is based on how an organization defines their DRS. If it’s not properly defined, the definition is left open to interpretation.

Defining the DRS is a requirement under HIPAA and is a key component to ensuring the patient has appropriate access to their healthcare. Beginning in 2022, the scope of EHI will be broadened so it’s important to understand the rule and its requirements.

Some Exceptions

The rule did finalize eight exceptions, divided into two categories. The first category involves not fulfilling requests to access, exchange or use EHI, and includes:

• Preventing harm – aligns with HIPAA’s harm exception but must be consistent with organizational policy
• Privacy – protecting an individual’s privacy
• Security – protecting the security of EHI
• Infeasibility – meeting one of the requirements noted in the rule with a response provided to the requester within 10 business days of request receipt specifying the infeasibility exception
• Health IT performance – scheduled maintenance or downtime due to a security risk

The second category involves fulfilling requests to access, exchange or use EHI, and includes:

• Content and manner – fulfilling a request in an alternative manner if unable to fulfill as requested
• Fees exception – charging fees related to costs, which is not to be based on competition with another actor, but instead based on objective and verifiable data uniformly applied
• Licensing – actors protecting the value of their innovations and charge reasonable royalties in order to earn returns on the investments they have made to develop, maintain and update those innovations

Actions to Consider

Now that the rule is final and the first pieces of compliance are approaching in November 2020, organizations must consider the best course of action forward. A great resource that I highly recommend is The Sequoia Project, which is continually updating its resources page for the HealthIT community. They are providing additional webinars, toolkits and reports.

MRO will also continue to publish relevant content around the information blocking rule and interoperability. My colleague Rita Bowen will present Information Blocking Rule: The Impact to HIM later this year on November 18, 2020. Be sure to mark your calendar!

Above all else, remember the basics for creating or updating a compliance program. Begin with the end in mind. What are your goals? Determine whether your organization is considered an actor. Review your current program and determine what modifications or new items are needed to remain ahead of the game. Make the changes and implement them through education and training.

To learn more about the information blocking rule from our panel of industry experts, complete the form below to request playback for the entire series.

The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently issued guidance on how providers can contact former COVID-19 patients regarding opportunities for blood and plasma donations. Though healthcare providers can use Protected Health Information (PHI) to identify and contact previous patients, specific guidelines should be followed.

What the guidance outlines

Contacting previous COVID-19 patients to notify them of opportunities for donating blood and plasma is allowed in order to assist healthcare providers in collecting antibodies for treatment of other patients with COVID-19. The use of PHI for this purpose is permitted as a population-based healthcare operations activity, as outlined in the HIPAA Privacy Rule for HIPAA covered entities and their business associates. Furthermore, facilitating the supply of donated blood and plasma is expected to improve the provider’s ability to conduct case management for patients who have been infected with COVID-19.

However, safeguards remain in place when contacting previous COVID-19 patients. The provider can contact its previous patients for this purpose, without authorization, to the extent that the activity is not considered marketing. As defined by HHS, marketing is a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service. However, under one exception, a covered healthcare provider is permitted to make such a communication for the population-based case management and related healthcare operations activities, provided there is no payment associated with the activities.

Additionally, providers are not permitted to share PHI with third parties. For example, a provider cannot release a patient’s PHI to a blood and plasma donation center so that the center can contact the patient for its own purposes, such as collecting the blood and plasma for a profit. For such a transaction to occur, the provider must receive the patient’s authorization prior to making the disclosure of PHI.

For more information, the complete guidance can be found here.

In these unprecedented times, there is much talk of the novel coronavirus (COVID-19) as it relates to HIPAA and the privacy of patient information. The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently provided a statement to ensure all parties are aware of how patient information can be shared during an infectious disease outbreak. The purpose of the statement was to remind business associates and other entities covered by HIPAA that the Privacy Rule is not set aside during an emergency.

What this means for caregivers

Anyone who has been recognized by the patient will be allowed to continue receiving patient information. Additionally, HIPAA-covered entities are permitted to share the information in order to identify or locate a patient, and to notify the family members, guardians, or other caregivers of the patient’s general health condition or death. Furthermore, the information can be disclosed to law enforcement, the press or the public at large if necessary, to identify or locate the patient.

In any of the above cases, verbal permission from the patient should be obtained prior to the disclosure of information. However, the HIPAA minimum necessary standard does apply. This means that healthcare providers should make a reasonable effort to ensure any disclosed PHI is protected and restricted to the minimum necessary information, and only used to achieve the intended purpose.

What this means for business associates

While caregivers involved may share information as needed for public health purposes, business associates may not release the information without express authorization. If there is a legitimate need for public health authorities, or others responsible for ensuring public health and safety, to access protected health information required to carry out their public health mission, then and only then may the covered entity release the information. For example, should a facility ask that a business associate, such as MRO, release information verbally, the business associate is required to obtain a waiver of protection to do so. This is because the rule specifically indicates that business associates are to continue with the use of the protected information as outlined in the business associate agreement.

To learn more, and read the entire HHS release, click here.

MRO and I are proud to announce our 2020 webinar series. I would like to invite you to join me and my colleagues to review, analyze and discuss the hottest topics impacting Protected Health Information (PHI) today.

This year’s webinar series focuses on best practices related to industry trends and challenges, leadership development and regulatory changes that affect the secure and compliant exchange of PHI. The sessions address the needs of Health Information Management (HIM), privacy, compliance, risk management, security and other healthcare professionals seeking up-to-date information. Don’t miss the opportunity to learn from seasoned industry experts!

Highlighted below are the four sessions included in our webinar series.

The Right ROI Solution, Information Blocking, Workforce Training, and Privacy and Security Trends

Release of Information: Industry Changes and the Road to the Right Solution

This presentation explores results from a nationwide survey of senior HIM professionals about the ROI challenges, priorities and strategies at the forefront of today’s healthcare ecosystem. The survey was commissioned and published by MRO and conducted by Porter Research. I will guide attendees through a discussion regarding the right time to consider a new strategy and ROI partner, the meaning of transparency in partnership, key criteria for success and more.

Information Blocking Rule: The Impact to HIM

The Information Blocking Rule encourages the flow of information for patient-enhanced management of their own healthcare through the use of health information. As a result, we expect to see increased patient-directed flow of their health information to APIs and other support management tools. MRO’s privacy and compliance expert, Rita Bowen, and MRO’s legal expert, Danielle Wesley, Esq., will discuss how this rule appears to conflict with areas of HIPAA and what that means for HIM departments.

HIM Workforce Training: Developing Tomorrow’s Leaders

The evolving HIM landscape demands new skillsets and expertise for the workforce. MRO’s motivation and development expert, Mariela Twiggs, will provide best practices for training and retaining your employees. Attendees will take away valuable knowledge to develop their staff into tomorrow’s leaders.

Watch List: 2021 Privacy and Security Trends

This presentation recaps 2020 privacy and security trends affecting the HIM industry. The session also focuses on the outlook for HIM in 2021 and how to prepare for the future. MRO’s privacy and compliance expert, Rita Bowen, and MRO’s IT expert and CIO, Anthony Murray, will review watch list resources and provide related links. This timely information is most valuable to HIM directors, compliance and privacy officers, security officers, chief information officers and chief financial officers.

I will present our first webinar, Release of Information: Industry Changes and the Road to the Right Solution, on April 15, 2020 at 2 pm ET. Register today!