
Preventing Healthcare Breaches, the Costliest of the Breaches

This month, IBM Security and Ponemon Institute released its 2017 Cost of Data Breach Study. It examines the costs experienced by 63 U.S. companies in 16 industry sectors after those companies experienced loss or theft of protected personal data and the notification of breach victims as required by various laws. It is not a healthcare specific study, but it does include healthcare specific statistics.

Healthcare Breach is Most Costly

This study showed that there has been a 4.7 percent increase in the total cost of data breach. The study also revealed that heavily regulated industries, such as healthcare and financial services, had per capita data breach costs well above the overall mean of $225. In contrast, public sector organizations had a per capita cost of data breach below the overall mean.

Moreover, healthcare breach is the costliest across all industries. These costs include credit or identity theft monitoring for breach victims, forensic and legal fees, and loss of goodwill and of business.

Causes of Data Breach

There are many different causes of data breach, but malicious or criminal attacks continue to be the primary and costliest cause. The study states that 52 percent of incidents involve a malicious or criminal attack, 24 percent are caused by system glitches, including both IT and business process failures, and another 24 percent of incidents are caused by negligent employees.

An example of how employee error can result in breach is in the Release of Information (ROI) process, which involves a variety of manual steps. While this type of risk can be minimized with the proper training and education, human error is inevitable. An error can lead to the wrong patient’s records being released to the wrong party, resulting in breach and damage to an organization’s reputation.

While breaches resulting from mistakes in the ROI process may not affect hundreds of patients at a time, the cost can be just as impactful, and preventing them should not be overlooked. Small breaches like this happen far more frequently than large breaches, and the Office for Civil Rights (OCR) is noted as paying closer attention to them.

Preventing Breach in the ROI Process

Although there are many causes of data breach, there are also many ways to prevent it in the ROI process. The combination of highly trained, knowledgeable staff and state-of-the-art technology can improve Protected Health Information (PHI) disclosure accuracy rates. Employees should undergo specialized training on the most up-to-date HIPAA regulations and PHI disclosure requirements at the federal, state and facility level.

Additionally, by partnering with an experienced and knowledgeable PHI disclosure management partner, organizations can achieve near-perfect accuracy rates and prevent breaches in the ROI process. Innovative ROI vendor partners, such as MRO, utilize technology to identify errors at every step of the ROI process, including optical character recognition (OCR) technology like our IdentiScan®, to ensure there are no commingled records before release.

To learn more about preventing small breaches, complete the form to download our white paper “Mitigating Breach Risk in an Era of Expanding PHI Disclosure Points and Requests for Health Information.”


Developing Best Practices from OCR Audit Protocols and Issue Resolutions


MRO recently hosted a webinar titled “Developing Best Practices from OCR Audit Protocols and Issue Resolutions” as part of our three-part webinar series on privacy and security. The presentation began with a review of the first webinar in the series, “Lessons Learned from OCR Enforcement Actions.”  This set the stage for the discussion of Best Practices that have resulted from the HIPAA Audit Program and resolution agreements.

Developing Best Practices

Most of us have a sense of what is good practice, but this depends on an organization’s perspective, so it is important to understand and document Best Practices that may be developed in response to an event or situational analysis. (Situational analysis is the review of published privacy or security incidents.)

A Best Practice must be grounded in theory and research that inform its creation. Best Practices emerge from reflective practice, which is why audit programs are needed: audits embody the idea that practice is adjusted in response to feedback from the audit and evaluation process.

Part of weaving Best Practices into your organization is reviewing the audit evaluations that support and reinforce these stated processes within existing practice. You might find that practice has been updated but the related policy has not. Policy and practice must correlate; when you find a difference, determine which statement is correct and update the documentation accordingly.

Paramount to the success of Best Practices:

  • They must be proven across a range of circumstances, allowing for critical thinking to be applied to each unique situation.
  • Simplicity is required. If people can’t understand the practice, implementation will not be successful.
  • Make them accessible and available for utilization by sharing them. If there is a lot of new information and/or a complete change in process, then education is critical.

Best Practices Based on OCR Enforcement Actions

During our presentation, we reviewed several HIPAA settlement cases and, from the known facts of each, drew out the Best Practice it supports. Here are some key lessons learned.

  • Require Business Associate Agreements (BAAs) with any vendor or third party that has access to Protected Health Information (PHI).
  • Conduct a risk assessment, followed by thorough analysis of those findings, which would include a project plan schedule for mitigation and/or re-evaluation to accommodate budgetary limitations.
  • Management of identified risks is paramount, which includes the documentation of all discussions and mitigation efforts.
  • Ensure the workforce is aware of external and internal threats, and escalation of privacy or security events via appropriate reporting channels.
  • Be certain that system patches are applied in a timely manner.
  • Pay careful attention to disposal of information. The case of a facility which failed in this area was highlighted in our presentation.
  • Ensure incident response plans are in place, and maintain overall governance of the program.

To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 2: Developing Best Practices from OCR Audit Protocols and Issue Resolutions.


Field Report: HCCA Compliance Institute and HIPAA Summit

I recently attended the Health Care Compliance Association’s (HCCA) Compliance Institute and the annual HIPAA Summit, both in the Washington, D.C. area, where representatives from the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) delivered remarks on what to expect from their office in 2017. I reported on my experiences at these events in an article for RACmonitor; here are some highlights.

New Director of the OCR

Attendees at the HIPAA Summit had the great honor of hearing the first public remarks from the newly appointed Director of the OCR, Roger Severino, in his new capacity. Prior to his appointment, Severino had a long and distinguished public service career.

In his remarks at the Summit, Severino emphasized the important role of health information privacy and security to the overall functioning of the healthcare system. This focus will lead to increased patient confidence in the system, which, according to the new director, is paramount for the system to function.

OCR Priorities for 2017

Following Severino’s remarks, OCR Deputy Director Deven McGraw shared the OCR’s outlook for 2017. McGraw and her team plan to work with Severino over the coming weeks to identify priorities for policy and guidance.

Update on HIPAA Audit Program

Speaking on Phase 2 of the HIPAA Audit Program, McGraw reiterated that the audits are a tool for learning, not a tool for enforcement, and should eventually yield best practices. She stated that the OCR hopes to develop a continuous compliance monitoring program moving forward, as opposed to the sort of periodic audits enacted currently.

OCR Enforcement

Iliana Peters, Attorney and Senior Advisor at the OCR, spoke on OCR enforcement at both the Compliance Institute and the HIPAA Summit. She highlighted lessons learned from 2016 resolution agreements and civil money penalties, including the need for regular and thorough risk analyses, encryption, access and audit controls, and timely breach notification.

For more information on the OCR, join MRO for the first installment of our free privacy and security webinar series, “Lessons Learned from OCR Enforcement Actions,” Monday, April 17, 1pm Eastern.


HCCA Compliance Institute Hot Topics: Patient Access to Health Information and Privacy Breaches

As patients continue requesting access to their Protected Health Information (PHI) in greater numbers, removing barriers to access continues to be one of the hottest topics in compliance. In addition to adding complexity to the process of disclosing PHI, this increased demand for access, and the accompanying U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) guidelines for providing easy access, has had the negative side effect of increasing breach risk.

To mitigate this rise in breach risk, healthcare organizations can standardize PHI disclosure processes and procedures across their organizations. As we gear up for the annual HCCA Compliance Institute, here are some things to keep in mind:

OCR Guidance Promotes Patient Access to Health Information

Under the new OCR guidance, healthcare organizations cannot create barriers or unreasonably delay patient access to health information. For example, one of the most common compliance mistakes is requiring patients or their personal representatives to submit HIPAA-compliant authorizations when requesting PHI.

Small Scale Privacy Breaches Are Also a Threat

Increased access for patients can also lead to an increase in small-scale breaches affecting fewer than 500 patients at a time. Unlike more attention-grabbing cybercrimes or device thefts, breaches occurring during normal Release of Information (ROI) processes are far more common, and just as devastating to healthcare organizations.

MRO research has found as many as 40 points of disclosure within healthcare organizations, and with the growing number of requests flooding a changing market, risk will continue to rise as organizations attempt to handle the higher volume. Standardizing and centralizing PHI disclosure management is key to combating these breaches.

HIPAA Audits are in Play

OCR Phase 2 HIPAA audits are in motion and include Business Associate desk audits and HIPAA Breach Notification and Security Rule compliance evaluations. HIM and compliance professionals alike are eager to learn the findings of these audits, and we look forward to sharing what we learn as soon as more information is available.

To learn more about these hot compliance topics, visit MRO at booth #325 at this year’s HCCA Compliance Institute. Fill out the form to schedule your meeting.


Insights from MRO’s Legal Expert: Release of Information – Risky Business

While cyberattacks and device theft make good news stories, it’s far more likely for Protected Health Information (PHI) breaches to occur during routine Release of Information (ROI) requests. These improper disclosures are just as damaging to healthcare organizations as larger breaches. With this in mind, safeguarding health organizations against breach should be a top priority.

Factors driving breach risk

As PHI disclosure points and ROI requests increase, the likelihood of breaches occurring during the ROI process will also increase. Differing electronic medical record (EMR) systems and a lack of standardized policies and procedures contribute to the rise in breach risk associated with the recent surge in healthcare mergers and acquisitions. Another factor is the growing volume of requests in a changing market.

An emphasis on value and quality care means more commercial and government payer audits. Additionally, more and more patients wish to be directly involved in healthcare decisions and thus want greater access to their records. This larger number of requests, along with the faster and more frequent exchange of PHI, will logically lead to increased risk.

Unintentional employee actions cause breach

MRO research shows 20-30 percent of ROI authorizations are initially invalid, and without a second review, up to 10 percent of these invalid authorizations are processed. Additionally, five percent of data in EMRs have data integrity issues, such as commingled records, which can lead to improper disclosures. This is likely due to employee negligence. According to a May 2016 Ponemon Institute survey, 36 percent of PHI data breaches were caused by “unintentional employee action.”

The cost of PHI breach

Breaches are costly. Each breach costs between $8,000 and $300,000, according to the American National Standards Institute, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, and up to $1.5 million for recurrence. But the cost isn’t just monetary – breach also means loss of brand value.

According to Ponemon, 89 percent of surveyed healthcare organizations reported a PHI breach between May 2014 and May 2016, and 45 percent reported more than five in that same timeframe. As of January 2017, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has assessed approximately $58.51 million in settlement agreement fines or civil money penalties for data breaches.

ROI is a risky business. In today’s changing HIM landscape, the need for safeguarding health organizations against breach has grown exponentially. Standardizing policies and procedures by implementing an enterprise-wide strategy for PHI disclosure management, ensuring multiple layers of Quality Assurance are applied throughout the release process, and employing a well-trained and knowledgeable workforce are best practices for preventing small breaches that could potentially occur during the ROI process.

To learn more, fill out the form and read our eBook, Breach Risk in Release of Information: Don’t Leave Risk to Chance.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.


Integrating patient-generated health data into electronic medical records

With the advent of healthcare tracking apps and wearable technology, patients are now playing a more active role in their healthcare. This phenomenon is known as patient-generated health data (PGHD), which the US Department of Health and Human Services’ (HHS) Office of the National Coordinator of Health Information Technology (ONC) defines as “health-related data created, recorded, or gathered by or from patients (or family members or caregivers) to help address a health concern.”

As this information is incorporated into electronic medical records (EMRs), PGHD can provide a more comprehensive picture, since health information is collected continuously between medical visits. This sharing of PGHD leads to shared decision-making and results in improved care, helping prevent issues from being overlooked, and cutting down the number of redundant or unnecessary tests, which saves money.

As the use of PGHD continues to increase, determining how to incorporate the stream of information into EMRs, as well as how to utilize this newly minted Protected Health Information (PHI), is a top concern.

Information Governance strategies for managing PGHD

Developing a strong Information Governance (IG) plan, including a mapping strategy, is imperative to successfully incorporating PGHD into patient EMRs. Health Information Management (HIM) leaders need to talk to their teams about which PGHD should actually be used and how to integrate that information.

Since there are no existing standards for PGHD, healthcare organizations need to be wary of multiple sources of information, which can cause information integrity issues. Ensuring patient data comes from properly calibrated equipment is one concern. Once the information is incorporated into EMRs, the question becomes how best to utilize it.

For example, tracking weight is important for congestive heart failure patients, and sending scale readings to doctors can alert them when significant and dangerous spikes occur, prompting doctors to take action. This is where data mapping becomes key. Identifying what information is relevant will help to avoid burdening physicians with reviewing large amounts of information in a relatively short time, and will help keep patient expectations realistic.

Continued education for providers and patients

It is important to develop site-specific training for incorporating and leveraging PGHD. This ongoing training should keep team members up to date on best practices for maintaining and utilizing PGHD, as well as handling the Release of Information (ROI) for this new data. Additionally, it is important for patients to be informed not only of the benefits of PGHD, but of their responsibilities in the gathering and use of PGHD as well.

MRO will be presenting on the topic of PGHD at the 2017 annual meetings of ASHIMA, MOHIMA/KLIMA, ILHIMA and TXHIMA. To see a full calendar of tradeshow events at which you can visit with MRO, please view our event listings.


Insights from MRO’s legal expert: Mitigating risk through HIPAA risk analysis

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Illinois-based Presence Health agreed to settle potential HIPAA Breach Notification Rule violations by paying $475,000 and implementing a corrective action plan. This is the OCR’s first settlement based on the untimely reporting of a breach of Protected Health Information (PHI), and signals a new direction in HIPAA enforcement.

There are many ways healthcare organizations can ensure compliance to HIPAA Security, Privacy and Breach Notification Rules, and in this blog post, we will focus on consistently conducting HIPAA risk analyses.

Risk analysis is a process used to develop a firm understanding of the location of PHI and electronic PHI (ePHI) across an enterprise. Completing this process can also help identify potential points of disclosure and improve breach management.

Here are three key points about risk analysis:

1. Risk analysis must be a living document

Regularly conducting accurate and thorough assessments of potential risks and vulnerabilities is imperative. As stated, this assessment should identify the location of all PHI and list potential threats, including its vulnerability to impermissible use and disclosure. Additionally, the assessment should list corrective actions for such instances. The Office of the National Coordinator for Health Information Technology (ONC) website offers an interactive tool for conducting risk analysis, and helps determine if and when organizations need to take corrective action.

2. Conduct Business Associate risk analysis

Healthcare organizations need to assess risks for all Business Associates (BAs) that can share or access PHI. During this analysis, organizations need to ensure Business Associate Agreements (BAAs) are in place with all BAs, including partners in the Health Information Management (HIM) space, and other vendors less directly involved with health information, like food service operations or revenue cycle management partners. Inquiring about BAs’ risk analyses, risk management plans and breach notification plans should be a major focus of BA reviews.

3. Ensure breach notification compliance

Risk analyses should include a review of breach notification compliance. In general, incidents involving fewer than 500 patients need to be reported to the OCR within 60 days after the end of the year; incidents involving more than 500 patients need to be reported within 60 days of the incident.

If a breach risk assessment concludes that the probability of compromise was low, and therefore that no reportable breach occurred, the organization must document the justification for that finding. For any incident determined to be a reportable breach, organizations will need to document a timeline from discovery to notification.
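The two reporting windows described above, and the discovery-to-notification timeline an organization must document, can be scripted so the deadline is computed the same way every time. The following is an added example, not MRO's tooling; the dates and counts are constructed, and it assumes (the text leaves this unstated) that an incident affecting exactly 500 patients falls under the per-incident window.

```python
# Added example: OCR breach-notification deadline and documented timeline.
# Constructed data; not MRO's code.
from datetime import date, timedelta
from typing import Any, Dict

LARGE_BREACH_THRESHOLD = 500   # assumption: 500 or more uses the per-incident window
WINDOW = timedelta(days=60)    # both windows in the text are 60 days


def ocr_notification_deadline(discovered: date, affected: int) -> date:
    """Larger breach: 60 days from discovery.
    Smaller breach: 60 days after the end of the calendar year of discovery."""
    if affected >= LARGE_BREACH_THRESHOLD:
        return discovered + WINDOW
    year_end = date(discovered.year, 12, 31)
    return year_end + WINDOW


def notification_timeline(discovered: date, notified: date, affected: int) -> Dict[str, Any]:
    """Discovery-to-notification record with a timeliness verdict, i.e. the
    timeline the text says must be kept for every reportable breach."""
    deadline = ocr_notification_deadline(discovered, affected)
    return {
        "affected": affected,
        "discovered": discovered.isoformat(),
        "deadline": deadline.isoformat(),
        "notified": notified.isoformat(),
        "days_discovery_to_notice": (notified - discovered).days,
        "timely": notified <= deadline,
    }


if __name__ == "__main__":
    # Constructed incidents: one large breach reported late, one small breach
    # reported the following year within its window.
    for args in [(date(2016, 3, 10), date(2016, 5, 20), 1200),
                 (date(2016, 3, 10), date(2017, 2, 15), 12)]:
        print(notification_timeline(*args))
```

Running the block prints one timeline per constructed incident; the large breach discovered on 10 March 2016 has a deadline of 9 May 2016, so notifying on 20 May is late, while the 12-patient incident discovered the same day has until 1 March 2017.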

For additional risk mitigation best practices, fill out the form below and receive a copy of MRO’s white paper, Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Processes and Risk.


Insights from MRO’s legal expert: Exploring patient access to Protected Health Information

President Obama’s Precision Medicine Initiative has encouraged millions of Americans to share their Protected Health Information (PHI) with the federal government. This push means providers should dedicate more time and resources to helping patients through the requesting process. With this in mind, my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, and I co-authored an article for Compliance Today, reviewing the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) patient access FAQs and guidance.

In this post, I’ll review a few compliance concerns related to patient access.

Patient requests are different than third party requests

Requiring patients and their personal representatives to submit HIPAA-compliant authorizations in order to obtain access to their PHI is one of the most common compliance mistakes. Healthcare organizations may require patients to request in writing and on provider-supplied forms, but these requirements cannot create a barrier to or unreasonably delay patient access to health information.

Designated record set may not be clearly defined

Providers should utilize the designated record set (DRS) to collect information for patient requests. The DRS contains any information used to make decisions about an individual, including medical records, billing records, insurance information, clinical lab test results, medical imaging, wellness and disease management profiles, clinical case notes and other items. Ensuring patient access may become a compliance challenge when the DRS is not clearly defined.

Timeliness and format

One major focus of the patient access FAQs is the emphasis on timely fulfillment of patient requests for access to health information, usually within 30 days. If a request cannot meet the specified turnaround time, the provider must notify the patient, explaining the reason for the delay and when the patient can expect their records.

Additionally, providers should give patients their PHI in the form and format requested. The copies should be delivered to patients for a “reasonable, cost-based” fee.

For a more in depth look at patient access, read the full Compliance Today article.


5 tips for ensuring quality in PHI disclosure management


With a greater demand for Protected Health Information (PHI) comes the potential for a greater number of breaches, especially small breaches due to unintentional improper disclosures. Since 2009, over 180,000 small breaches impacting fewer than 500 patients at a time have been reported to the Office for Civil Rights (OCR). The escalated demand and risk associated with sharing PHI creates a serious need for improved accuracy and quality.

Here are five tips for ensuring quality in the Release of Information (ROI) process, so you can keep your organization running smoothly and compliantly.

1) Perform multiple Quality Assurance checks

Instituting multiple Quality Assurance (QA) checks on every release will dramatically improve your disclosure accuracy. Leverage technology to catch human error, and have a second set of eyes on everything before it is released. Some items to double-check include:

  • HIPAA-required criteria
  • Accuracy of patient information
  • Dates of treatment against authorization
  • Record content for commingled patient documents
  • Mailing envelope for correct address

2) Send notifications to requesters

Notify requesters of deficiencies in their requests to increase authorization efficiency. Developing a consistent methodology will streamline the authorization process and help prevent disclosure of unauthorized requests.

3) Develop a rules-based application

Developing a rules-based application that evaluates requests for HIPAA compliance and other requirements, like checking subpoenas for quash periods, will increase efficiency by automating previously manual steps.

4) Perform a final review of content and timeframe

Review the content of requested information to ensure there are no commingled records. As a best practice, leverage record integrity applications that use optical character recognition technology to assist staff in performing these quality checks. Additionally, check that all records included for release fall within the timeframe requested. This is another iteration of “perform multiple QA checks,” but the importance of checking and rechecking cannot be stressed enough.

5) Create a uniform ROI training program

Train and retrain employees in all aspects of ROI. Without well-trained employees, all the cutting-edge technology and expertly crafted workflows will not do much to prevent breach. Revise and update this training at least annually, and be sure to document all training.
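The five tips above describe one gate that every release should pass through: validate the authorization, check the pulled pages against it, check the envelope, and hold anything with a deficiency so a human can review it and notify the requester. The block below is an added example of such a rules-based check, not MRO's code or IdentiScan; the `Authorization` and `RecordPage` types, the sample patient identifiers and the addresses are constructed, and the authorization fields are only a subset of the core elements a HIPAA-compliant authorization carries.

```python
# Added example: a release-of-information QA gate applying the checks from
# the five tips above. Constructed data and types; not MRO's code.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Authorization:
    """Hypothetical authorization; a subset of the core elements on a valid form."""
    patient_id: str
    service_from: date            # dates of treatment the patient authorized
    service_to: date
    expires: date                 # expiration date written on the form
    signed_on: Optional[date]     # None means the form was never signed
    purpose: str                  # empty string means no purpose was stated
    recipient_address: str


@dataclass(frozen=True)
class RecordPage:
    """One page pulled from the EMR for this release."""
    patient_id: str
    service_date: date
    doc_type: str


def check_authorization(auth: Authorization, today: date) -> List[str]:
    """Tip 1: HIPAA-required criteria, checked before any record is touched."""
    problems = []
    if auth.signed_on is None:
        problems.append("authorization is not signed")
    if not auth.purpose.strip():
        problems.append("authorization states no purpose")
    if auth.expires < today:
        problems.append(f"authorization expired on {auth.expires.isoformat()}")
    if auth.service_from > auth.service_to:
        problems.append("authorized date range is inverted")
    return problems


def check_release_content(auth: Authorization, pages: List[RecordPage]) -> List[str]:
    """Tips 1 and 4: flag commingled pages and pages outside the authorized timeframe."""
    problems = []
    for n, page in enumerate(pages, start=1):
        if page.patient_id != auth.patient_id:
            problems.append(f"page {n} ({page.doc_type}) belongs to patient "
                            f"{page.patient_id}, not {auth.patient_id}: commingled")
        elif not (auth.service_from <= page.service_date <= auth.service_to):
            problems.append(f"page {n} ({page.doc_type}) dated "
                            f"{page.service_date.isoformat()} is outside the authorized range")
    return problems


def check_envelope(auth: Authorization, envelope_address: str) -> List[str]:
    """Tip 1: the mailing envelope must match the recipient on the authorization."""
    def norm(s: str) -> str:
        return " ".join(s.upper().split())
    if norm(envelope_address) != norm(auth.recipient_address):
        return ["envelope address does not match the authorized recipient"]
    return []


def release_decision(auth: Authorization, pages: List[RecordPage],
                     envelope_address: str, today: date) -> Tuple[bool, List[str]]:
    """The second set of eyes, in code: release only when every check passes.
    Every deficiency is returned together, which is also what a requester
    deficiency notice (tip 2) is built from."""
    problems = (check_authorization(auth, today)
                + check_release_content(auth, pages)
                + check_envelope(auth, envelope_address))
    return (not problems, problems)


# Constructed sample data: one authorization and three pulled pages.
SAMPLE_AUTH = Authorization(
    patient_id="MRN-100234", service_from=date(2016, 1, 1), service_to=date(2016, 6, 30),
    expires=date(2017, 1, 1), signed_on=date(2016, 7, 5), purpose="continuity of care",
    recipient_address="Dr. A. Example, 1 Clinic Way, Anytown, PA 19000")

SAMPLE_PAGES = [
    RecordPage("MRN-100234", date(2016, 2, 14), "progress note"),
    RecordPage("MRN-100234", date(2016, 9, 2), "lab result"),         # outside timeframe
    RecordPage("MRN-100981", date(2016, 3, 3), "discharge summary"),  # commingled
]


def demo() -> Tuple[bool, List[str]]:
    return release_decision(SAMPLE_AUTH, SAMPLE_PAGES,
                            SAMPLE_AUTH.recipient_address, today=date(2016, 7, 6))


if __name__ == "__main__":
    cleared, problems = demo()
    print("CLEARED" if cleared else "HELD FOR REVIEW")
    for p in problems:
        print(" -", p)
```

On the constructed data the release is held with two findings, the out-of-range lab result and the commingled discharge summary; removing those pages clears it, and re-running the same clean set with a `today` after the form's expiration date holds it again. The gate is deliberately all-or-nothing: the point of tip 4 is that a single commingled page is a breach, so partial clearance is never offered.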

By implementing sophisticated ROI workflows and technologies, and employing expertly trained professionals, healthcare organizations can prevent breach. Often an advanced PHI disclosure management firm can provide the right people, technology and services to ensure compliance.

Watch this video detailing MRO’s National Service Center to see these best practices in action, and fill out the form below to download more information about our service teams.


Updates from the OCR: Phase 2 of the HIPAA Audit Program


At the recent National HIPAA Summit in Washington, D.C., Jocelyn Samuels, Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), and Deputy Director Deven McGraw, gave an update on the OCR’s compliance enforcement efforts, including the status of the HIPAA Audit Program, which launched Phase 2 in March 2016.


The OCR stated that they plan to complete 200-250 audits of Covered Entities (CEs) and Business Associates (BAs) over the course of three stages during Phase 2 of the HIPAA Audit Program. Currently, the OCR is in the process of evaluating documentation it received from the 167 CEs selected in June 2016 to participate in the first stage of Phase 2. Preliminary draft audit reports will soon be sent to audited CEs for their feedback, before the drafting of final reports. The OCR anticipates completing the first stage of Phase 2 by the end of 2016.

Future Outlook: Second and Third Stages for Phase 2 HIPAA Audits


In the meantime, the OCR plans to launch the second stage of Phase 2 – BA desk audits – in October 2016. The OCR will select 40-50 BAs from lists provided by stage one CE auditees to participate in stage two. Those BAs selected for the second stage will be evaluated on CE breach notification and compliance with the HIPAA Security Rule. Prior to the launch of the second stage, selected BAs will be invited to participate in a webinar hosted by the OCR, allowing the BAs to ask questions. Like stage one, selected BAs will have ten days to respond to the OCR’s request for documentation and will be given an opportunity to review and provide feedback on a draft of the report before the final version is completed.

In the next few months, the OCR will initiate the third stage, which will consist of onsite audits of select CEs and BAs. The OCR does not yet have an exact number of audits for stage three, but anticipates conducting only a small number.

After completing Phase 2 of the HIPAA Audit Program, the OCR will issue a public report, which will aggregate and address “lessons learned,” including best practices for BAs and CEs to implement.


Even for organizations not selected for participation in Phase 2, the OCR strongly encourages all CEs and BAs to review and implement the audit protocols, as most organizations that have entered into resolution agreements and civil money penalties with the OCR have been cited for not having proper risk analyses and risk assessments in place.

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.


MRO will hold an informal HIPAA Q&A during the upcoming AHIMA16 convention in Booth #1020. If you’re attending the conference, please stop by.
