Virtual Academy recap: Six Tips for Business Associate Compliance

HIPAA compliance for Business Associates (BAs) was the topic of MRO’s AHIMA Virtual Privacy and Security Academy session this month. I presented alongside my colleagues Sara Goldstein, Esq., general counsel, and Rita Bowen, MA, RHIA, CHPS, SSGB, vice president of privacy, HIM policy and education.

During this three-credit course, we discussed how BAs must now comply with the HIPAA Security Rule and certain provisions of both the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. We emphasized that BAs can be held liable for violating these rules, as well as for violations by their subcontractors.

We also covered several best practices BAs can follow to stay HIPAA-compliant and avoid liability, which you can learn more about in Sara Goldstein’s recent post.

Although it’s difficult to summarize all of the valuable insight shared during our session, the six major tips offered by our experts included:

1. Check your insurance policy
Verify insurance coverage in the event of a HIPAA violation.

2. Conduct regular internal and third-party audits
Regular internal and third-party technical audits are the foundation of implementing Security Rule administrative, physical and technical safeguards.

3. Consider applying for Health Information Trust Alliance (HITRUST) certification
HITRUST provides an information security framework to harmonize standards and regulations.

4. Implement the right technologies
Utilizing technologies like encryption, access tracking software and record integrity applications, powered by optical character recognition (OCR) software, can also drive BA HIPAA compliance.

5. Document compliance programs
Business Associate Agreements (BAAs) can ensure HIPAA compliance and hold subcontractors liable for potential violations.

6. Invest in training and education
Workforce members should undergo formal training at least once a year on privacy, security and compliance, as well as on federal and state disclosure laws, and the healthcare organization’s policies and procedures.

After covering these topics, the Virtual Academy session concluded with a fun, educational and impactful group activity where participants were assigned disclosure management case studies that explored how to identify HIPAA violations and breaches. Rita Bowen and I then tested the participants on their knowledge.

MRO’s team will delve further into the topic of BAs in the next session of AHIMA’s Virtual Privacy and Security Academy: “Advanced Business Associate and Subcontractor Management” on November 9, 2016. If you are interested in attending the session, please fill out the form below and you’ll receive MRO’s promo code for a 15 percent discount.

Five ways Business Associates can reduce breach risk and stay HIPAA-compliant

Business Associates (BAs) can be held liable for violations of certain provisions of the HIPAA Security, Privacy and Breach Notification Rules. Therefore, it is essential for BAs to ensure they have the appropriate measures in place, and are properly safeguarding the Protected Health Information (PHI) of Covered Entities (CEs).

As the trusted PHI disclosure management partner and BA of many of the nation’s leading healthcare provider organizations, MRO takes special measures to ensure compliance, and suggests fellow BAs add these tips to their checklists when reviewing their HIPAA compliance programs:

1. Review and update policies and procedures
One great way to verify that a BA has the required and up-to-date policies and procedures is to compare them to the HIPAA Administrative Simplification Rule’s table of contents, making sure the policies and procedures can be “cross-walked” to the applicable provisions of the HIPAA Rules.

2. Conduct a risk analysis on a regular basis
Conducting a thorough risk analysis provides the foundation for implementing many Security Rule safeguards. Additionally, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has cited organizations for failing to conduct proper and complete risk analyses in almost all its HIPAA violation resolution agreements. To help with this crucial process, HHS has published guidance that should be reviewed.

3. Confirm Business Associate Agreements
BAs can be held liable for certain violations of the HIPAA Regulations by their subcontractors—entities to whom the BA delegates a function, activity or service—if they do not have Business Associate Agreements (BAAs) in place. Therefore, it is critical that BAs have up-to-date BAAs with all subcontractors. For more information, HHS has published guidance on BAAs, containing a sample agreement.

4. Train your workforce
Workforce members should undergo formal training at least once a year to ensure they understand PHI use and disclosure requirements under federal and state law, and what policies and procedures the healthcare organization has implemented to ensure compliance.

5. Confirm insurance status
In the past year, organizations across the country have paid more than $16 million as part of resolution agreements and civil money penalties to the OCR for HIPAA violations. Given the cost of HIPAA violations, it is important that BAs confirm they have insurance coverage in the event of a HIPAA violation. This is especially important because many CEs require that their BAs indemnify them in the event of such an incident.

MRO will present on this topic on August 17, 2016 in AHIMA’s Virtual Privacy and Security Academy session “HIPAA Compliance for Business Associates,” worth three credits. Please enter your email address below to receive our special promo codes for 15 percent off registration.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

5 essential tips for avoiding a HIPAA violation

As more health information is stored and transmitted electronically, the risk of such data being compromised or breached is growing. In this environment, Protected Health Information (PHI) obviously must be secure, but also accessible to authorized requesters, as mandated by HIPAA.

I explored all aspects of HIPAA compliance in greater detail in a June 2016 Group Practice Journal article. The following are brief summaries of the five tips discussed in the article:

1. Avoid Patient Access Barriers
HIPAA-compliant authorizations are only required when a third party requests access to a patient’s PHI. Provider organizations can require that patients use a specific form to request their own PHI, but the form cannot create an access obstacle. Another compliance consideration is that patients’ personal representatives have the same rights as the individual to the PHI, provided they can supply information regarding their authority to act on behalf of the patient.

2. Implement HIPAA Security Rule Safeguards
Almost all organizations investigated by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) for complaints or breaches have been cited for not properly conducting a risk analysis. This essential element is one of the technical safeguards that Covered Entities (CEs) and Business Associates (BAs) must comply with under the HIPAA Security Rule. Conducting a risk analysis, as well as assessing the organization’s physical and technical PHI safeguards, should also be considered.

3. Reduce Breach Risk
Standardizing PHI policies and procedures and centralizing Release of Information (ROI) processes can reduce breach risk. In addition, engaging vendors who offer advanced technology, highly trained and knowledgeable staff, and HIPAA-compliant best practices to manage ROI offer providers an enhanced level of breach protection.

4. Train and Audit Staff
As the technologies used to manage PHI evolve, organizations must provide ongoing education and training to staff. This includes ensuring that staff understand the technology and that they follow HIPAA-compliant procedures to prevent breaches while offering unencumbered access to authorized parties. Testing staff year-round, including mock breaches to simulate the response steps, is also important.

5. Assess Business Associates
Ensure your BAs are also in compliance with applicable state and federal privacy and security laws. Periodic vendor assessments will help ensure BA compliance with HIPAA and Business Associate Agreements (BAAs).

To learn about these five steps and more, please fill out the form below to receive a complimentary copy of the Group Practice Journal article.

Privacy and security series, part 1: OCR protocols for phase 2 HIPAA audits

On March 21, 2016, the Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), Jocelyn Samuels, announced the launch of Phase 2 of its HIPAA compliance audit program for covered entities and business associates. Expanding upon Phase 1 audits conducted in 2012, Phase 2 audits will use newly released audit protocols.

What to expect
Phase 2 of the HIPAA audit program is now in effect, starting this month with limited-scope desk audits that run until July, followed by on-site full compliance audits later in 2016. Additional details on what to expect from the audits are outlined in our previous Phase 2 audits blog post, which can be accessed here. In this post, we’ll take a look at the recently announced audit protocols, which had not yet been released at the time of our last post, and how your organization can ensure it’s prepared.

The new audit protocols are more specific than the previous audit protocols, addressing documentation requirements more comprehensively than the 2012 version. In total, there are 169 audit protocols: 78 for security, 81 for privacy and 10 for breach notification. Approximately one-third of the protocols ask for documentation, which will need to be submitted electronically to the OCR’s new secure online portal. With regard to privacy, the major areas are 1) uses and disclosures, 2) minimum necessary standard, 3) patient rights, 4) notice of privacy practices, 5) business associates and 6) administrative requirements.

How to prepare your organization
The best way to get ready for these compliance audits is to prepare the workforce and assemble an audit team that can communicate effectively with senior management and champion compliance activities. Here’s how to get started:

  • Educate the team: Present information on the audit protocols and inquiries, reviewing how and where your organization’s relevant documentation can be accessed for potential audit requests.
  • Conduct internal audits: After the review, a mock audit team could be assembled to simulate complying with some or all of the Phase 2 audit protocols.
  • Address potential gaps: The mock audit should help identify areas where policies and procedures may be lacking or insufficiently documented. Those corrections should be completed before the Phase 2 desk audits begin.

Although the OCR released the protocols prior to soliciting input, it invites the public to submit feedback by emailing OSOCRAudit@hhs.gov.

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.

PHI disclosure legal issues, part 5: Removing barriers to patient access, continued

In the previous post of our five-part Legal Issues blog series, we explored the FAQs that the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in recent months concerning patient access to Protected Health Information (PHI). The FAQs were generated in response to recent studies and OCR investigations that found patients often face obstacles when trying to access their health information from hospitals and physician practices.

The last post described potential barriers in the request stage of the Release of Information (ROI) process for patients, which you can read here. This post, the final in our Legal Issues series, will focus on the release stage of the process.

Provide patients with access to their “designated record set”
HIPAA entitles patients to access their “designated record set,” which consists of a broad array of health information including: medical and billing records; insurance information; clinical laboratory test results; medical imaging; wellness and disease management program files; and clinical case notes. The OCR’s FAQs provide guidance on what should be considered part of a designated record set and should be reviewed by providers to ensure compliance.

Deliver PHI in the requested format
Under HIPAA, patients are entitled to receive copies of their PHI in the form and format they request. If that’s not feasible, the PHI must be in a readable format agreed to by the provider and patient. Thus, if a patient requests copies of their electronically-stored PHI in the same format, a provider should offer the requested PHI copies in an email, on a CD-ROM, or in another electronic method. The same rule applies if the patient requests copies of their PHI be delivered on paper.

Release PHI within 30 days of receipt of the request
A major focus of the OCR’s recent FAQs is the importance of providing patients with access to their PHI within 30 days of receipt of the request. In the rare case that a longer turnaround time is unavoidable, the provider must notify the patient of the delay, explain why it has occurred, and state when the patient should expect to receive copies of their PHI.

Providers should review their turnaround times and make sure they are in line with this requirement. Having a form letter prepared in the event that there is a delay is also a good idea.

I hope you enjoyed reading the posts in this Legal Issue series as much as I enjoyed writing them. To be sure you never miss a new post, you can subscribe to MRO’s blog below.

PHI disclosure legal issues, part 4: Removing barriers to patient access

Over the past few months, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published several FAQs related to patient access to Protected Health Information (PHI). These FAQs were generated in response to recent studies and OCR investigations that found that patients often face obstacles when trying to access their health information from hospitals and physician practices.

In continuation with our Legal Issues blog series, parts four and five will explore ways providers can avoid patient complaints being filed against them with the OCR regarding PHI access that could lead to investigations and possible enforcement actions. Part four is about removing obstacles from patients requesting their PHI, while part five will look at how providers can properly disclose patients’ information.

HIPAA-compliant authorization not required
HIPAA-compliant authorizations are required when a third party is requesting access to a patient’s PHI. However, a patient or a patient’s authorized representatives (see below) do not need to provide a HIPAA-compliant authorization to obtain access to the patient’s own PHI. A patient can simply submit their request in writing to their healthcare provider, provided that the request contains enough information for the healthcare provider to verify the patient’s identity.

Providers can require that patients use a specific form to request access to their PHI, but the form cannot create an access obstacle. Healthcare providers need to review what documentation they are requiring patients to provide to release their information and ensure that access is not obstructed.

Honor the personal representative’s Release of Information (ROI) request
Under HIPAA, a patient’s personal representative has the same right as the patient to access the patient’s PHI. Examples of personal representatives include holders of a healthcare power of attorney and the parents/guardians of minor children.

Providers should ensure, however, that the personal representative’s request includes information regarding his or her authority to act on behalf of the patient, such as a healthcare power of attorney executed in accordance with applicable state law. Medical providers should make sure their policies do not create a barrier to access for personal representatives.

In light of the OCR’s recent FAQs, healthcare providers should make efforts towards enhancing their patient request policies and procedures to ensure they are providing patients with timely access to their PHI. At MRO, we are dedicated to providing patients with timely access to their PHI and have recently launched a new Patient Advocate Program to guide patients through the ROI process.

In the final segment of our Legal Issues blog series, we’ll take a look at how providers can ensure proper and compliant disclosure of patient information. Don’t want to miss part five? Sign up for future MRO blog posts below.

OCR HIPAA Phase 2 Audits: What to Expect

On Monday, March 21, I attended the 24th National HIPAA Summit in Washington, D.C., where Jocelyn Samuels, Director of the HHS Office for Civil Rights (OCR), announced the launch of Phase 2 of its HIPAA audits of Covered Entities (CEs) and Business Associates (BAs). The OCR anticipates conducting approximately 200 audits during Phase 2 of the HIPAA Audit Program, which will be executed in three stages. The first stage will involve desk audits of CEs; desk audits of BAs will be conducted during the second stage; and on-site audits of both CEs and BAs will be performed during the third stage.

What is the HIPAA Audit Program?
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the OCR conduct periodic audits of CEs and BAs to evaluate their compliance with the HIPAA Privacy, Security and Breach Notification Rules.

Completed in 2012, Phase 1 of the HIPAA Audit Program involved approximately 115 audits of CEs. This first phase of audits found that many of the participants lacked awareness of key Privacy and Security Rule requirements, such as the need to provide patients with Notices of Privacy Practices, the proper protocol for providing individuals and their personal representatives with timely access to the individual’s Protected Health Information (PHI), the need to conduct a risk analysis on a regular basis, and the importance of disposing of media containing PHI in a secure manner.

Who will be subject to Phase 2 of the HIPAA Audit Program and how will participants be selected?
Since announcing the launch of Phase 2 of the HIPAA Audit Program, the OCR has started sending emails to CEs to verify contact information. CEs need to check their spam filters to ensure that any emails from the OCR have not been incorrectly identified as junk email.

Those CEs who are asked by the OCR to verify their contact information may eventually be sent a pre-audit questionnaire that will ask recipients a host of questions about their organization, including where they are located, how many employees they have, what services they provide, and who their BAs are. The questionnaires will be used by the OCR to determine which CEs and BAs will be selected to participate in Phase 2 of the HIPAA Audit Program. The OCR wants to audit a diverse selection of CEs and BAs that will range in size, type and location.

All CEs and BAs are eligible for an audit and could be asked to participate in either one or two stages of Phase 2 of the HIPAA Audit Program. However, CEs or BAs who are involved in an ongoing OCR complaint investigation or compliance review will not be selected as an audit participant during Phase 2 of the HIPAA Audit Program.

What is the timeline for the three stages?
Stage 1 – Desk Audits of CEs

The first stage of Phase 2 of the HIPAA Audit Program will involve desk audits of CEs. The focus of these desk audits will be on the CE’s compliance with specific requirements of the Privacy, Security or Breach Notification Rules. Audit participants should be prepared to share their risk analyses, policies and procedures and their Notice of Privacy Practices with the OCR. It appears that the OCR will also be interested in learning how the CE processes individuals’ requests for PHI copies. The OCR states that these desk audits will be completed by the end of December 2016.

Stage 2 – Desk Audits of BAs

The second stage of Phase 2 will be very similar to the first stage, except desk audits will be conducted on BAs. The OCR states that these desk audits will also be completed by the end of December 2016.

Stage 3 – On-Site Audits of CEs and BAs

The third stage of Phase 2 will involve on-site audits of select CEs and BAs. These on-site audits will be comprehensive and will likely include a three- to five-day on-site visit by the OCR.

What’s next?
Any day now, the OCR will be publishing audit protocols for Phase 2 of the HIPAA Audit Program. These protocols will provide instructions to CEs and BAs on what the OCR will be evaluating during the various stages of Phase 2.

MRO will be sharing helpful tips to our clients in upcoming email and webinar formats. Stay tuned for more details.

HIMSS16 Reflections

After a busy yet exciting week at HIMSS16, most attendees are settling back into their daily routines, but strong impressions from the event remain. Main takeaways tend to vary from year to year, and this time, privacy and security was a prevailing theme across the HIMSS floor.

Several of MRO’s executive leaders shared insights from the event that reinforced this idea. For example, Charlie Wilson, CIO of MRO, noted, “A security awareness permeated the show, as there were a host of vendors that focused on cybersecurity, encryption, risk management, single sign-on with two-factor authentication; and there was buzz created by recent breach incidents, both domestic and international.” With the potential for both internal and external threats, his comments point out the wide range of issues that underlie security concerns.

Healthcare organizations clearly need to cover many fronts as part of their privacy and security vigilance; chief among them are enforcement of policies and procedures, protection of data integrity and mitigation of risk.

“Privacy, security and compliance are of paramount importance across the spectrum of healthcare products and services,” said Wilson.

Best Practices and Tools
Best practice concepts in managing the secure flow of Protected Health Information (PHI) were among major topics of discussion. Steve Hynes, CEO of MRO, noted that the creation of a Data Governance plan was in the forefront of ideas. Defining procedures and accountability to support stated enterprise-wide policies can help align the various departments of a healthcare group in a common effort to meet privacy and security standards.

Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, HIM Policy and Education for MRO, saw a common focus on meeting these standards as well, saying, “innovation was a key theme.” Bowen noted the use of technology “as an enabling tool to assist in data quality and integrity standards, which are integral components of an organization’s Information Governance program.”

Finding and implementing the right tools can help organizations raise the bar to a higher level of data integrity. One example of such a tool is MRO’s IdentiScan®, introduced as a standalone record integrity application at HIMSS16. At MRO’s exhibit space, Bowen and colleague David Borden, CTO of MRO, demonstrated the tool which uses optical character recognition to review electronic medical records and flag any potentially misfiled records. Ensuring that the correct patient information is maintained in the health record is key to the successful use and exchange of PHI.

The conversations and awareness raised at HIMSS16 can serve to inspire healthcare providers and their business associates to implement new practices and technologies to improve privacy and security efforts. Healthcare organizations can collaborate with partners like MRO to build stronger methodologies and meet the challenges of enforcing compliance across their groups.

Missed MRO at HIMSS? No problem. Schedule your no-obligation demo of IdentiScan today and learn how you can improve record integrity, patient safety and quality of care.

Information governance requires technology, consistency and HIM leadership

More Protected Health Information (PHI) and other data is coming in and going out of healthcare organizations than ever before. Electronic medical records (EMRs) and numerous electronic devices make accessing and exchanging information much easier than with paper. But it’s also easier to disclose PHI to an unauthorized recipient, resulting in a breach that is costly not only financially but also to an organization’s reputation.

This challenge—among many others—has spurred the adoption of Information Governance (IG) programs across organizations. Protecting patient information and mitigating an organization’s risk, however, are only two reasons why implementing an IG program at your organization is so important.

Crucial to implementing an IG program is having the right technology and a knowledgeable team in place, which we’ll explore in this blog post. But first, a little background about IG.

HIM becoming the IG leaders
In 2014, AHIMA laid out its eight IG principles, described in greater detail here. The overriding theme across these principles is that organizations need to implement consistent, standardized policies and procedures surrounding the access, disclosure and management of information across their enterprises.

To achieve this, collaboration with the CIO, HIT, Compliance and other senior executives is essential, but HIM can lead in helping design and implement an IG program. Why? Because HIM has the most applicable knowledge base and experience in ensuring consistent policies and procedures around managing PHI and other information.

Additional expertise HIM leaders can share includes best practices for educating other departments on compliant information access and disclosure. This leadership role should institute a continual effort to address gaps and ensure compliance with the organization’s IG program. HIM leaders also have insight into the technology that can help protect data integrity and prevent breaches.

How technology supports IG
As centralized policies are developed and communicated, technology solutions can be implemented to help manage information in a coordinated manner across the enterprise. One such tool available to support an organization’s IG efforts is MRO’s IdentiScan®, which uses optical character recognition technology to search medical record content to identify and correct comingled records containing information for multiple patients. Correcting comingled records prior to Release of Information (ROI) can prevent a PHI breach, but more importantly, it can protect patient safety and improve quality care by ensuring that providers are reviewing the right data for the right patient.

Eliminating mixed records using this automated validation process can noticeably enhance overall accuracy. For example, one large health system we assisted utilized eight full-time employees just to perform quality reviews of their charts at the point of patient discharge. Even with this extra layer of focused manual checks, IdentiScan detected more than 350 instances of comingled patient records, in addition to what the healthcare organization’s staff found over the course of nearly two and a half years.

Integrity is one of AHIMA’s primary IG principles, focusing on eliminating errors and ensuring accuracy. IdentiScan also supports organizations in helping follow most of AHIMA’s other IG principles, including Protection, Compliance, Availability and Accountability. However, advanced technology alone won’t help organizations achieve their IG goals. Technology is only a tool that supports a knowledgeable, highly trained staff of HIM experts. This staff can help organizations achieve the AHIMA IG goals of helping to improve patient safety, care quality, interoperability and organization-wide efficiency, among others.

Schedule a no-obligation demonstration of MRO’s IdentiScan today to learn how our technology can protect your organization’s data integrity and mitigate its breach risk.

PHI privacy and security challenges reign supreme in 2016

Health IT Outcomes reported that 2016 will mark “the end of EHR/MU’s five-year reign as the top health IT initiative with Protected Health Information (PHI) security taking over the top spot.”

I agree with the article author’s assessment that there are multiple PHI security and privacy concerns as we enter the second month of this new year. The top risks I see include:

  • Mobile device protection: Device theft is a major risk, but so is how PHI is exchanged using these devices.
  • Data segmentation: Ensuring disclosed PHI includes only the information the patient has authorized providers to share is an emerging challenge in our electronic age.
  • Data integrity: Errors, redundancies and gaps in the electronic medical record (EMR) can result in inaccurate Release of Information (ROI)—such as including PHI about the wrong patient due to comingled records—which would qualify as a breach under HIPAA.
  • Cybercrime: Hackers are developing new techniques to steal PHI from hospitals.

However, a substantial PHI privacy and security issue that providers have an opportunity to control is the PHI disclosure process occurring within their own organizations. As we will explore in this post, establishing standardized disclosure policies and procedures and partnering with a tech-savvy PHI disclosure management partner can address emerging privacy and security issues and limit breach risk.

Small breach risk escalating
All indicators are pointing toward an increased focus in 2016 on small breaches, defined by the Department of Health and Human Services’ Office for Civil Rights (OCR) as those affecting fewer than 500 individuals. These types of breaches are often the result of an organizational failure to fully implement compliant privacy and security standards around the disclosure of PHI.

Research conducted by news organization ProPublica last year revealed that there had been 1,400 large breaches (affecting 500 or more individuals) since 2009, but also more than 181,000 small breaches. Despite their smaller size, small breaches are just as impactful to providers, carrying similar financial implications. According to a report by the American National Standards Institute, each incident can cost $8,000 to $300,000, not including HIPAA violation civil penalties. These penalties can reach as much as $50,000 per breach, with a maximum of $1.5 million annually for repeated occurrences.

While cybercrime or device thefts make for sensational headlines, breaches due to employee or organization errors are also reported in the news and can spread virally in social media, resulting in loss of brand value. As these trends continue, patient awareness of privacy and security concerns will increase, as will their expectations when a privacy and/or security event occurs.

Breach prevention tips
To protect your organization, establish and train a privacy and security incident response team before a breach occurs. Standardizing and enforcing policies and procedures around PHI access, use and disclosure in all departments is also important to mitigate breach risk.

Mitigation also includes educating staff on risks, such as how working too quickly can lead to careless mistakes that result in improper disclosure of health information. With PHI disclosure, we are called to strike the right balance between efficient workflows and excellence in accuracy.

Another best practice is to leverage technology to make the process secure, reliable and efficient. For example, MRO’s ROI solution includes the cutting-edge IdentiScan® data integrity application that uses optical character recognition technology to check medical documentation to identify comingled records. Errors are flagged and corrected by MRO’s Quality Assurance (QA) team before PHI is disclosed.

Data integrity
MRO is expanding IdentiScan’s capabilities this year to better ensure the data integrity within a health system’s EMR. There are many points at which patient records can become mixed, and by leveraging IdentiScan in this new way, we help identify and correct comingled records at every stage.
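To make concrete what an automated check for comingled records has to do before a release packet goes out (the workflow described in the breach prevention tips and in this data integrity section), here is a simplified identifier-consistency check. It is an added example written for this post, not MRO’s code and not a description of how IdentiScan works internally. It assumes OCR has already turned each page into text, that pages carry a header in a “Patient: LAST, FIRST  MRN: …  DOB: …” form, and that common OCR digit confusions (O for 0, l/I for 1) are the only noise; the patient identity, page texts and function names are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical data model for a single release request.
@dataclass(frozen=True)
class PatientIdentity:
    """The patient the release of information was authorized for."""
    name: str   # "LAST, FIRST"
    mrn: str    # medical record number, digits only
    dob: str    # ISO date YYYY-MM-DD

@dataclass(frozen=True)
class Finding:
    page: int
    kind: str    # "mismatch" (wrong patient on page) or "unidentified" (no identifiers seen)
    detail: str

# Assumed header layout of the OCR text; real documents vary far more than this.
_NAME_RE = re.compile(r"\bPatient(?:\s+Name)?\s*:\s*([A-Za-z'\-]+\s*,\s*[A-Za-z'\-]+)", re.I)
_MRN_RE = re.compile(r"\bMRN\s*[:#]?\s*([0-9OoIl]{6,10})\b", re.I)
_DOB_RE = re.compile(r"\bDOB\s*:?\s*(\d{4}-\d{2}-\d{2}|\d{1,2}/\d{1,2}/\d{4})\b", re.I)

# OCR frequently reads 0 as O and 1 as l or I inside numeric fields.
_OCR_DIGIT_FIXES = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1"})

def normalize_mrn(raw: str) -> str:
    return raw.translate(_OCR_DIGIT_FIXES)

def normalize_name(raw: str) -> str:
    last, first = (part.strip() for part in raw.split(",", 1))
    return f"{last.upper()}, {first.upper()}"

def normalize_dob(raw: str) -> str:
    """Accept MM/DD/YYYY or YYYY-MM-DD and return YYYY-MM-DD."""
    if "/" in raw:
        month, day, year = raw.split("/")
        return f"{year}-{int(month):02d}-{int(day):02d}"
    return raw

def extract_identifiers(page_text: str) -> dict:
    """Return whichever of name/mrn/dob the page header exposes, normalized."""
    found = {}
    m = _NAME_RE.search(page_text)
    if m:
        found["name"] = normalize_name(m.group(1))
    m = _MRN_RE.search(page_text)
    if m:
        found["mrn"] = normalize_mrn(m.group(1))
    m = _DOB_RE.search(page_text)
    if m:
        found["dob"] = normalize_dob(m.group(1))
    return found

def scan_packet(pages: list, expected: PatientIdentity) -> list:
    """Compare every page's identifiers against the authorized patient."""
    expected_vals = {
        "name": normalize_name(expected.name),
        "mrn": normalize_mrn(expected.mrn),
        "dob": normalize_dob(expected.dob),
    }
    findings = []
    for number, text in enumerate(pages, start=1):
        ids = extract_identifiers(text)
        if not ids:
            # A page with no recognizable identifiers cannot be cleared automatically.
            findings.append(Finding(number, "unidentified",
                                    "no patient identifiers recognized; route to manual QA"))
            continue
        for field_name, value in ids.items():
            if value != expected_vals[field_name]:
                findings.append(Finding(number, "mismatch",
                                        f"{field_name} '{value}' != expected '{expected_vals[field_name]}'"))
    return findings

def release_decision(findings: list) -> str:
    """HOLD on any mismatch; REVIEW if pages could not be identified; else RELEASE."""
    kinds = {f.kind for f in findings}
    if "mismatch" in kinds:
        return "HOLD"
    if "unidentified" in kinds:
        return "REVIEW"
    return "RELEASE"

# Constructed sample packet: pages 1-2 belong to the authorized patient (page 2 with
# OCR noise), page 3 is another patient's lab report, page 4 has no header at all.
EXPECTED_PATIENT = PatientIdentity(name="Doe, Jane", mrn="00123456", dob="1970-03-14")
SAMPLE_PAGES = [
    "Patient: DOE, JANE   MRN: 00123456   DOB: 1970-03-14\nDischarge Summary ...",
    "Patient Name: Doe, Jane  MRN: OO123456  DOB: 03/14/1970\nProgress Note ...",
    "Patient: SMITH, JOHN  MRN: 00987654  DOB: 1965-11-02\nLab Report ...",
    "Page 2 of 2 - continued lab values: WBC 7.2, Hgb 13.9",
]

if __name__ == "__main__":
    results = scan_packet(SAMPLE_PAGES, EXPECTED_PATIENT)
    for f in results:
        print(f"page {f.page}: {f.kind}: {f.detail}")
    print("decision:", release_decision(results))
```

The point of the decision function is that a mismatch blocks the release outright, while an unidentified page is a separate, lower-severity queue: both need a QA reviewer, but only the first is evidence of a comingled record, and the numbers in each queue are worth tracking over time as a measure of upstream EMR integrity.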

At the upcoming HIMSS16 conference in Las Vegas, my colleague David Borden, MRO’s CTO and inventor of IdentiScan, and I will be showcasing IdentiScan at MRO’s booth #6454. In our presentation, we will focus on how this kind of technology can safeguard healthcare organizations against breach and contribute to your Information Governance goals for data integrity.

For more information about our presentation and all the events at MRO’s booth, view our schedule.
