Check Request Status610-994-7500

What to Do and Not Do When Changing Health Information Management Vendors

 

 

 

 

 

 

 

 

The April 2019 Journal of AHIMA article “What to Do (and Not Do) When Changing HIM Vendors” served as a virtual roundtable featuring the experiences of three HIM leaders who successfully navigated HIM service vendor transitions. The MRO client panelists were Cindy M. Phelps, RHIA, Sr. Director, TSG Business Relationship Management, Carilion Clinic; Sherine Koshy, MHA, RHIA, CCS, Corporate Director HIM, Penn Medicine; and Kathleen J. Edlund, M.M., RHIA, Director of HIM, Trinity Health.

Topics discussed in the roundtable included challenges, lessons learned and practical strategies that help ensure quality service and a lasting collaborative partnership. As moderator of the discussion, I had an opportunity to focus on each expert’s type of vendor transition: transcription, EHR and Release of Information (ROI).

Challenges

Choosing the right vendor can be a challenging and daunting task, especially if your current service has been in place for a long time. Whether the service being considered for outsourcing options is in-house or with another vendor, the key to a successful transition is in the planning.

Some of the common challenges that prompted the panelists’ organizations to seek a better solution were: the need to have all users on one platform, service and quality issues, communication problems and lack of client support.

Lessons Learned

From their experiences addressing the challenges listed above, each HIM expert offered lessons learned and suggestions for other organizations to consider when transitioning service vendors. Here is a summary of their recommendations:

  • Conduct benchmark, research, and reference checks.
  • Establish key performance indicators (KPIs).
  • Engage multidisciplinary teams.
  • Conduct a pilot test.
  • Communicate and collaborate to build a trusted partnership.
  • Create a project charter.
  • Provide training and education.
  • Complete pre-implementation assessment documentation.
  • Create a visual diagram model of the process flow.
  • Ensure understanding of ancillary departmental (EHR) software systems.
  • Preserve a working relationship with the outgoing vendor.

Strategies to help ensure a lasting collaborative partnership

Each panelist offered components of a strong, collaborative partnership that promotes ongoing optimal outcomes. Here are five essential factors:

  • Monthly review meetings and open communication to discuss successes, concerns and issues with the vendor.
  • Engagement and availability of the vendor in the daily operational business.
  • Vendor sharing latest trends with development and with their other clients.
  • Annual onsite business review to highlight current state and share future state with key stakeholders.
  • Investment in the training and resources necessary to meet the needs of your organization.

The Journal of AHIMA article provides additional details regarding lessons learned, strategies and expert recommendations. To download a copy of the article, fill out the form below.

Download the Journal of AHIMA Article

Read More

2019 HCCA Compliance Institute Recap

 

 

 

 

 

 

 

 

The 23rd Annual HCCA Compliance Institute provided a wonderful learning experience focused on compliance in various areas of healthcare delivery. MRO was fortunate to have several representatives attending informative sessions and engaging in meaningful conversations with other attendees.

I was pleased to have the opportunity to co-present with our client, Melissa Landry, RHIA, Assistant Vice President of Health Information Management (HIM), Ochsner Health System on “Incident Response: Best Practices in Breach Management.” We covered the following topics during our presentation:

  • Current Environment and Statistics Related to Healthcare Breaches
  • Breaches under HIPAA and State Law
  • HIPAA Security Rule Safeguards that Address Incident Response Plans
  • Best Practices for Incident Response Plans
  • The First 24 Hours Following a Breach

Fill out the form below to request a copy of our presentation.

Session Takeaways

Of the numerous breakout sessions and learning tracks I attended, there were two in particular that I found to be very informative and insightful—updates from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Center for Medicare and Medicaid Services (CMS).

OIG Update

Joanne Chiedi, Principal Deputy Inspector General, HHS OIG, provided an enlightening keynote address. Her presentation encouraged compliance professionals to be bold and take action. Chiedi shared that at this time of disruptive innovation in healthcare, compliance must engage in these innovative conversations. Here are a few of her other key points:

  • We cannot oversee what we do not understand. Effective oversight requires understanding how healthcare is delivered today and how it will be delivered in the future.
  • Give Compliance the data. If anyone in your organization has data, Compliance should have access to it.
  • Compliance and innovation must advance together. Compliance can and should play a big part in getting innovation right in healthcare.

This presentation offered a comprehensive overview of the current healthcare ecosystem along with a description of the role compliance professionals play in upholding quality standards and processes.

CMS Update

Kimberly Brandt, Principal Deputy Administrator for Operations, CMS, joined the conference to deliver this update. Here is a preview of announcements that we can expect from CMS:

  • Patients over Paperwork
  • Interoperability and MyHealthEData
  • Opioid Epidemic
  • Program Integrity

This presentation provided attendees with the inside scoop and a great overview of what is on the horizon with CMS.

Continue Your Compliance Education by Attending MRO’s Upcoming Webinar

Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI through new technology and HIPAA-compliant policies and procedures.

In MRO’s upcoming webinar “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps. This session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain. Secure your spot today by registering here.

Request HCCA Incident Response Breach Management Slides

Read More

Four PHI Disclosure Management Webinars to Catch in 2019

 

 

 

 

 

 

 

 

As we move into 2019, it is important for healthcare professionals to stay up to date on the latest trends and best practices for managing Protected Health Information (PHI) disclosure across healthcare enterprises.

In MRO’s upcoming 2019 “Best Practices in PHI Disclosure Management” webinar series, the latest trends and best practices for organizations to consider will be covered. There are four parts to this webinar series, and each session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics in our webinar series, which MRO’s subject matter experts will go into more detail. To register, click here.

Webinar Watch List: Payer Audits, Compliance, Cybersecurity and Patient-Directed Requests

1) The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense
Payer requests for medical records are challenging, time-consuming undertakings for healthcare organizations, typically requiring the release of hundreds or thousands of patient records. MRO’s payer relations expert Greg Ford, Senior Director of Requester Relations and Receivables Administration, will share tips and best practices to shore up your defenses against the rising tide of payer requests for medical records.

2) Enterprise-Wide Disclosure Management: Closing the Compliance Gaps
Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits, and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI by implementing new technology and HIPAA-compliant policies and procedures. In this webinar, I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps.

3) Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI
In an era of evolving cybersecurity threats, healthcare leaders are challenged to be vigilant in their efforts to minimize risk and implement new, robust safeguards to protect the privacy and security of patient data. MRO’s security expert Anthony Murray, CISSP, Vice President of Information Technology and ISSO, and I will provide best practices for safeguarding PHI across your healthcare enterprise.

4) Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope
The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding clarification for healthcare providers, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in rising challenges for healthcare providers. MRO’s legal expert Danielle Wesley, Esq., Vice President and General Counsel, and I will provide clarity on the topic and cover strategies and tactics for combatting the related issues.

Register today for our first webinar, on the topic The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense.

Register for "The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense"

Read More

An Enterprise-Wide Approach to PHI Disclosure Management: Closing the Gaps in Compliance


In an era of regulatory reform and breach, privacy and security compliance is top of mind for health systems. Healthcare leaders are seeking ways to mitigate risk—including financial penalties, lawsuits, and reputational damage—by improving Protected Health Information (PHI) disclosure management processes. Many are embracing the benefits of taking an enterprise-wide approach and standardizing technology, policies and procedures across points of disclosure within their health systems.

In the December 2018 issue of HCCA’s Compliance Today publication, I authored “Enterprise-wide PHI disclosure management: Closing the compliance gaps,” which covered the following four topics.

Increased Focus on Small Healthcare Breaches

Small breaches affecting fewer than 500 patients at a time have become more frequent than the large cyberattacks we see publicized in the news. A cause of these breaches is improper disclosure of PHI during the Release of Information (ROI) process. With increased frequency and impact on patient privacy, small breaches are getting more attention from the OCR.

Small breaches can be just as costly as large ones in terms of penalties and reputational damage. The risks involved with multiple disclosure points and the lack of standardized processes make PHI disclosure difficult to direct and track, making breaches more likely. An enterprise-wide approach to PHI disclosure management is the recommended solution to the challenges faced by healthcare organizations.

PHI Disclosure Across the Enterprise

Although HIM departments still hold primary responsibility for handling PHI disclosures, other areas— including radiology, business offices, and physician practices— increasingly receive requests to release PHI. The issues around this trend pose risks that can lead to privacy breaches. Here’s why:

  • ROI is not a core responsibility of non-HIM staff—and it is not their top priority.
  • Other departments lack sufficient knowledge of rules and regulations governing the compliant release of patient information.
  • Specialized training and multi-tiered Quality Assurance are required to properly disclose PHI.

Quality Assurance Gaps in Release of Information

Quality and accuracy are important aspects of compliant PHI disclosure. However, since ROI workflows involve a variety of manual steps and are complex, there is room for error. Some startling statistics outlined in the HCCA article include:

  • Approximately 30 percent of all submitted ROI authorizations are initially found to be invalid.
  • With more than 100 possible combinations of errors or omission points across a wide variety of request types, up to 10 percent are processed with errors if the only line of defense is the person onsite logging the request.
  • 5 percent or more of patient data in EMRs have integrity issues, including comingling of patient records.
  • Well-trained ROI specialists will catch most of mixed records. However, with just one level of quality control, 1 in every 200 requests will included comingled records.

As a best practice, ROI authorizations and PHI should be checked for accuracy multiple times by specially trained ROI staff and sophisticated technologies to avoid non-compliant requests and/or comingled records. This can be best achieved if PHI disclosure management processes across a healthcare enterprise are streamlined through HIM.

Enterprise-Wide Approach to PHI Disclosure Management

A centralized, enterprise-wide approach to disclosure management is the optimal solution to the imminent challenges that healthcare professionals face. By standardizing processes throughout an organization and applying best practices under HIM’s expertise across the system, healthcare organizations can ensure a steady enforcement of enterprise disclosure policies, a manageable workflow, Quality Assurance and a consistent experience for patients and requesters of PHI. This approach enables healthcare organizations to have complete confidence in achieving compliance. An enterprise-wide strategy not only protects a patient’s privacy, it also protects the institution against breaches, financial risk, lawsuits, and reputational damage.

For more information on breach prevention and tips to protect your organization download MRO’s eBook “Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization”

Download MRO’s eBook "Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization."

Read More

Webinar Recap: Healthcare Regulatory Updates and Guidance

Healthcare Compliance

On Thursday, May 17, 2018 my colleague, Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services and I presented the second part of our four-part healthcare compliance webinar series. In this webinar titled “Healthcare Regulatory Updates and Guidance,” we covered some of the following key points:

Global Data Privacy Rule (GDPR)

The GDPR is current legislation that was proposed by the European Commission to strengthen and unify data protection for individuals in the European Union (EU). The goal of the regulation is to increase protection and enhance privacy rights on how data is collected and used regarding EU residents. This rule also applies to organizations outside the EU, such as the US, if it collects data.

Substance Abuse and Mental Health Services Administration (SAMHSA)

SAMHSA released an update in January 2017, which allows organizations to utilize an inclusive authorization whereby this sensitive information may be shared with an HIE or within an integrated delivery system which affords these patients with the same rights to high-quality care by allowing care givers to review necessary information. The update to the rule permits the disclosure or re-disclosure of this information as necessary to carry out lawful treatment, payment and operations. The required statement on this type of record now reads “Federal law 42 CFR Part 2 prohibits unauthorized disclosure of these records.”

Disclosures for Emergency Preparedness

Emergency preparedness and recovery planners are interested in the availability of information they need to serve people in the event of an emergency. The HIPAA Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.

Cybersecurity and Ransomware

Ransomware has forced health IT to get more aggressive towards increasing their security safeguards and protections against attacks through infected mails and websites. Attendees were reminded that the best ways to prepare and combat these attacks include:

  • Risk analyses and gap analyses
  • Ongoing end-user training
  • Appropriate and up to date patching
  • Utilization of advanced security protection tool

To learn more about this topic, sign up for our next webinar “Cybersecurity: Protecting your Healthcare Enterprise” on Wednesday, August 15, 2018 at 2pm Eastern.

Texting in Healthcare

Texting in healthcare can be a risk if not done so by meeting the technical safeguards of the HIPAA Security Rule. These safeguards include:

  • Access to PHI must be limited to authorized users who require the information to do their jobs
  • A system must be implemented to monitor the activity of authorized users when accessing PHI
  • Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN
  • Policies and procedures must be introduced to prevent the PHI from being inappropriately altered or destroyed
  • Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit

Future Outlook

Attendees also received insight on the changes and updates we may expect to see forthcoming in 2018. Some of these included:

  • Restitution back to victims who were harmed by a violation of HIPAA
  • Consideration to remove NPP signature forms
  • Good faith disclosures (related to Opioid crisis)
  • Potential changes in the requirement related to accounting of disclosures

Healthcare regulatory updates and government guidance are continuously evolving and can be difficult to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. For more information on these topics, fill out the form below to receive a copy of this webinar.

Receive a copy of the part 2 webinar recording and a PDF of the slides

Read More

Privacy Dashboards: A Powerful Tool for Compliant PHI Disclosure Management

Managing the release of Protected Health Information (PHI) is more complex than ever, due to evolving federal regulations, patient access rights, and pressure to manage and exchange health information electronically. With multiple departments releasing PHI, there are concerns and risks across the entire enterprise. For individuals whose primary tasks do not include PHI disclosure, privacy regulations are not foremost in their thoughts. Without ongoing education and process change, the potential for breach risk escalates. To mitigate risk, it is recommended that organizations centralize their Release of Information (ROI) and use privacy dashboards and data analytics technology.

Centralize Release of Information to Improve Privacy Compliance

Healthcare organizations should assign PHI disclosure and ROI tasks to a focused group of professionals who understand the regulations, receive ongoing education on changes, and realize the complexities of the process. This way, one department will have total control and responsibility of maintaining appropriate records of what information has been released, knowing where it’s going, and when to escalate notification issues. Managing information through one department will improve compliance and patient care.

Use Privacy Dashboards to Track Patterns and Trends

Every privacy incident yields valuable data to improve compliance. Privacy dashboards can be used as a powerful tool to show patterns and trends for smaller incidents — now being tracked by OCR — and for large events as well. Regardless of size, an organization’s ability to consistently identify and track trends is essential. You can find a list of all the features an effective compliance tool should provide in “Privacy dashboards: Tracking and reporting for compliant PHI disclosure management,” which appears in the May 2018 issue of HCCA’s Compliance Today.

The most important factors in compliance program management are constant awareness, communication, tracking and reporting through easy access to reliable and actionable data. Privacy dashboards help organizations determine root causes of incidents, so they can take the necessary actions to improve compliance.

Examples of corrective action include:

    • Revising compliance policies and procedures
    • Providing additional staff training on hospital policy and HIPAA regulations
    • Assessing and improving PHI disclosure management processes
    • Ensuring encryption of all devices used by staff

    As the volume of PHI requests continues to increase over time, so does the risk of breach. Using privacy analytics to identify compliance patterns and trends, improve operational processes, and resolve breach issues is increasingly important. Actionable compliance data has become a critical tool for healthcare organizations along the journey to value-based care.

    Learn more about privacy analytics by attending AHIMA’s Live Data Dive Webinar “Privacy Dashboards: What You Should be Tracking & Reporting” on May 9th at 9:30am Eastern. If you cannot make the live session, sign up for the playback webinar recording here.

Sign Up for Future Blog Posts

Read More

How to Ensure Proper PHI Disclosure across your Healthcare Enterprise

PHI Disclosure

When it comes to Protected Health Information (PHI), one of the main duties of Health Information Management (HIM) departments is to protect their patients’ privacy and ensure proper disclosure. HIM departments have had a long-held reputation of being the top disclosers of PHI within a healthcare enterprise. However, recent trends in PHI disclosure management are changing things around. Combined requests from other areas such as radiology, business offices, and physician practices are matching, if not exceeding, the PHI disclosure volumes in HIM. This combination of departments managing PHI disclosure causes high volumes of records and increases risk. Below are a few best practices, as outlined in a Journal of AHIMA article, for how HIM professionals can ensure proper disclosure and mitigate breach.

Know the Risky Spots: Audit your Points of PHI Disclosure

A practical first step is to conduct an enterprise-wide audit of all disclosure points. An audit of all PHI disclosure points should be conducted and updated yearly as part of your organization’s privacy compliance assessment. Auditing your enterprise helps HIM leaders become aware of the risks, which they can then work to mitigate. HIM professionals should audit non-HIM PHI disclosure areas to ensure compliance with relevant laws. During the audit, HIM leaders should review a list of items for disclosures which includes date received, date delivered and more.

Train and Educate Based on Needs

Training is essential for safe and compliant enterprise-wide Release of Information. This goes for the HIM department as well as any other employees that release PHI. Well-trained ROI staff keep the flow of information running smoothly. Based on the individual department’s most common requests, ROI training should be focused on accuracy, include all HIPAA privacy basics, and include the following six PHI disclosure management fundamentals:

  1. Track and monitor each type of request being received.
  2. Define each type of request.
  3. Emphasize accuracy.
  4. Reiterate minimum necessary.
  5. Coach personnel on patient requests.
  6. Direct requests to HIM.

Establish HIM as the Enterprise-wide PHI Gatekeepers

Annual HIM reviews and continuous communication with other departments that release information are essential to mitigate breach risk, expedite payer reimbursement, and prevent a requester dissatisfaction crisis. Non-HIM staff are focused on their core competency areas and are rarely trained in proper PHI disclosure management. The result is often hasty PHI processing and increased risk of breach. To mitigate risk while also ensuring the appropriate ROI, HIM departments should maintain oversight of PHI disclosure management across the entire enterprise—not just within HIM.

Complete the form below to download MRO’s eBook “Breach Risk in Release of Information: Don’t Leave Risk to Chance” and learn strategic, enterprise-wide approaches to PHI disclosure management and mitigating breach risk.

DOWNLOAD MRO’S EBOOK “BREACH RISK IN RELEASE OF INFORMATION: DON’T LEAVE RISK TO CHANCE.”

Read More

Four Healthcare Compliance Webinars to Attend in 2018: Covering Privacy, Security and Information Governance

As we move into 2018, healthcare professionals should be up to date on the latest Privacy, Security and Information Governance trends. It is important to be aware of what’s on the horizon and how to prepare your organization for the future.

In MRO’s upcoming 2018 healthcare compliance webinar series, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I will co-present on the latest industry trends and discuss best practices for organizations to consider. There are four parts to this webinar series, and we are in process of having each session pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics, which Angela and I will go into more detail on in our webinar series. To register, click here.

Webinar Watch List: Privacy, Security and Information Governance

1) Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield
The Global Data Privacy Rule (GDPR) is compelling every organization to consider how it will respond to today’s security and compliance challenges. This may require significant changes to how your business gathers, uses and governs data if you serve individuals from the United Kingdom. Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements, such as mandatory record keeping, the right to be forgotten, and data portability.

March 22, 2018 – 2pm Eastern – Register Here.

2) Healthcare Regulatory Updates and Guidance
Healthcare regulatory updates and government guidance are continuously evolving and can be hard to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. When we hold this webinar, the session will review the regulatory updates and guidance that must be implemented to achieve regulatory compliance.

May 17, 2018 – 2pm Eastern – Register Here.

3) Cybersecurity: Protecting your Healthcare Enterprise
Although cyber attackers constantly create new versions of malicious software and search for new vulnerabilities to exploit, healthcare organizations must continue to be vigilant in their efforts to combat cyber extortion. This webinar will share lessons learned and actions for consideration to remain diligent and ready for potential threats.

August 15, 2018 – 2pm Eastern – Register Here.

4) 2019 Healthcare Privacy and Security Compliance Predictions
This session will briefly summarize the prior sessions in MRO’s four-part webinar series on healthcare privacy and security compliance, including lessons learned in 2018— and then shift focus to 2019. We will do our best, utilizing our crystal ball, to predict focus areas for 2019.

November 7, 2018 – 2pm Eastern – Register Here.

Health Information Professionals Week

MRO will launch our healthcare compliance webinar series, which covers these topics, on March 22, 2018, during Health Information Professionals (HIP) Week. HIP Week will coincide with AHIMA’s Advocacy Summit and Hill Day, events where AHIMA members receive education specific to advocacy and visit Capitol Hill to share the importance of advancing HIM. Privacy, security and Information Governance continue to be key issues for HIM professionals. AHIMA has stated it will continue to provide guidance to the healthcare industry and government leaders seeking expertise and counsel, and MRO looks forward to continuing in our efforts to educate and support the HIM profession, as well.

Register today for our first webinar, on the topic of Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield.

Sign Up for Future Blog Posts

Read More

Breach Prevention: Developing Best Practices from OCR Audits and Enforcement Activities

AHIMA held its 11th Annual Privacy and Security Institute on October 7-8, 2017 in Los Angeles, concurrent with the national convention. As a sponsor of the event, MRO held a breach prevention session titled “Developing Best Practices from OCR Audits and Enforcement Activities.” During the presentation, Rita Bowen and I reviewed the current Office for Civil Rights (OCR) audit and enforcement landscape and provided best practice guidance based on audit and enforcement outcomes.

We discussed some of the biggest cases to date including nine resolution agreements totaling over $17M collected by the OCR. The top five compliance issues (in order of frequency) included (1) impermissible use and disclosures, (2) lack of safeguards, (3) lack of patient access to health information, (4) releasing the minimum necessary, and (5) lack of administrative safeguards to electronic Protected Health Information (PHI). Below are five best practices for breach prevention, as well as a video interview where I recap the presentation.

Video Recap: AHIMA Privacy and Security Institute

 

Five Best Practices for Breach Prevention

1) Create a patient data protection committee.
This committee should oversee the organization’s patient privacy compliance program and conduct quarterly risk analyses and assessments. Serving as the incident response team, each committee member should review policies and procedures annually. In addition to these responsibilities, a patient data protection committee should perform mock HIPAA audits using Phase 2 protocols from the OCR.

2) Provide ongoing education and training for workforce members.
Many breaches are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for Protected Health Information disclosure management. To avoid this from happening, organizations should provide formal training at least once a year to ensure compliance with applicable federal and state law. Provide reminders of policies and procedures through emails, posters, and patient privacy awareness activities.

Some free helpful tools include:
OCR’s website
OCR’s YouTube channel
AHIMA’s Body of Knowledge

3) Implement HIPAA’s security rules for administrative, physical and technical safeguards.
Make sure your organization’s risk analysis is current and complete. This is the key to avoiding any potential threats and vulnerabilities. Utilize technologies that strengthen your compliance program and access monitoring software. For HHS guidance on technical safeguards, visit their website.

4) Test the effectiveness of your compliance program.
This can be done a few ways. Through internal, external and penetration audits. Through social engineering, which involves fake phishing emails, fake phone calls and checking desks for exposed passwords. And lastly, through mock breach exercises.

5) Assess your Business Associates’ compliance.
With proper due diligence and periodic vendor assessments, healthcare providers can safeguard their organizations against breach by way of their BAs. Additionally, Business Associate Agreements (BAAs) can ensure HIPAA compliance, and hold subcontractors liable for potential violations.

Complete the form below to download MRO’s eBook on breach prevention “Tips and Best Practices to Safeguard your Healthcare Organization.”

DOWNLOAD MRO’S eBook “Preventing a Breach: Tips and Best Practices to Safeguard your Healthcare Organization.”

Read More

AHIMA Convention Reflections: Business Associate Management and Best Practices for Risk Analysis

At the 2017 AHIMA National Convention and Exhibit, Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, and I co-presented a session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis.” In this presentation, we discussed ways to manage risk associated with Business Associates (BAs) for Covered Entities (CEs).

Rita and I reviewed industry trends around the renewed focus on vendor relationships and compliance, and the Office for Civil Rights’ (OCR) increased scrutiny of BAs. We covered many key components of thorough due diligence when evaluating BAs, and the necessary ongoing risk analysis once partnered.

The audience learned best practices that they can incorporate into their risk assessment process, which will make Business Associate management more bearable. Below is a video interview where I recap the presentation.

Video Recap: Managing Risk Associated with Business Associates for Covered Entities

 

Video Transcript

Anthony: I am Anthony Murray, Vice President of Information Technology for MRO.

Question: Tell us a little bit more about your presentation and the topic of BA Management.

Anthony: Today, Rita Bowen and myself presented on managing risks associated with Business Associates for Covered Entities. I think primarily what we were trying to drive home was a consistent approach to assessing risk when doing business with Business Associates within the Covered Entity space. It is a broad and deep topic. We covered a lot of different ways and concepts, so hopefully they came away with some ideas that they can incorporate into their risk assessment process to hopefully make their dealing with BAAs (Business Associate Agreements) a little bit more bearable.

Question: What best practices did you discuss during your presentation?

Anthony: We talked a lot about access controls, understanding the governance that’s in place, and trying to read the maturity scales of the Business Associates. What it really boiled down to was hopefully distilling down and understanding the services that the vendor is providing and associating the appropriate risk level to them. Based on the risk level, you hope to identify how deep into the privacy and security controls that they have in place are important to you as a company.

Question: What is MRO doing to address this topic?

Anthony: MRO is doing a number of things to help address this topic. One, is we have ongoing certifications to help augment what our CEs are going to do to assess us from a risk perspective. So, we’re trying to achieve things like HITRUST and perform our SSAE 16 and SOC type 2 audits. In addition, we also employ a number of very transparent controls that we talk about from the very onset of our relationship with our clients. How we manage access controls, how we report incidences and privacy threats all the way down to even giving access to our end user ongoing training seminars.

Question: What are some of the biggest trends and themes you’ve noticed at this year’s convention?

Anthony: I actually think this was one of the bigger topics between cyber and general privacy concerns with some of the changes in legislation. What you’re seeing is a continued focus on the business associates and risk they present. We saw a lot of good traction that we’re getting the paper work done when it comes to managing your business associates, but continuing to develop and look at the threat profile of the BAs continues to be a hot topic here.

Question: What is your favorite part about AHIMA?

Anthony: My favorite part of AHIMA is being around people who are all sharing the same struggles, challenges and opportunities that I’m facing. As a Business Associate, I’m confronted with CEs and other other agencies like ourselves that provide services to these hospitals all dealing with the same problems and being able to come together as a community and discuss it is just so reassuring that we’re not left out on an island.

To download slides from MRO’s Business Associate Management presentation, complete the form below.

DOWNLOAD MRO’S BUSINESS ASSOCIATE MANAGEMENT PRESENTATION

Read More