Record Requests610-994-7500

A Lesson in Staff Retention: 15 Reasons Why MRO’s Employees Stay

On May 1, 2017, MRO celebrated our 15th anniversary. As the company continues to grow and evolve, we keep a focus on our “people” – hiring, training and retaining the best and brightest in the industry. Employee retention isn’t an easy feat in the Release of Information (ROI) industry – in fact, the average turnover rate for ROI staff is around 40 percent. At MRO, we keep our turnover at an impressively low 15 percent.

To celebrate our 15th anniversary, we collected a list, through a voluntary employee survey, of the top 15 reasons MRO employees love their release of information jobs. Any employer can learn a lesson or two from the results.

15 Reasons MRO Employees Love Their Release of Information Jobs

  1. Great managers – Managers are a huge indication of employee job satisfaction, and a major reason employees stay or go. At MRO, we have programs to develop enthusiastic managers who coach team members to be successful.
  2. Flexible scheduling – People cherish the ability to maintain work life balance.
  3. Enjoyable work – When work is fun and meaningful, employees tend to go the extra mile. I heard an anecdote that really encapsulates this idea. It goes like this: three people were crushing rocks side by side at a construction job, when they were asked, “What is your job?” The first person answered, “My job is to do whatever I am told so I can get a check.” The second person replied, “My job is to crush rocks.” The third person said, “My job is to build a temple.”  Ask yourself, which of these workers do you think is the happiest?
  4. Coworkers – They’re the best! At MRO, we treat coworkers with the same level of customer service as anyone else.
  5. Growing company – MRO has been listed on Inc. 5000’s fastest growing companies list for two years in a row. When a company is growing, not only is it exciting, but it’s an indication of stability.
  6. Fast-paced and exciting jobs – Fast-paced jobs make the day go by. Nobody wants to be bored with all the time we spend on the job!
  7. Making a difference – We are all in search of a clear and driving purpose for our lives, and want to contribute to something bigger than ourselves. At MRO, our work world offers a great opportunity for people to connect with a purpose. We make a difference in the lives of patients, requesters and our clients by getting the right PHI to the right requesters, on time. We remind our teams regularly that they are “everyday heroes.”
  8. Career advancement and promotion opportunities – Developing employees, and promoting within, support a positive culture. That’s our approach at MRO. We also encourage our credentialed health information management (HIM) staff to pursue their educational goals by contributing towards membership dues to the American Health Information Management Association (AHIMA).
  9. Team culture – When everyone is in harmony, working towards a team mission, employees tend to be fulfilled. At MRO, we take pride in our culture, which is based on MRO’s core values of passion, accountability, respect, trust, nurture, excellence and reputation.
  10. Valued ideas and opinions – Everyone wants to be heard, and employees with great ideas can make a huge impact on a company’s success, from improving efficiency with technology ideas, to enhancing quality and service through recommending adjustments to workflow.
  11. Leadership that cares – Leaders, from executive management to direct managers, can cheer staff to achieve their highest levels of excellence.
  12. Stability – When a company is stable, employees have one less thing to worry about. Employees can rest assure with job security, benefits, wages, etc.
  13. Great benefits – Employees don’t take these for granted! Healthcare insurance, personal time off, etc., all support an employee’s wellbeing, attitude and commitment to the company.
  14. Company reputation – MRO has been rated #1 by KLAS for four years in a row, and noted for having both the highest quality and fastest turnaround times in the ROI industry. It’s inspiring to be part of a company that is rated top in its field!
  15. Training programs – People want fun, interactive and easily accessible training – not a boring, old PowerPoint template that has been in use for ten years. MRO Academy is MRO’s primary training tool, offered via a web-based learning management system. Training is continuously updated and offered through the virtual platform.

Other reasons MRO employees listed for loving their jobs included competitive wages, educational opportunities, employee recognition, fun events and charity activities.

In an incredibly competitive business environment, hiring and retaining top talent can be challenging. However, if you listen carefully to what your employees say they love about working for your company – and continue to do more of that – chances are you’ll keep the best of the best working for your organization.

Sign Up for Future Blog Posts

Read More

Celebrating MRO’s 15th Anniversary

On May 1, 2017, MRO celebrated our 15th anniversary. As a co-founder of the company, I have had the great honor and privilege of watching the organization evolve and grow. There have been both exciting and interesting times throughout MRO’s history, including major milestones that helped transform the organization into the industry-recognized leader for Protected Health Information (PHI) disclosure management, including Release of Information (ROI).

Company History

When we formed MRO in 2002, our initial business plan was to design an easy-to-use document management application that could scan medical records into a burgeoning internet environment. This became Chart Online®. Along the way, we began looking at ROI, as typical ROI workflows were not efficient or convenient for requesters, and we believed we could build a better platform.

Over the course of time, we have used innovation, creativity and a passion for service excellence to build a leading platform for disclosure management. Some milestones follow.

15 Milestones in Health Information Management

1. The company was founded as Medical Records Online. We later changed to the acronym MRO – 2002

2. The Pennsylvania-based orthopedic care group Rothman Institute became MRO’s first ROI client – 2002

3. Delaware’s St. Francis Medical Center became MRO’s first hospital client – 2003

4. Mercy Fitzgerald Hospital, in southeast Pennsylvania, became the first client to use MRO’s staffed service model for ROI – 2004

5. Lehigh Valley Health Network became the first client to leverage MRO’s remote model for ROI services – 2005

6. MRO established a proprietary interface with the U.S. Social Security Administration for automating Disability Determination Services request processes – 2008

7. MRO became one of the first certified Health Information Handlers (HIHs) and participated in the Centers for Medicare and Medicaid Services (CMS) electronic submission of medical documentation (esMD) gateway pilot program – 2011

8. MRO became the first ROI company to be rated by KLAS. We went on to win the KLAS Category Leader designation for ROI, four years in a row! – 2012 through 2017

9. The company announced the launch of IdentiScan®, our record integrity application, which leverages optical character recognition technology to review documentation to locate and correct comingled records – 2013

10. Imperial Capital Group, Ltd. became the majority owner of MRO – 2014

11. We relocated our headquarters and National Service Center to a larger facility in historic Valley Forge, Pennsylvania – 2015

12. Inc. magazine named MRO one of the fastest growing private companies in the nation two years in a row – 2015 and 2016

13. MROeLink®, a suite of HIT integrations for automating ROI, was launched, offering Epic electronic health record (EHR) users integration capabilities to improve ROI efficiency and quality – 2016

14. Our Patient Advocate program was launched from MRO’s National Service Center to offer additional support to patient requesters. The program won a Stevie® Award for innovation in customer service – 2016 and 2017

15. named MRO the No. 34 midsize company on a list of Top Workplaces in Philadelphia – 2017

Congratulations to all MRO employees and clients who have participated in our 15-year adventure in Health Information Management! To learn about the pillars of MRO’s success, watch our video.

Join our blog mailing list

Read More

Lessons Learned from OCR Enforcement Actions

As of September 30, 2013, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has received over 141,754 complaints. Over 24,500 of these led to OCR investigations, resulting in required changes to privacy practices, corrective actions or technical assistance. Another 15,746 of these complaints led to OCR intervention and provision of technical assistance without the need for investigation.

Forty three of these breach and compliance investigations resulted in corrective measures, including three civil money penalties (CMPs) totaling over $7 million in fines.

My colleague Sara Goldstein, Esq., Vice President and General Counsel for MRO, and I recently gave a webinar, Lessons Learned from OCR Enforcement Actions, the first in an ongoing series of MRO-hosted privacy and security webinars. Here are some highlights.

Conduct Risk Analysis

Make sure your organization conducts regular and thorough risk analyses and assessments. Knowing where all Protected Health Information (PHI) is stored is a key part of developing a successful Information Governance (IG) strategy.

Follow through on findings from risk analyses and implement security measures that sufficiently reduce your organization’s risk of losing or compromising its PHI.

The Minimum Necessary Rule

Under the HIPAA Privacy Rule’s minimum necessary restrictions, Covered Entities (CEs) and Business Associates (BAs) must make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the intended purpose of the use and disclosure. A CE may not use or disclose the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

For example, Triple-S Management Corporation paid $3.5 million after the OCR determined they disclosed more PHI than necessary to accomplish the purpose for which they hired an outside vendor.

Following the Minimum Necessary Rule is crucial to preventing breach. Consider partnering with a disclosure management services provider. If Release of Information (ROI) is conducted in-house, proper employee training is critical.

Physical and Technical Safeguards

Use the HIPAA Administrative Simplification Table of Contents as your guide to ensuring that your HIPAA Policies and Procedures address all of the appropriate safeguards. This makes conducting risk analyses and potential audits easier because you can crosswalk your policies and procedures to the regulations.

Educate Workforce

Educate your workforce on Policies and Procedures and enforce these standards. Train workforce members who use or disclose PHI should be provided on an ongoing basis. This is an essential step in preventing breach, as many breaches occur during the normal ROI process due to unintentional employee actions.

Encrypt, Encrypt, Encrypt!

BlueCross BlueShield of Tennessee made a $1.5 million resolution payment in 2012 after 57 unencrypted computer hard drives were stolen from a leased facility containing PHI of over one million individuals, as the CE didn’t have adequate facility access controls.

Encryption is a saving grace, and electronic PHI (ePHI) should always be encrypted prior to release to avoid breach.

To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 1: Lessons Learned from OCR Enforcement Actions.

Receive a Recording of MRO’s Privacy and Security Webinar Series, Part 1

Read More

Insights from MRO’s Legal Expert: Best Practices for Incident Response Plans

Data breaches cost companies an average of $221 per compromised record. Heavily-regulated industries, like healthcare, tend to have per capita data breach costs substantially higher than the overall mean. In fact, according to an American National Standards Institute (ANSI) survey of institutions who experienced a reported breach, healthcare breaches can cost $8,000 to $300,000, in addition to any U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) penalty or settlement.

Healthcare data contains a wide range of identifying information, including social security numbers, birthdates and home addresses. This makes health information very valuable, necessitating effective breach prevention and incident response plans. Here are five best practices.

Create a Patient Data Protection Committee

Everyone involved in protecting Protected Health Information (PHI) at a healthcare organization must communicate with each other regularly. Creating a patient data protection committee will facilitate this communication. This committee should conduct some privacy functions for the organization, like overseeing patient privacy and security programs, performing quarterly risk analyses and assessments, and reviewing policies and procedures annually.

Provide On-Going Education and Training

Many breaches are caused by unintentional employee actions during the normal Release of Information (ROI) process. Unfamiliarity with proper policies and procedures for the use and disclosure of health information is frequently to blame. With this in mind, fostering a culture of compliance is key to stopping these breaches.

As part of this culture of compliance, workforce members should undergo formal training at least once a year.


Utilizing technology to strengthen compliance is a must. Electronic PHI (ePHI) should always be encrypted before distribution, fortifying the data against breach.

Test the Effectiveness of Compliance Program

Keep your compliance program current by performing regular effectiveness tests. Mock breach exercises and the use of fake phishing emails are great ways to keep employees up to date on compliance.

Assess BA Compliance

It is important that Business Associates (BAs) are compliant. Conducting regular due diligence and periodic vendor audits will ensure BA compliance. Make sure Business Associate Agreements (BAAs) are in place.

This blog’s author, Sara Goldstein, Esq., will give presentations on the topic of breach management and incident response at upcoming NCHIMA, MDHIMA, and FHIMA annual meetings.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.

Join our blog mailing list

Read More

HCCA Compliance Institute Hot Topics: Patient Access to Health Information and Privacy Breaches

As patients continue requesting access to their Protected Health Information (PHI) in greater numbers, removing barriers to access continues to be one of the hottest topics in compliance. In addition to adding complexity to the process of disclosing PHI, this increased demand for access, and the accompanying U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) guidelines for providing easy access, has had the negative side effect of increasing breach risk.

To mitigate this rise in breach risk, healthcare organizations can standardize PHI disclosure processes and procedures across their organizations. As we gear up for the annual HCCA Compliance Institute, here are some things to keep in mind:

OCR Guidance Promotes Patient Access to Health Information

Under the new OCR guidance, healthcare organizations cannot create barriers or unreasonably delay patient access to health information. For example, one of the most common compliance mistakes is requiring patients or their personal representatives to submit HIPAA-compliant authorizations when requesting PHI.

Small Scale Privacy Breaches Are Also a Threat

Increased access for patients can also lead to an increase in small scale breaches affecting less than 500 patients at a time. Unlike more attention-grabbing cybercrimes or device thefts, breaches occurring during normal Release of Information (ROI) processes are far more common, and just as devastating to healthcare organizations.

MRO research has found as many as 40 points of disclosure within healthcare organizations, and with the growing number of requests flooding a changing market, risk will continue to rise as organizations attempt to handle the higher volume. Standardizing and centralizing PHI disclosure management is key to combating these breaches.

HIPAA Audits are in Play

OCR Phase 2 HIPAA audits are in motion and include Business Associate desk audits and HIPAA Breach Notification and Security Rule compliance evaluations. HIM and compliance professionals alike are eager to learn the findings of these audits, and we look forward to sharing what we learn as soon as more information is available.

To learn more about these hot compliance topics, visit MRO at booth #325 at this year’s HCCA Compliance Institute. Fill out the form to schedule your meeting.

Attending the HCCA Compliance Institute? Request a Meeting with MRO at Booth #325

Read More

HIMSS17 Reflection: Security Driven to Forefront of Compliance

It’s wonderful to be surrounded by likeminded people seeking solutions to similar business challenges, and the annual HIMSS Conference and Exhibition always proves such an occasion for Health Information Technology (HIT) and Health Information Management (HIM) professionals. This year, over 42,000 HIT and HIM professionals, executives and vendors convened in Orlando for cutting-edge educational and networking opportunities.

My primary focus at the conference was to explore how today’s challenges can be turned into opportunities to strengthen MRO’s security posture and compliance stances, and also to provide more secure and efficient ways of exchanging Protected Health Information (PHI).

Privacy has come a long way in a handful of years, and now security is being driven to the forefront of compliance regulations. Here are some takeaways:

General Threat Detection

As the risk and threat landscape continues to evolve, organizations need to adapt. We must be ever-diligent in applying the proper safeguards, like implementing evolving and adaptive multi-tiered and multi-layered technologies to protect our sensitive assets, such as clinical, pharmacy or patient data. One specific threat facing healthcare organizations is ransomware.


Ransomware attacks – the hijacking and encrypting of an organization’s data by cybercriminals for purposes of extortion – are a major source of risk. These attacks are typically caused by employees clicking malicious links in emails or unknowingly opening files containing a malware virus, rendering data inaccessible.

Humans continue to be the weakest link in the healthcare security chain. Ongoing staff training can mitigate this risk. Regular training activities, like phishing exercises, can help instill security best practices in employees. Business Associates (BAs) should also provide regular ongoing training to their employees.

Third Party Vendor Management

Third party vendor management is another tough challenge facing the industry. Whether it comes from compliance requirements imposed by Covered Entities (CEs) on their BAs or requirements trickling down to vendors partnered with BAs, establishing trust and providing accurate assurances are necessary to operate in the medical space today. Risk assessments are a large part of this. Whether organizations are assessing themselves as part of their ongoing risk management programs, conducting formal third party assessments or engagement level assessments, all organizations need to conduct ongoing risk and third party due diligence.

The adoption of common privacy and security criteria healthcare organizations can attest to through groups like the Health Information Trust Alliance (HITRUST), and then trust many times over, has been slow but encouraging. Benefits of such attestation include minimized maintenance and management of third party assessments.

HIT and HIM professionals must be prepared to implement newer controls, provide more adaptive and holistic threat and breach management, and prepare to deal with and recover from the potential technical incidents impacting our organizations.

Learn more about third party vendor management in the MRO blog post “Four tips for Business Associate and subcontractor management.”

Join our blog mailing list

Read More

Insights from MRO’s Legal Expert: Release of Information – Risky Business

While cyberattacks and device theft make good news stories, it’s far more likely for Protected Health Information (PHI) breaches to occur during routine Release of Information (ROI) requests. These improper disclosures are just as damaging to healthcare organizations as larger breaches. With this in mind, safeguarding health organizations against breach should be a top priority.

Factors driving breach risk

As PHI disclosure points and ROI requests increase, the likelihood of breaches occurring during the ROI process will also increase. Differing electronic medical record (EMR) systems and a lack of standardized policies and procedures contribute to the rise in breach risk associated with the recent surge in healthcare mergers and acquisitions. Another factor is the growing volume of requests in a changing market.

An emphasis on value and quality care means more commercial and government payer audits. Additionally, more and more patients wish to be directly involved in healthcare decisions and thus want greater access to their records. This larger number of requests, along with the faster and more frequent exchange of PHI, will logically lead to increased risk.

Unintentional employee actions cause breach

MRO research shows 20-30 percent of ROI authorizations are initially invalid, and without a second review, up to 10 percent of these invalid authorizations are processed. Additionally, five percent of data in EMRs have data integrity issues, such as comingled records, which can lead to improper disclosures. This is likely due to employee negligence. According to a May 2016 Ponemon Institute survey, 36 percent of PHI data breaches were caused by “unintentional employee action.”

The cost of PHI breach

Breaches are costly. Each breach costs between $8,000 and $300,000, according to the American National Standards Institute, not including HIPAA violation civil penalties, which can be as much as $50,000 per breach, and up to $1.5 million for recurrence. But the cost isn’t just monetary – breach also means loss of brand value.

According to Ponemon, 89 percent of surveyed healthcare organizations reported a PHI breach between May 2014 and May 2016, and 45 percent reported more than five in that same timeframe. As of January 2017, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has assessed approximately $58.51 million in settlement agreement fines or civil money penalties for data breaches.

ROI is a risky business. In today’s changing HIM landscape, the need for safeguarding health organizations against breach has grown exponentially. Standardizing policies and procedures by implementing an enterprise-wide strategy for PHI disclosure management, ensuring multiple layers of Quality Assurance are applied throughout the release process, and employing a well-trained and knowledgeable workforce are best practices for preventing small breaches that could potentially occur during the ROI process.

To learn more, fill out the form and read our eBook, Breach Risk in Release of Information: Don’t Leave Risk to Chance.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed attorney in your state.

Receive MRO's eBook: "Breach Risk in Release of Information: Don't Leave Risk to Chance"

Read More

Integrating patient-generated health data into electronic medical records

With the advent of healthcare tracking apps and wearable technology, patients are now playing a more active role in their healthcare. This phenomenon is known as patient-generated health data (PGHD), which the US Department of Health and Human Services’ (HHS) Office of the National Coordinator of Health Information Technology (ONC) defines as “health-related data created, recorded, or gathered by or from patients (or family members or caregivers) to help address a health concern.”

As this information is incorporated into electronic medical records (EMRs), PGHD can provide a more comprehensive picture, since health information is collected continuously between medical visits. This sharing of PGHD leads to shared decision-making and results in improved care, helping prevent issues from being overlooked, and cutting down the number of redundant or unnecessary tests, which saves money.

As the use of PGHD continues to increase, determining how to incorporate the stream of information into EMRs, as well as how to utilize this newly minted Protected Health Information (PHI), is a top concern.

Information Governance strategies for managing PGHD

Developing a strong Information Governance (IG) plan, including a mapping strategy, is imperative to successfully incorporating PGHD into patient EMRs. Health Information Management (HIM) leaders need to talk to their teams about what PGHD should actually be utilized and how to integrate that information.

Since there are no existing standards for PGHD, healthcare organizations need to be wary of multiple sources of information, which can cause information integrity issues. Ensuring patient data comes from properly calibrated equipment is one concern. Once the information is incorporated into EMRs, the question becomes how best to utilize it.

For example, tracking weight is important for congestive heart failure patients, and sending scale readings to doctors can alert them when significant and dangerous spikes occur, prompting doctors to take action. This is where data mapping becomes key. Identifying what information is relevant will help to avoid burdening physicians with reviewing large amounts of information in a relatively short time, and will help keep patient expectations realistic.

Continued education for providers and patients

It is important to develop site-specific training for incorporating and leveraging PGHD. This ongoing training should keep team members up to date on best practices for maintaining and utilizing PGHD, as well as handling the Release of Information (ROI) for this new data. Additionally, it is important for patients to be informed not only of the benefits of PGHD, but of their responsibilities in the gathering and use of PGHD as well.

MRO will be presenting on the topic of PGHD at the 2017 annual meetings of ASHIMA, MOHIMA/ KLIMA, ILHIMA and TXHIMA. To see a full calendar of tradeshow events at which you can visit with MRO, please view our event listings.

Join our blog mailing list

Read More

Implementing an enterprise-wide PHI disclosure management solution at Lexington Medical Center

Lexington Medical Center (LMC), located in West Columbia, South Carolina, consists of a 428-bed hospital and more than 70 clinics. LMC receives more than 35,000 Release of Information (ROI) requests annually. LMC wanted to standardize their ROI workflow and widen the scope of their Health Information Management (HIM) department to encompass both inpatient and outpatient requests.


LMC implemented ROI Online®, MRO’s enterprise-wide Protected Health Information (PHI) disclosure management solution, in July 2016. Focusing on efficiency and transparency, MRO worked side-by-side with LMC to ensure a smooth transition to the new platform.

This transition began with a site assessment, allowing MRO to learn LMC’s specific needs. The site assessment was followed up by a series of pre-implementation project planning calls with LMC management to establish implementation goals. MRO’s implementation team was then deployed onsite to facilitate the transition. The process also included 16-20 training sessions for onsite staff.


LMC implemented MROeLink® roughly three months after their initial go-live. MROeLink is a suite of interfaces featuring a direct synchronization between the ROI Online platform and Epic’s ROI module. This interface eliminates the need for dual logging in the ROI and EMR systems, effectively cutting LMC’s ROI processing times in half.

LMC also leveraged MRO’s Remote Service’s team for payer audit management when they received a large payer audit. The Remote Services team provided batch logging and bulk processing for the 7,600 request audit, completing the task ahead of schedule and enabling onsite staff to continue operating as normal, leaving turnaround times unaffected.


LMC has seamlessly integrated MRO’s ROI solution across their enterprise, standardizing and centralizing the process, which has led to overall improved processes and patient satisfaction.

Fill out the form below to download our case study detailing the Lexington Medical Center implementation.

Fill Out Form to Receive the Lexington Medical Center Case Study

Read More

Insights from MRO’s legal expert: Mitigating risk through HIPAA risk analysis

The Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that Illinois-based Presence Health agreed to settle potential HIPAA Breach Notification Rule violations by paying $475,000 and implementing a corrective action plan. This is the OCR’s first settlement based on the untimely reporting of a breach of Protected Health Information (PHI), and signals a new direction in HIPAA enforcement.

There are many ways healthcare organizations can ensure compliance to HIPAA Security, Privacy and Breach Notification Rules, and in this blog post, we will focus on consistently conducting HIPAA risk analyses.

Risk analysis is a process used to develop a firm understanding of the location of PHI and electronic PHI (ePHI) across an enterprise. Completing this process can also help identify potential points of disclosure and improve breach management.

Here are three key points about risk analysis:

1. Risk analysis must be a living document

Regularly conducting accurate and thorough assessments of potential risks and vulnerabilities is imperative. As stated, this assessment should identify the location of all PHI and list potential threats, including its vulnerability to impermissible use and disclosure. Additionally, the assessment should list corrective actions for such instances. The Office of the National Coordinator for Health Information Technology (ONC) website offers an interactive tool for conducting risk analysis, and helps determine if and when organizations need to take corrective action.

2. Conduct Business Associate risk analysis

Healthcare organizations need to assess risks for all Business Associates (BAs) that can share or access PHI. During this analysis, organizations need to ensure Business Associate Agreements (BAAs) are in place with all BAs, including partners in the Health Information Management (HIM) space, and other vendors less directly involved with health information, like food service operations or revenue cycle management partners. Inquiring about BAs’ risk analyses, risk management plans and breach notification plans should be a major focus of BA reviews.

3. Ensure breach notification compliance

Risk analyses should include a review of breach notification compliance. In general, incidents involving less than 500 patients need to be reported to the OCR within 60 days after the end of the year; incidents involving more than 500 patients need to be reported within 60 days of the incident.

If it is concluded that no unauthorized PHI was disclosed in a suspected breach, organizations must justify the findings of the breach risk assessment concluding the risk of compromise was low, and thus no breach occurred. Organizations will need to document a timeline from discovery to notification for any instances determined to be reportable breaches.

For additional risk mitigation best practices, fill out the form below and receive a copy of MRO’s white paper, Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Processes and Risk.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Receive a Copy of our White Paper: “Increasing Enforcement of Protected Health Information Breaches and Patient Access Requires Healthcare Organizations to Scrutinize Processes and Risk.”

Read More