
HCCA Compliance Institute Hot Topics: Patient Access to Health Information and Privacy Breaches

As patients continue requesting access to their Protected Health Information (PHI) in greater numbers, removing barriers to access continues to be one of the hottest topics in compliance. In addition to adding complexity to the process of disclosing PHI, this increased demand for access, and the accompanying U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) guidelines for providing easy access, has had the negative side effect of increasing breach risk.

To mitigate this rise in breach risk, healthcare organizations can standardize PHI disclosure processes and procedures across their organizations. As we gear up for the annual HCCA Compliance Institute, here are some things to keep in mind:

OCR Guidance Promotes Patient Access to Health Information

Under the new OCR guidance, healthcare organizations cannot create barriers or unreasonably delay patient access to health information. For example, one of the most common compliance mistakes is requiring patients or their personal representatives to submit HIPAA-compliant authorizations when requesting PHI.

Small Scale Privacy Breaches Are Also a Threat

Increased access for patients can also lead to an increase in small-scale breaches affecting fewer than 500 patients at a time. Unlike more attention-grabbing cybercrimes or device thefts, breaches occurring during normal Release of Information (ROI) processes are far more common, and just as devastating to healthcare organizations.

MRO research has found as many as 40 points of disclosure within healthcare organizations, and with the growing number of requests flooding a changing market, risk will continue to rise as organizations attempt to handle the higher volume. Standardizing and centralizing PHI disclosure management is key to combating these breaches.

HIPAA Audits are in Play

OCR Phase 2 HIPAA audits are in motion and include Business Associate desk audits and HIPAA Breach Notification and Security Rule compliance evaluations. HIM and compliance professionals alike are eager to learn the findings of these audits, and we look forward to sharing what we learn as soon as more information is available.

To learn more about these hot compliance topics, visit MRO at booth #325 at this year’s HCCA Compliance Institute. Fill out the form to schedule your meeting.


HIMSS17 Reflection: Security Driven to Forefront of Compliance

It’s wonderful to be surrounded by like-minded people seeking solutions to similar business challenges, and the annual HIMSS Conference and Exhibition always proves such an occasion for Health Information Technology (HIT) and Health Information Management (HIM) professionals. This year, over 42,000 HIT and HIM professionals, executives and vendors convened in Orlando for cutting-edge educational and networking opportunities.

My primary focus at the conference was to explore how today’s challenges can be turned into opportunities to strengthen MRO’s security posture and compliance stances, and also to provide more secure and efficient ways of exchanging Protected Health Information (PHI).

Privacy has come a long way in a handful of years, and now security is being driven to the forefront of compliance regulations. Here are some takeaways:

General Threat Detection

As the risk and threat landscape continues to evolve, organizations need to adapt. We must be ever-diligent in applying the proper safeguards, like implementing evolving and adaptive multi-tiered and multi-layered technologies to protect our sensitive assets, such as clinical, pharmacy or patient data. One specific threat facing healthcare organizations is ransomware.

Ransomware

Ransomware attacks – the hijacking and encrypting of an organization’s data by cybercriminals for purposes of extortion – are a major source of risk. These attacks typically begin with an employee clicking a malicious link in an email or unknowingly opening a file that carries the malware, which then encrypts the data and renders it inaccessible.

Humans continue to be the weakest link in the healthcare security chain. Ongoing staff training can mitigate this risk. Regular training activities, like phishing exercises, can help instill security best practices in employees. Business Associates (BAs) should also provide regular ongoing training to their employees.

Third Party Vendor Management

Third party vendor management is another tough challenge facing the industry. Whether the requirements come from Covered Entities (CEs) imposing them on their BAs, or trickle down from BAs to the vendors they partner with, establishing trust and providing accurate assurances are necessary to operate in the medical space today. Risk assessments are a large part of this. Whether an organization is assessing itself as part of its ongoing risk management program, conducting formal third party assessments, or performing engagement-level assessments, every organization needs to conduct ongoing risk and third party due diligence.

Adoption of common privacy and security criteria, such as those of the Health Information Trust Alliance (HITRUST), that a healthcare organization attests to once and that its partners can then rely on many times over, has been slow but encouraging. Benefits of such attestation include minimized maintenance and management of third party assessments.

HIT and HIM professionals must be prepared to implement newer controls, provide more adaptive and holistic threat and breach management, and prepare to deal with and recover from the potential technical incidents impacting our organizations.

Learn more about third party vendor management in the MRO blog post “Four tips for Business Associate and subcontractor management.”


Insights from MRO’s Legal Expert: Release of Information – Risky Business

While cyberattacks and device theft make good news stories, it’s far more likely for Protected Health Information (PHI) breaches to occur during routine Release of Information (ROI) requests. These improper disclosures are just as damaging to healthcare organizations as larger breaches. With this in mind, safeguarding health organizations against breach should be a top priority.

Factors driving breach risk

As PHI disclosure points and ROI requests increase, the likelihood of breaches occurring during the ROI process will also increase. Differing electronic medical record (EMR) systems and a lack of standardized policies and procedures contribute to the rise in breach risk associated with the recent surge in healthcare mergers and acquisitions. Another factor is the growing volume of requests in a changing market.

An emphasis on value and quality care means more commercial and government payer audits. Additionally, more and more patients wish to be directly involved in healthcare decisions and thus want greater access to their records. This larger number of requests, along with the faster and more frequent exchange of PHI, will logically lead to increased risk.

Unintentional employee actions cause breach

MRO research shows 20-30 percent of ROI authorizations are initially invalid, and without a second review, up to 10 percent of these invalid authorizations are processed. Additionally, five percent of data in EMRs have data integrity issues, such as commingled records, which can lead to improper disclosures. This is likely due to employee negligence. According to a May 2016 Ponemon Institute survey, 36 percent of PHI data breaches were caused by “unintentional employee action.”

The cost of PHI breach

Breaches are costly. Each breach costs between $8,000 and $300,000, according to the American National Standards Institute, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, and up to $1.5 million for recurrence. But the cost isn’t just monetary – breach also means loss of brand value.

According to Ponemon, 89 percent of surveyed healthcare organizations reported a PHI breach between May 2014 and May 2016, and 45 percent reported more than five in that same timeframe. As of January 2017, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has assessed approximately $58.51 million in settlement agreement fines or civil money penalties for data breaches.

ROI is a risky business. In today’s changing HIM landscape, the need for safeguarding health organizations against breach has grown exponentially. Standardizing policies and procedures by implementing an enterprise-wide strategy for PHI disclosure management, ensuring multiple layers of Quality Assurance are applied throughout the release process, and employing a well-trained and knowledgeable workforce are best practices for preventing small breaches that could potentially occur during the ROI process.

To learn more, fill out the form and read our eBook, Breach Risk in Release of Information: Don’t Leave Risk to Chance.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.


Integrating patient-generated health data into electronic medical records

With the advent of healthcare tracking apps and wearable technology, patients are now playing a more active role in their healthcare. This phenomenon is known as patient-generated health data (PGHD), which the US Department of Health and Human Services’ (HHS) Office of the National Coordinator of Health Information Technology (ONC) defines as “health-related data created, recorded, or gathered by or from patients (or family members or caregivers) to help address a health concern.”

As this information is incorporated into electronic medical records (EMRs), PGHD can provide a more comprehensive picture, since health information is collected continuously between medical visits. This sharing of PGHD leads to shared decision-making and results in improved care, helping prevent issues from being overlooked, and cutting down the number of redundant or unnecessary tests, which saves money.

As the use of PGHD continues to increase, determining how to incorporate the stream of information into EMRs, as well as how to utilize this newly minted Protected Health Information (PHI), is a top concern.

Information Governance strategies for managing PGHD

Developing a strong Information Governance (IG) plan, including a mapping strategy, is imperative to successfully incorporating PGHD into patient EMRs. Health Information Management (HIM) leaders need to talk to their teams about what PGHD should actually be utilized and how to integrate that information.

Since there are no existing standards for PGHD, healthcare organizations need to be wary of multiple sources of information, which can cause information integrity issues. Ensuring patient data comes from properly calibrated equipment is one concern. Once the information is incorporated into EMRs, the question becomes how best to utilize it.

For example, tracking weight is important for congestive heart failure patients, and sending scale readings to doctors can alert them when significant and dangerous spikes occur, prompting doctors to take action. This is where data mapping becomes key. Identifying what information is relevant will help to avoid burdening physicians with reviewing large amounts of information in a relatively short time, and will help keep patient expectations realistic.

Continued education for providers and patients

It is important to develop site-specific training for incorporating and leveraging PGHD. This ongoing training should keep team members up to date on best practices for maintaining and utilizing PGHD, as well as handling the Release of Information (ROI) for this new data. Additionally, it is important for patients to be informed not only of the benefits of PGHD, but of their responsibilities in the gathering and use of PGHD as well.

MRO will be presenting on the topic of PGHD at the 2017 annual meetings of ASHIMA, MOHIMA/KLIMA, ILHIMA and TXHIMA. To see a full calendar of tradeshow events at which you can visit with MRO, please view our event listings.


Implementing an enterprise-wide PHI disclosure management solution at Lexington Medical Center

Lexington Medical Center (LMC), located in West Columbia, South Carolina, consists of a 428-bed hospital and more than 70 clinics. LMC receives more than 35,000 Release of Information (ROI) requests annually. LMC wanted to standardize their ROI workflow and widen the scope of their Health Information Management (HIM) department to encompass both inpatient and outpatient requests.

Implementation

LMC implemented ROI Online®, MRO’s enterprise-wide Protected Health Information (PHI) disclosure management solution, in July 2016. Focusing on efficiency and transparency, MRO worked side-by-side with LMC to ensure a smooth transition to the new platform.

This transition began with a site assessment, allowing MRO to learn LMC’s specific needs. The site assessment was followed up by a series of pre-implementation project planning calls with LMC management to establish implementation goals. MRO’s implementation team was then deployed onsite to facilitate the transition. The process also included 16-20 training sessions for onsite staff.

Innovation

LMC implemented MROeLink® roughly three months after their initial go-live. MROeLink is a suite of interfaces featuring a direct synchronization between the ROI Online platform and Epic’s ROI module. This interface eliminates the need for dual logging in the ROI and EMR systems, effectively cutting LMC’s ROI processing times in half.

LMC also leveraged MRO’s Remote Services team for payer audit management when they received a large payer audit. The Remote Services team provided batch logging and bulk processing for the 7,600-request audit, completing the task ahead of schedule and enabling onsite staff to continue operating as normal, leaving turnaround times unaffected.

Results

LMC has seamlessly integrated MRO’s ROI solution across their enterprise, standardizing and centralizing the process, which has led to overall improved processes and patient satisfaction.

Fill out the form below to download our case study detailing the Lexington Medical Center implementation.


Insights from MRO’s legal expert: Mitigating risk through HIPAA risk analysis

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Illinois-based Presence Health agreed to settle potential HIPAA Breach Notification Rule violations by paying $475,000 and implementing a corrective action plan. This is the OCR’s first settlement based on the untimely reporting of a breach of Protected Health Information (PHI), and signals a new direction in HIPAA enforcement.

There are many ways healthcare organizations can ensure compliance to HIPAA Security, Privacy and Breach Notification Rules, and in this blog post, we will focus on consistently conducting HIPAA risk analyses.

Risk analysis is a process used to develop a firm understanding of the location of PHI and electronic PHI (ePHI) across an enterprise. Completing this process can also help identify potential points of disclosure and improve breach management.

Here are three key points about risk analysis:

1. Risk analysis must be a living document

Regularly conducting accurate and thorough assessments of potential risks and vulnerabilities is imperative. As stated, this assessment should identify the location of all PHI and list potential threats, including its vulnerability to impermissible use and disclosure. Additionally, the assessment should list corrective actions for such instances. The Office of the National Coordinator for Health Information Technology (ONC) website offers an interactive tool for conducting risk analysis, and helps determine if and when organizations need to take corrective action.

2. Conduct Business Associate risk analysis

Healthcare organizations need to assess risks for all Business Associates (BAs) that can share or access PHI. During this analysis, organizations need to ensure Business Associate Agreements (BAAs) are in place with all BAs, including partners in the Health Information Management (HIM) space, and other vendors less directly involved with health information, like food service operations or revenue cycle management partners. Inquiring about BAs’ risk analyses, risk management plans and breach notification plans should be a major focus of BA reviews.

3. Ensure breach notification compliance

Risk analyses should include a review of breach notification compliance. In general, incidents involving fewer than 500 patients need to be reported to the OCR within 60 days after the end of the year; incidents involving more than 500 patients need to be reported within 60 days of the incident.

If an organization concludes that a suspected incident did not result in a reportable breach, it must document and justify the findings of the breach risk assessment that found the risk of compromise to be low. For any incident determined to be a reportable breach, organizations must document a timeline from discovery to notification.
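A small deadline helper for the timing rule above, as an added example that is not MRO’s code. It encodes the rule as the post states it; exactly 500 affected individuals is placed on the large-breach side here, since the Breach Notification Rule’s threshold is “500 or more.”

```python
"""Compute and check HHS/OCR breach-notification deadlines (added example).

Rule as described in the post:
  * fewer than 500 individuals -> report within 60 days after the end of the
    calendar year in which the breach was discovered
  * large breaches             -> report within 60 days of discovery
"""
from datetime import date, timedelta
from typing import Optional, Union

LARGE_BREACH_THRESHOLD = 500            # Breach Notification Rule: "500 or more"
NOTIFICATION_WINDOW = timedelta(days=60)

DateLike = Union[date, str]             # accept ISO strings for convenience


def _as_date(value: DateLike) -> date:
    return value if isinstance(value, date) else date.fromisoformat(value)


def ocr_deadline(discovered: DateLike, affected: int) -> date:
    """Last day on which notifying OCR is still timely."""
    found = _as_date(discovered)
    if affected >= LARGE_BREACH_THRESHOLD:
        return found + NOTIFICATION_WINDOW          # 60 days from discovery
    year_end = date(found.year, 12, 31)             # small breach: annual log
    return year_end + NOTIFICATION_WINDOW           # 60 days after year end


def notification_status(discovered: DateLike, affected: int,
                        today: DateLike, notified_ocr: Optional[DateLike] = None) -> str:
    """'timely' or 'late' once OCR was notified; otherwise 'pending' or 'overdue'."""
    deadline = ocr_deadline(discovered, affected)
    if notified_ocr is None:
        return "overdue" if _as_date(today) > deadline else "pending"
    return "timely" if _as_date(notified_ocr) <= deadline else "late"


def days_remaining(discovered: DateLike, affected: int, today: DateLike) -> int:
    """Days left until the OCR deadline (negative once it has passed)."""
    return (ocr_deadline(discovered, affected) - _as_date(today)).days


if __name__ == "__main__":
    # Constructed sample: two incidents discovered the same day, different sizes
    for affected in (120, 800):
        print(affected, ocr_deadline("2016-03-15", affected),
              notification_status("2016-03-15", affected, "2016-06-01"))
```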

For additional risk mitigation best practices, fill out the form below and receive a copy of MRO’s white paper, Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Processes and Risk.


Insights from MRO’s legal expert: Exploring patient access to Protected Health Information

President Obama’s Precision Medicine Initiative has encouraged millions of Americans to share their Protected Health Information (PHI) with the federal government. This push means providers should dedicate more time and resources to helping patients through the requesting process. With this in mind, my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, and I co-authored an article for Compliance Today, reviewing the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) patient access FAQs and guidance.

In this post, I’ll review a few compliance concerns related to patient access.

Patient requests are different than third party requests

Requiring patients and their personal representatives to submit HIPAA-compliant authorizations in order to obtain access to their PHI is one of the most common compliance mistakes. Healthcare organizations may require patients to request in writing and on provider-supplied forms, but these requirements cannot create a barrier to or unreasonably delay patient access to health information.

Designated record set may not be clearly defined

Providers should utilize the designated record set (DRS) to collect information for patient requests. The DRS contains any information used to make decisions about an individual, including medical records, billing records, insurance information, clinical lab test results, medical imaging, wellness and disease management profiles, clinical case notes and other items. Ensuring patient access may become a compliance challenge when the DRS is not clearly defined.

Timeliness and format

One major focus of the patient access FAQs is the emphasis on timely fulfillment of patient requests for access to health information, usually within 30 days. If a request cannot meet the specified turnaround time, the provider must notify the patient, explaining the reason for the delay and when the patient can expect their records.

Additionally, providers should give patients their PHI in the form and format requested. The copies should be delivered to patients for a “reasonable, cost-based” fee.

For a more in depth look at patient access, read the full Compliance Today article.


How collaboration and technology helped Lancaster General Health/ Penn Medicine improve PHI disclosure management


This guest post is by Charlotte Walton-Sweeney, RHIT, Director of Health Information Management for Lancaster General Health/ Penn Medicine

I recently co-authored an article for ADVANCE for Health Information Professionals with MRO’s Vice President of Information Technology (IT), Anthony Murray. In the article, we looked at how extensive planning, collaboration and technology helped Lancaster General Health/ Penn Medicine (LG Health/ Penn Medicine) improve accuracy, security and efficiency in our Protected Health Information (PHI) disclosure management processes.

Establishing strong Information Governance

Mergers are set to rise in 2017. These mergers demand not only system integrations, but also standardization of Release of Information (ROI) policies and processes to ensure compliance with HIPAA and internal policies. Strong Information Governance (IG) can help ensure HIPAA compliance, PHI security and data integrity. Collaboration between Health Information Management (HIM) and IT departments is essential in developing an effective IG plan, as each group brings unique expertise to the table.

Collaboration yields benefits for Lancaster General Health/ Penn Medicine

At LG Health/ Penn Medicine, we wanted to use technology to automate processes and improve quality and turnaround times for an estimated 50,000 annual ROI requests. The first step was selecting a new PHI disclosure management partner.

After a request for proposals for ROI services was issued, the new vendor selection process took about 18 months. The search included collaboration between HIM and IT while vetting candidates, presenting options and helping establish realistic implementation timelines.

We selected MRO as our vendor, as they offered high levels of service quality and unique technology, including a seamless integration with our organization’s Epic EMR. MROeLink® offers a direct synchronization between Epic and the ROI Online® platform, eliminating dual data entry and other duplicative processes, and automates typically manual steps. MRO also performs redundant Quality Assurance (QA) checks, including the use of their record integrity application, IdentiScan®.

Since the beginning of our partnership with MRO, approximately 13,000 improper disclosures have been prevented by redundant QA, including through the use of IdentiScan, which uses optical character recognition technology to help identify potential commingling of records within charts prior to PHI disclosure. Additionally, the use of MROeLink has cut LG Health/ Penn Medicine’s processing times by 50 percent.

Offering more than just technical support and expertise, MRO also educated both our HIM and IT departments to understand changes with HIPAA and other regulations, and provides regular, ongoing training programs to help us stay compliant.

We were also so taken with the prompt and effective service MRO delivered to ensure requester satisfaction that we had their education leadership train hospital HIM staff in customer service. We have recognized improvements in our overall customer service and patient satisfaction.

Fill out the form below to receive MRO’s LG Health/ Penn Medicine case study and learn more about how collaboration and technology helped us improve PHI disclosure management.


2017: Predictions for Health Information Management


I recently sat down with my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, MRO’s Vice President of Privacy, Compliance and HIM Policy, to talk about our predictions and expectations for 2017 regarding Health Information Management (HIM), specifically our areas of expertise – privacy and security.

There are many unknowns with the incoming administration – some initiatives could be strengthened, some weakened, some totally done away with – but there are some things that will undoubtedly stay relevant, at least for some time, which we’ll cover in this blog.

Focus on vendor relationships and Business Associate compliance

Over the past few years we’ve seen an influx of third party risk assessment surveys at MRO. In addition to initial surveys during the evaluation phase, annual surveys are now more common. This focus on privacy and security stems from the 2013 Omnibus Rule, which updated HIPAA and HITECH. These updates made Covered Entities (CEs) responsible and financially liable for their Business Associates (BAs), and also made BAs responsible for any associated penalties.

With this in mind, the creed for CEs conducting due diligence should be “trust but verify.” Be sure to partner with the appropriate people and organizations, and use a standardized assessment to ensure potential BAs are focused on privacy and security and have the proper staff in place, in terms of both headcount and skillset.

Patient-generated health data and telemedicine

The rise of patient-generated health data and telemedicine continues to impact HIM, and we predict it will present ongoing challenges to be addressed in 2017.

Some of these challenges include the increased use of patient portals and unencrypted personal devices, as well as a growing interest in population health. Deciding how to incorporate this new information into health records, along with developing a plan for managing and releasing patient-generated data should be an integral part of every Information Governance strategy moving forward.

OCR guidance on patient access

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) stated they will release new guidance on providing patient access to Protected Health Information sometime during the first quarter of 2017. This guidance is expected to include further direction on Release of Information requests from attorneys, a source of perpetual confusion.

So, what do we know for sure going into 2017? Be ready for anything.

Fill out the form below to receive our monthly newsletter and stay up to date with the latest news from MRO.


Four tips for Business Associate and subcontractor management


MRO recently sponsored and hosted an AHIMA Virtual Privacy and Security Academy session covering Business Associate (BA) and subcontractor management. BAs perform a wide array of services for healthcare organizations, and in today’s ever-changing regulatory environment, it’s important to ensure they are HIPAA-compliant.

Here are four tips for BA compliance covered in the Virtual Academy session.

1) Inform BAs of expectations

BAs and subcontractors should have knowledge of HIPAA. Healthcare organizations need to properly articulate permitted uses of Protected Health Information (PHI) to their BAs. It is also important to communicate how compliance will be monitored.

2) Hold BAs accountable

When drafting contracts and Business Associate Agreements (BAAs), it’s important to establish accountability. Ensure BAs are held responsible for their use of PHI.

3) Perform ongoing due diligence

Create a risk matrix specific to BAs’ use of PHI. This matrix can and should be used to prioritize risks, characterizing them as high, medium or low. It is also a best practice to receive notification when users associated with terminated BAs access PHI.
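One way to act on the last point, as an added example that is not MRO’s code or part of the Virtual Academy session: scan a PHI access log for accounts that belong to a terminated BA and rate each hit high or medium. The log format, the roster fields, the severity mapping and all sample values are constructed for illustration.

```python
"""Flag PHI access by accounts tied to terminated Business Associates (added example)."""
from datetime import date, datetime
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed BA roster: user account -> (BA name, termination date or None if active)
BA_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "svc_codingco_01": ("CodingCo LLC", date(2017, 1, 31)),
    "svc_codingco_02": ("CodingCo LLC", date(2017, 1, 31)),
    "svc_foodsvc_07": ("CafeteriaCorp", None),             # contract still active
    "svc_rcm_03": ("RevCycle Partners", date(2016, 11, 15)),
}

# Constructed severity mapping for the risk matrix: bulk actions outrank a single view
ACTION_SEVERITY = {"EXPORT": "high", "PRINT": "high", "VIEW": "medium"}

# Constructed audit-log lines: timestamp|user|action|record_id (one malformed line)
SAMPLE_LOG = """\
2017-02-03T09:14:22|svc_codingco_01|VIEW|MRN-1001
2017-01-20T11:02:05|svc_codingco_02|VIEW|MRN-1002
2017-02-04T15:45:10|svc_foodsvc_07|VIEW|MRN-1003
2017-02-05T08:00:00|svc_rcm_03|EXPORT|MRN-1004
2017-02-05T08:01:00|jdoe|VIEW|MRN-1005
this line is garbage
"""


class Finding(NamedTuple):
    when: datetime
    user: str
    business_associate: str
    action: str
    record_id: str
    severity: str


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str]]:
    """Parse one log line; return None for malformed input instead of raising."""
    parts = line.strip().split("|")
    if len(parts) != 4:
        return None
    ts, user, action, rec = parts
    try:
        return datetime.fromisoformat(ts), user, action, rec
    except ValueError:
        return None


def find_terminated_ba_access(log_text: str,
                              roster: Dict[str, Tuple[str, Optional[date]]] = BA_ROSTER
                              ) -> List[Finding]:
    """Return every access on or after the owning BA's termination date."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue                       # skip malformed lines, keep scanning
        when, user, action, rec = parsed
        entry = roster.get(user)
        if entry is None:
            continue                       # not a BA account; out of scope here
        ba_name, terminated = entry
        if terminated is not None and when.date() >= terminated:
            severity = ACTION_SEVERITY.get(action, "low")
            findings.append(Finding(when, user, ba_name, action, rec, severity))
    return findings


if __name__ == "__main__":
    for f in find_terminated_ba_access(SAMPLE_LOG):
        print(f"{f.severity.upper():6} {f.when} {f.user} ({f.business_associate}) "
              f"{f.action} {f.record_id}")
```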

4) Perform risk assessments

Healthcare organizations should perform regular privacy and security risk assessments. These assessments should check the nature and extent of PHI involved, including identifiers and likelihood of re-identification. These assessments should also note the unauthorized person to whom PHI was disclosed, whether or not the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

The Virtual Academy session concluded with an activity discussing BAAs, in which participants were given a scenario and asked to identify items for inclusion in hypothetical BAAs, putting what they learned into action.

Discover more tips for managing BAs by downloading the MRO-authored Journal of AHIMA article “Reduce BA Risk through Due Diligence and Documentation.”
