
CEO Spotlight, Part 2: Steve Hynes describes how MRO will lead the way amid the changing health information marketplace

Last week, we featured part 1 of our discussion with MRO’s CEO Steve Hynes where he described how the company evolved since its founding in 2002. In part 2 of that discussion, Steve looks to the future to explain how MRO’s technology will continue to innovate in the increasingly complex world of health information management (HIM) and exchange (HIE), and how healthcare organizations will be able to continue to rely on MRO’s technology, service and expertise to ensure their Protected Health Information (PHI) is safeguarded.

Q: Why do you think MRO continues to lead the industry in regards to its technology and innovation?
We put a lot of focus and resources into our technology vision in terms of making PHI exchange in the electronic age more secure, efficient and compliant with HIPAA and state regulations. David Borden, our chief technology officer, has done an excellent job of being our visionary in terms of technology. As provider and requester IT needs evolve, it is important for MRO to evolve with them. While we are in the service business, technology is a critical tool for delivering quality service.

Q: What do you see as the most pressing challenges facing healthcare provider organizations in 2016 and beyond in regards to exchanging health information?
A few of the challenges include merging disparate systems from within healthcare organizations and maintaining patient privacy as certain types of disclosures become more automated via HIE and interoperability. Having privacy and security experts, such as MRO, in their corner is essential in facing these challenges. We will continue to evolve our service and technology offerings to help healthcare organizations meet these challenges.

Q: Do you have any examples?
Sure, in 2016, we are rolling out a suite of health information technology (HIT) integrations called MROeLink® to streamline ROI workflows and improve accuracy through automation of the process. Additionally, we are expanding the capabilities of IdentiScan®, our proprietary Quality Assurance (QA) application that identifies comingled patient records. Soon, it will assist in quality checking every page of released documentation, ensuring the highest levels of accuracy; we are also exploring additional use cases to leverage this technology for data integrity purposes outside of the release process.

Q: How will you measure success for MRO?
In many, many ways, but in the end I have two primary metrics: our client retention rate and our KLAS rating. I don’t mean to minimize other metrics, but if we get those right, which we have thus far, then we will be successful.

To learn more about Steve’s vision for MRO and health information exchange, please watch the video below.


CEO Spotlight, Part 1: Steve Hynes discusses MRO’s steadfast adherence to innovation, compliance and client service

When MRO was founded in 2002, the healthcare industry was significantly different than it is today. Electronic medical records (EMRs) were in their infancy, and faxing and postal mail were the primary methods of compliantly exchanging Protected Health Information (PHI).

Fast-forward to 2016, and electronic PHI (ePHI) exchange is everywhere. While more efficient to manage, ePHI also raises new challenges and risks for healthcare provider organizations. With the start of the New Year, it is the ideal time to discuss the evolving state of PHI exchange with MRO’s co-founder and CEO, Steve Hynes, and how MRO will help clients rise to the challenges and mitigate those risks. In the first part of this discussion, Steve describes how MRO has evolved since its founding. In part two, Steve will describe what he sees for the future of MRO and the healthcare industry.

Q: How has your vision for MRO evolved since the company was founded in 2002?
When we founded MRO, our focus was on building a Release of Information (ROI) platform that would enable healthcare providers to process ROI in-house while partnering with MRO to provide Quality Assurance (QA), requester customer service and fulfillment, such as billing, collections and distribution. This is still what MRO offers as our ROI Shared Services model today. Since then, we have evolved our platform to be leveraged in fully-outsourced Staffed and Centralized Remote Services models that provide flexibility to meet client needs. We’ve also enhanced the platform to include new technology features that enable clients to exchange PHI at the highest accuracy and efficiency rates.

With a continued focus on innovation, technology and unparalleled service, MRO’s vision has expanded beyond ROI to address the many privacy and security compliance challenges healthcare organizations face in today’s age of information exchange and interoperability.

Q: What changes in the healthcare industry and/or MRO caused your vision to evolve?
EMR systems and health information exchange (HIE) have fundamentally changed the way healthcare organizations manage and share PHI. Health information management (HIM) and a myriad of other departments in a healthcare enterprise are accessing and exchanging ePHI with more requesters than ever before. There are several reasons behind the increased demand for medical records from patients and third-party requesters, such as the rising tide of payer audits that may require providers to share thousands of records at a time.

MRO was ahead of the curve in addressing these issues by enhancing our technology and expanding our service offerings so we could help organizations manage and share PHI more efficiently and productively, while improving HIPAA compliance in their exchange processes.

Q: What are some aspects of the vision that haven’t changed?
We set out to build the best PHI disclosure management platform in the industry and that remains an important component of our value proposition. In 2016 and the coming years, we will continue to enhance the platform with additional functionality and safeguards as ePHI exchange continues to expand across the industry. However, our vision will always include an unwavering focus on exceptional service quality.

Q: To what do you attribute MRO’s significant growth over the years, particularly in 2015 when the company was named to Inc. magazine’s 5000 fastest-growing companies?
We have built a client-first culture that cuts across our entire organization. This enables us to be responsive to client needs and drives a high client retention rate. You can’t grow if you don’t retain your clients! Our move in November 2015 to our new larger National Service Center near our former corporate offices demonstrates that commitment to our culture.

To learn more about how our National Service Center serves our clients, watch our facility video here.


PHI disclosure legal issues, part 3: Adopting ROI policies that are stricter than HIPAA and state laws


It comes as a surprise to many requesters of medical records that healthcare providers can implement policies that are stricter than both HIPAA and state law. This is because HIPAA was designed to permit the adoption of more stringent federal and state laws, as well as healthcare provider policies, to further safeguard Protected Health Information (PHI).

As Health Information Management (HIM) professionals are aware, the HIPAA privacy rule serves as a “federal floor” of privacy protections for patients’ PHI, meaning that it sets the minimum standards that healthcare providers must follow for disclosure.

States can enact laws that provide additional protections for PHI as long as they are not contrary to HIPAA, meaning that it should not be impossible for a healthcare provider to comply with both HIPAA and the state law; state law should not be an obstacle to accomplishing the purposes and objectives of HIPAA. Most states have adopted laws to further protect certain types of PHI from disclosure that are not specifically addressed by HIPAA or other federal laws, such as mental health records and PHI related to a patient’s treatment for AIDS/HIV.

Additionally, many healthcare providers have implemented their own disclosure policies that are more restrictive than both HIPAA and applicable state laws. For example, HIPAA and some states permit the disclosure of PHI when subpoenaed as long as it is accompanied by “satisfactory assurance” – documentation that the patient subject to the subpoena was notified and was given opportunity to object to the disclosure. A healthcare provider, however, can choose to adopt a more restrictive policy in the interest of protecting patient privacy, such as requiring that subpoenas be accompanied by a HIPAA-compliant authorization or a court order signed by a judge.

Facilities, however, should be cautious before adopting policies that are more stringent than HIPAA and state law because such policies may be seen as restricting a patient’s access to PHI. For example, it may seem more secure to only process requests for copies of PHI with a healthcare provider’s authorization. However, if such a policy were adopted and a HIPAA-compliant authorization were rejected, the facility may be subject to a complaint with the Office of Civil Rights (OCR) for restricting a patient’s access to their PHI. Thus, healthcare providers need to make sure that their policies do not run contrary to the objectives of HIPAA and the applicable state laws.

Given the myriad of federal and state laws related to disclosure of PHI, it is important that healthcare providers and their HIM staff adopt Release of Information (ROI) policies that do not contradict the applicable federal and state laws. MRO’s ROI specialists who work at our clients’ facilities are trained on how to disclose PHI according to the applicable federal and state laws and facility policies to ensure they remain compliant with all relevant rules and regulations.

This is the third post of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


Reputational damage of data breach the most lingering consequence


Few other industries emphasize and value reputation more than healthcare, especially when it concerns patient care quality and experience. When a provider organization discloses Protected Health Information (PHI) to an unauthorized party, that organization’s reputation can suffer significant damage. Reputational damage is just one of the elements that I described in my last post about the financial risks of a PHI breach, but I wanted to focus on it exclusively in this post because the consequences are so far reaching beyond financial penalties.

I also want to emphasize that healthcare organizations can help prevent the lingering reputational damage associated with a breach by partnering with a PHI disclosure management vendor that offers state-of-the-art technology and a highly trained and knowledgeable staff who are experts in HIPAA compliance and avoiding breaches.

Patients key stakeholders for reputational risk

A “negative reputation event,” such as a data breach, can cause a “loss of brand value” for healthcare providers, according to a group of healthcare and life sciences executives who were surveyed recently by consulting firm Deloitte.

The survey also found that customers (patients for healthcare organizations) were the “most important stakeholders for managing reputational risk.” Although patients can easily find out about a PHI breach in the news, smaller breaches, which are much more common, can also be damaging to hospitals’ reputations. Word of a breach can spread online through social media, such as Facebook and Twitter, through consumer rating sites, such as Yelp, and even through Google results when someone searches for the hospital. These online assessments are increasingly influencing patients’ expectations, Deloitte reported.

Patients sharing experiences with others online about hospitals and providers is also another reflection of how patients are even more so becoming healthcare consumers with much more mobility and choice over where they seek their care. If patients don’t trust providers with their PHI, they are more likely than ever before to move their healthcare dollars elsewhere.

Establishing a culture of compliance

Decreased patient volume due to reputational damage is just one of the financial impacts of a PHI breach. But the lingering effects of reputational damage, I believe, are more long lasting and difficult to quantify in terms of dollars and cents. Apart from the loss of patient trust, breaches can impact employee morale, providers’ confidence, and degrade the overall culture of the organization to one of instability and confusion.

By instilling a culture of adherence to HIPAA-compliant PHI disclosure policies and procedures, and offering employees the support and tools they need to comply, organizations can avoid these breach-caused negative reputation events and their impacts.

A trusted PHI disclosure management partner that has already established a culture of HIPAA compliance and knowledge, supported by technology to prevent improper disclosures, can be a significant advantage to an organization in protecting its reputation and its bottom line.

To learn more about the financial and reputational impacts of a PHI breach, please download our white paper: “Mitigating breach risk in an era of expanding PHI disclosure points and requests for health information.”


PHI disclosure legal issues, Part 2: Obtaining deceased patients’ records


After a loved one dies, there are numerous situations where families might need copies of the deceased patient’s medical records. For example, records are needed when the family submits a life insurance death claim or if they plan to file any sort of lawsuit related to the patient’s death.

But after a patient dies, HIPAA and state laws can complicate the process of obtaining these records, especially if the patient dies without a will, which is called “intestate.” Given the myriad of state and federal laws related to disclosure of deceased patients’ Protected Health Information (PHI), it is important that healthcare providers and their HIM staff establish a policy for what type of documentation must be provided by a requester in order to disclose their PHI. For example, unless an authorization signed by the deceased patient’s “Personal Representative” is provided, HIPAA prohibits the disclosure of PHI belonging to a deceased patient (decedent).

The person who qualifies as the Personal Representative under HIPAA changes when the patient dies. Durable healthcare powers of attorney, for instance, are revoked upon a patient’s death, meaning that without other documentation, the durable healthcare power of attorney is no longer the decedent’s Personal Representative. Adding to the complexity, while some states have adopted HIPAA’s definition of Personal Representative, many state laws list other people, such as family members, who can be identified as the decedent’s Personal Representative, if there is no will.

Complying with all applicable state and federal laws is certainly essential, but many healthcare providers adopt policies that are even more stringent. While state law may only require a copy of the decedent’s will, healthcare providers in that state may choose to require additional documentation proving executorship, such as Letters Testamentary. In other cases, if a patient died intestate, a hospital may require the person claiming to be the Personal Representative to petition the court to obtain Letters of Administration, a laborious process that can be made even more complicated if the decedent’s spouse, children, or another interested party objects to that appointment.

Rest assured, MRO staff who work at our clients’ facilities are trained on how to disclose deceased patients’ PHI according to the applicable federal and state laws and facility policies to ensure legal compliance.

To learn more about how MRO’s highly trained employees protect their clients through their PHI disclosure expertise and support, check out our clients’ experiences.

This is the second of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


Information Governance was the buzz at AHIMA


The 87th Annual AHIMA Convention and Exhibit in New Orleans was a resounding success, despite the coinciding industry-wide transition to ICD-10, which occurred just a day after the event ended on October 1.

Not surprisingly, ICD-10 was a major topic of discussion during the conference. Other topics addressed were emerging issues surrounding data privacy and security including confidentiality, integrity and availability; interoperability; Release of Information (ROI); health information exchanges (HIEs); cyber security; and the Department of Health and Human Services’ Office for Civil Rights audit readiness, as we approach the launch of desk audits.

Information Governance (IG), however, was the most covered topic at the event. AHIMA defines IG as “an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”

To help navigate this increasingly complex issue, AHIMA released an IG tool kit that urges HIM professionals to take leadership in data sharing, budget allocation and collaboration with other departments for an IG plan. To ensure this collaboration is successful, HIM needs to delegate some IG responsibilities to other departments, which can be difficult, but allows the opportunity for HIM to integrate and oversee data silos it wouldn’t have had access to in years past.

This is just one of the emerging IG challenges that our chief technology officer, David Borden, discussed during the educational session he co-presented at AHIMA with Susan Carey, MHI, RHIT, PMP, the system director of HIM for Norton Healthcare in Louisville, Ky., a not-for-profit system comprised of five hospitals, 19 outpatient centers and 140 practice sites. In their session, Borden and Carey urged HIM professionals to “get in the HIE boat” to ensure their voice is heard and considered during HIE planning.

HIM professionals, who are typically the Protected Health Information (PHI) privacy and HIPAA experts within healthcare organizations, need to be integral in this planning because HIE was not created with HIPAA in mind, and has not been updated since. Organizational compliance has taken a backseat to the technical requirements of HIE, as David also told HealthITAnalytics.com in a dual interview with Susan at AHIMA. This means that without the proper policies, procedures and safeguards, breaches can occur on a larger scale and much easier than in the past — with only a few keystrokes and mouse clicks — which exponentially increases risk and liability for healthcare organizations.

“Very often, it’s not well understood that security and privacy are two very distinct knowledge domains,” David told the publication, as well as AHIMA attendees. “IT is very good at security, and sometimes they may think that means they’re also good at privacy, without realizing that’s just as naïve as someone who’s trained in privacy thinking they understand all the ins and outs of security.”

As David and Susan’s presentation discussed, with the growth of electronic HIE, patient-identity matching is becoming a growing patient safety issue and workflow challenge that usually requires HIM to design a solution, but one that requires IT input and assistance. Patient identity is also one of the many data integrity issues that organizations face including accurately and reliably integrating PHI from other providers into the legal record.

Other emerging issues that David and Susan explored in their presentation include sharing of sensitive and “super-protected information”, such as mental health, AIDS/HIV and substance abuse information; patient consent management, such as opt-in, opt-out, and patient education; and managing the minimum necessary standard requirements for payers in a query-based HIE.

As HIEs expand and connect with other information networks, the rules-of-the-road may change without sufficient input from participants, which is why HIM needs to be ever vigilant in having its voice heard. “I feel like we’re in a good place with HIEs, but there’s a lot more work to be done,” Susan told HITAnalytics.com. “…[K]eeping those avenues open between IT and HIM is really what you want to strive for. We have to understand the roles we all play and what the use cases are.”

For information on these important IG issues that are impacting healthcare organizations, please download the slides from David and Susan’s AHIMA educational session by clicking here.


Reducing PHI breach risk essential for physician groups

For many physician groups, Protected Health Information (PHI) disclosure policies and procedures can vary greatly between practice locations. This variability and limited administrative oversight increases the risk of a PHI breach, which can be costly in terms of reputational damage and financial consequences.

Transitioning a physician group from multiple different Release of Information (ROI) processes to a single ROI technology platform, with the help of an experienced and knowledgeable PHI disclosure management partner, can help identify errors before records are released and avoid these costly breaches. A standardized process across any size practice through a single platform ensures that consistent and compliant ROI policies and procedures are enforced and safeguards are established to prevent a breach.

Practices face same improper disclosure liability as hospitals

Physician practices carry the same PHI disclosure liability as hospitals, although many groups lack the resources of a large health system to recover from a significant breach. HIPAA financial penalties can be as much as $50,000 per breach or $1.5 million annually for repeated occurrences. In addition to such penalties, there are soft costs associated with each breach, ranging from $8,000 to $300,000, according to the results of an American National Standards Institute (ANSI) survey of organizations that had been affected by a PHI breach. Those figures do not include the HIPAA violation civil penalties, but rather costs such as credit or identity-theft monitoring for breach victims, forensic and legal fees, and reputational harm, including loss of goodwill and of business, according to survey respondents. In addition, the reputational harm suffered by practices due to a breach may be more significant than that suffered by a hospital because of the group’s narrower patient population.

Just because practices typically have fewer overall ROI requests than hospitals or health systems doesn’t mean a breach is any less likely. MRO’s research shows there are more than 100 error types found across ROI authorizations and that 20 to 30 percent of authorizations are initially invalid. Plus, the PHI disclosure processes that many practices follow are highly susceptible to human error. These errors could include disclosing the wrong patient records due to co-mingled records, which affect at least 0.7 percent of releases.

Practices may not even be aware of how many unauthorized ROI requests are approved, or have tools to identify and prevent the release of comingled records. And without safeguards to mitigate risk, practices may be facing the matter of “when” rather than “if” a breach will occur.

Reduce risk, increase efficiency

Standardizing PHI disclosure across physician practices with a centralized ROI solution can help reduce this risk by ensuring consistently enforced policies and procedures. With a single technology platform and an experienced, knowledgeable PHI disclosure management team that can offer best practices and tools, a physician group’s procedures can become compliant faster while relieving practice staff of the burdens of ROI, including Quality Assurance and billing.

Best of all, centralizing and standardizing ROI processes through an outsourced partner can give practices more time and resources to concentrate on revenue-generating activities, and most importantly, focus on patient care. The liability of establishing safeguards to mitigate breach risk should be a business partner’s concern so practice staff can focus on what truly matters: patients and their care.

To learn more about how your group can reduce breach risk and increase efficiency, please read about Lehigh Valley Physician Group’s experience with centralizing their PHI disclosure here.


PHI Disclosure Legal Issues, Part 1: Healthcare Power of Attorney


Just before our first wedding anniversary this August, my husband and I agreed to finalize our last wills and testaments, durable healthcare powers of attorney and living wills. A durable healthcare power of attorney is a legal document that allows you to authorize a representative to make your healthcare decisions if you become incapacitated, while a living will provides instructions on whether life-prolonging measures should be taken. It may not sound like the most romantic thing to do—I don’t think that signed legal documents count for the gift of “paper” that is traditionally given on a first anniversary—but it is hard to think of a more meaningful gesture as we begin our second year of marriage.

As MRO’s Privacy and Compliance Counsel, I am frequently reminded of the importance of these documents because the Health Information Management (HIM) departments in our healthcare-provider client organizations often encounter situations where a family member requests a patient’s Protected Health Information (PHI) with a general or durable power of attorney. Unfortunately, unless those documents explicitly grant the authority to make healthcare decisions or to access the patient’s health information, the requester is not the patient’s personal representative under HIPAA and without other documentation, they may not be able to access the records. If records were released, the provider organization would be disclosing PHI to an unauthorized person, which is considered to be a breach under HIPAA.

It is best practice for HIM staff handling Release of Information to be specially trained on how to review these types of legal documents, because some durable or general powers of attorney do grant the authority to make these specific healthcare decisions, but many do not. Finalizing my durable healthcare power of attorney and living will gives me peace of mind that if the unthinkable were to happen, my husband would have proper guidance to manage my care in accordance with my wishes. That is definitely something worth celebrating.

For more information on ensuring your regulatory compliance and improving the workflow efficiency of your PHI disclosure process, check out MRO’s Vice President of Client Relations and Compliance Don Hardwick’s thoughts in this piece from For the Record.

This is the first of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


Preparing Your Healthcare Enterprise for Phase 2 OCR Audits


Earlier this year, MRO published a white paper, A Proactive Approach to PHI Disclosure Management: Strategies to Prepare Your Healthcare Enterprise for Phase 2 Audits. In the white paper, we shared the most up-to-date information about Phase 2 of Office of Civil Rights (OCR) HIPAA compliance audits and offered tips to prepare for them by implementing an enterprise-wide approach to disclosure management.

While OCR’s widely anticipated Phase 2 audits are still pending, there has been some activity since publication of the white paper. Here are some updates:

Myth Busted

AHIMA’s June 4, 2015 E-Alert quoted from a FierceHealthIT article that pre-audit screening questionnaires had been sent to potential Covered Entity (CE) auditees. In preparation for an MRO presentation at the MSHIMA annual convention, we reached out to an OCR contact, who replied on June 12, 2015 via email: “The report is misleading. OCR has started verifying contact information of CEs. Pre-audit screening questionnaires have not been sent out.”

Sneak Peek

We also contacted attorney Adam Greene, a nationally recognized authority on HIPAA and the HITECH Act, who provided a link (look for the survey PDF titled “Survey 03 13 2015” under “Instrument File”) to the screening questionnaire. The web page suggests they are seeking 500 respondents.

Audit Focus

OCR’s presentation at the HCCA Compliance Institute in April confirmed that “desk audits” will focus on privacy, security and breach notification. The speaker also emphasized that the OCR will conduct onsite audits, as funds permit, in addition to desk audits. Key focuses by audit type are expected to be:

  • Privacy Rule audits: Notice of Privacy Practices and Patient’s Right to Access
  • Breach Notification audits: Breach Notification Policy, Breach Notifications to Patients, instances where Breach Risk Assessment concluded no breach, and timeline from discovery to notification
  • Security Rule audits: Security Risk Analysis and Risk Management Plan

It’s important to remember that complaints can trigger an investigation that may lead to full-scale audits. Thus, it’s important to be ready for an onsite audit by reviewing the protocol on OCR’s website. The website states: “Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule.” OCR is reportedly working on the audit protocol update now. Another task they are tackling is a method for sharing penalty amounts with harmed individuals. We suspect that will encourage more people to file more complaints to the OCR due to possible payouts.

Being Prepared

What steps can you take now to prepare?

  • Make sure all documentation is up-to-date
  • Implement an enterprise-wide PHI disclosure management strategy
  • Invest in security technologies
  • Train your workforce (we can help)

The Ponemon Institute’s 2015 State of Endpoint Report: User-Centric Risk states that 78 percent of organizations cited employee negligence as the biggest security threat. Privacy and security compliance and breach prevention training are critical. It’s also key to make sure employees fully understand your policies and procedures for PHI disclosure. If an onsite auditor wants to evaluate your privacy and security culture, he’ll solicit information from non-management staff.

To learn more about OCR audits and tips for audit preparation, download our white paper today.


Mind the Gap – Enterprise-Wide Disclosure Management


It’s hard to believe that only two decades ago there were not significant penalties for improperly disclosing Protected Health Information (PHI), especially when regulations and oversight seem to become more stringent by the day.

Since the HIPAA breach notification requirement was instituted in 2009, there have been 1,185 breaches of more than 500 records each reported, compromising more than 133 million patient records. Hospitals are subject to penalties of up to $1.5 million per incident per calendar year, and criminal penalties include fines and up to 10 years in prison. There are currently pending judgments of $3-4 billion each in two class action lawsuits, and these figures don’t include the damage to a hospital’s reputation.

The migration to electronic medical records (EMR) systems may improve patient care, but it also makes it more difficult for hospitals to control access and manage patient privacy. According to MRO’s research, hospitals may have more than 40 PHI disclosure points through various departments such as billing, lab and radiology as well as hospital-owned clinics and physician practices.

With that many access points – which do not include HIEs, patient portals and other interfaces – the question becomes whether every employee at each of these disclosure points has been properly trained on PHI access and disclosure guidelines.

Centralization of the Release of Information (ROI) function places the responsibility of disclosing PHI into the hands of highly-trained professionals and offers better control, higher quality and cost savings. Using a single, enterprise-wide system that is overseen by a single department helps organizations standardize processes and enforce policies across the entire healthcare enterprise.

This model allows software and services to be deployed as a common platform, and all departments receive secure technology, comprehensive workflow and quality assurance checks. Best practices place the responsibility for the function with Health Information Management (HIM), which typically has subject matter expertise on health information governance, privacy and PHI disclosure management.

Hospitals that take an enterprise approach through their HIM department find they are able to better manage ROI processes, achieve compliance and reduce liability and financial risk.

Ready to learn more? View MRO’s case study on East Jefferson General Hospital, where HIM leadership standardized PHI disclosure management processes and policies across various hospital departments and 23 physician practices.

