
Insights from MRO’s Legal Expert: Release of Information – Risky Business

While cyberattacks and device theft make good news stories, it’s far more likely for Protected Health Information (PHI) breaches to occur during routine Release of Information (ROI) requests. These improper disclosures are just as damaging to healthcare organizations as larger breaches. With this in mind, safeguarding health organizations against breach should be a top priority.

Factors driving breach risk

As PHI disclosure points and ROI requests increase, the likelihood of breaches occurring during the ROI process will also increase. Differing electronic medical record (EMR) systems and a lack of standardized policies and procedures contribute to the rise in breach risk associated with the recent surge in healthcare mergers and acquisitions. Another factor is the growing volume of requests in a changing market.

An emphasis on value and quality care means more commercial and government payer audits. Additionally, more and more patients wish to be directly involved in healthcare decisions and thus want greater access to their records. This larger number of requests, along with the faster and more frequent exchange of PHI, will logically lead to increased risk.

Unintentional employee actions cause breach

MRO research shows 20-30 percent of ROI authorizations are initially invalid, and without a second review, up to 10 percent of these invalid authorizations are processed. Additionally, five percent of data in EMRs has data integrity issues, such as commingled records, which can lead to improper disclosures. This is likely due to employee negligence. According to a May 2016 Ponemon Institute survey, 36 percent of PHI data breaches were caused by “unintentional employee action.”

The cost of PHI breach

Breaches are costly. Each breach costs between $8,000 and $300,000, according to the American National Standards Institute, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, and up to $1.5 million for recurrence. But the cost isn’t just monetary – breach also means loss of brand value.

According to Ponemon, 89 percent of surveyed healthcare organizations reported a PHI breach between May 2014 and May 2016, and 45 percent reported more than five in that same timeframe. As of January 2017, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has assessed approximately $58.51 million in settlement agreement fines or civil money penalties for data breaches.

ROI is a risky business. In today’s changing HIM landscape, the need for safeguarding health organizations against breach has grown exponentially. Standardizing policies and procedures by implementing an enterprise-wide strategy for PHI disclosure management, ensuring multiple layers of Quality Assurance are applied throughout the release process, and employing a well-trained and knowledgeable workforce are best practices for preventing small breaches that could potentially occur during the ROI process.

To learn more, fill out the form and read our eBook, Breach Risk in Release of Information: Don’t Leave Risk to Chance.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.


Insights from MRO’s legal expert: Mitigating risk through HIPAA risk analysis

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Illinois-based Presence Health agreed to settle potential HIPAA Breach Notification Rule violations by paying $475,000 and implementing a corrective action plan. This is the OCR’s first settlement based on the untimely reporting of a breach of Protected Health Information (PHI), and signals a new direction in HIPAA enforcement.

There are many ways healthcare organizations can ensure compliance to HIPAA Security, Privacy and Breach Notification Rules, and in this blog post, we will focus on consistently conducting HIPAA risk analyses.

Risk analysis is a process used to develop a firm understanding of the location of PHI and electronic PHI (ePHI) across an enterprise. Completing this process can also help identify potential points of disclosure and improve breach management.

Here are three key points about risk analysis:

1. Risk analysis must be a living document

Regularly conducting accurate and thorough assessments of potential risks and vulnerabilities is imperative. As stated, this assessment should identify the location of all PHI and list potential threats, including its vulnerability to impermissible use and disclosure. Additionally, the assessment should list corrective actions for such instances. The Office of the National Coordinator for Health Information Technology (ONC) website offers an interactive tool for conducting risk analysis, and helps determine if and when organizations need to take corrective action.

2. Conduct Business Associate risk analysis

Healthcare organizations need to assess risks for all Business Associates (BAs) that can share or access PHI. During this analysis, organizations need to ensure Business Associate Agreements (BAAs) are in place with all BAs, including partners in the Health Information Management (HIM) space, and other vendors less directly involved with health information, like food service operations or revenue cycle management partners. Inquiring about BAs’ risk analyses, risk management plans and breach notification plans should be a major focus of BA reviews.

3. Ensure breach notification compliance

Risk analyses should include a review of breach notification compliance. In general, incidents involving fewer than 500 patients need to be reported to the OCR within 60 days after the end of the year; incidents involving more than 500 patients need to be reported within 60 days of the incident.

If it is concluded that no unauthorized PHI was disclosed in a suspected breach, organizations must justify the findings of the breach risk assessment concluding the risk of compromise was low, and thus no breach occurred. Organizations will need to document a timeline from discovery to notification for any instances determined to be reportable breaches.

For additional risk mitigation best practices, fill out the form below and receive a copy of MRO’s white paper, Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Processes and Risk.



2017: Predictions for Health Information Management


I recently sat down with my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, MRO’s Vice President of Privacy, Compliance and HIM Policy, to talk about our predictions and expectations for 2017 regarding Health Information Management (HIM), specifically our areas of expertise – privacy and security.

There are many unknowns with the incoming administration – some initiatives could be strengthened, some weakened, some totally done away with – but there are some things that will undoubtedly stay relevant, at least for some time, which we’ll cover in this blog.

Focus on vendor relationships and Business Associate compliance

Over the past few years we’ve seen an influx of third-party risk assessment surveys at MRO. In addition to initial surveys during the evaluation phase, annual surveys are now more common. This focus on privacy and security stems from the 2013 Omnibus Rule, which updated HIPAA and HITECH. These updates made Covered Entities (CEs) responsible and financially liable for their Business Associates (BAs), and also made BAs responsible for any associated penalties.

With this in mind, the creed for CEs conducting due diligence should be “trust but verify.” Be sure to partner with the appropriate people and organizations, and use a standardized assessment to ensure potential BAs are focused on privacy and security and have the proper staff in place, in terms of both headcount and skillset.

Patient-generated health data and telemedicine

The rise of patient-generated health data and telemedicine continues to impact HIM, and we predict it will present ongoing challenges to be addressed in 2017.

Some of these challenges include the increased use of patient portals and unencrypted personal devices, as well as a growing interest in population health. Deciding how to incorporate this new information into health records, along with developing a plan for managing and releasing patient-generated data should be an integral part of every Information Governance strategy moving forward.

OCR guidance on patient access

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) stated they will release new guidance on providing patient access to Protected Health Information sometime during the first quarter of 2017. This guidance is expected to include further direction on Release of Information requests from attorneys, a source of perpetual confusion.

So, what do we know for sure going into 2017? Be ready for anything.

Fill out the form below to receive our monthly newsletter and stay up to date with the latest news from MRO.


Four tips for Business Associate and subcontractor management


MRO recently sponsored and hosted an AHIMA Virtual Privacy and Security Academy session covering Business Associate (BA) and subcontractor management. BAs perform a wide array of services for healthcare organizations, and in today’s ever-changing regulatory environment, it’s important to ensure they are HIPAA-compliant.

Here are four tips for BA compliance covered in the Virtual Academy session.

1) Inform BAs of expectations

BAs and subcontractors should have knowledge of HIPAA. Healthcare organizations need to properly articulate permitted uses of Protected Health Information (PHI) to their BAs. It is also important to communicate how compliance will be monitored.

2) Hold BAs accountable

When drafting contracts and Business Associate Agreements (BAAs), it’s important to establish accountability. Ensure BAs are held responsible for their use of PHI.

3) Perform ongoing due diligence

Create a risk matrix specific to BAs’ use of PHI. This matrix can and should be used to prioritize risks, characterizing them as high, medium or low. It is also a best practice to receive notification when users associated with terminated BAs access PHI.

4) Perform risk assessments

Healthcare organizations should perform regular privacy and security risk assessments. These assessments should check the nature and extent of PHI involved, including identifiers and likelihood of re-identification. These assessments should also note the unauthorized person to whom PHI was disclosed, whether or not the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

The Virtual Academy session concluded with an activity discussing BAAs, in which participants were given a scenario and asked to identify items for inclusion in hypothetical BAAs, putting what they learned into action.

Discover more tips for managing BAs by downloading the MRO-authored Journal of AHIMA article “Reduce BA Risk through Due Diligence and Documentation.”


5 tips for ensuring quality in PHI disclosure management


With a greater demand for Protected Health Information (PHI) comes the potential for a greater number of breaches, especially small breaches due to unintentional improper disclosures. Since 2009, over 180,000 small breaches impacting fewer than 500 patients at a time have been reported to the Office for Civil Rights (OCR). The escalated demand and risk associated with sharing PHI creates a serious need for improved accuracy and quality.

Here are five tips for ensuring quality in the Release of Information (ROI) process, so you can keep your organization running smoothly and compliantly.

1) Perform multiple Quality Assurance checks

Instituting multiple Quality Assurance (QA) checks on every release will dramatically improve your disclosure accuracy. Leverage technology to catch human error, and have a second set of eyes on everything before it is released. Some items to double-check include:

  • HIPAA-required criteria
  • Accuracy of patient information
  • Dates of treatment against authorization
  • Record content for commingled patient documents
  • Mailing envelope for correct address

2) Send notifications to requesters

Notify requesters of deficiencies in their requests to increase authorization efficiency. Developing a consistent methodology will streamline the authorization process and help prevent disclosure of unauthorized requests.

3) Develop a rules-based application

Developing a rules-based application that evaluates requests for HIPAA compliance and other requirements, like checking subpoenas for quash periods, will increase efficiency by automating previously manual steps.

4) Perform a final review of content and timeframe

Review the content of requested information to ensure there are no commingled records. As a best practice, leverage record integrity applications that use optical character recognition technology to assist humans in performing these quality checks. Additionally, check that all records included for release fall within the timeframe requested. This is another iteration of “perform multiple QA checks,” but the importance of checking and rechecking cannot be stressed enough.

5) Create a uniform ROI training program

Train and retrain employees in all aspects of ROI. Without well-trained employees, all the cutting-edge technology and expertly crafted workflows will not do much to prevent breach. Revise and update this training at least annually, and be sure to document all training.

By implementing sophisticated ROI workflows and technologies, and employing expertly trained professionals, healthcare organizations can prevent breach. Often an advanced PHI disclosure management firm can provide the right people, technology and services to ensure compliance.

Watch this video detailing MRO’s National Service Center to see these best practices in action, and fill out the form below to download more information about our service teams.


Reduce BA risk through due diligence and documentation


MRO wrote an article for the October issue of Journal of AHIMA, exploring why it’s important for healthcare organizations to ensure the HIPAA-compliance of the entities they partner with to help carry out healthcare activities, and what they can do to guarantee that compliance. Entities that create, maintain or transmit Protected Health Information (PHI) on behalf of a provider organization are considered Business Associates (BAs) under HIPAA, and, as of 2013, can be held liable for violations of the HIPAA Security and Breach Notification Rules and certain provisions of the HIPAA Privacy Rule.

These BAs include PHI disclosure management partners like MRO, as well as providers of services less obviously tied to privacy and security compliance, like food services companies. Regardless of a BA’s business, provider organizations need to conduct due diligence and execute Business Associate Agreements (BAAs), ensuring BAs have HIPAA-compliant policies and safeguards in place.

BAs have come under increased scrutiny from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) in recent years. This attention stems in part from the large amount of electronic PHI (ePHI) that BAs hold, putting providers and their patients at risk.

Conduct due diligence

While it is very important to conduct due diligence of BAs before beginning a partnership, it should also be part of the provider’s ongoing risk analysis. Providers should create a questionnaire for BAs containing questions about how the BAs protect PHI. If red flags are identified, a more in-depth review or assessment should be conducted.

In addition to these due diligence questionnaires, provider organizations should obtain “satisfactory assurances” from BAs in writing. These “satisfactory assurances,” which state BAs will appropriately safeguard the PHI they receive or create on behalf of the provider organization, are required under the HIPAA Privacy Rule.

Encourage transparency

Additionally, to ensure protection for both the provider organization and the BA, both parties should encourage information and process transparency from the start, beginning with thorough due diligence, which will establish an open relationship and forge a trusting long-term partnership.

To learn more about managing BA risk, join us for AHIMA’s Virtual Privacy and Security Academy. The next session, hosted by MRO, will cover BA and subcontractor management, and will be held on December 14, 2016. Please enter your email address below to receive our special promo code for 15 percent off registration.



AHIMA Privacy and Security Institute recap: patients and personal representatives


AHIMA’s Privacy and Security Institute celebrated its tenth anniversary this year with a two-day event kicking off the AHIMA Convention and Exhibit in Baltimore. This event included a lineup of speakers addressing the latest information, trends and cutting-edge technology affecting how healthcare organizations effectively balance privacy and security to protect confidentiality in health information.

The Institute’s aim is to improve the management of privacy and security programs, promote the understanding of an ever-changing regulatory environment and to discuss the industry’s hottest trends, issues and best practices.

Patients and personal representatives

I had the opportunity to sit on the panel for a roundtable discussion on patient access, amendments and fees, as part of the Institute. We took this opportunity to tackle the elephant in the room and answer questions around assessing fees and the many changes affecting patients and providers alike, and to discuss the operational challenges faced today.

As a panelist, I was surprised to learn of the amount of confusion regarding the Office for Civil Rights’ (OCR) guidance for personal representatives, especially when attorneys are involved in a request. There is a vast difference between attorneys requesting records as attorneys, and attorneys requesting records as authorized personal representatives. After discussing this topic at length, we ultimately agreed that if there is doubt regarding the intent of a patient’s directive, the best practice is to contact the patient directly to determine their wishes before proceeding. While it is important to give patients and personal representatives easy access to Protected Health Information (PHI), it is more important to ensure records are not released to an unauthorized requester.

If you didn’t make it to the Privacy and Security Institute in Baltimore, you can learn more about privacy and security in AHIMA’s Virtual Privacy and Security Academy. The next session, hosted by MRO, will cover Business Associate and subcontractor management, and will be held on December 14, 2016. Please enter your email address below to receive our special promo codes for 15 percent off registration.


Four steps to minimize breach risk and liabilities for medical practices


As advancements are made in health information technology, allowing for easier access to Protected Health Information (PHI), the risks inevitably grow. This year alone, more than 220 PHI breaches affecting 500 patients or more have been reported. While large breaches caused by cyber attacks are often the center of media discussion, smaller breaches caused by incidents like the improper disclosure of PHI are much more common.

Smaller breaches are gaining more attention from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Earlier this year, the OCR announced the initiation of a new program to more thoroughly investigate breaches impacting 500 individuals or fewer. These breaches, just like larger ones, are costly, not only in dollars, but in reputational damage as well. Medical practice leaders should be ready.

Here are four steps medical practices can take to minimize breach when disclosing PHI:

1) Institute multiple levels of Quality Assurance

Instituting multiple levels of Quality Assurance (QA) is a must for breach prevention. An estimated 20 to 30 percent of Release of Information (ROI) authorizations are initially invalid, and 5 percent of EMRs have record integrity issues, such as commingled patient records. Without multiple check points to validate HIPAA compliance and record integrity, medical practices are highly susceptible to human error, which can lead to improper disclosure of health information. The best workflows for releasing medical documentation include having a second set of eyes on every authorization and on the health information being disclosed to lower the likelihood of improper disclosures.

2) Leverage technology to catch human error

Human intervention can only prevent a certain level of error; however, dedicated technologies are available to catch human error and improve accuracy. Innovations like MRO’s IdentiScan® record integrity application, which uses optical character recognition (OCR) technology to assist record integrity specialists in reading every page of requests before release, work to catch human error and minimize the chance of disclosing records of the wrong patients. IdentiScan pushes disclosure accuracy to an industry-leading 99.99 percent, well above the 90 percent average.

3) Implement proper training and education

To ensure accuracy and compliance while disclosing PHI, medical practice staff should be highly trained and specialized in HIPAA and state compliance. Since PHI disclosure management is not the core function of medical practice staff tasked with releasing medical records, this can become a tricky area. That’s where a vendor with a high level of expertise comes in.

4) Partner with a dedicated PHI disclosure management firm

Partnering with a knowledgeable and advanced PHI disclosure management firm will help prevent breach. By outsourcing PHI disclosure management processes, medical practices can better standardize their systems for disclosure and allow practice staff to focus time and energy on other priorities, such as patient care. With the right partner in place – such as MRO – practices can achieve industry-leading turnaround times and the highest levels of accuracy, ensuring compliance every step of the way.

To learn more, fill out the form below to download our case study detailing how Lehigh Valley Physician Group partnered with MRO to improve accuracy and minimize breach risk.



Updates from the OCR: Phase 2 of the HIPAA Audit Program


At the recent National HIPAA Summit in Washington, D.C., Jocelyn Samuels, Director of the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR), and Deputy Director Deven McGraw, gave an update on the OCR’s compliance enforcement efforts, including the status of the HIPAA Audit Program, which launched Phase 2 in March 2016.


The OCR stated that they plan to complete 200-250 audits of Covered Entities (CEs) and Business Associates (BAs) over the course of three stages during Phase 2 of the HIPAA Audit Program. Currently, the OCR is in the process of evaluating documentation it received from the 167 CEs selected in June 2016 to participate in the first stage of Phase 2. Preliminary draft audit reports will soon be sent to audited CEs for their feedback, before the drafting of final reports. The OCR anticipates completing the first stage of Phase 2 by the end of 2016.

Future Outlook: Second and Third Stages for Phase 2 HIPAA Audits


In the meantime, the OCR plans to launch the second stage of Phase 2 – BA desk audits – in October 2016. The OCR will select 40-50 BAs from lists provided by stage one CE auditees to participate in stage two. Those BAs selected for the second stage will be evaluated on CE breach notification and compliance with the HIPAA Security Rule. Prior to the launch of the second stage, selected BAs will be invited to participate in a webinar hosted by the OCR, allowing the BAs to ask questions. Like stage one, selected BAs will have ten days to respond to the OCR’s request for documentation and will be given an opportunity to review and provide feedback on a draft of the report before the final version is completed.


In the next few months, the OCR will initiate the third stage, which will consist of onsite audits of select CEs and BAs. The OCR does not yet have an exact number of audits for stage three, but anticipates conducting only a small number.


After completing Phase 2 of the HIPAA Audit Program, the OCR will issue a public report, which will aggregate and address “lessons learned,” including best practices for BAs and CEs to implement.


Even for organizations not selected for participation in Phase 2, the OCR strongly encourages all CEs and BAs to review and implement the audit protocols, as most organizations that have entered into resolution agreements or paid civil money penalties to the OCR have been cited for not having proper risk analyses and risk assessments in place.

All of the audit protocols are available on a user-friendly spreadsheet created by MRO to assist with your organization’s preparation. To download the reference tool, please fill out the form below.


MRO will hold an informal HIPAA Q&A during the upcoming AHIMA16 convention in Booth #1020. If you’re attending the conference, please stop by.




Five stellar tips for providing patient access while protecting privacy


MRO recently hosted a webinar, “Skyrocket your HIPAA Compliance: 5 Stellar Tips for Providing Patient Access while Protecting Privacy,” exploring ways Covered Entities (CEs) can provide patients and their personal representatives easy access to Protected Health Information (PHI), while staying compliant with HIPAA and protecting their data from breach.

As the title promised, we offered the following five tips:

1. Do not create patient access barriers

The HIPAA Privacy Rule requires CEs to provide patients and their personal representatives – persons with authority under state or applicable law to make healthcare decisions for a patient – easy access to their PHI for a “reasonable, cost-based” fee within 30 days of request. CEs can require the requests be made in writing and using their own supplied forms, but cannot create barriers or unreasonably delay patients from obtaining PHI.

2. Implement the HIPAA Security Rule’s safeguards

This includes:
a. Administrative Safeguards: Administrative actions to manage security measures to protect electronic PHI (ePHI).
b. Physical Safeguards: Physical measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and from unauthorized intrusions.
c. Technical Safeguards: Technology used to protect and control access to ePHI.

3. Standardize and centralize

Standardizing PHI procedures and centralizing Release of Information (ROI) processes reduces the risk of HIPAA violations and decreases the number of PHI disclosure points, lessening the chance of improper disclosure and breach.

4. Educate and train workforce members

Oftentimes, compliance issues are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for the use and disclosure of health information. With this in mind, it is important to create a culture of compliance. Workforce members should undergo formal training at least once a year to ensure compliance with applicable federal and state laws, and the effectiveness of this training should be tested through measures such as phishing exercises and desk audits.

5. Monitor Business Associate compliance with HIPAA

CEs are required to enter into Business Associate Agreements (BAAs) with their Business Associates (BAs), as BAs are now liable for violations of the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.

The webinar also included an update on HIPAA Compliance Enforcement, including information on Phase 2 of the Office for Civil Rights (OCR) HIPAA audits, which began in March 2016.

To receive a recording of the webinar, please fill out the form below.

