On Wednesday, December 5, 2018, I visited Capitol Hill with colleagues from AHIMA and the American Medical Informatics Association (AMIA) to address challenges around patient access to health information and to propose ways to modernize HIPAA to better support patient care. As HIM and privacy professionals are aware, the Office for Civil Rights (OCR) released guidance on patient access to health information in February 2016. However, healthcare leaders have been calling for an upgrade to the 22-year-old HIPAA regulation for some time. The recommendations from AHIMA and AMIA were as follows.

Converge HIPAA with Health IT Certification

We recommended creating a new term, Health Data Set (HDS), which would encompass all clinical, biomedical and claims data maintained by the covered entity (CE) or business associate (BA). The data set would be supported through the certification program at the federal Office of the National Coordinator for Health Information Technology (ONCHIT), enabling individuals to view, download or transmit this information electronically to a third party and access this information via API.

We also suggested the revision of the HIPAA Designated Record Set (DRS) and the requirement that Certified Health IT provide the amended DRS to patients electronically while maintaining computability. This revision would give providers and patients greater clarity and predictability regarding what constitutes the DRS.

Extend the HIPAA Individual Right of Access to Non-Covered Entities

In an effort to provide uniformity of health data access, we suggested establishing a uniform health data access policy that would apply not only to CEs and BAs, but also to non-covered entities such as developers of applications/technologies including mHealth and healthcare-based social media.

Encourage Note Sharing with Patients in Real Time

To enhance patient access to health information, we recommended promoting communications efforts such as OpenNotes through Medicare and Medicaid payment programs, such as the Merit-based Incentive Payment System.

Clarify Existing Regulatory Guidance on Third-Party Access to Patient Data

This especially relates to third-party legal requests that seek information without appropriate patient direction and beyond what is part of the DRS. I reported that ROI vendors and providers continue to be challenged with the discernment of third-party versus patient requests for transmittal to a third party. Third-party requesters demand the patient pricing, and the documentation does not always provide assurances that the requester is the patient or that the patient is aware of the request.

Our experience with some high-volume third-party requesters includes their demand for patient pricing and threats of, or actual submission of, OCR complaints. While we are steadfast in our commitment to patients’ privacy, the ongoing dispute by third-party requesters declining to provide reimbursement for healthcare costs in responding to these requests increases the administrative burden on both the health systems and the OCR.

We are asking that the 2016 guidance be updated to specify the original intent that a patient may direct their information to a third party who is specifically “acting on their behalf regarding a healthcare decision.”

MRO is presently working alongside industry experts to construct a white paper that will delve deeper into this topic and provide recommendations. We will share the paper on our blog once it is released.

Additional Resources and Media Coverage:

HealthIT Security – AHIMA, AMIA Call for HIPAA Upgrade to Support Patient Access

MedPage Today – Rules Needed for Better Patient Record Access, Say Experts

AHIMA and AMIA – Full Recommendation

Health Information Management (HIM) and healthcare compliance professionals will concur that there is heightened awareness of small breaches across the healthcare industry. And though small privacy breaches affecting fewer than 500 patients per incident are not usually publicized as widely as large-scale cyberattacks, the impact can be just as detrimental to healthcare organizations.

A small breach can be as simple as making an error in the Release of Information (ROI) process, involving a patient’s Protected Health Information (PHI) mistakenly sent to the wrong person—or the wrong patient’s PHI sent to the correct requesting party.

When you look at the stats, there is plenty of room for those types of errors. MRO’s research shows there are as many as 40 disclosure points across a single healthcare system. Most of those disclosure points tend to be outside of the HIM department, where individuals not trained in proper PHI disclosure management are handling the release of PHI. This trend of expanding disclosure points is one of the key factors driving breach risk in the Release of Information process.

Another risk factor involves gaps in the Quality Assurance (QA) processes. Research shows that roughly 30 percent of all Release of Information authorizations are initially invalid. And if Release of Information workflows lack redundant QA checks, up to 10 percent of those invalid authorizations are processed with errors.

Moreover, 5 percent of patient information in electronic medical records (EMRs) have integrity issues, including comingled patient records. MRO’s research shows that without proper QA measures in place, 1 in 200 records released will contain mixed patient information—which means an organization releasing 100,000 requests annually could potentially release 500 comingled records. That’s 500 potential breaches by way of errors in the Release of Information process.

Filling the Gaps in ROI Workflow to Minimize Breaches

Given the potential risk of breach due to improper PHI disclosure, healthcare leaders should closely review gaps in their PHI disclosure management processes and consider ways to enhance workflows to improve accuracy and quality. Here are some recommendations.

First, deploying an enterprise-wide strategy for PHI disclosure management will standardize policies, procedures and technologies across a health system. As part of that strategy, a streamlined Release of Information workflow helps eliminate inconsistencies, inefficiencies, distractions and errors.

Second, redundant QA checks are vital for PHI disclosure accuracy. Even the most experienced ROI specialists are subject to human error. Multiple layers of QA are needed throughout the lifecycle of an Release of Information request, from receipt through delivery, to ensure accuracy and compliance—and prevent a privacy breach. Best practice is to bolster workflows to ensure multiple teams review both the authorizations and medical records associated with each Release of Information request prior to release.

Providing a “second set of eyes” on all authorizations and PHI before release helps reduce improper disclosures. These additional quality checks should come from a combination of trained ROI specialists and record integrity technology that uses optical character recognition to locate and correct comingled records. For example, MRO offers its patented IdentiScan® record integrity application to ensure PHI disclosure accuracy. This tool scans records for patient identifiers throughout the record set, helping ROI specialists identify and correct mixed patient information prior to release. The right combination of people and technology promotes improved accuracy and minimizes breach risk.

Patent Issued to MRO for IdentiScan Application

Learn more about the benefits of IdentiScan® by watching our video. Complete the form below to request a demo of MRO’s ROI solution, which ensures 99.99% disclosure accuracy.

In September 2018, KLAS published the performance report “Release of Information 2018: Who Delivers Most Consistently Across Customers?” With a track record of being the KLAS “Category Leader” for ROI, as designated in 2013-2018 “Best in KLAS” reports, we were eager to dig into the latest research to see if MRO had again received the highest performance ratings.

We were not disappointed. I’m pleased to report that KLAS named MRO the overall highest performing ROI services vendor, outperforming the two other vendors included in the report. Only three ROI service providers had statistically adequate client bases to be included.

Key Findings: 2018 Release of Information KLAS Report

Key findings centered on MRO’s ROI services are:

• On a 100-point scale, MRO’s reported overall performance score is 90.4.
• MRO’s performance ratings for overall satisfaction, quality of service staff and turnaround time are rated highest among the vendors.
• MRO is noted as the consistent high performer and well-rounded firm with good communication, good employees and strong delivery of ROI services.
• 95 percent of MRO’s clients say they would hire the company again, a percentage much higher than the other vendors.
• MRO has the proven scalability to meet large client needs and implementations.

As I read through the report, it was apparent that quality is a key theme related to MRO’s services. Our “top notch employees and outstanding customer service” are highlighted, and KLAS’s research finds that MRO clients appreciate the responsiveness of our customer service, especially the ease of speaking with someone when needed.

Reflecting a bit, I felt the emphasis on high-quality service within this report echoed findings in the last KLAS report to feature a deep dive into ROI: “HIM Services Performance 2015: Coding, Transcription, Release of Information.” In the 2015 report, MRO was recognized for the best overall performance, highest quality and fastest turnaround times.

Since the 2015 HIM report was released, MRO has grown to be one of the largest ROI vendors, serving more than 7,500 locations nationwide. It is rewarding to see that our clients continue to recognize our work as the highest quality service in the industry as we continue to expand.

That brings me to another topic. Scalability. MRO’s ability to scale to provide quality ROI services to both large and small clients is also noted in the 2018 report. One surveyed HIM director said, “We don’t see any issues with MRO being able to scale to meet our needs. When we asked to amend our contract, we were asking for a couple of FTE equivalents, and since that time we have lost some key staff members. So, MRO is ready to expand. Our experiences with them have all been either very good or excellent. They are very reputable.”

I personally believe MRO client feedback provided to KLAS is a strong indicator of high-level client satisfaction. As we onboard more of the nation’s top health systems, we are making the necessary investments in technology and people to ensure we continue delivering the best service quality while meeting the needs and expectations of our clients.

Video: MRO: KLAS-rated #1 for Release of Information

In 2012, MRO became the first rated vendor in KLAS’s Release of Information services market segment. Since then, MRO has been consistently rated #1 for ROI, and we closely monitor our performance scores to ensure MRO clients receive the best service possible.  Watch the video to learn more.

I am proud that MRO’s people, technology and uncompromising commitment to our clients’ success are recognized by KLAS, not only in relation to the other ROI vendors, but also on an objective performance scale.

To read more about KLAS’s research on Release of Information, complete the form below.

As we approach the 2018 AHIMA National Convention and Exhibit in Miami, held September 22-26, 2018 in Miami, MRO is very excited to exhibit and have the chance to mingle with our Health Information Management (HIM) partners and friends.

During exhibit hall hours, members of MRO’s leadership will be available at Booth 437 to discuss topics surrounding Protected Health Information (PHI) disclosure management, including industry trends, breach risk mitigation and MRO’s KLAS #1-rated Release of Information (ROI) solutions. We will also have a mentalist/magician performing in our booth on Monday and Tuesday, September 24 and 25.

Some other places you can find MRO during the convention include:

AHIMA’s Privacy, Cybersecurity, and Information Governance Institute

Saturday and Sunday, September 22-23
Miami Beach Convention Center, Art Deco Ballroom, Room 228 AB

AHIMA is committed to remaining the leader in privacy, cybersecurity, and Information Governance (IG) throughout healthcare. Because of this commitment and healthcare’s evolution—which requires continued education on the most current topics and trends in the industry—AHIMA’s annual Privacy and Security Institute is evolving. This year AHIMA is introducing the Privacy, Cybersecurity, and Information Governance (PCIG) Institute.

MRO is proud to sponsor this year’s PCIG Institute, and Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO will participate in Sunday’s 10:55am – 11:45am Eastern panel discussion “Privacy and Security Competency Gaps: How to Navigate Your Way to Success.”

Case Study for Business Office ROI: Yale New Haven Health

Monday, September 24
Miami Beach Convention Center, Exhibit Hall, Theater C
12:15pm – 1:05pm Eastern

Join Kim Charland, RHIT, CCS, Director of Revenue Cycle Services for MRO, and Cindy Zak, MS, RHIA, PMP, FAHIMA, Executive Director of Corporate HIM for Yale New Haven Health, for a presentation on exploring ways MRO’s Medical Record Attachment Services for the Business Office can help HIM leaders improve interdepartmental collaborative efforts to efficiently and compliantly fulfill ROI requests that support claim payments.

ROI Networking Roundtable

Monday, September 25
Miami Beach Convention Center, Room 209
3:30pm – 4:15pm Eastern

Attend the presentation “The Modern Age of ROI – Are You Up to Date?” to network with HIM peers and experts in the field, including MRO’s Rita Bowen and Angela Rose, MHA, RHIA, CHPS, FAHIMA, Vice President of Implementation Services. Bring to the table any issues or challenges faced in ROI and discuss best practices.

Educational Session: Project Management in HIM Implementations

Monday, September 25
Miami Beach Convention Center, Ocean Drive Ballroom A-D
4:30pm – 5:15pm Eastern

To learn best practices for utilizing project management skills in enterprise-wide HIM implementations, join Angela Rose and Emilie Sturm, Sr. Revenue Management Consultant for Trinity Health, for this exploratory session.

Meet MRO at AHIMA

MRO has been exhibiting at this convention every year since 2004. In our 15th year at the event, we anticipate this to be our best year yet. I am looking forward to learning about the latest industry trends and being able to see and spend time with all our clients and friends in attendance. We hope to see you there!

Managing the disclosure of Protected Health Information (PHI) from within a healthcare organization has become increasingly complex. As the volume of medical Release of Information (ROI) continues to rise, multiple disclosure points place organizations at risk for privacy breach. Many have turned to outsourcing Release of Information to promote proper PHI disclosure. Choosing the right vendor can be a challenge if you don’t know where to start. Here are some suggestions to make the process easier.

DO—Use HIM peer feedback

The best way to begin is by seeking feedback from HIM peers who have experience with ROI vendors. Trusted peers can help with steps to identify vendors that offer high levels of service quality, accuracy and compliance.

Ensure the vendor is equipped to handle a health system your size

In today’s environment, there are fewer independent hospitals than in the past. Increased consolidation among hospital groups adds a new level of complexity due to size of the organization. It’s important to conduct a thorough evaluation to ensure the vendor can accommodate the size of your organization.

Over the years, many independent hospitals have used small local ROI companies that served them well at the time. But as these organizations grow to include multiple facilities with hundreds of clinics, ROI becomes a more complicated process. Vendor reassessment involves two critical considerations—scalability and expertise. Does the vendor have the scalability to meet the needs of all facilities and the expertise to conduct the implementation from a proven project management perspective?

Scalability is especially important for organizations acquiring physician practices. For one organization, we are currently hiring 40 people to serve five hospitals and 300 physician practice locations. Few vendors are equipped to manage a project of that size. Organizations should consider the scope of the project and the vendor’s ability to conduct a smooth and seamless implementation. Best practice is to engage a dedicated implementation team of trained specialists to onboard staff and ensure a successful implementation.

Assess the vendor’s ability to offer high levels of service quality, accuracy and compliance

Your organization must have confidence in the vendor’s ability to measure quality and accuracy to ensure compliance. While seeking feedback from peers, review the company’s resources to assess quality standards, documentation processes, areas of priority and methods of measurement. What is the success rate in terms of service delivery and accuracy? What internal quality measures are in place to ensure proper disclosure of PHI and prevent breach? Also, look for independent measures of quality and reputation of a vendor you’re considering. One of those measures is KLAS, a third-party group that rates companies based on customer ratings.

DO—Visit the vendor

As part of the evaluation process, schedule an onsite visit. At MRO, we welcome the opportunity to show and tell what we do. Showing tells a lot about an organization. Take a tour of the workflow to see ROI processes firsthand. That’s where you’ll see those crucial quality checks.

DO—Leverage the latest technology innovations

Advanced technology is essential to provide optimal ROI services. Top priorities include EMR integration, electronic delivery, optical character recognition (OCR) technology for Quality Assurance, and IT expertise and leadership.

EMR integration

Look for technology with the capability to integrate with most EMR systems. Some ROI companies have built interfaces between their ROI platforms and EMRs to enhance workflows through automation. For example, MRO’s MROeLink® interface with Epic’s ROI module has the capability to automate typically manual and redundant steps in the ROI process to improve efficiency and reduce errors.

Electronic delivery

Organizations today need import and export capabilities that extend beyond extraction of information.

Look for the ability to receive requests and deliver information via electronic interchange. At MRO, we have thousands of portals set up with different organizations around the country to securely receive and deliver information. Additionally, our proprietary interface with SSA’s Disability Determination Services (DDS) and esMD for CMS enables healthcare organizations to enhance revenue, improve efficiency and drive compliance.

OCR technology for Quality Assurance

Quality Assurance requires the right people, processes and technology. The most effective programs offer technology and human intervention to review documents at various points within information management workflows. For example, we suggest a combination of OCR technology and specially trained staff to perform multiple quality checks during the ROI process. MRO’s IdentiScan® OCR validation technology checks for patient identifiers to catch comingled records. Any detected errors are quickly corrected and documented by Quality Assurance experts.

IT expertise and leadership

Finally, consider the vendor’s future plans for investment on the IT side of the ROI process. Many times smaller vendors can’t make large investments required to be on the leading edge of IT. Is the vendor forward thinking regarding IT? What capabilities are in place? Recommended practice is to have extensive internal IT resources backed by plans for future investment. Look for progressive companies with IT knowledge, experience and leadership.

DO—Consider an enterprise-wide approach

A centralized, enterprise-wide approach to PHI disclosure management is the recommended strategy to have complete confidence in achieving compliance. This approach guards a patient’s privacy while also protecting the organization against breach, financial risk and reputational harm. The benefits across the health system include:

• Standardized policies and procedures
• Consistent policy enforcement
• Improved patient and third-party requester experience
• Heightened PHI disclosure accuracy through quality-infused workflows

DON’T—Prioritize low cost over quality

Prioritizing low cost over quality and compliance will cost your organization more in the long run. Everyone wants the most economical deal, but not at the expense of quality. Noncompliance and associated costs are too great a risk. When evaluating a vendor, shop for accuracy and quality.

MRO is proud to be KLAS-rated #1 for outsourced Release of Information services, offering scalability, expertise, innovative technologies, and the highest levels of accuracy, quality and service. To request a demo of our ROI Online® solution, complete the form.

Begin with the end in mind.  – Stephen Covey

Stephen Covey will long be remembered as the author of The Seven Habits of Highly Effective People. The wisdom of those habits is applicable to organizations as well. When onboarding a new Release of Information (ROI) vendor, the end goal is to standardize policies and processes across the enterprise for timely, accurate and efficient disclosure of Protected Health Information (PHI).

Partnering with a new vendor for outsourcing Release of Information doesn’t have to be a daunting task. Whether your organization is managing ROI in house or considering a change from one outsourcing vendor to another, making a smooth transition across the enterprise is critical. Defined tasks and activities are required to successfully bring a new ROI vendor on board and resume normal operations as efficiently and effectively as possible. A seamless process begins with a dedicated implementation team to facilitate the transition, keeping the end goal in mind.

In our experience, organizations often encounter challenges that are difficult to overcome without the expertise of an implementation team. Here are some of the most common pitfalls:

• Lack of executive ownership
• Resistance from stakeholders, no buy-in
• Lack of process knowledge/ownership
• Scope creep—project not well defined, documented, controlled
• Communication issues
• Insufficient staffing, training and other resources
• Multiple technology platforms/EMR

Setting the Stage for PHI Disclosure Management Success: Six Strategies to Ensure a Smooth Transition

When evaluating an ROI vendor, be sure the vendor has a dedicated implementation team to facilitate a smooth transition. That is your first priority. The team will guide the implementation through the following six strategies:

Define the Project. Define the project scope, goals and objectives. Identify the project owner, executive sponsor and all stakeholders. Set expectations and accountability. Develop a timeline with milestones and phases.

Manage Contracts. Monitor and manage the terms of the contract to ensure contractual obligations are met. Deliver to the client exactly as specified in the contract. Proper management prevents scope creep.

Communicate. Provide ways to communicate with senior management and all stakeholders across the enterprise. Communication tools include internal memos, email templates, press releases, onsite meetings, workflow tips, helpline, monthly updates to senior management on timelines and milestones, and post-implementation touch-point calls. Communication builds trust.

Plan. Planning and communication go hand in hand. Otherwise, the project implementation plan won’t leave the conference room. To assist with planning, here at MRO, we provide new clients with a detailed overview of our implementation planning process including the following:

• Pre-Implementation Activities
• Implementation Timeline
• Go-Live Activities
• Post Implementation Activities

Planning is everything. Proper planning presents the opportunity to identify and address issues up front, setting the stage to achieve optimal results.

Document. Comprehensive documentation clearly defines the project desired outcomes. Transparency and accountability are essential. One of our practices is to send welcome packets introducing what we do and what’s going to happen during the implementation period, along with escalation pathways and MRO contact information. Throughout the transition, we provide a detailed agenda for every meeting, minutes following each meeting, training documentation, videos, monthly updates and project monitoring reports. The entire process is documented from the beginning.

Train and Educate. In preparation for go-live, an effective training and education program promotes successful outcomes. The recommended strategy is to begin training after the planning phase and continue throughout go-live. At MRO, our implementation specialists provide training on MRO ROI policies and procedures, current and legacy EMR systems, HIPAA privacy and security, ROI Online® system use and best practices.

Best Practices Yield Optimal Outcomes

Beginning with the end in mind, providers and vendors should work together to help organizations achieve timely, accurate and efficient ROI outcomes.  At MRO, our dedicated implementation team guides you every step of the way with proven strategies to ensure a seamless transition.

Releasing medical records from a healthcare organization’s business office can be accomplished in a more efficient and cost-effective method. Instead of distracting billers and collectors from their main duties of collecting revenue, business offices should consider the following options to improve efficiency and ensure proper tracking of Protected Health Information (PHI). I provide more detailed information in an HFMA blog “PHI Disclosure Management in the Business Office.”

Centralize all Requests for Records

If the business office wishes to continue to process using their staff, the function should be centralized and assigned to a core group of processors to fulfill all requests. This will help minimize administrative burden from the billers and collectors. Centralization also promotes consistent, standardized processes. These dedicated business office staff should be thoroughly trained in proper PHI disclosure management to maximize efficiency, eliminate redundancy and mitigate risk of HIPAA breach for requests that may fall outside of TPO such as itemized bills for outside attorney requests.

Transfer the Work to HIM

HIM staff are well trained in processing requests for information. They have the knowledge and skills to complete requests efficiently and in compliance with HIPAA guidelines. Nevertheless, some organizations fear delegating this function to HIM because of concerns regarding timeliness and payer deadlines. To reduce turnaround time fears, the following four best practices should be implemented:

1. Ensure open and ongoing communication between the business office and HIM
2. Optimize the use of EHR and PHI disclosure management technologies to route requests and share information
3. Assign dedicated Release of Information (ROI) experts to support the business office and process requests
4. Conduct regular meetings to discuss new trends in payer requests and proactively improve turnaround time through SFTP delivery

Outsource Business Office PHI Disclosures

A number of national firms, including MRO, provide Release of Information services to process payer requests. MRO’s services for business office disclosure management ensure timely delivery of information to payers, full compliance with HIPAA guidelines, and around-the-clock staffing to avoid backlogs or delays.

Careful and strategic tracking of information released, to whom and why, will make the PHI disclosure process more efficient. If your organization needs to improve this process, you should consider: centralization, delegating work to HIM or outsourcing PHI disclosure management. By implementing these alternative workflow options, your organization will be taking the right steps towards improving billing processes and decreasing denials.