On June 27, 2019, MRO presented a webinar as part of our Protected Health Information (PHI) disclosure management educational series. In this presentation titled “Enterprise-Wide Disclosure Management: Closing the Compliance Gaps,” we covered best practices for standardizing PHI disclosure management policies and procedures, ensuring consistent policy enforcement, and minimizing privacy breach.

The webinar content can be used as a guide for Health Information Management (HIM), privacy and compliance professionals to ensure the highest levels of compliance and prevent breach when disclosing PHI.

PHI Disclosure Management: Risky Business

MRO’s research shows there can be as many as 40 disclosure points across a health system. Most of these disclosure points tend to be managed outside the HIM department by individuals not trained in Release of Information (ROI). This trend of expanding disclosure points is one of the key factors driving breach risk in the ROI process.

Another risk factor involves gaps in the Quality Assurance (QA) around PHI disclosure. Research shows that approximately 30 percent of all ROI authorizations are initially invalid, and up to 10 percent of those invalid authorizations are processed with errors if ROI workflows lack redundant QA checks. Moreover, some 5 percent of patient data in electronic medical records (EMRs) have integrity issues, including comingled patient records. Without proper QA measures in place, about 0.4 percent of records released will contain mixed patient data, which means an organization releasing 100,000 requests annually could potentially release 400 comingled records. With that, comes substantial risk to a healthcare organization.

Enterprise-Wide Disclosure Management: Closing the Compliance Gaps

As described in the webinar, MRO recommends deploying an enterprise-wide strategy for PHI disclosure management to standardize policies and procedures, as well as technologies, across a health system. Having a streamlined ROI workflow as part of that strategy helps eliminate inefficiencies, distractions and errors.

Additionally, redundant QA checks are vital for disclosure accuracy. Providing a “second set of eyes” on all authorizations and PHI before release helps reduce improper disclosures. These quality checks should come from a combination of trained ROI specialists and record integrity technology, such as MRO’s IdentiScan®, that uses optical character recognition to locate and correct comingled records. This combination of people and technology drives improved accuracy and minimizes breach risk.

Breach Prevention: Best Practices for PHI Disclosure Management

The webinar includes eight best practices for minimizing breach in the Release of Information process. Here are six of those practices.

1. Implement Multiple QA Checks on Requests. It is important to ensure the ROI authorization is legitimate. In reviewing authorizations, certain required information is often missing. A Quality Assurance check-in that involves multiple people helps to avoid a one-point area for failure. This double-check process ensures a complete review of that area for control.
2. Sync Your ROI Platform to the MPI. It’s imperative to sync your ROI platform to your MPI to avoid manual information entry. This minimizes the possibility of making a mistake when entering information into your ROI platform. MRO offers a tool called MROeLink® that provides this type of integration.
3. Send Notifications to Requesters. Sending initial notifications of receipt to requesters confirms that requests have been received and indicates who is processing them on your organization’s behalf. If a patient-directed request is obtained, you should notify the patient to let them know a patient-directed request has been received in case they did not direct the request.
4. Ensure Shipping Integrity. Establish a QA process for shipping copies of medical records, such as a barcoding system that assists distribution center reps in ensuring the right content goes in the correct envelope.
5. Leverage Secured Delivery. When possible, leverage secure, electronic delivery, including portals and direct interfaces with government agencies such as SSA and CMS.
6. Hire, Train and Retain Exceptional People. It is essential to hire, train and retain exceptional people who will be touching PHI. These people must be properly trained and knowledgeable about the information they are handling, and understand the penalties involved. People working in the ROI industry must be highly trained and educated.

To get details on all our suggested best practices for breach prevention—and more information on compliant PHI disclosure management—request the playback of the presentation using the form below.

MRO has released the white paper, “Misuse of Patient-Directed Requests for Copies of Medical Records,” authored by two attorneys, Beth Anne Jackson, Esq. and Danielle Wesley, Esq., along with privacy expert Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB. The paper provides insights, education and strategies to help hospitals, health systems and other healthcare provider organizations address issues that arise when attorneys solicit copies of medical records—often through record retrieval companies (RRCs)—under the guise of patient-directed requests.

Essential Guide to Understanding and Mitigating Financial, Legal and Privacy Risk

For Health Information Management (HIM) professionals, in-house attorneys and compliance officers, the tenets set forth in the paper serve as an essential guide to understand and mitigate problems associated with these attorney requests, including the rising financial burden imposed on providers when attorneys shift the costs of medical record production for litigation to providers. The following five areas are covered.

• Perceived loophole in OCR guidance. The paper delves into the history of HIPAA, HITECH and patients’ right to access their Protected Health Information (PHI). This includes examining the language of 2016 OCR guidance that emphasized removal of financial and other roadblocks to individuals’ access to their information by advocating the imposition of a nominal fee for patients to obtain their PHI for personal use, such as providing records to their primary care physician, a mobile healthcare app or to researchers. Though applying a nominal fee for patient-directed disclosures to these types of entities is reasonable, the OCR’s inclusion of the phrase “and it doesn’t matter who the third party is” opened the door for manipulation by attorneys and RRCs demanding the $6.50 fee suggested in the guidance.
• Increasing volumes of attorney requests under the guise of patient-directed requests. Submitted as patient-directed requests, attorney requests for medical records have soared with a specific pattern identified, which is described in the white paper. The volume of these types of requests is growing exponentially. MRO metrics show a steady increase in the number of attorney requests demanding the patient rate. Additionally, an increase in page count and a higher demand for “any or all” records from the designated record set (DRS) are consistently noted with these attorney requests.
• Detrimental impact to healthcare systems and their patients. Neither Congress nor the OCR intended for the individual rights to access under 45 CFR §164.524(c) or the guidance to be interpreted and implemented to (a) shift the costs of obtaining medical records for the purpose of for-profit litigation or other non-healthcare related purposes to providers, (b) subject more PHI than necessary—including sensitive PHI that may or may not be related to the litigation—to disclosure, or (c) remove HIPAA protection resulting from disclosure via RRCs to attorneys. However, healthcare organizations are rightfully concerned about these risks. The paper details the detrimental financial, legal and operational impact to health system enterprises and the risks around patient privacy.
• Recognizing the misuse of patient-directed requests for medical records. Providers should be aware of red flags when receiving incoming requests, including the following:
  • A template form with filled-in blanks and mismatched pronouns is used.
  • The form is included in a larger packet with other documents—such as a HIPAA-compliant authorization.
  • The patient’s signature appears to be copy-pasted or photoshopped. Attorneys or RRCs may lift the patient signature from a driver’s license or other document.
  • The letter is labeled a “HITECH authorization.” This terminology is only used by attorneys and RRCs that work with them.

  The paper provides a thorough list of signs indicating attorney misuse of patient-directed requests.

• Steps for combating the issue. To combat this problem, healthcare organizations need a comprehensive game plan that includes education and awareness across HIM, compliance, legal, risk management and finance. New strategies must also be employed at the national level to raise awareness and garner support. In our paper, we offer a step-by-step approach to assist healthcare organizations in building their game plan.

Conclusion: For the Better Good

In summary, the white paper states, “The issue is not about prohibiting authorized access. The issue is about limiting the ability of attorneys and other third parties to manipulate the OCR guidance and patient-directed requests for their own commercial gain. Healthcare organizations that give in to attorney misuse of patient-directed requests may think that they are mitigating legal risk. Instead, they are welcoming negative financial impacts for themselves and potential adverse privacy effects for their patients. Producing thousands of pages of PHI for the nominal patient fee is not a business practice that can be sustained in the long term by any provider. This cost-shifting cannot be tolerated.

The efforts of attorneys and RRCs to obtain PHI via their mischaracterization of the guidance—which, to date, has not been challenged—is well documented and significantly more advanced than a lone provider’s ability to combat it. While providers are steadfast in protecting patient privacy, they also need to protect their fiscal health. They can only do so by taking concrete steps now to stop disreputable attorney and RRC behavior before the issue becomes a more serious problem and a financial crisis for provider organizations.”
The contents within our white paper are approved and endorsed by the Association of Health Information Outsourcing Services (AHIOS), a membership group composed of Health Information Management outsourcing organizations.

Complete the form on this page to request a copy of the white paper “Misuse of Patient-Directed Requests for Copies of Medical Records.”

In an era of regulatory reform and breach, privacy and security compliance is top of mind for health systems. Healthcare leaders are seeking ways to mitigate risk—including financial penalties, lawsuits, and reputational damage—by improving Protected Health Information (PHI) disclosure management processes. Many are embracing the benefits of taking an enterprise-wide approach and standardizing technology, policies and procedures across points of disclosure within their health systems.

In the December 2018 issue of HCCA’s Compliance Today publication, I authored “Enterprise-wide PHI disclosure management: Closing the compliance gaps,” which covered the following four topics.

Increased Focus on Small Healthcare Breaches

Small breaches affecting fewer than 500 patients at a time have become more frequent than the large cyberattacks we see publicized in the news. A cause of these breaches is improper disclosure of PHI during the Release of Information (ROI) process. With increased frequency and impact on patient privacy, small breaches are getting more attention from the OCR.

Small breaches can be just as costly as large ones in terms of penalties and reputational damage. The risks involved with multiple disclosure points and the lack of standardized processes make PHI disclosure difficult to direct and track, making breaches more likely. An enterprise-wide approach to PHI disclosure management is the recommended solution to the challenges faced by healthcare organizations.

PHI Disclosure Across the Enterprise

Although HIM departments still hold primary responsibility for handling PHI disclosures, other areas— including radiology, business offices, and physician practices— increasingly receive requests to release PHI. The issues around this trend pose risks that can lead to privacy breaches. Here’s why:

• ROI is not a core responsibility of non-HIM staff—and it is not their top priority.
• Other departments lack sufficient knowledge of rules and regulations governing the compliant release of patient information.
• Specialized training and multi-tiered Quality Assurance are required to properly disclose PHI.

Quality Assurance Gaps in Release of Information

Quality and accuracy are important aspects of compliant PHI disclosure. However, since ROI workflows involve a variety of manual steps and are complex, there is room for error. Some startling statistics outlined in the HCCA article include:

• Approximately 30 percent of all submitted ROI authorizations are initially found to be invalid.
• With more than 100 possible combinations of errors or omission points across a wide variety of request types, up to 10 percent are processed with errors if the only line of defense is the person onsite logging the request.
• 5 percent or more of patient data in EMRs have integrity issues, including comingling of patient records.
• Well-trained ROI specialists will catch most of mixed records. However, with just one level of quality control, 1 in every 200 requests will included comingled records.

As a best practice, ROI authorizations and PHI should be checked for accuracy multiple times by specially trained ROI staff and sophisticated technologies to avoid non-compliant requests and/or comingled records. This can be best achieved if PHI disclosure management processes across a healthcare enterprise are streamlined through HIM.

Enterprise-Wide Approach to PHI Disclosure Management

A centralized, enterprise-wide approach to disclosure management is the optimal solution to the imminent challenges that healthcare professionals face. By standardizing processes throughout an organization and applying best practices under HIM’s expertise across the system, healthcare organizations can ensure a steady enforcement of enterprise disclosure policies, a manageable workflow, Quality Assurance and a consistent experience for patients and requesters of PHI. This approach enables healthcare organizations to have complete confidence in achieving compliance. An enterprise-wide strategy not only protects a patient’s privacy, it also protects the institution against breaches, financial risk, lawsuits, and reputational damage.

For more information on breach prevention and tips to protect your organization download MRO’s eBook “Breach Prevention: Tips and Best Practices to Safeguard your Healthcare Organization”

On Thursday, May 17, 2018 my colleague, Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services and I presented the second part of our four-part healthcare compliance webinar series. In this webinar titled “Healthcare Regulatory Updates and Guidance,” we covered some of the following key points:

Global Data Privacy Rule (GDPR)

The GDPR is current legislation that was proposed by the European Commission to strengthen and unify data protection for individuals in the European Union (EU). The goal of the regulation is to increase protection and enhance privacy rights on how data is collected and used regarding EU residents. This rule also applies to organizations outside the EU, such as the US, if it collects data.

Substance Abuse and Mental Health Services Administration (SAMHSA)

SAMHSA released an update in January 2017, which allows organizations to utilize an inclusive authorization whereby this sensitive information may be shared with an HIE or within an integrated delivery system which affords these patients with the same rights to high-quality care by allowing care givers to review necessary information. The update to the rule permits the disclosure or re-disclosure of this information as necessary to carry out lawful treatment, payment and operations. The required statement on this type of record now reads “Federal law 42 CFR Part 2 prohibits unauthorized disclosure of these records.”

Disclosures for Emergency Preparedness

Emergency preparedness and recovery planners are interested in the availability of information they need to serve people in the event of an emergency. The HIPAA Privacy Rule protects individually identifiable health information from unauthorized or impermissible uses and disclosures. The Rule is carefully designed to protect the privacy of health information, while allowing important health care communications to occur.

Cybersecurity and Ransomware

Ransomware has forced health IT to get more aggressive towards increasing their security safeguards and protections against attacks through infected mails and websites. Attendees were reminded that the best ways to prepare and combat these attacks include:

• Risk analyses and gap analyses
• Ongoing end-user training
• Appropriate and up to date patching
• Utilization of advanced security protection tool

To learn more about this topic, sign up for our next webinar “Cybersecurity: Protecting your Healthcare Enterprise” on Wednesday, August 15, 2018 at 2pm Eastern.

Texting in Healthcare

Texting in healthcare can be a risk if not done so by meeting the technical safeguards of the HIPAA Security Rule. These safeguards include:

• Access to PHI must be limited to authorized users who require the information to do their jobs
• A system must be implemented to monitor the activity of authorized users when accessing PHI
• Those with authorization to access PHI must authenticate their identities with a unique, centrally-issued username and PIN
• Policies and procedures must be introduced to prevent the PHI from being inappropriately altered or destroyed
• Data transmitted beyond an organization’s internal firewall should be encrypted to make it unusable if it is intercepted in transit

Future Outlook

Attendees also received insight on the changes and updates we may expect to see forthcoming in 2018. Some of these included:

• Restitution back to victims who were harmed by a violation of HIPAA
• Consideration to remove NPP signature forms
• Good faith disclosures (related to Opioid crisis)
• Potential changes in the requirement related to accounting of disclosures

Healthcare regulatory updates and government guidance are continuously evolving and can be difficult to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. For more information on these topics, fill out the form below to receive a copy of this webinar.