Check Request Status610-994-7500

Heard at AHIMA 2018—Privacy, Cybersecurity and Information Governance Institute and ROI Roundtable

AHIMA’s 2018 Privacy, Cybersecurity and Information Governance (PCIG) Institute took place September 22-23 at the 2018 AHIMA National Convention & Exhibit in Miami. True to its aim to enhance knowledge regarding current trends and issues, the event focused on protecting patient information across all healthcare settings and business operations—essential to ensuring patients’ trust in our healthcare system. Protected Health Information (PHI) disclosure management is at the heart of building that trust—and Information Governance (IG) is a critical component.

This year’s institute focused on industry adoption of IG, citing AHIMA’s Information Governance Adoption Model (IGAM)™ as a guide to advance IG practices toward achieving Level 5 maturity. Here are the five levels:

1—Unaware, IG concerns not addressed

2—Limited progress, early stage

3—Defined policies and procedures

4—Proactive program throughout operations

5—Fully integrated into overall infrastructure and business processes

Most attendees indicated their organizations were either at Level 2 or somewhere between Levels 2 and 3—making limited progress and beginning to define policies. This feedback means there’s much work to be done within the HIM domain to successfully measure and achieve IG maturity.

PHI Disclosure Management and IG Connection

A common question posed to HIM leaders on this topic is: What is the relationship between PHI disclosure and IG? First of all, proper disclosure of PHI cannot be achieved without adherence to IG principles—particularly privacy and security. AHIMA describes IG as an enterprise-wide framework for managing information throughout its lifecycle—from the inception of a patient’s record to its eventual destruction. An analogy that comes to mind is the story of a person’s life, the stewardship required from birth to death.

From an IG perspective, HIM professionals must know where information originates, where it flows, how it is released, when it dies—and all risk factors along the way. In our experience, one of the most critical areas of risk is the business office. Implementation of a centralized, enterprise-wide approach to PHI disclosure—aligned with IG principles—reduces risk related to ROI practices.

Modern Age of ROI Roundtable

Following the two-day PCIG institute, I joined my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and other experts to discuss Release of Information (ROI) challenges and best practices during the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?”

The hottest topic that emerged was patient-directed requests. Many in the industry are seeing inappropriate attorney behavior such as having the patient sign a blank form that the attorney then uses to request patient information. When a form is questionable, the patient should be contacted to clarify and confirm consent.

In the audience was Jim Bailey, President of the Association of Health Information Outsourcing Services (AHIOS), who suggested that states come together to address the issue. Here are four recommended strategies:

  • Raise awareness with your legislators
  • Hold conversations with other hospitals in your area
  • Don’t be afraid of meeting with the OCR
  • Exercise the right to question and verify any request

A valid patient-directed request must clearly reflect the patient’s intent—type of information requested, who should receive the information, for what purpose and method of delivery.

HIM Leadership

Overall, the PCIG Institute, ROI Roundtable and many other informative sessions during the AHIMA Convention reaffirmed that HIM professionals play a crucial role in promoting stronger privacy, security and Information Governance. Trust in the healthcare system depends on our leadership.

Sign Up for Future Blog Posts

Read More

Enterprise-Wide PHI Disclosure Management—Six Strategies Guided by Information Governance Principles

On September 1, 2018, the Journal of AHIMA published MRO’s article “Enterprise-Wide PHI Disclosure Management—Why Information Governance Matters,” featuring a virtual roundtable with health information management (HIM) leaders from MRO client organizations Ardent Health Services, Ochsner Health System and WellSpan Health.

As moderator of the discussion, I had an opportunity to explore valuable insights gained from their experiences along the journey to enterprise-wide Protected Health Information (PHI) disclosure management. Here is a summary of common challenges they faced and successful strategies guided by Information Governance (IG) principles.

Common Challenges

As integrated health systems grow through partnerships and acquisitions, one of the most significant challenges is managing multiple points of PHI disclosure during the Release of Information (ROI) process. Keeping up with evolving regulations requires evaluation of ROI requirements including ongoing review of policies and procedures with a goal of establishing standardized, compliant processes across the enterprise. This has become even more critical with the rise in small breaches, often due to errors in ROI.

With any major process change, some resistance can be expected. Not everyone will be on board to hand off ROI responsibilities. Reluctance to make the transition to enterprise-wide disclosure is often related to loss of control and personal touch, particularly in physician practices. Communicating the benefits to all departments and practices is critical to the success of a centralized, enterprise approach.

Six Successful Strategies—People, Processes and Technology

Overall, the combination of policies and procedures supporting legal medical record content, consistent record retention and standardized workflows enables the implementation of enterprise-wide PHI disclosure. Establishing compliant ROI practices aligned with IG concepts must be a top priority to reduce liabilities and protect patient information.

Here are six strategies for HIM professionals to initiate, support or sustain enterprise-wide PHI disclosure management:

  1. Engage executive leadership, including compliance, privacy and legal teams. Present a business case for enterprise-wide ROI, with emphasis on the benefits of centralization including cost savings, compliance and patient satisfaction.
  2. Proactively address PHI disclosure management in the acquisition and partnership strategy. Create a consistent approach to managing any ROI transition.
  3. Consider your available human, technical and system resources. Evaluate the ability to implement a model that is self-sufficient, outsourced or a combination of the two options.
  4. Create an enterprise-wide inventory of health records/designated record sets. Include the format, locations and retention timeframe.
  5. Determine the right balance of onsite versus remote management. Create a standard list of common documents requested by patients as a guide to onsite processing.
  6. Establish a collaborative relationship with your ROI vendor partner. Work together to develop and sustain a PHI disclosure management process. Having a dedicated ROI team supports the commitment to provide accurate and timely records to customers and patients.

To download a PDF copy of the full Journal of AHIMA article, complete the form on this page.

MRO at AHIMA Convention & Exhibit

To meet MRO’s teams and network with HIM peers using our services, visit us at the upcoming AHIMA Convention & Exhibit in Miami, September 22-26. Review a list of MRO events in advance to learn more about where you can find us during the convention. Highlighting Monday’s agenda is the ROI Networking Roundtable “The Modern Age of ROI—Are You Up to Date?” where my colleague Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services for MRO, and I will join other experts in the field to discuss ROI challenges and best practices. We look forward to seeing you there!

Receive a copy of the full Journal of AHIMA article

Read More

Webinar Recap: Cybersecurity- Protecting Your Healthcare Enterprise

On August 15, 2018, my colleague Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy and I presented the third part of our four-part healthcare compliance webinar series. In this webinar titled “Cybersecurity: Protecting Your Healthcare Enterprise,” we covered points that healthcare organizations should consider to safeguard Protected Health Information (PHI) and increase their overall security posture.

Access Management

Policies and Procedures

HIPAA requires a number of administrative safeguards to protect PHI, specifically ePHI. Policies and procedures must be in place to ensure implementation and maintenance of appropriate protection.

• Workforce security is a critical piece to guide the proper use of PHI by anyone who is allowed access—including physicians, employees, volunteers and BAs.
• Information access authorization specifies who has access and why, based on minimum necessary guidelines.
• Ongoing security training supports accountability and access management.

Threat Prevention, Detection and Response

Prevention

Even with the most advanced technology, granting people access to systems remains one of the highest risks of introducing the possibility of serious incident. Attendees were reminded that policies and technologies must have additional controls in place:

• End user education and social engineering testing
• Strong passwords and account creation steps
• Malicious software protection
• System hardening practices

Detection

If something goes awry, it is important to have alert mechanisms in place—automated, manual or a combination of the two. For example, manual alerting includes 24-hour hotlines to report suspicious behavior. Technology applications such as FairWarning automatically trigger alerts to potential privacy violations. System log reviews are a good indicator of behavioral anomalies. Best practice is to leverage technology to automate data protection and ensure proper detection.

Response

In the event of an alert across the enterprise, a tested and documented incident response plan is necessary to ensure immediate response to a breach. The plan should include defined roles and responsibilities, testing scenarios and cyber insurance impacts. How will your organization ensure breach prevention considering the penalties being levied for high-exposure incidents?

At MRO, we have a dedicated incident response team. Part of their responsibility is to know state specifications, timeline controls and documentation requirements for proper reporting to the right people at the right time.

Information Governance

Information Governance is integral to an effective data security program. Incident response should be part of an enterprise information governance program—policies, procedures, tools and techniques that an organization applies to safeguard information and systems. Data classification and data mapping are essential tools to guide system impact assessments. Think about how and where your data goes and the importance of protection throughout its life cycle in your custody.

Risk Register

A risk register is a vital tool that lists all identified risks along with your organization’s risk score, responses, triggers, consequences and related information. Unlike a one-and-done document, this register is a fluid living document that must be constantly updated to reflect an accurate assessment of risk management and your security posture.

Cyber Extortion

With ransomware on the rise, user awareness training is more important than ever before. Additional protection measures include a formal ransomware policy and use of sophisticated technology to minimize attacks. Attendees received insights based on various types of cyber extortion including email and texting, along with examples of protection activities to promote cybersecurity.

To learn more about strategies to protect your healthcare enterprise, fill out the form below to receive a copy of this webinar.

Request MRO's Cybersecurity Webinar

Read More

MRO Celebrates the 29th Health Information Professionals Week

2018 HIP Week

During Health Information Professionals (HIP) Week, MRO always enjoys celebrating the wonderful work of our Health Information Management (HIM) partners. It is an honor to work with these dedicated and hard-working professionals who perform their duties skillfully throughout the year.

MRO’s 2018 Healthcare Compliance Webinar Series Launches During HIP Week

To celebrate HIP Week and continue with our efforts to educate and support the HIM profession, MRO has launched a complimentary healthcare compliance webinar series. To show our appreciation, we would like to invite you to register and earn four AHIMA CEU’s on us.

This four-part series will cover these latest privacy, security and information governance trends impacting healthcare professionals:

  • Part 1: Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield 
    Thursday, March 22, 2018 – 2pm Eastern – Register Here.
  • Part 2: Healthcare Regulatory Updates and Guidance 
    Thursday, May 17, 2018 – 2pm Eastern – Register Here.
  • Part 3: Cybersecurity: Protecting your Healthcare Enterprise 
    Wednesday, August 15, 2018 – 2pm Eastern – Register Here.
  • Part 4: 2019 Healthcare Privacy and Security Compliance Predictions
    Wednesday, November 7, 2018 – 2pm Eastern – Register Here.

Looking Ahead: MRO’s Future is Bright

HIP Week’s theme “Our Future is Bright” is appreciated by MRO. As the HIM landscape evolves, we will continue to grow and adapt our services and technology to step up to the challenge. MRO is committed to delivering the highest levels of accuracy and quality while servicing healthcare organizations across the country with the best Release of Information solution available.

In the beginning of this year, MRO was named KLAS Category Leader for ROI services in the 2018 Best in KLAS report. This is the fifth consecutive year that MRO was rated #1, and another year in which our focus on service quality was recognized by KLAS. With each passing year, MRO continues to grow and advance because of the valued business, support and partnership we receive from our HIM partners. As we continue on this journey together, our future is indeed bright.

At MRO’s National Service Center in Norristown, Pennsylvania and across our client sites throughout the nation, we are all enjoying a week filled with festivities and celebrations for the HIM profession. We hope all Health Information Professionals are enjoying this special week, too. Thank you to our clients and our employees for all that you do, and Happy HIP Week from all of us at MRO!

Sign Up for Future Blog Posts

Read More

Four Healthcare Compliance Webinars to Attend in 2018: Covering Privacy, Security and Information Governance

As we move into 2018, healthcare professionals should be up to date on the latest Privacy, Security and Information Governance trends. It is important to be aware of what’s on the horizon and how to prepare your organization for the future.

In MRO’s upcoming 2018 healthcare compliance webinar series, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I will co-present on the latest industry trends and discuss best practices for organizations to consider. There are four parts to this webinar series, and we are in process of having each session pre-approved by AHIMA for one (1) CEU in the privacy and security domain.

Below are the four session topics, which Angela and I will go into more detail on in our webinar series. To register, click here.

Webinar Watch List: Privacy, Security and Information Governance

1) Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield
The Global Data Privacy Rule (GDPR) is compelling every organization to consider how it will respond to today’s security and compliance challenges. This may require significant changes to how your business gathers, uses and governs data if you serve individuals from the United Kingdom. Much of the discussion about the GDPR has focused on the law’s privacy-centric requirements, such as mandatory record keeping, the right to be forgotten, and data portability.

March 22, 2018 – 2pm Eastern – Register Here.

2) Healthcare Regulatory Updates and Guidance
Healthcare regulatory updates and government guidance are continuously evolving and can be hard to interpret and understand. The implementation and management of those changing guidelines is vital for meeting compliance in any organization. When we hold this webinar, the session will review the regulatory updates and guidance that must be implemented to achieve regulatory compliance.

May 17, 2018 – 2pm Eastern – Register Here.

3) Cybersecurity: Protecting your Healthcare Enterprise
Although cyber attackers constantly create new versions of malicious software and search for new vulnerabilities to exploit, healthcare organizations must continue to be vigilant in their efforts to combat cyber extortion. This webinar will share lessons learned and actions for consideration to remain diligent and ready for potential threats.

August 15, 2018 – 2pm Eastern – Register Here.

4) 2019 Healthcare Privacy and Security Compliance Predictions
This session will briefly summarize the prior sessions in MRO’s four-part webinar series on healthcare privacy and security compliance, including lessons learned in 2018— and then shift focus to 2019. We will do our best, utilizing our crystal ball, to predict focus areas for 2019.

November 7, 2018 – 2pm Eastern – Register Here.

Health Information Professionals Week

MRO will launch our healthcare compliance webinar series, which covers these topics, on March 22, 2018, during Health Information Professionals (HIP) Week. HIP Week will coincide with AHIMA’s Advocacy Summit and Hill Day, events where AHIMA members receive education specific to advocacy and visit Capitol Hill to share the importance of advancing HIM. Privacy, security and Information Governance continue to be key issues for HIM professionals. AHIMA has stated it will continue to provide guidance to the healthcare industry and government leaders seeking expertise and counsel, and MRO looks forward to continuing in our efforts to educate and support the HIM profession, as well.

Register today for our first webinar, on the topic of Compliance with the Global Data Privacy Rule (GDPR) and Privacy Shield.

Sign Up for Future Blog Posts

Read More

Training Business Office Staff on PHI Disclosure Management

Millions of payer requests for medical records are sent to hospital business offices every day. Business office staff are often tasked with gathering and releasing Protected Health Information (PHI) to payers in a very short amount of time to get claims paid. During this rush to meet payer deadlines and expedite claims, human mistakes can be made. Critical steps of the Release of Information (ROI) process may be skipped or accidentally omitted. This increases PHI breach risk.

To ensure business office disclosures are kept safe and secure, organizations should train their staff on disclosure management using the same information, curriculum and courses presented to Health Information Management (HIM) teams. Below is a video where I discuss MRO’s unique approach for training and educating employees, as well as five PHI disclosure management topics to train your business office staff on.

PHI Disclosure Management Training/Education at MRO Corp.

Five PHI Disclosure Management Topics to Train Your Business Office Employees On

1) ROI and HIPAA Basics

Ensure employees understand the definition of HIPAA (Health Insurance Portability and Accountability Act), the privacy rule, ARRA HITECH Omnibus, PHI and differences between federal versus state law. This distinction is especially important for business offices that process requests for care locations across different states.

Another important topic to cover is the Health and Human Services (HHS) minimum necessary guidance under the HIPAA privacy rule. This guidance helps organizations determine what information can be used, disclosed or requested by payers for a specific purpose. Business office staff need to know which parts of the record to send to the payer. By training business office staff to fully understand and apply the minimum necessary guidance, organizations tighten privacy and mitigate breach risk.

2) Medical Record Components

Make sure to define the various components of the medical record to business office staff. These components include: common documents, various types of encounters, properly documented corrections and amendments.

3) Confidentiality and Legal Issues

Outline the legal health record concept and what it includes for your organization. Additionally, all the various confidentiality and legal issues should be explained in full detail.

4) Types of Requests

List all the various types of requests that might be received in the business office. For each category, differentiate which are part of Treatment, Payment and Healthcare operations (TPO) and which are not. Those that fall outside of TPO require a patient authorization and should be forwarded to HIM for processing. For a list of types of requests to discuss, read this article.

5) Sensitive Records and Special Situations

Identify and describe specific PHI disclosure management practices related to sensitive records. These cases can include information on genetics, HIV/AIDS, STDs, mental/behavioral health, substance abuse, deceased patients, minors and other sensitive issues. Federal and state legal issues may be involved with these and business office employees should be aware of them.

If you’re concerned about the ability of business office or other staff to properly and securely process requests, a centralized ROI model may be your organization’s safest approach.

To sign up for future blog posts, complete the form below.

Sign Up for Future Blog Posts

Read More

Breach Prevention: Developing Best Practices from OCR Audits and Enforcement Activities

AHIMA held its 11th Annual Privacy and Security Institute on October 7-8, 2017 in Los Angeles, concurrent with the national convention. As a sponsor of the event, MRO held a breach prevention session titled “Developing Best Practices from OCR Audits and Enforcement Activities.” During the presentation, Rita Bowen and I reviewed the current Office for Civil Rights (OCR) audit and enforcement landscape and provided best practice guidance based on audit and enforcement outcomes.

We discussed some of the biggest cases to date including nine resolution agreements totaling over $17M collected by the OCR. The top five compliance issues (in order of frequency) included (1) impermissible use and disclosures, (2) lack of safeguards, (3) lack of patient access to health information, (4) releasing the minimum necessary, and (5) lack of administrative safeguards to electronic Protected Health Information (PHI). Below are five best practices for breach prevention, as well as a video interview where I recap the presentation.

Video Recap: AHIMA Privacy and Security Institute

 

Five Best Practices for Breach Prevention

1) Create a patient data protection committee.
This committee should oversee the organization’s patient privacy compliance program and conduct quarterly risk analyses and assessments. Serving as the incident response team, each committee member should review policies and procedures annually. In addition to these responsibilities, a patient data protection committee should perform mock HIPAA audits using Phase 2 protocols from the OCR.

2) Provide ongoing education and training for workforce members.
Many breaches are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for Protected Health Information disclosure management. To avoid this from happening, organizations should provide formal training at least once a year to ensure compliance with applicable federal and state law. Provide reminders of policies and procedures through emails, posters, and patient privacy awareness activities.

Some free helpful tools include:
OCR’s website
OCR’s YouTube channel
AHIMA’s Body of Knowledge

3) Implement HIPAA’s security rules for administrative, physical and technical safeguards.
Make sure your organization’s risk analysis is current and complete. This is the key to avoiding any potential threats and vulnerabilities. Utilize technologies that strengthen your compliance program and access monitoring software. For HHS guidance on technical safeguards, visit their website.

4) Test the effectiveness of your compliance program.
This can be done a few ways. Through internal, external and penetration audits. Through social engineering, which involves fake phishing emails, fake phone calls and checking desks for exposed passwords. And lastly, through mock breach exercises.

5) Assess your Business Associates’ compliance.
With proper due diligence and periodic vendor assessments, healthcare providers can safeguard their organizations against breach by way of their BAs. Additionally, Business Associate Agreements (BAAs) can ensure HIPAA compliance, and hold subcontractors liable for potential violations.

Complete the form below to download MRO’s eBook on breach prevention “Tips and Best Practices to Safeguard your Healthcare Organization.”

DOWNLOAD MRO’S eBook “Preventing a Breach: Tips and Best Practices to Safeguard your Healthcare Organization.”

Read More

AHIMA Convention Reflections: Business Associate Management and Best Practices for Risk Analysis

At the 2017 AHIMA National Convention and Exhibit, Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, and I co-presented a session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis.” In this presentation, we discussed ways to manage risk associated with Business Associates (BAs) for Covered Entities (CEs).

Rita and I reviewed industry trends around the renewed focus on vendor relationships and compliance, and the Office for Civil Rights’ (OCR) increased scrutiny of BAs. We covered many key components of thorough due diligence when evaluating BAs, and the necessary ongoing risk analysis once partnered.

The audience learned best practices that they can incorporate into their risk assessment process, which will make Business Associate management more bearable. Below is a video interview where I recap the presentation.

Video Recap: Managing Risk Associated with Business Associates for Covered Entities

 

Video Transcript

Anthony: I am Anthony Murray, Vice President of Information Technology for MRO.

Question: Tell us a little bit more about your presentation and the topic of BA Management.

Anthony: Today, Rita Bowen and myself presented on managing risks associated with Business Associates for Covered Entities. I think primarily what we were trying to drive home was a consistent approach to assessing risk when doing business with Business Associates within the Covered Entity space. It is a broad and deep topic. We covered a lot of different ways and concepts, so hopefully they came away with some ideas that they can incorporate into their risk assessment process to hopefully make their dealing with BAAs (Business Associate Agreements) a little bit more bearable.

Question: What best practices did you discuss during your presentation?

Anthony: We talked a lot about access controls, understanding the governance that’s in place, and trying to read the maturity scales of the Business Associates. What it really boiled down to was hopefully distilling down and understanding the services that the vendor is providing and associating the appropriate risk level to them. Based on the risk level, you hope to identify how deep into the privacy and security controls that they have in place are important to you as a company.

Question: What is MRO doing to address this topic?

Anthony: MRO is doing a number of things to help address this topic. One, is we have ongoing certifications to help augment what our CEs are going to do to assess us from a risk perspective. So, we’re trying to achieve things like HITRUST and perform our SSAE 16 and SOC type 2 audits. In addition, we also employ a number of very transparent controls that we talk about from the very onset of our relationship with our clients. How we manage access controls, how we report incidences and privacy threats all the way down to even giving access to our end user ongoing training seminars.

Question: What are some of the biggest trends and themes you’ve noticed at this year’s convention?

Anthony: I actually think this was one of the bigger topics between cyber and general privacy concerns with some of the changes in legislation. What you’re seeing is a continued focus on the business associates and risk they present. We saw a lot of good traction that we’re getting the paper work done when it comes to managing your business associates, but continuing to develop and look at the threat profile of the BAs continues to be a hot topic here.

Question: What is your favorite part about AHIMA?

Anthony: My favorite part of AHIMA is being around people who are all sharing the same struggles, challenges and opportunities that I’m facing. As a Business Associate, I’m confronted with CEs and other other agencies like ourselves that provide services to these hospitals all dealing with the same problems and being able to come together as a community and discuss it is just so reassuring that we’re not left out on an island.

To download slides from MRO’s Business Associate Management presentation, complete the form below.

DOWNLOAD MRO’S BUSINESS ASSOCIATE MANAGEMENT PRESENTATION

Read More

2017 National AHIMA Convention: Takeaways for Health Information Management Professionals

The American Health Information Management Association (AHIMA) held its annual convention and exhibit in Los Angeles, October 7-11. This year’s event delivered a renewed focus on the profession’s responsibility to protect and govern Protected Health Information (PHI). During the convention, updates for privacy, security, interoperability and information governance were provided. Here is a quick overview of lessons learned at the conference. You can read more in my recent post to HIM Scene’s blog, titled Heard at #AHIMACon17: Lessons Learned for HIM.

Privacy and Security Institute

This year was the 11th anniversary of AHIMA’s Privacy and Security Institute. Speakers from the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Federal Bureau of Investigations (FBI) and Health Information Trust Alliance (or HITRUST) joined privacy and HIM consultants for a two-day seminar.

Additionally, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I co-presented a session titled, “Developing Best Practices from OCR Audits and Enforcement Activities.” In this session, we offered best practices for HIM professionals based on lessons learned from the OCR’s patient access guidance, resolution agreements and HIPAA Audit Program protocols. You can download a copy of our presentation by completing the form at the bottom of this blog post.

Cutbacks Underway

The position of Chief Privacy Officer (CPO) at the Office of the National Coordinator for Health Information Technology (ONC) has been vacant for the past year, and during this time Deven McGraw, Deputy Director of Health Information Privacy at the OCR, successfully served as acting CPO. Her recent departure, along with other cutbacks, will have a trickle-down impact for privacy compliance in 2018.

Onsite Audits Cease

Yun-kyung (Peggy) Lee, Deputy Regional Manager for the OCR, informed attendees that onsite HIPAA audits would no longer be conducted for Covered Entities or Business Associates due to staffing cutbacks in Washington, D.C. The concern here is that whatever doesn’t get regulatory attention, may not get done.

Interoperability Advances HIPAA

The national push for greater interoperability is an absolute necessity to improve healthcare delivery. However, 30 years of new technology and communication capabilities must be incorporated into HIPAA rules. Old guidelines block us from addressing new goals. We expect more fine-tuning of HIPAA in 2018 to achieve the greater good of patient access and health information exchange.

In an article published shortly before the AHIMA convention, OCR Director Roger Severino touched on the need to modify HIPAA in light of technology advancements and cyber threats saying, “I’ve gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it – and we have to be smart about who we target. At most I will say the big, juicy case is going to be my priority and the methods for finding it – stay tuned.”

Luminary Healthcare Panel

This session was a very relevant discussion for my role as Vice President of Privacy, Compliance and HIM Policy at MRO. Panelists provided a glimpse into the future of healthcare while reiterating HIM’s destiny—data integrity and information governance.

Final Takeaway

There is no doubt that HIM’s role is expanding. We have the underlying knowledge of the importance of data and the information it yields. More technology leads to more data and an increased need for sophisticated health information management and governance. Our history of protecting patient information opens the door to our future in the healthcare industry.

To download slides from MRO’s Privacy and Security Institute presentation “Developing Best Practices from OCR Audits and Enforcement Activities,” complete the form below.

To download slides from MRO’s Privacy and Security Institute presentation “Developing Best Practices from OCR Audits and Enforcement Activities,” complete the form below.

Read More

Lessons Learned from OCR Enforcement Actions

As of September 30, 2013, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has received over 141,754 complaints. Over 24,500 of these led to OCR investigations, resulting in required changes to privacy practices, corrective actions or technical assistance. Another 15,746 of these complaints led to OCR intervention and provision of technical assistance without the need for investigation.

Forty three of these breach and compliance investigations resulted in corrective measures, including three civil money penalties (CMPs) totaling over $7 million in fines.

My colleague Sara Goldstein, Esq., Vice President and General Counsel for MRO, and I recently gave a webinar, Lessons Learned from OCR Enforcement Actions, the first in an ongoing series of MRO-hosted privacy and security webinars. Here are some highlights.

Conduct Risk Analysis

Make sure your organization conducts regular and thorough risk analyses and assessments. Knowing where all Protected Health Information (PHI) is stored is a key part of developing a successful Information Governance (IG) strategy.

Follow through on findings from risk analyses and implement security measures that sufficiently reduce your organization’s risk of losing or compromising its PHI.

The Minimum Necessary Rule

Under the HIPAA Privacy Rule’s minimum necessary restrictions, Covered Entities (CEs) and Business Associates (BAs) must make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the intended purpose of the use and disclosure. A CE may not use or disclose the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

For example, Triple-S Management Corporation paid $3.5 million after the OCR determined they disclosed more PHI than necessary to accomplish the purpose for which they hired an outside vendor.

Following the Minimum Necessary Rule is crucial to preventing breach. Consider partnering with a disclosure management services provider. If Release of Information (ROI) is conducted in-house, proper employee training is critical.

Physical and Technical Safeguards

Use the HIPAA Administrative Simplification Table of Contents as your guide to ensuring that your HIPAA Policies and Procedures address all of the appropriate safeguards. This makes conducting risk analyses and potential audits easier because you can crosswalk your policies and procedures to the regulations.

Educate Workforce

Educate your workforce on Policies and Procedures and enforce these standards. Train workforce members who use or disclose PHI should be provided on an ongoing basis. This is an essential step in preventing breach, as many breaches occur during the normal ROI process due to unintentional employee actions.

Encrypt, Encrypt, Encrypt!

BlueCross BlueShield of Tennessee made a $1.5 million resolution payment in 2012 after 57 unencrypted computer hard drives were stolen from a leased facility containing PHI of over one million individuals, as the CE didn’t have adequate facility access controls.

Encryption is a saving grace, and electronic PHI (ePHI) should always be encrypted prior to release to avoid breach.

To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 1: Lessons Learned from OCR Enforcement Actions.

Receive a Recording of MRO’s Privacy and Security Webinar Series, Part 1

Read More