
Lessons Learned from OCR Enforcement Actions

As of September 30, 2013, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has received over 141,754 complaints. Over 24,500 of these led to OCR investigations, resulting in required changes to privacy practices, corrective actions or technical assistance. Another 15,746 of these complaints led to OCR intervention and provision of technical assistance without the need for investigation.

Forty-three of these breach and compliance investigations resulted in corrective measures, including three civil money penalties (CMPs) totaling over $7 million in fines.

My colleague Sara Goldstein, Esq., Vice President and General Counsel for MRO, and I recently gave a webinar, Lessons Learned from OCR Enforcement Actions, the first in an ongoing series of MRO-hosted privacy and security webinars. Here are some highlights.

Conduct Risk Analysis

Make sure your organization conducts regular and thorough risk analyses and assessments. Knowing where all Protected Health Information (PHI) is stored is a key part of developing a successful Information Governance (IG) strategy.

Follow through on findings from risk analyses and implement security measures that sufficiently reduce your organization’s risk of losing or compromising its PHI.

The Minimum Necessary Rule

Under the HIPAA Privacy Rule’s minimum necessary restrictions, Covered Entities (CEs) and Business Associates (BAs) must make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the intended purpose of the use and disclosure. A CE may not use or disclose the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

For example, Triple-S Management Corporation paid $3.5 million after the OCR determined they disclosed more PHI than necessary to accomplish the purpose for which they hired an outside vendor.

Following the Minimum Necessary Rule is crucial to preventing breach. Consider partnering with a disclosure management services provider. If Release of Information (ROI) is conducted in-house, proper employee training is critical.

Physical and Technical Safeguards

Use the HIPAA Administrative Simplification Table of Contents as your guide to ensuring that your HIPAA Policies and Procedures address all of the appropriate safeguards. This makes conducting risk analyses and potential audits easier because you can crosswalk your policies and procedures to the regulations.

Educate Workforce

Educate your workforce on Policies and Procedures and enforce these standards. Training for workforce members who use or disclose PHI should be provided on an ongoing basis. This is an essential step in preventing breach, as many breaches occur during the normal ROI process due to unintentional employee actions.

Encrypt, Encrypt, Encrypt!

BlueCross BlueShield of Tennessee made a $1.5 million resolution payment in 2012 after 57 unencrypted computer hard drives containing the PHI of over one million individuals were stolen from a leased facility; the CE did not have adequate facility access controls.

Encryption is a saving grace, and electronic PHI (ePHI) should always be encrypted prior to release to avoid breach.

To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 1: Lessons Learned from OCR Enforcement Actions.

Insights from MRO’s Legal Expert: Best Practices for Incident Response Plans

Data breaches cost companies an average of $221 per compromised record. Heavily regulated industries, like healthcare, tend to have per capita data breach costs substantially higher than the overall mean. In fact, according to an American National Standards Institute (ANSI) survey of institutions that experienced a reported breach, healthcare breaches can cost $8,000 to $300,000, in addition to any U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) penalty or settlement.

Healthcare data contains a wide range of identifying information, including social security numbers, birthdates and home addresses. This makes health information very valuable, necessitating effective breach prevention and incident response plans. Here are five best practices.

Create a Patient Data Protection Committee

Everyone involved in protecting Protected Health Information (PHI) at a healthcare organization must communicate with each other regularly. Creating a patient data protection committee will facilitate this communication. This committee should conduct some privacy functions for the organization, like overseeing patient privacy and security programs, performing quarterly risk analyses and assessments, and reviewing policies and procedures annually.

Provide Ongoing Education and Training

Many breaches are caused by unintentional employee actions during the normal Release of Information (ROI) process. Unfamiliarity with proper policies and procedures for the use and disclosure of health information is frequently to blame. With this in mind, fostering a culture of compliance is key to stopping these breaches.

As part of this culture of compliance, workforce members should undergo formal training at least once a year.


Utilizing technology to strengthen compliance is a must. Electronic PHI (ePHI) should always be encrypted before distribution, fortifying the data against breach.

Test the Effectiveness of Compliance Program

Keep your compliance program current by performing regular effectiveness tests. Mock breach exercises and the use of fake phishing emails are great ways to keep employees up to date on compliance.

Assess BA Compliance

It is important that Business Associates (BAs) are compliant. Conducting regular due diligence and periodic vendor audits helps verify BA compliance. Make sure Business Associate Agreements (BAAs) are in place.

This blog’s author, Sara Goldstein, Esq., will give presentations on the topic of breach management and incident response at upcoming NCHIMA, MDHIMA, and FHIMA annual meetings.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.

HCCA Compliance Institute Hot Topics: Patient Access to Health Information and Privacy Breaches

As patients continue requesting access to their Protected Health Information (PHI) in greater numbers, removing barriers to access continues to be one of the hottest topics in compliance. In addition to adding complexity to the process of disclosing PHI, this increased demand for access, and the accompanying U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) guidelines for providing easy access, has had the negative side effect of increasing breach risk.

To mitigate this rise in breach risk, healthcare organizations can standardize PHI disclosure processes and procedures across their organizations. As we gear up for the annual HCCA Compliance Institute, here are some things to keep in mind:

OCR Guidance Promotes Patient Access to Health Information

Under the new OCR guidance, healthcare organizations cannot create barriers or unreasonably delay patient access to health information. For example, one of the most common compliance mistakes is requiring patients or their personal representatives to submit HIPAA-compliant authorizations when requesting PHI.

Small Scale Privacy Breaches Are Also a Threat

Increased access for patients can also lead to an increase in small scale breaches affecting less than 500 patients at a time. Unlike more attention-grabbing cybercrimes or device thefts, breaches occurring during normal Release of Information (ROI) processes are far more common, and just as devastating to healthcare organizations.

MRO research has found as many as 40 points of disclosure within healthcare organizations, and with the growing number of requests flooding a changing market, risk will continue to rise as organizations attempt to handle the higher volume. Standardizing and centralizing PHI disclosure management is key to combating these breaches.

HIPAA Audits are in Play

OCR Phase 2 HIPAA audits are in motion and include Business Associate desk audits and HIPAA Breach Notification and Security Rule compliance evaluations. HIM and compliance professionals alike are eager to learn the findings of these audits, and we look forward to sharing what we learn as soon as more information is available.

To learn more about these hot compliance topics, visit MRO at booth #325 at this year’s HCCA Compliance Institute. Fill out the form to schedule your meeting.

HIMSS17 Reflection: Security Driven to Forefront of Compliance

It’s wonderful to be surrounded by like-minded people seeking solutions to similar business challenges, and the annual HIMSS Conference and Exhibition always proves such an occasion for Health Information Technology (HIT) and Health Information Management (HIM) professionals. This year, over 42,000 HIT and HIM professionals, executives and vendors convened in Orlando for cutting-edge educational and networking opportunities.

My primary focus at the conference was to explore how today’s challenges can be turned into opportunities to strengthen MRO’s security posture and compliance stances, and also to provide more secure and efficient ways of exchanging Protected Health Information (PHI).

Privacy has come a long way in a handful of years, and now security is being driven to the forefront of compliance regulations. Here are some takeaways:

General Threat Detection

As the risk and threat landscape continues to evolve, organizations need to adapt. We must be ever-diligent in applying the proper safeguards, like implementing evolving and adaptive multi-tiered and multi-layered technologies to protect our sensitive assets, such as clinical, pharmacy or patient data. One specific threat facing healthcare organizations is ransomware.


Ransomware attacks – the hijacking and encrypting of an organization’s data by cybercriminals for purposes of extortion – are a major source of risk. These attacks typically begin with employees clicking malicious links in emails or unknowingly opening files containing malware, which then renders the data inaccessible.

Humans continue to be the weakest link in the healthcare security chain. Ongoing staff training can mitigate this risk. Regular training activities, like phishing exercises, can help instill security best practices in employees. Business Associates (BAs) should also provide regular ongoing training to their employees.

Third Party Vendor Management

Third party vendor management is another tough challenge facing the industry. Whether it comes from compliance requirements imposed by Covered Entities (CEs) on their BAs or requirements trickling down to vendors partnered with BAs, establishing trust and providing accurate assurances are necessary to operate in the medical space today. Risk assessments are a large part of this. Whether organizations are assessing themselves as part of their ongoing risk management programs, conducting formal third party assessments or engagement level assessments, all organizations need to conduct ongoing risk and third party due diligence.

Adoption of common privacy and security criteria that healthcare organizations can attest to once, through groups like the Health Information Trust Alliance (HITRUST), and that partners can then rely on many times over, has been slow but encouraging. Benefits of such attestation include minimized maintenance and management of third party assessments.

HIT and HIM professionals must be prepared to implement newer controls, provide more adaptive and holistic threat and breach management, and prepare to deal with and recover from the potential technical incidents impacting our organizations.

Learn more about third party vendor management in the MRO blog post “Four tips for Business Associate and subcontractor management.”

Insights from MRO’s Legal Expert: Release of Information – Risky Business

While cyberattacks and device theft make good news stories, it’s far more likely for Protected Health Information (PHI) breaches to occur during routine Release of Information (ROI) requests. These improper disclosures are just as damaging to healthcare organizations as larger breaches. With this in mind, safeguarding health organizations against breach should be a top priority.

Factors driving breach risk

As PHI disclosure points and ROI requests increase, the likelihood of breaches occurring during the ROI process will also increase. Differing electronic medical record (EMR) systems and a lack of standardized policies and procedures contribute to the rise in breach risk associated with the recent surge in healthcare mergers and acquisitions. Another factor is the growing volume of requests in a changing market.

An emphasis on value and quality care means more commercial and government payer audits. Additionally, more and more patients wish to be directly involved in healthcare decisions and thus want greater access to their records. This larger number of requests, along with the faster and more frequent exchange of PHI, will logically lead to increased risk.

Unintentional employee actions cause breach

MRO research shows 20-30 percent of ROI authorizations are initially invalid, and without a second review, up to 10 percent of these invalid authorizations are processed. Additionally, five percent of data in EMRs has data integrity issues, such as commingled records, which can lead to improper disclosures. This is likely due to employee negligence. According to a May 2016 Ponemon Institute survey, 36 percent of PHI data breaches were caused by “unintentional employee action.”

The cost of PHI breach

Breaches are costly. Each breach costs between $8,000 and $300,000, according to the American National Standards Institute, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, and up to $1.5 million for recurrence. But the cost isn’t just monetary – breach also means loss of brand value.

According to Ponemon, 89 percent of surveyed healthcare organizations reported a PHI breach between May 2014 and May 2016, and 45 percent reported more than five in that same timeframe. As of January 2017, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has assessed approximately $58.51 million in settlement agreement fines or civil money penalties for data breaches.

ROI is a risky business. In today’s changing HIM landscape, the need for safeguarding health organizations against breach has grown exponentially. Standardizing policies and procedures by implementing an enterprise-wide strategy for PHI disclosure management, ensuring multiple layers of Quality Assurance are applied throughout the release process, and employing a well-trained and knowledgeable workforce are best practices for preventing small breaches that could potentially occur during the ROI process.

To learn more, fill out the form and read our eBook, Breach Risk in Release of Information: Don’t Leave Risk to Chance.

Integrating patient-generated health data into electronic medical records

With the advent of healthcare tracking apps and wearable technology, patients are now playing a more active role in their healthcare. This phenomenon is known as patient-generated health data (PGHD), which the US Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) defines as “health-related data created, recorded, or gathered by or from patients (or family members or caregivers) to help address a health concern.”

As this information is incorporated into electronic medical records (EMRs), PGHD can provide a more comprehensive picture, since health information is collected continuously between medical visits. This sharing of PGHD leads to shared decision-making and results in improved care, helping prevent issues from being overlooked, and cutting down the number of redundant or unnecessary tests, which saves money.

As the use of PGHD continues to increase, determining how to incorporate the stream of information into EMRs, as well as how to utilize this newly minted Protected Health Information (PHI), is a top concern.

Information Governance strategies for managing PGHD

Developing a strong Information Governance (IG) plan, including a mapping strategy, is imperative to successfully incorporating PGHD into patient EMRs. Health Information Management (HIM) leaders need to talk to their teams about which PGHD should actually be used and how to integrate that information.

Since there are no existing standards for PGHD, healthcare organizations need to be wary of multiple sources of information, which can cause information integrity issues. Ensuring patient data comes from properly calibrated equipment is one concern. Once the information is incorporated into EMRs, the question becomes how best to utilize it.

For example, tracking weight is important for congestive heart failure patients, and sending scale readings to doctors can alert them when significant and dangerous spikes occur, prompting doctors to take action. This is where data mapping becomes key. Identifying what information is relevant will help to avoid burdening physicians with reviewing large amounts of information in a relatively short time, and will help keep patient expectations realistic.

Continued education for providers and patients

It is important to develop site-specific training for incorporating and leveraging PGHD. This ongoing training should keep team members up to date on best practices for maintaining and utilizing PGHD, as well as handling the Release of Information (ROI) for this new data. Additionally, it is important for patients to be informed not only of the benefits of PGHD, but of their responsibilities in the gathering and use of PGHD as well.

MRO will be presenting on the topic of PGHD at the 2017 annual meetings of ASHIMA, MOHIMA/ KLIMA, ILHIMA and TXHIMA. To see a full calendar of tradeshow events at which you can visit with MRO, please view our event listings.

Implementing an enterprise-wide PHI disclosure management solution at Lexington Medical Center

Lexington Medical Center (LMC), located in West Columbia, South Carolina, consists of a 428-bed hospital and more than 70 clinics. LMC receives more than 35,000 Release of Information (ROI) requests annually. LMC wanted to standardize their ROI workflow and widen the scope of their Health Information Management (HIM) department to encompass both inpatient and outpatient requests.


LMC implemented ROI Online®, MRO’s enterprise-wide Protected Health Information (PHI) disclosure management solution, in July 2016. Focusing on efficiency and transparency, MRO worked side-by-side with LMC to ensure a smooth transition to the new platform.

This transition began with a site assessment, allowing MRO to learn LMC’s specific needs. The site assessment was followed up by a series of pre-implementation project planning calls with LMC management to establish implementation goals. MRO’s implementation team was then deployed onsite to facilitate the transition. The process also included 16-20 training sessions for onsite staff.


LMC implemented MROeLink® roughly three months after their initial go-live. MROeLink is a suite of interfaces featuring a direct synchronization between the ROI Online platform and Epic’s ROI module. This interface eliminates the need for dual logging in the ROI and EMR systems, effectively cutting LMC’s ROI processing times in half.

LMC also leveraged MRO’s Remote Services team for payer audit management when they received a large payer audit. The Remote Services team provided batch logging and bulk processing for the 7,600-request audit, completing the task ahead of schedule and enabling onsite staff to continue operating as normal, leaving turnaround times unaffected.


LMC has seamlessly integrated MRO’s ROI solution across their enterprise, standardizing and centralizing the process, which has led to overall improved processes and patient satisfaction.

Fill out the form below to download our case study detailing the Lexington Medical Center implementation.

Insights from MRO’s legal expert: Mitigating risk through HIPAA risk analysis

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Illinois-based Presence Health agreed to settle potential HIPAA Breach Notification Rule violations by paying $475,000 and implementing a corrective action plan. This is the OCR’s first settlement based on the untimely reporting of a breach of Protected Health Information (PHI), and signals a new direction in HIPAA enforcement.

There are many ways healthcare organizations can ensure compliance with the HIPAA Security, Privacy and Breach Notification Rules, and in this blog post, we will focus on consistently conducting HIPAA risk analyses.

Risk analysis is a process used to develop a firm understanding of the location of PHI and electronic PHI (ePHI) across an enterprise. Completing this process can also help identify potential points of disclosure and improve breach management.

Here are three key points about risk analysis:

1. Risk analysis must be a living document

Regularly conducting accurate and thorough assessments of potential risks and vulnerabilities is imperative. As stated, this assessment should identify the location of all PHI and list potential threats, including the PHI’s vulnerability to impermissible use and disclosure. Additionally, the assessment should list corrective actions for such instances. The Office of the National Coordinator for Health Information Technology (ONC) website offers an interactive tool for conducting risk analysis, and helps determine if and when organizations need to take corrective action.

2. Conduct Business Associate risk analysis

Healthcare organizations need to assess risks for all Business Associates (BAs) that can share or access PHI. During this analysis, organizations need to ensure Business Associate Agreements (BAAs) are in place with all BAs, including partners in the Health Information Management (HIM) space, and other vendors less directly involved with health information, like food service operations or revenue cycle management partners. Inquiring about BAs’ risk analyses, risk management plans and breach notification plans should be a major focus of BA reviews.

3. Ensure breach notification compliance

Risk analyses should include a review of breach notification compliance. In general, incidents involving less than 500 patients need to be reported to the OCR within 60 days after the end of the year; incidents involving more than 500 patients need to be reported within 60 days of the incident.

If it is concluded that no unauthorized PHI was disclosed in a suspected breach, organizations must justify the findings of the breach risk assessment concluding the risk of compromise was low, and thus no breach occurred. Organizations will need to document a timeline from discovery to notification for any instances determined to be reportable breaches.

For additional risk mitigation best practices, fill out the form below and receive a copy of MRO’s white paper, Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Processes and Risk.

Insights from MRO’s legal expert: Exploring patient access to Protected Health Information

President Obama’s Precision Medicine Initiative has encouraged millions of Americans to share their Protected Health Information (PHI) with the federal government. This push means providers should dedicate more time and resources to helping patients through the requesting process. With this in mind, my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, and I co-authored an article for Compliance Today, reviewing the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) patient access FAQs and guidance.

In this post, I’ll review a few compliance concerns related to patient access.

Patient requests are different from third party requests

Requiring patients and their personal representatives to submit HIPAA-compliant authorizations in order to obtain access to their PHI is one of the most common compliance mistakes. Healthcare organizations may require patients to request in writing and on provider-supplied forms, but these requirements cannot create a barrier to or unreasonably delay patient access to health information.

Designated record set may not be clearly defined

Providers should utilize the designated record set (DRS) to collect information for patient requests. The DRS contains any information used to make decisions about an individual, including medical records, billing records, insurance information, clinical lab test results, medical imaging, wellness and disease management profiles, clinical case notes and other items. Ensuring patient access may become a compliance challenge when the DRS is not clearly defined.

Timeliness and format

One major focus of the patient access FAQs is the emphasis on timely fulfillment of patient requests for access to health information, usually within 30 days. If a request cannot meet the specified turnaround time, the provider must notify the patient, explaining the reason for the delay and when the patient can expect their records.

Additionally, providers should give patients their PHI in the form and format requested. The copies should be delivered to patients for a “reasonable, cost-based” fee.

For a more in-depth look at patient access, read the full Compliance Today article.

How collaboration and technology helped Lancaster General Health/ Penn Medicine improve PHI disclosure management

This guest post is by Charlotte Walton-Sweeney, RHIT, Director of Health Information Management for Lancaster General Health/ Penn Medicine

I recently co-authored an article for ADVANCE for Health Information Professionals with MRO’s Vice President of Information Technology (IT), Anthony Murray. In the article, we looked at how extensive planning, collaboration and technology helped Lancaster General Health/ Penn Medicine (LG Health/ Penn Medicine) improve accuracy, security and efficiency in our Protected Health Information (PHI) disclosure management processes.

Establishing strong Information Governance

Mergers are set to rise in 2017. These mergers demand not only system integrations, but also standardization of Release of Information (ROI) policies and processes to ensure compliance with HIPAA and internal policies. Strong Information Governance (IG) can help ensure HIPAA compliance, PHI security and data integrity. Collaboration between Health Information Management (HIM) and IT departments is essential in developing an effective IG plan, as each group brings unique expertise to the table.

Collaboration yields benefits for Lancaster General Health/ Penn Medicine

At LG Health/ Penn Medicine, we wanted to use technology to automate processes and improve quality and turnaround times for an estimated 50,000 annual ROI requests. The first step was selecting a new PHI disclosure management partner.

After a request for proposals for ROI services was issued, the new vendor selection process took about 18 months. The search included collaboration between HIM and IT while vetting candidates, presenting options and helping establish realistic implementation timelines.

We selected MRO as our vendor, as they offered high levels of service quality and unique technology, including a seamless integration with our organization’s Epic EMR. MROeLink® offers a direct synchronization between Epic and the ROI Online® platform, eliminating dual data entry and other duplicative processes, and automating typically manual steps. MRO also performs redundant Quality Assurance (QA) checks, including the use of their record integrity application, IdentiScan®.

Since the beginning of our partnership with MRO, approximately 13,000 improper disclosures have been prevented by redundant QA, including through the use of IdentiScan, which uses optical character recognition technology to help identify potential commingling of records within charts prior to PHI disclosure. Additionally, the use of MROeLink has cut LG Health/ Penn Medicine’s processing times by 50 percent.

Offering more than just technical support and expertise, MRO has also educated both our HIM and IT departments on changes to HIPAA and other regulations, and provides regular, ongoing training programs to help us stay compliant.

We were also so taken with the prompt and effective service MRO delivered to ensure requester satisfaction that we had their education leadership train hospital HIM staff in customer service. We have recognized improvements in our overall customer service and patient satisfaction.

Fill out the form below to receive MRO’s LG Health/ Penn Medicine case study and learn more about how collaboration and technology helped us improve PHI disclosure management.
