Record Requests610-994-7500

MRO’s 2017 AHIMA Product World: Panel of HIM Directors Cover Best Practices for Release of Information

MRO’s 2017 Product World Presentation

During the 2017 AHIMA Convention and Exhibit, I hosted MRO’s Product World presentation. During this session, myself along with four other panelists of Health Information Management (HIM) Directors reviewed the current environment in which HIM departments operate, and the associated challenges related to Protected Health Information (PHI) disclosure management. We then explored best practices for PHI disclosure management.

The four panelists in this session included Cindy Zak, Executive Director of Corporate HIM for Yale New Haven Health, Sandra Allen, Director of HIM for Ochsner Health System, Kyle McElroy, Assistant Vice President of HIM for IASIS Healthcare which is now a part of Steward Health, and Sheila Bowlds, Director of HIM and Hospital Coding for Henry Ford Health System. Below are some of the best practices that were discussed during the panel.

Implement Multiple Layers of Quality Assurance

Quality measures need to be highest priority to help ensure Release of Information (ROI) processing for healthcare organizations is compliant, secure and efficient.  It is important that multiple levels of Quality Assurance (QA) are applied to both the request authorization, and the health information to be released.

According to panelist Kyle McElroy, AVP of HIM for IASIS Healthcare/Steward Health, MRO’s QA technology enabled his organization to improve accuracy and compliance, and safeguard their health system against breach. The technology he referenced, called IdentiScan®, uses optical character recognition (OCR) verification technology to examine each page in a medical record for patient-identifying information before PHI is released.

Utilize Remote ROI Staff and Services

ROI vendors with advanced capabilities will offer remote ROI services to manage the ROI process for a healthcare organization from end-to-end, remotely. Additionally, such remote services may also be used to provide supplemental audit support through batch logging audits, pulling electronic records and releasing records remotely.

According to Cindy Zak, Executive Director of Corporate HIM for Yale New Haven Health, one of the biggest challenges her organization faced with ROI was that their staff handled too many tasks and were not able to receive proper ongoing training. By taking advantage of MRO’s remote services and implementing MRO’s MROeLink® Epic integration technology, Zak said her organization was able to utilize MRO’s highly-trained ROI specialists to streamline processing efforts, plus reduce paper transactions, improve their billing process and attain a consistent disclosure process.

Sandra Allen, HIM Director for Ochsner Health System, echoed Zak’s remarks about the improvements her organization realized through implementing remote services and MRO’s technology for automating Release of Information. Read the case study to learn more.

Consider a Patient Advocate

A Patient Advocate can provide targeted assistance to patients experiencing confusion, frustration or perceived difficulty regarding the medical record request process. Having a patient advocate in place shows patients that you care about them and provides them with an extra set of helping hands. During the AHIMA presentation, we discussed MRO’s award-winning Patient Advocate Program that provides specialized support to patients, with a heightened sense of compassion and empathy, by identifying and resolving urgent issues, while also simplifying and facilitating navigation through the ROI process.

Provide Ongoing Training and Education

To stay ahead of breach threats, healthcare organizations need employees who are trained on the most up-to-date HIPAA regulations and ROI requirements at the federal, state and facility level. Investing in the hiring, training and education of your employees is critical for ensuring the best client experience.

MRO’s training and education programs are powered through MRO Academy, a rigorous and required online educational curriculum for all MRO employees. Additionally, the company can provide custom trainings on ROI policies and procedures to hospital HIM staff. During the panel presentation at AHIMA, Sheila Bowlds, Director of HIM and Hospital Coding for Henry Ford Health System, said that MRO provided education for her staff, which helped improve her organization’s ROI process tremendously.

Release of Information Best Practices

Other ROI best practices that were discussed include: electronic request receipt and distribution capabilities, the needs for requester notification processes, interface connectivity with an EMR (specifically Epic), ease of implementation and onboarding processes, reporting transparency and management responsiveness.

To download MRO’s Best Practices Worksheet, complete the form below.

For additional information about our Product World presentation at AHIMA, watch our video, which touches on additional topics we covered like the impact of payer audits to HIM and the OCR’s initiatives around patient access. This video also recaps some themes from the AHIMA Convention, and some commentary about my favorite parts of the annual event.

Download ROI Best Practices Worksheet

Read More

2017 National AHIMA Convention: Takeaways for Health Information Management Professionals

The American Health Information Management Association (AHIMA) held its annual convention and exhibit in Los Angeles, October 7-11. This year’s event delivered a renewed focus on the profession’s responsibility to protect and govern Protected Health Information (PHI). During the convention, updates for privacy, security, interoperability and information governance were provided. Here is a quick overview of lessons learned at the conference. You can read more in my recent post to HIM Scene’s blog, titled Heard at #AHIMACon17: Lessons Learned for HIM.

Privacy and Security Institute

This year was the 11th anniversary of AHIMA’s Privacy and Security Institute. Speakers from the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR), Federal Bureau of Investigations (FBI) and Health Information Trust Alliance (or HITRUST) joined privacy and HIM consultants for a two-day seminar.

Additionally, MRO’s Angela Rose, MHA, RHIA, CHPS, FAHIMA, Director of Client Relations and Account Management, and I co-presented a session titled, “Developing Best Practices from OCR Audits and Enforcement Activities.” In this session, we offered best practices for HIM professionals based on lessons learned from the OCR’s patient access guidance, resolution agreements and HIPAA Audit Program protocols. You can download a copy of our presentation by completing the form at the bottom of this blog post.

Cutbacks Underway

The position of Chief Privacy Officer (CPO) at the Office of the National Coordinator for Health Information Technology (ONC) has been vacant for the past year, and during this time Deven McGraw, Deputy Director of Health Information Privacy at the OCR, successfully served as acting CPO. Her recent departure, along with other cutbacks, will have a trickle-down impact for privacy compliance in 2018.

Onsite Audits Cease

Yun-kyung (Peggy) Lee, Deputy Regional Manager for the OCR, informed attendees that onsite HIPAA audits would no longer be conducted for Covered Entities or Business Associates due to staffing cutbacks in Washington, D.C. The concern here is that whatever doesn’t get regulatory attention, may not get done.

Interoperability Advances HIPAA

The national push for greater interoperability is an absolute necessity to improve healthcare delivery. However, 30 years of new technology and communication capabilities must be incorporated into HIPAA rules. Old guidelines block us from addressing new goals. We expect more fine-tuning of HIPAA in 2018 to achieve the greater good of patient access and health information exchange.

In an article published shortly before the AHIMA convention, OCR Director Roger Severino touched on the need to modify HIPAA in light of technology advancements and cyber threats saying, “I’ve gotten up to speed on HIPAA, and as the threats evolve, we have to evolve in how we approach it – and we have to be smart about who we target. At most I will say the big, juicy case is going to be my priority and the methods for finding it – stay tuned.”

Luminary Healthcare Panel

This session was a very relevant discussion for my role as Vice President of Privacy, Compliance and HIM Policy at MRO. Panelists provided a glimpse into the future of healthcare while reiterating HIM’s destiny—data integrity and information governance.

Final Takeaway

There is no doubt that HIM’s role is expanding. We have the underlying knowledge of the importance of data and the information it yields. More technology leads to more data and an increased need for sophisticated health information management and governance. Our history of protecting patient information opens the door to our future in the healthcare industry.

To download slides from MRO’s Privacy and Security Institute presentation “Developing Best Practices from OCR Audits and Enforcement Activities,” complete the form below.

To download slides from MRO’s Privacy and Security Institute presentation “Developing Best Practices from OCR Audits and Enforcement Activities,” complete the form below.

Read More

MRO Celebrates its Foundational Roots of Customer Service by Taking Part in National Customer Service Week

MRO’s team is proud and excited to celebrate National Customer Service Week during the week of October 2, 2017. We gladly give special recognition to our team members who are directly involved in servicing our greatest resource: our customers.

All of our team members are involved in client service and satisfaction to some degree, regardless of function or job title, as we strive to live up to our Mission, Vision and Values as an organization. This year’s theme for National Customer Service Week—“Building Trust”—perfectly aligns with our core value of Trust.

MRO’s Mission, Vision and Values

Our Mission
MRO’s mission is to disclose the right Protected Health Information (PHI) to the right requesters in a secure and compliant fashion, with an unwavering focus on client success.

Our Vision
MRO’s vision is to transform the way health information is used and exchanged through innovation, technology and unparalleled service.

Our Values
MRO is committed to being the trusted PARTNER for PHI disclosure management. Our core values are not just MRO’s philosophy; they are what our clients and employees experience every day.

It all starts with our people. MRO’s values are driven by employees who are passionate about serving others and providing value to our clients. At MRO, we are propelled by a zeal for excellence and client satisfaction. We love what we do.

MRO’s team takes great pride in our work. Our employees maintain the highest standards of integrity, ownership, work ethic, quality focus and service excellence. We have people and processes you can count on.

MRO respects clients’ needs, goals and expectations. We work with our client partners and each other in a spirit of cooperation, goodwill and understanding. When you interact with an MRO representative, you can expect a genuine, caring and empathetic response.

MRO is dedicated to being transparent with our clients and delivering on our promises. We put our clients’ needs first. You can count on MRO to represent your organization in the best light, through high levels of commitment, competence and professionalism.

Our team works in a dynamic and nurturing environment that provides the necessary tools to building the best and brightest staff. MRO invests in industry-leading education and training, and fosters career advancement.  We promote a culture that inspires our employees to be the best they can be.

Great isn’t good enough at MRO. We aim to exceed expectations in all that we do. MRO is driven to be the nimble, responsive and proactive partner that delivers only the highest levels of quality, accuracy and innovation.

MRO is the partner and employer of choice, and our reputation precedes us.  We are honored to be the acknowledged industry leader for PHI disclosure management solutions.

Celebrating Service Excellence
At MRO, we function as one, collaborative, excellence-driven structure. We work to fulfill the needs of our clients and requesters of PHI. Additionally, those who seek to obtain information from our client partners should expect their questions and concerns answered and addressed timely and informatively, all while effective and efficient request fulfillment remains our top priority.

Please join us in recognizing service professionals around you!

Join our blog mailing list

Read More

Five Ways CEs can Mitigate Breach Risk Associated with BAs

As advancements in health information technology allow increased access to Protected Health Information (PHI), the risk of breach is on the rise. In 2017 alone, there have been 233 reported data breaches, which have impacted 3,159,236 patients. This steady climb suggests that Covered Entities (CEs) and Business Associates (BAs) are still struggling to establish the measures needed to protect patient data and confidentiality.

CEs must be vigilant about the risks and threats directly related to their activities. And now more than ever, they need to focus on the additional threat vector presented by their BAs. As you would expect, the types of breaches encountered by BAs are similar to the threats facing CEs. The causes of breaches include malware/ransomware incidents, accidental disclosures, loss or theft of media containing sensitive data, physical loss of records, application and system vulnerabilities, social engineering exploits and payment fraud. While there are many different culprits of breach, improper and accidental disclosure of PHI is the most common cause of data security incidents. These improper disclosures of PHI include a wide range of errors such as comingled records and misdirected faxes and emails.

The impact of BA breaches on patients of a CE can run deep—from cases of identity theft to exposure of sensitive information regarding a condition, treatment or test that could lead to harm, embarrassment or discrimination. If fines are levied, sanctions and actions will be held against the CE as well.

In an upcoming AHIMA Convention educational session titled “Essentials for Business Associate Management: Due Diligence and Ongoing Risk Analysis,” my colleague Rita Bowen, MA, RHIA, CHPC, CHPS, SSGB, and I will review ways CEs can mitigate breach risk associated with BAs. The following is a sampling of what we will discuss.

    1. Perform initial due diligence. Identify what services are being performed, where the services are being performed, and what contracts should be in place including Master Service Agreements (MSAs), Business Associate Agreements (BAAs), Nondisclosure Agreements (NDAs), Data Use and Reciprocal Support Agreement (DURSA) and others.
    2. Get your security and compliance teams on board early in the process to avoid delayed services or rushed assessments. I cannot tell you how many meetings I’ve attended with our prospective client’s security and compliance teams, when we are just days away from finalizing a contract, and their opening statement is: “Well this is the first time we’re hearing of this. Let’s start from the beginning.” So, we just lost two weeks getting a project started, and the client needs us to go live in seven days. To avoid these types of delays, it’s recommended to have security and compliance teams involved in the onboarding of new partner services and technologies early in the process.
    3. Have a standard assessment. Have an equal way to measure the risk associated with the various services BAs can provide. No one shoe fits all, but attempting to keep the assessment process as standardized as possible allows for better assessments of risk. This assessment should cover all the applicable administrative, physical and technical controls associated with the services provided—all shoe sizes!
    4. Confirm cyber insurance. Make sure your BAs have adequate cyber insurance protections in the event of a breach—based on the services being delivered and the associated risk.
    5. Perform annual reviews and third-party assessments. Healthcare organizations should implement a formal program to review their BAs on an appropriate schedule. This would include your typical or an abridged assessment and any third-party certifications, accreditations or audits your BA has achieved.

    Complete the form to download the HCPro HIPAA Briefings article “Managing HIPAA Business Associate Relationships.”

Download "Managing HIPAA Business Associate Relationships”

Read More

15 Things to Look for in a Release of Information Partner

At MRO, our greatest honor is our loyal and satisfied clients. MRO is the Release of Information (ROI) partner of choice and we are proud to be the acknowledged industry leader. MRO respects clients’ needs, goals and expectations. We work with our client partners and each other in a spirit of cooperation, goodwill and understanding.

To continue our celebration of MRO’s 15th anniversary, we have collected a list, through a voluntary client survey, of the “top 15” reasons MRO clients enjoy working with us. If you are evaluating ROI vendors, you can look to this list as a guide.

15 Reasons Health Information Management Leaders Choose MRO

1. Advanced Technology – At MRO, we pride ourselves as technology experts and innovators, and our services are driven by leading-edge technologies that streamline workflows, ensure accuracy and drive compliance. Special technologies that we are best known for include the IdentiScan® record integrity application and MROeLink®, a suite of interfaces used to automate ROI.
2. Expertise – MRO keeps our clients informed by staying up-to-date on HIPAA regulations and Release of Information (ROI) requirements at the federal, state and facility level. Our industry-acknowledged experts regularly provide updates to our client base through blogs, articles, webinars, trainings and in-person meetings.
3. Accuracy –Our clients have grown to rely on MRO for our Quality Assurance (QA) program, which drives high levels of accuracy. Our accuracy rate is a near-perfect 99.99 percent. At MRO, we have a dual set of eyes that look and check behind key steps of our workflow. With knowledge staff and sophisticated technology supporting a quality-infused workflow, we get the right information to the right requesters, at the right time.
4. Compliance Support – MRO clients can rely on consistent privacy updates regarding regulations and reporting guidelines. MRO’s Data Protection Steering Committee (DPSC) routinely reviews current regulation agreements and privacy and security events to assure our readiness in support to our business partners.
5. Customer Service – As part of the support we offer clients and requesters from MRO’s National Service Center, we have a dedicated customer service program, as well as a Patient Advocate program, that handles patient requests and calls. In 2017, MRO won a Stevie® Award for Innovation in Customer Service for the Patient Advocate program.
6. Reporting – MRO’s suite of reports is tailored for key information that is typically needed by HIM leaders to track request volumes, revenue generated, etc. Our clients can see all the data and revenue that we post for them by the hour.
7. Shared Liability – As a Business Associate of our Covered Entity clients, MRO shares liability from a coverage standpoint.
8. Dedicated Implementation Team – MRO has a dedicated implementation team, which handles the initial onboarding of new clients, along with the onboarding of new facilities that have been acquired through client mergers and acquisitions. Our implementation, training and support teams work side-by-side with our clients during the transition to MRO’s systems.
9. Company’s Reputation – KLAS has named MRO the Category Leader for the ROI services market segment four years in a row, as part of the 2013, 2014, 2015/2016 and 2017 Best in KLAS: Software & Services reports respectively. Additionally, MRO is noted as offering the highest levels of quality, best overall performance and fastest turnaround in KLAS’s 2015 HIM Services report. Our clients are proud to partner with the No. 1 rated vendor.
10. Client Training and Education Opportunities – Not only do we have dedicated implementation teams responsible for initial training, but we also have ongoing training and education through an online learning management tool called MRO Academy.
11. Values – Our core values are not just MRO’s philosophy; they are what our clients and employees experience every day. Our values are: Passion, Accountability, Respect, Trust, Nurture, Excellence and Reputation.
12. Partnership – MRO is committed to being the trusted partner for Protected Health Information (PHI) disclosure management, and that is reflected in our values. In fact, the first letter of each core value spells out PARTNER. That was intentional, as our mission is focused to enabling client success through our partnership.
13. Knowledgeable ROI Specialists – At MRO, we heavily invest in the hiring, training and education of our staff who, using our state-of-the-art technology, takes the ROI burden off the shoulders of our clients.
14. Communication – We have very direct communication with our clients. We meet monthly with them and sometimes even weekly. Strong communication helps establish and maintain the relationships we have with our clients.
15. Client Engagement – At MRO, we are dedicated to staying involved with our clients as much as possible. We ask for feedback regularly and adapt our solutions to meet their needs. We are passionate about serving our clients and providing value to them.

Other reasons MRO clients listed as why they enjoy working with us included our flexible service offerings, reliable call center, local presence and our passion.

Join our blog mailing list

Read More

Preventing Healthcare Breaches, the Costliest of the Breaches

This month, IBM Security and Ponemon Institute released its 2017 Cost of Data Breach Study. It examines the costs experienced by 63 U.S. companies in 16 industry sectors after those companies experienced loss or theft of protected personal data and the notification of breach victims as required by various laws. It is not a healthcare specific study, but it does include healthcare specific statistics.

Healthcare Breach is Most Costly

This study showed that there has been a 4.7 percent increase in the total cost of data breach. The study also revealed that heavily regulated industries, such as healthcare and financial services, had per capita data breach costs well above the overall mean of $225. In contrast, public sector organizations had a per capita cost of data breach below the overall mean.

Moreover, healthcare breach is the costliest across all industries. These costs include credit or identity theft monitoring for breach victims, forensic and legal fees, and loss of goodwill and of business.

Causes of Data Breach

There are many different causes of data breach, but malicious or criminal attacks continue to be the primary and costliest cause. The study states that 52 percent of incidents involve a malicious or criminal attack, 24 percent are caused by system glitches, including both IT and business process failures, and another 24 percent of incidents are caused by negligent employees.

An example of how employee error can result in breach is in the Release of Information (ROI) process, which involves a variety of manual steps. While this type of risk can be minimized with the proper training and education, human error is inevitable. An error can lead to the wrong patient’s records being released to the wrong party, resulting in breach and damage to an organization’s reputation.

While the type of breaches resulting from mistakes in the ROI process may not effect hundreds of patients at a time, the cost can be just as impactful. And, preventing these types of breaches should not be overlooked. Small breaches like this happen far more frequently than large breaches, and the Office for Civil Rights (OCR) is noted as paying closer attention to them.

Preventing Breach in the ROI Process

Although there are many causes of data breach, there are also many ways to prevent it in the ROI process. The combination of highly trained, knowledgeable staff and state-of-the-art technology can improve PHI disclosure accuracy rates. Employees should undergo specialized training on the most up-to-date HIPAA regulations and Protected Health Information (PHI) disclosure requirements at the federal, state and facility level.

Additionally, by partnering with an experienced and knowledgeable PHI disclosure management partner, organizations can achieve near-perfect accuracy rates and prevent breaches in the ROI process. Innovative ROI vendor partners, such as MRO, utilize technology to identify errors at every step of the ROI process, including optical character recognition (OCR) technology like our IdentiScan®, to ensure there are no comingled records before release.

To learn more about preventing small breaches, complete the form to download our white paper “Mitigating Breach Risk in an Era of Expanding PHI Disclosure Points and Requests for Health Information.”

Receive a copy of MRO’s white paper “Mitigating Breach Risk in an Era of Expanding PHI Disclosure Points and Requests for Health Information.”

Read More

Audits vs. Reviews: The Difference between Payer Requests for Medical Documentation

It’s no secret to most HIM professionals that the volume of health plan medical record requests continues to increase significantly. These requests vary in purpose, and there can be some confusion in regard to which are actually audits versus which are reviews, e.g. HEDIS and Risk Adjustment.  Here are some helpful tips for telling the difference.

Telling the Difference between Payer Audits and Reviews

Typically, the purpose of post payment audits is to confirm correct coding and sequencing as billed on the claim to determine if payment was made to the provider correctly; the health plan’s intention is to recoup funds on overpaid claims, which benefits them.

So what is the difference between an audit and a review? HEDIS and Risk Adjustment (Medicare and commercial) reviews do benefit the payers; the main difference is there is no potential negative financial impact to providers.

HEDIS reviews can actually benefit providers during contract negotiations because the HEDIS performance rankings can be used to gauge the quality and effectiveness of different health plans for potential participation with the facility.

With Risk Adjustment reviews, health plans have to prove the needs of the population to CMS so they are able to continue to provide services for higher risk patients, and ultimately pay providers for the care of this population. In both cases, medical records are needed to perform this analysis.

Payer Audit and Review Requests are Chargeable

In 2015, 85 percent of audit and review requests came from third party vendors representing the health plans. Both post payment audit and review requests are typically chargeable to the requesting party, and they are willing to pay due to the importance of collecting the records. It is not uncommon for these vendors to apply pressure to providers to send records by a faux deadline and/or at no cost. A provider’s Release of Information vendor should be able to work directly with these requesters to ensure payment for and timely delivery of records.

To learn about MRO’s Payer Audit and Review solutions, visit the MRO website or visit us at the HFMA ANI convention June 25-28, 2017 in Orlando, Florida – Booth #1150.

Sign Up for Future Blog Posts

Read More

Case Study: Outsourcing Release of Information Increased Efficiency, Reduced Risk and Improved Patient Satisfaction Across One Health System

On June 15, 2017, MRO Area Manager, Kaylin Alexander, RHIA, and MRO client Patsy Raworth, RHIA, Director of HIM, RAC Coordinator and Privacy Officer for Mississippi Baptist Health System, will be co-presenting a session at the MSHIMA annual meeting in Hattiesburg, Mississippi.

The presentation will cover best practices for Release of Information (ROI) and dive into the details of how Mississippi Baptist increased efficiency, reduced risk and improved patient satisfaction across the health system enterprise by moving to an outsourced model for Protected Health Information (PHI) disclosure management.

Outsourcing Yields Benefits for Mississippi Baptist

Mississippi Baptist, a 629-bed healthcare organization, which includes four hospitals and 37 clinics, receives 43,000 ROI requests annually not including walk-in requests. The organization’s Health Information Management (HIM) department, led by Raworth, historically handled all ROI processing in-house.

In 2015, Raworth looked to an outsourced solution with more sophisticated workflows and technology, as well as additional staff resources, to meet the challenges of an evolving HIM space including the rising tide of government and commercial payer audits. She, along with other stakeholders within the healthcare organization, selected to partner with MRO.

By adding MRO staff onsite and utilizing the support teams at our National Service Center, Mississippi Baptist saw a huge improvement in quality and productivity.  Some of the highlights include:

  • MRO handled nearly 5,500 patient and requester calls in 2016.
  • IdentiScan®, MRO’s record integrity application, assisted in preventing 60 improper disclosures in a one year time frame.
  • Potential breach risk lowered from $97,000 annually to just $39.
  • MRO’s tracking capabilities justified payment for $180,000 of inaccurately denied claims.

Learn more at the upcoming MSHIMA meeting, or download MRO’s Mississippi Baptist Health Case Study by completing the form.

Request the Mississippi Baptist Release of Information Case Study

Read More