In these unprecedented times, there is much talk of the novel coronavirus (COVID-19) as it relates to HIPAA and the privacy of patient information. The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently provided a statement to ensure all parties are aware of how patient information can be shared during an infectious disease outbreak. The purpose of the statement was to remind business associates and other entities covered by HIPAA that the Privacy Rule is not set aside during an emergency.

What this means for caregivers

Anyone who has been recognized by the patient will be allowed to continue receiving patient information. Additionally, HIPAA-covered entities are permitted to share the information in order to identify or locate a patient, and to notify the family members, guardians, or other caregivers of the patient’s general health condition or death. Furthermore, the information can be disclosed to law enforcement, the press or the public at large if necessary, to identify or locate the patient.

In any of the above cases, verbal permission from the patient should be obtained prior to the disclosure of information. However, the HIPAA minimum necessary standard does apply. This means that healthcare providers should make a reasonable effort to ensure any disclosed PHI is protected and restricted to the minimum necessary information, and only used to achieve the intended purpose.

What this means for business associates

While caregivers involved may share information as needed for public health purposes, business associates may not release the information without express authorization. If there is a legitimate need for public health authorities, or others responsible for ensuring public health and safety, to access protected health information required to carry out their public health mission, then and only then may the covered entity release the information. For example, should a facility ask that a business associate, such as MRO, release information verbally, the business associate is required to obtain a waiver of protection to do so. This is because the rule specifically indicates that business associates are to continue with the use of the protected information as outlined in the business associate agreement.

To learn more, and read the entire HHS release, click here.

MRO and I are proud to announce our 2020 webinar series. I would like to invite you to join me and my colleagues to review, analyze and discuss the hottest topics impacting Protected Health Information (PHI) today.

This year’s webinar series focuses on best practices related to industry trends and challenges, leadership development and regulatory changes that affect the secure and compliant exchange of PHI. The sessions address the needs of Health Information Management (HIM), privacy, compliance, risk management, security and other healthcare professionals seeking up-to-date information. Don’t miss the opportunity to learn from seasoned industry experts!

Highlighted below are the four sessions included in our webinar series.

The Right ROI Solution, Information Blocking, Workforce Training, and Privacy and Security Trends

Release of Information: Industry Changes and the Road to the Right Solution

This presentation explores results from a nationwide survey of senior HIM professionals about the ROI challenges, priorities and strategies at the forefront of today’s healthcare ecosystem. The survey was commissioned and published by MRO and conducted by Porter Research. I will guide attendees through a discussion regarding the right time to consider a new strategy and ROI partner, the meaning of transparency in partnership, key criteria for success and more.

Information Blocking Rule: The Impact to HIM

The Information Blocking Rule encourages the flow of information for patient-enhanced management of their own healthcare through the use of health information. As a result, we expect to see increased patient-directed flow of their health information to APIs and other support management tools. MRO’s privacy and compliance expert, Rita Bowen, and MRO’s legal expert, Danielle Wesley, Esq., will discuss how this rule appears to conflict with areas of HIPAA and what that means for HIM departments.

HIM Workforce Training: Developing Tomorrow’s Leaders

The evolving HIM landscape demands new skillsets and expertise for the workforce. MRO’s motivation and development expert, Mariela Twiggs, will provide best practices for training and retaining your employees. Attendees will take away valuable knowledge to develop their staff into tomorrow’s leaders.

Watch List: 2021 Privacy and Security Trends

This presentation recaps 2020 privacy and security trends affecting the HIM industry. The session also focuses on the outlook for HIM in 2021 and how to prepare for the future. MRO’s privacy and compliance expert, Rita Bowen, and MRO’s IT expert and CIO, Anthony Murray, will review watch list resources and provide related links. This timely information is most valuable to HIM directors, compliance and privacy officers, security officers, chief information officers and chief financial officers.

I will present our first webinar, Release of Information: Industry Changes and the Road to the Right Solution, on April 15, 2020 at 2 pm ET. Register today!

I have a fabulous job title: Senior Director of Motivation and Development. When I meet people, they often comment on my title, saying it’s intriguing and then ask what I do. The development aspect of my job at MRO Corp. includes managing all the training content—creating engaging lessons within our learning management system for our large, diverse workforce. But the truly heartwarming and rewarding part of my job is the motivation aspect. It is my responsibility to manage a program that inspires our workforce. I often joke that I get to play MROprah!

Creating Everyday Heroes

The biggest piece of our motivation plan is a program called Everyday Heroes, which celebrates team members who go above and beyond in their job performance. On a bimonthly basis, we produce an Everyday Heroes Newsletter that tells stories about how the actions of a team member touched someone’s life. The stories come from a variety of sources, but each one is about an MRO customer who received outstanding service and took the time to email an employee’s manager. Sometimes these happy customers send a gift of appreciation or call MRO to say they had a wonderful customer service experience. By far, most of these satisfied customers are patients whose lives have been touched.

Additionally, there are customers such as attorneys, insurance company representatives and our clients who write lovely letters to sing someone’s praises. Sometimes a staff member is asked to tell a noteworthy story about their own MRO coworker. Further, the newsletter features a section called “My Manager Cares” where an employee nominates a manager for excellent leadership and an inspirational skillset.

I recently shared with my daughter that one of my career accomplishments I’m most proud of is being able to touch one person’s heart. This is a privilege I treasure. As the Everyday Heroes program begins its fourth year this January, our CEO asked me how we find all the stories. I explained that inspiration is contagious, so team members and managers continue to send me great material.

I like to say, “We don’t just disclose health information, sometimes we save lives.”

Celebrating Great Customer Service at MRO Corp

Many ROI specialists who handle patient walk-in requests often say the most enjoyable part of their job is making a difference in a patient’s life. Our program celebrates these moments and gives people recognition for great customer service. When acknowledged as an Everyday Hero, honorees receive a gift box with a gift card, an MRO Hero frame containing their story, a candygram and a chance to enter a drawing for a big cash prize. Historically, we’ve had around 60 team members per year receive this honor. At the end of each year, we randomly draw three Everyday Heroes and one “My Manager Cares” for the big cash prize.

How We Make a Difference

As I reflect on all the newsletters I’ve written over the years, some memorable stories come to mind. In one case, a patient was in the middle of surgery when a report from an old chart was needed. Our staff member made the request a top priority and walked the report to the surgery area.

In another case, a husband came in to obtain his wife’s report, explaining that she was in the car because she had difficulty walking. To make things easier, our staff member walked to the requester’s car to obtain the patient’s signature on the authorization form.

Another story that comes to mind featured a manager who stayed at work in the Distribution Center during a blizzard because many employees were unable to get to work. It’s so great to hear, “I have been working for many years with many bosses, but I have never had a manager make a difference in my life the way my MRO Manager has done.” Heartwarming, inspirational, making a difference. We care!

Here are some photos of gifts that have been received by staff members:

To stay updated on our heartwarming and inspirational “Everyday Heroes” sign up to receive MRO’s newsletters. 

During the week of November 11, 2019, I visited Capitol Hill with colleagues from the Association of Health Information Outsourcing Services (AHIOS) to address concerns regarding patient access to medical records. As many HIM professionals are aware, in February 2016 the Office for Civil Rights (OCR) released guidance on patient access to health information that is being misused by third parties. During our time on Capitol Hill, we met with staffers from the offices of senators and state representatives of both parties to voice our opinions.

Protected Health Information: Help Make a Difference in Patient-Directed Requests

While this trip to Washington, D.C. was very successful, we will continue to make many trips in 2020 to voice our concerns to policymakers. One critical takeaway is that constituents (both hospitals and patients) need to reach out statewide to the people who can make a difference with regard to this issue. Constituents need to contact their senators and state representatives to express the struggles and hardships related to patient access in their respective states, growing privacy concerns, and in the case of hospitals, cost shifts back to your facility.

If a constituent’s state has a U.S. senator serving on the Health, Education, Labor and Pensions (HELP) Committee, then they should especially reach out to share their patient access concerns. MRO’s legal, privacy and compliance teams are available to all clients to assist in identifying HELP committee members, as well as other key senators and state representatives in their respective states.

Learn More About Protected Health Information

MRO is currently working alongside industry experts to make a difference on Capitol Hill.

To learn more about our visit and our 2020 initiatives, join me and my colleague, Rita Bowen, for our upcoming webinar by registering below.

National Cybersecurity Awareness Month, initiated by the National Cybersecurity Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance, is observed in October. The purpose is to raise awareness about the importance of cybersecurity, which is essential to the business operations of MRO. As our company’s information systems security officer, I saw an opportunity to review some important cybersecurity points to protect your online presence this month and beyond.

IT Security Basics for Breach Prevention

Though sophisticated measures are an important part of an effective cybersecurity plan, it is essential to always remember the basics:

• Use passwords – Not only should you have one, you should create one that includes numbers, symbols, and upper- and lower-case letters. And never use your name, birthday or an existing password. Use different passwords across systems, so that if a hacker accesses one system, they cannot easily access all the others. Finally, never share your password. Just because you trust someone does not mean they will protect your password.
• Lock your device – When you are away from your device, lock it to prevent people from viewing sensitive information or using the device. This goes for computers, mobile devices, tablets, etc. Set your device to lock automatically after a certain period of inactivity for stronger data breach prevention.
• Use a secure WIFI connection – Connections at hotels, coffee shops, airports and other public places are not secure. Even if a password is required to use the WIFI at a trusted business or location, those connections are by no means secure and are vulnerable to hacking.

Phishing

In a phishing attack, cyber criminals use an email to lure you into giving them more information. These emails usually look real and are excellently designed to trick you. They will try to collect financial information, login credentials or other sensitive data. Sometimes these criminals use malicious web links, attachments or fraudulent data-entry forms to install harmful software called malware on your device. Falling for a phishing attempt can have serious long-term impacts on your work and home life. Many companies have had billions of confidential personal data leaked, and many people have had their bank accounts cleared out, all due to successful phishing by cyber criminals.

How can you protect yourself against phishing? Follow these simple, but effective steps:

• Think before you click – Does it sound too good to be true? Do you know the sender? Does it have any links or attachments? Does it ask for money, credentials or any other sensitive information that you would not give to a stranger?
• Verify attachments and links before you open them – Hover over the link to see where it is taking you. Do you know that site? Visit the site on your web browser (NOT by clicking the link, but by doing a quick search), and then call the number on the site to inquire about the email message.
• Double and triple check – Email addresses can be “spoofed” meaning they appear to be from a trustworthy source, when in fact they are not. Brands and logos can be copied and pasted from the real, reputable site. Even links can be disguised as legitimate when they are not. Before you do anything, you need to be 100 percent sure that everything is legitimate. When in doubt, simply do not open, click or respond. Report it to your IT security team.

Ransomware

Ransomware is a malicious software that cyber criminals use to deny access to your system or data. These criminals will hold your system/data hostage until ransom is paid. After the initial infection, there will be attempts to spread the ransomware to shared drives and systems. If the demands are not met, the system could remain unavailable or even be deleted altogether.

How do you know if you have ransomware on your computer? A window will pop up telling you that you have XX amount of time to pay a certain amount of money to avoid losing your system or data.

If that happens, take the following steps:

• Unplug the power cord from the back of your PC—don’t just turn it off
• Contact your IT department (via phone) for assistance
• Contact your supervisor

Ultimately, the best way to ensure this does not happen is to avoid unknown links, ads and websites. Do not download unverified attachments or applications. At home, keep your software up to date, and back up data files to a secure location daily. As always, if it looks suspicious, simply do not open, click or respond.

Social Engineering Tactics

Social engineering attacks are directed specifically at human beings. Hacking a human is much easier than hacking a business, so be on the lookout! There are three basic tactics used in this type of hacking. Be aware, and don’t fall for these common tricks:

• In person – Someone gains access through an open door or pretends to be a service technician, someone buys you a drink and tries to extract information, someone looks at your unattended device, or someone is left unattended to use your computer, perhaps during a troubleshooting session
• Phone – Someone calls you pretending to be from an organization asking for donations, pretending to be your bank with a pre-recorded message and asks you to call back to confirm information, or pretending to be a person in authority who intimidates you to give them information
• Digital – Someone uses phishing, someone mimics a trusted social media page to get you to click on malicious links, or someone uses common typos for brand URLs to make you think it’s the real site and click on malicious links

National Cybersecurity Awareness Month: Sobering Stats

Homeland Security recently published some sobering statistics about cybersecurity. Don’t fall victim and be a part of these statistics:

• 47 percent of American adults have had their personal information exposed by cyber criminals
• 600,000 Facebook accounts are hacked every single day
• 65 percent of Americans who went online received at least one online scam offer

Though National Cybersecurity Awareness Month is observed during October, the advice and resources provided above can and should be used all year round to improve cybersecurity in the office and at home. Be a strong link in the cybersecurity chain and practice what you have learned every day.

Recently, at the AHIMA Health Data and Information Conference in Chicago, I had the pleasure of presenting with my colleague Sherine Koshy, MHA, RHIA, CCS, Corporate Director of HIM at Penn Medicine, about her experience outsourcing Penn Medicine’s release of information (ROI) function.

Our presentation was held in the HIM Expert Theater where we discussed why enterprise-wide disclosure management is so important in today’s healthcare ecosystem.

We had a great time networking among peers and sharing best practices as well as lessons learned along Sherine’s journey. The conference is a busy time with many opportunities for education. So, if you were unable to make our session, here are highlights of the points discussed:

Healthcare and HIT Environmental Scan

HIPAA is still the standard that sets the floor for the privacy and security of protected health information (PHI), but let’s not forget the other federal and various state laws that also affect PHI safeguards and disclosures. We’ve all heard that HIPAA 2.0—the reboot for a modernized version—is coming to catch up with the continually changing healthcare and HIT environments. As part of the healthcare evolution, patients have become more actively involved in their own care, a trend that demands timely and accurate disclosure management practices.

Why Enterprise-Wide Disclosure Management?

 As outlined in our presentation, the benefits of an enterprise-wide disclosure management approach include the ability to:

• Standardize workflows
• Review/update policies and procedures
• Improve the customer experience
• Achieve compliance
• Mitigate risk

Nationwide ROI Survey Results

 We summarized the results of a survey that MRO recently commissioned to a third party, Porter Research, to find out more about current ROI needs and requirements. The survey found that senior HIM professionals experienced two top business challenges:

• Dissatisfaction with their ROI vendor—including missed service level agreements (SLAs), compliance issues/breaches, and lack of support/poor service quality
• Need for standardization of the ROI process—due to a high volume of ROI requests, multiple locations and need for one single platform: one EMR and one ROI vendor for consistency

The study also revealed five essential attributes organizations consider when searching for an ROI solution or a new ROI vendor. Those include:

• Ease of use—a dependable system that is user-friendly
• Workflow—efficient and effective to ensure timely and accurate disclosures
• Turnaround time—requirements met according to timelines, if not sooner
• Industry reputation—customer satisfaction, company integrity, and staff credibility
• Ability to handle volume—to ensure quality of service does not fluctuate with request volume

 Penn Medicine’s ROI Journey

 Penn Medicine is located in and around the Philadelphia, Pennsylvania area and includes 6 hospitals (7,163 physicians), 10 multispecialty centers, and 800+ physician practice locations. The system is ranked by U.S. News & World Report as No. 1 in the state of Pennsylvania.

Like many other organizations, Penn Medicine faced challenges with their ROI solution and realized the need to evaluate the following:

• Level of quality—internal issues and patient complaints due to backlog in requests
• Customer service—lack of partnership and trust in the relationship, and a reactive instead of proactive approach when taking on issues
• Patient complaints—increase in complaints across the entire health system
• Staffing—high turnover and inability to keep up with demand for new employees
• Productivity and turnaround time—compliance risk due to missed deadlines
• Technology—platform not user-friendly, inability to integrate with the existing EHR

Ultimately, Penn Medicine made the tough decision to change ROI vendors, and focused on top priorities:

• Ensure excellent customer service and response times to Penn Medicine and, even more important, to the patient
• Create a one-stop-shop model allowing a patient to request records from anywhere in the enterprise at any one location
• Decrease privacy and security incident/breach rates
• Ensure system integration with Penn’s EHR

Many collaborative planning meetings paved the way for MRO to clearly understand Penn’s challenges and to define an effective transition plan for the organization’s future ROI state. A strong partnership was built by creating a team approach, investing in training and resources, and going above and beyond to bring Penn Medicine’s vision to life.

The transition proved to be successful for Penn, measured by the following outcomes:

• Compliant ROI—quality and accuracy improved, turnaround times were met, and productivity levels kept up with high volumes
• Customer service—increased satisfaction by allowing requesters to request and obtain any Penn Medicine record at any location
• Complaints—decreased significantly
• Staffing—low turnover and well-managed staff
• EHR integration—streamlined workflows and increased productivity
• Partnership—mutual trust and transparency between Penn Medicine and MRO

Enterprise-Wide Disclosure Management: Best Practices and Lessons Learned

Along any successful journey, issues must be resolved to achieve success. Partnership is essential. Penn Medicine’s ROI journey provides other healthcare organizations with valuable best practices and lessons learned:

• RFP—Create a multidisciplinary committee, define the process with timelines and due dates, define the most important criteria and attributes needed for your organization, establish a grading document and scale, and communicate regularly with the vendors
• Contracts—Ensure accountability and responsibility between parties in your BAAs, know payer contract verbiage and negotiated rates, and create realistic achievable SLAs
• Technological capabilities and limitations—Ensure ease of use, keep in mind possible integrations such as MROeLink®, maintenance, and downtime
• Communication—Create checks and balances, hold ongoing meetings to touch base (internally and with vendor), ensure all stakeholders are on the same page and change course if necessary
• Partnership development—Ensure transparency, team effort, reliability and above all, trust

To learn more about enterprise-wide disclosure management, and Penn Medicine’s ROI journey, fill out the form below to receive a copy of our presentation, originally presented at AHIMA 2019.