The April 2019 Journal of AHIMA article “What to Do (and Not Do) When Changing HIM Vendors” served as a virtual roundtable featuring the experiences of three HIM leaders who successfully navigated HIM service vendor transitions. The MRO client panelists were Cindy M. Phelps, RHIA, Sr. Director, TSG Business Relationship Management, Carilion Clinic; Sherine Koshy, MHA, RHIA, CCS, Corporate Director HIM, Penn Medicine; and Kathleen J. Edlund, M.M., RHIA, Director of HIM, Trinity Health.

Topics discussed in the roundtable included challenges, lessons learned and practical strategies that help ensure quality service and a lasting collaborative partnership. As moderator of the discussion, I had an opportunity to focus on each expert’s type of vendor transition: transcription, EHR and Release of Information (ROI).

Challenges

Choosing the right vendor can be a challenging and daunting task, especially if your current service has been in place for a long time. Whether the service being considered for outsourcing options is in-house or with another vendor, the key to a successful transition is in the planning.

Some of the common challenges that prompted the panelists’ organizations to seek a better solution were: the need to have all users on one platform, service and quality issues, communication problems and lack of client support.

Lessons Learned

From their experiences addressing the challenges listed above, each HIM expert offered lessons learned and suggestions for other organizations to consider when transitioning service vendors. Here is a summary of their recommendations:

• Conduct benchmark, research, and reference checks.
• Establish key performance indicators (KPIs).
• Engage multidisciplinary teams.
• Conduct a pilot test.
• Communicate and collaborate to build a trusted partnership.
• Create a project charter.
• Provide training and education.
• Complete pre-implementation assessment documentation.
• Create a visual diagram model of the process flow.
• Ensure understanding of ancillary departmental (EHR) software systems.
• Preserve a working relationship with the outgoing vendor.

Strategies to help ensure a lasting collaborative partnership

Each panelist offered components of a strong, collaborative partnership that promotes ongoing optimal outcomes. Here are five essential factors:

• Monthly review meetings and open communication to discuss successes, concerns and issues with the vendor.
• Engagement and availability of the vendor in the daily operational business.
• Vendor sharing latest trends with development and with their other clients.
• Annual onsite business review to highlight current state and share future state with key stakeholders.
• Investment in the training and resources necessary to meet the needs of your organization.

The Journal of AHIMA article provides additional details regarding lessons learned, strategies and expert recommendations. To download a copy of the article, fill out the form below.

The 23rd Annual HCCA Compliance Institute provided a wonderful learning experience focused on compliance in various areas of healthcare delivery. MRO was fortunate to have several representatives attending informative sessions and engaging in meaningful conversations with other attendees.

I was pleased to have the opportunity to co-present with our client, Melissa Landry, RHIA, Assistant Vice President of Health Information Management (HIM), Ochsner Health System on “Incident Response: Best Practices in Breach Management.” We covered the following topics during our presentation:

• Current Environment and Statistics Related to Healthcare Breaches
• Breaches under HIPAA and State Law
• HIPAA Security Rule Safeguards that Address Incident Response Plans
• Best Practices for Incident Response Plans
• The First 24 Hours Following a Breach

Fill out the form below to request a copy of our presentation.

Session Takeaways

Of the numerous breakout sessions and learning tracks I attended, there were two in particular that I found to be very informative and insightful—updates from the U.S. Department of Health and Human Services (HHS) Office of Inspector General (OIG) and the Center for Medicare and Medicaid Services (CMS).

OIG Update

Joanne Chiedi, Principal Deputy Inspector General, HHS OIG, provided an enlightening keynote address. Her presentation encouraged compliance professionals to be bold and take action. Chiedi shared that at this time of disruptive innovation in healthcare, compliance must engage in these innovative conversations. Here are a few of her other key points:

• We cannot oversee what we do not understand. Effective oversight requires understanding how healthcare is delivered today and how it will be delivered in the future.
• Give Compliance the data. If anyone in your organization has data, Compliance should have access to it.
• Compliance and innovation must advance together. Compliance can and should play a big part in getting innovation right in healthcare.

This presentation offered a comprehensive overview of the current healthcare ecosystem along with a description of the role compliance professionals play in upholding quality standards and processes.

CMS Update

Kimberly Brandt, Principal Deputy Administrator for Operations, CMS, joined the conference to deliver this update. Here is a preview of announcements that we can expect from CMS:

• Patients over Paperwork
• Interoperability and MyHealthEData
• Opioid Epidemic
• Program Integrity

This presentation provided attendees with the inside scoop and a great overview of what is on the horizon with CMS.

Continue Your Compliance Education by Attending MRO’s Upcoming Webinar

Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI through new technology and HIPAA-compliant policies and procedures.

In MRO’s upcoming webinar “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps. This session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain. Secure your spot today by registering here.

As we move into 2019, it is important for healthcare professionals to stay up to date on the latest trends and best practices for managing Protected Health Information (PHI) disclosure across healthcare enterprises.

In MRO’s upcoming 2019 “Best Practices in PHI Disclosure Management” webinar series, the latest trends and best practices for organizations to consider will be covered. There are four parts to this webinar series, and each session is pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics in our webinar series, which MRO’s subject matter experts will go into more detail. To register, click here.

Webinar Watch List: Payer Audits, Compliance, Cybersecurity and Patient-Directed Requests

1) The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense
Payer requests for medical records are challenging, time-consuming undertakings for healthcare organizations, typically requiring the release of hundreds or thousands of patient records. MRO’s payer relations expert Greg Ford, Senior Director of Requester Relations and Receivables Administration, will share tips and best practices to shore up your defenses against the rising tide of payer requests for medical records.

2) Enterprise-Wide Disclosure Management: Closing the Compliance Gaps
Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits, and reputational damage, healthcare organizations are seeking ways to mitigate risk and ensure proper disclosure of PHI by implementing new technology and HIPAA-compliant policies and procedures. In this webinar, I will cover the benefits of implementing an enterprise-wide PHI disclosure management strategy to close compliance gaps.

3) Cybersecurity in Health IT: Trends and Tips for Safeguarding PHI
In an era of evolving cybersecurity threats, healthcare leaders are challenged to be vigilant in their efforts to minimize risk and implement new, robust safeguards to protect the privacy and security of patient data. MRO’s security expert Anthony Murray, CISSP, Vice President of Information Technology and ISSO, and I will provide best practices for safeguarding PHI across your healthcare enterprise.

4) Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope
The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding clarification for healthcare providers, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in rising challenges for healthcare providers. MRO’s legal expert Danielle Wesley, Esq., Vice President and General Counsel, and I will provide clarity on the topic and cover strategies and tactics for combatting the related issues.

Register today for our first webinar, on the topic The Rising Tide of Payer Requests for Medical Records: How to Shore Up Your Defense.

As we move into 2018, healthcare professionals should be up to date on the latest Privacy, Security and Information Governance trends. It is important to be aware of what’s on the horizon and how to prepare your organization for the future.

In MRO’s upcoming 2018 healthcare compliance webinar series, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I will co-present on the latest industry trends and discuss best practices for organizations to consider. There are four parts to this webinar series, and we are in process of having each session pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics, which Angela and I will go into more detail on in our webinar series. To register, click here.

Webinar Watch List: Privacy, Security and Information Governance

1) Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield
The Global Data Privacy Rule (GDPR) is compelling every organization to consider how it will respond to today’s security and compliance challenges. This may require significant changes to how your business gathers, uses and governs data if you serve individuals from the United Kingdom. Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements, such as mandatory record keeping, the right to be forgotten, and data portability.

March 22, 2018 – 2pm Eastern – Register Here.

2) Healthcare Regulatory Updates and Guidance
Healthcare regulatory updates and government guidance are continuously evolving and can be hard to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. When we hold this webinar, the session will review the regulatory updates and guidance that must be implemented to achieve regulatory compliance.

May 17, 2018 – 2pm Eastern – Register Here.

3) Cybersecurity: Protecting your Healthcare Enterprise
Although cyber attackers constantly create new versions of malicious software and search for new vulnerabilities to exploit, healthcare organizations must continue to be vigilant in their efforts to combat cyber extortion. This webinar will share lessons learned and actions for consideration to remain diligent and ready for potential threats.

August 15, 2018 – 2pm Eastern – Register Here.

4) 2019 Healthcare Privacy and Security Compliance Predictions
This session will briefly summarize the prior sessions in MRO’s four-part webinar series on healthcare privacy and security compliance, including lessons learned in 2018— and then shift focus to 2019. We will do our best, utilizing our crystal ball, to predict focus areas for 2019.

November 7, 2018 – 2pm Eastern – Register Here.

Health Information Professionals Week

MRO will launch our healthcare compliance webinar series, which covers these topics, on March 22, 2018, during Health Information Professionals (HIP) Week. HIP Week will coincide with AHIMA’s Advocacy Summit and Hill Day, events where AHIMA members receive education specific to advocacy and visit Capitol Hill to share the importance of advancing HIM. Privacy, security and Information Governance continue to be key issues for HIM professionals. AHIMA has stated it will continue to provide guidance to the healthcare industry and government leaders seeking expertise and counsel, and MRO looks forward to continuing in our efforts to educate and support the HIM profession, as well.

Register today for our first webinar, on the topic of Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield.

AHIMA held its 11th Annual Privacy and Security Institute on October 7-8, 2017 in Los Angeles, concurrent with the national convention. As a sponsor of the event, MRO held a breach prevention session titled “Developing Best Practices from OCR Audits and Enforcement Activities.” During the presentation, Rita Bowen and I reviewed the current Office for Civil Rights (OCR) audit and enforcement landscape and provided best practice guidance based on audit and enforcement outcomes.

We discussed some of the biggest cases to date including nine resolution agreements totaling over $17M collected by the OCR. The top five compliance issues (in order of frequency) included (1) impermissible use and disclosures, (2) lack of safeguards, (3) lack of patient access to health information, (4) releasing the minimum necessary, and (5) lack of administrative safeguards to electronic Protected Health Information (PHI). Below are five best practices for breach prevention, as well as a video interview where I recap the presentation.

Video Recap: AHIMA Privacy and Security Institute

Five Best Practices for Breach Prevention

1) Create a patient data protection committee.
This committee should oversee the organization’s patient privacy compliance program and conduct quarterly risk analyses and assessments. Serving as the incident response team, each committee member should review policies and procedures annually. In addition to these responsibilities, a patient data protection committee should perform mock HIPAA audits using Phase 2 protocols from the OCR.

2) Provide ongoing education and training for workforce members.
Many breaches are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for Protected Health Information disclosure management. To avoid this from happening, organizations should provide formal training at least once a year to ensure compliance with applicable federal and state law. Provide reminders of policies and procedures through emails, posters, and patient privacy awareness activities.

Some free helpful tools include:
• OCR’s website
• OCR’s YouTube channel
• AHIMA’s Body of Knowledge

3) Implement HIPAA’s security rules for administrative, physical and technical safeguards.
Make sure your organization’s risk analysis is current and complete. This is the key to avoiding any potential threats and vulnerabilities. Utilize technologies that strengthen your compliance program and access monitoring software. For HHS guidance on technical safeguards, visit their website.

4) Test the effectiveness of your compliance program.
This can be done a few ways. Through internal, external and penetration audits. Through social engineering, which involves fake phishing emails, fake phone calls and checking desks for exposed passwords. And lastly, through mock breach exercises.

5) Assess your Business Associates’ compliance.
With proper due diligence and periodic vendor assessments, healthcare providers can safeguard their organizations against breach by way of their BAs. Additionally, Business Associate Agreements (BAAs) can ensure HIPAA compliance, and hold subcontractors liable for potential violations.

Complete the form below to download MRO’s eBook on breach prevention “Tips and Best Practices to Safeguard your Healthcare Organization.”

At the 2017 AHIMA National Convention and Exhibit, Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, and I co-presented a session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis.” In this presentation, we discussed ways to manage risk associated with Business Associates (BAs) for Covered Entities (CEs).

Rita and I reviewed industry trends around the renewed focus on vendor relationships and compliance, and the Office for Civil Rights’ (OCR) increased scrutiny of BAs. We covered many key components of thorough due diligence when evaluating BAs, and the necessary ongoing risk analysis once partnered.

The audience learned best practices that they can incorporate into their risk assessment process, which will make Business Associate management more bearable. Below is a video interview where I recap the presentation.

Video Recap: Managing Risk Associated with Business Associates for Covered Entities

Video Transcript

Anthony: I am Anthony Murray, Vice President of Information Technology for MRO.

Question: Tell us a little bit more about your presentation and the topic of BA Management.

Anthony: Today, Rita Bowen and myself presented on managing risks associated with Business Associates for Covered Entities. I think primarily what we were trying to drive home was a consistent approach to assessing risk when doing business with Business Associates within the Covered Entity space. It is a broad and deep topic. We covered a lot of different ways and concepts, so hopefully they came away with some ideas that they can incorporate into their risk assessment process to hopefully make their dealing with BAAs (Business Associate Agreements) a little bit more bearable.

Question: What best practices did you discuss during your presentation?

Anthony: We talked a lot about access controls, understanding the governance that’s in place, and trying to read the maturity scales of the Business Associates. What it really boiled down to was hopefully distilling down and understanding the services that the vendor is providing and associating the appropriate risk level to them. Based on the risk level, you hope to identify how deep into the privacy and security controls that they have in place are important to you as a company.

Question: What is MRO doing to address this topic?

Anthony: MRO is doing a number of things to help address this topic. One, is we have ongoing certifications to help augment what our CEs are going to do to assess us from a risk perspective. So, we’re trying to achieve things like HITRUST and perform our SSAE 16 and SOC type 2 audits. In addition, we also employ a number of very transparent controls that we talk about from the very onset of our relationship with our clients. How we manage access controls, how we report incidences and privacy threats all the way down to even giving access to our end user ongoing training seminars.

Question: What are some of the biggest trends and themes you’ve noticed at this year’s convention?

Anthony: I actually think this was one of the bigger topics between cyber and general privacy concerns with some of the changes in legislation. What you’re seeing is a continued focus on the business associates and risk they present. We saw a lot of good traction that we’re getting the paper work done when it comes to managing your business associates, but continuing to develop and look at the threat profile of the BAs continues to be a hot topic here.

Question: What is your favorite part about AHIMA?

Anthony: My favorite part of AHIMA is being around people who are all sharing the same struggles, challenges and opportunities that I’m facing. As a Business Associate, I’m confronted with CEs and other other agencies like ourselves that provide services to these hospitals all dealing with the same problems and being able to come together as a community and discuss it is just so reassuring that we’re not left out on an island.

To download slides from MRO’s Business Associate Management presentation, complete the form below.