
Insights from MRO’s legal expert: Exploring patient access to Protected Health Information

President Obama’s Precision Medicine Initiative has encouraged millions of Americans to share their Protected Health Information (PHI) with the federal government. This push means providers should dedicate more time and resources to helping patients through the requesting process. With this in mind, my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, Vice President of Privacy, Compliance and HIM Policy for MRO, and I co-authored an article for Compliance Today, reviewing the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) patient access FAQs and guidance.

In this post, I’ll review a few compliance concerns related to patient access.

Patient requests are different than third party requests

Requiring patients and their personal representatives to submit HIPAA-compliant authorizations in order to obtain access to their PHI is one of the most common compliance mistakes. Healthcare organizations may require patients to request in writing and on provider-supplied forms, but these requirements cannot create a barrier to or unreasonably delay patient access to health information.

Designated record set may not be clearly defined

Providers should utilize the designated record set (DRS) to collect information for patient requests. The DRS contains any information used to make decisions about an individual, including medical records, billing records, insurance information, clinical lab test results, medical imaging, wellness and disease management profiles, clinical case notes and other items. Ensuring patient access may become a compliance challenge when the DRS is not clearly defined.

Timeliness and format

One major focus of the patient access FAQs is the emphasis on timely fulfillment of patient requests for access to health information, usually within 30 days. If a request cannot meet the specified turnaround time, the provider must notify the patient, explaining the reason for the delay and when the patient can expect their records.

Additionally, providers should give patients their PHI in the form and format requested. The copies should be delivered to patients for a “reasonable, cost-based” fee.

For a more in-depth look at patient access, read the full Compliance Today article.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


How collaboration and technology helped Lancaster General Health/ Penn Medicine improve PHI disclosure management


This guest post is by Charlotte Walton-Sweeney, RHIT, Director of Health Information Management for Lancaster General Health/ Penn Medicine

I recently co-authored an article for ADVANCE for Health Information Professionals with MRO’s Vice President of Information Technology (IT), Anthony Murray. In the article, we looked at how extensive planning, collaboration and technology helped Lancaster General Health/ Penn Medicine (LG Health/ Penn Medicine) improve accuracy, security and efficiency in our Protected Health Information (PHI) disclosure management processes.

Establishing strong Information Governance

Mergers are set to rise in 2017. These mergers demand not only system integrations, but also standardization of Release of Information (ROI) policies and processes to ensure compliance with HIPAA and internal policies. Strong Information Governance (IG) can help ensure HIPAA compliance, PHI security and data integrity. Collaboration between Health Information Management (HIM) and IT departments is essential in developing an effective IG plan, as each group brings unique expertise to the table.

Collaboration yields benefits for Lancaster General Health/ Penn Medicine

At LG Health/ Penn Medicine, we wanted to use technology to automate processes and improve quality and turnaround times for an estimated 50,000 annual ROI requests. The first step was selecting a new PHI disclosure management partner.

After a request for proposals for ROI services was issued, the new vendor selection process took about 18 months. The search included collaboration between HIM and IT while vetting candidates, presenting options and helping establish realistic implementation timelines.

We selected MRO as our vendor, as they offered high levels of service quality and unique technology, including a seamless integration with our organization’s Epic EMR. MROeLink® offers a direct synchronization between Epic and the ROI Online® platform, eliminating dual data entry and other duplicative processes, and automates typically manual steps. MRO also performs redundant Quality Assurance (QA) checks, including the use of their record integrity application, IdentiScan®.

Since the beginning of our partnership with MRO, approximately 13,000 improper disclosures have been prevented by redundant QA, including through the use of IdentiScan, which uses optical character recognition technology to help identify potential comingling of records within charts prior to PHI disclosure. Additionally, the use of MROeLink has cut LG Health/ Penn Medicine’s processing times by 50 percent.

Offering more than just technical support and expertise, MRO also educated both our HIM and IT departments to understand changes with HIPAA and other regulations, and provides regular, ongoing training programs to help us stay compliant.

We were also so taken with the prompt and effective service MRO delivered to ensure requester satisfaction that we had their education leadership train hospital HIM staff in customer service. We have recognized improvements in our overall customer service and patient satisfaction.

Fill out the form below to receive MRO’s LG Health/ Penn Medicine case study and learn more about how collaboration and technology helped us improve PHI disclosure management.


2017: Predictions for Health Information Management


I recently sat down with my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, MRO’s Vice President of Privacy, Compliance and HIM Policy, to talk about our predictions and expectations for 2017 regarding Health Information Management (HIM), specifically our areas of expertise – privacy and security.

There are many unknowns with the incoming administration – some initiatives could be strengthened, some weakened, some totally done away with – but there are some things that will undoubtedly stay relevant, at least for some time, which we’ll cover in this blog.

Focus on vendor relationships and Business Associate compliance

Over the past few years we’ve seen an influx of third party risk assessment surveys at MRO. In addition to initial surveys during the evaluation phase, annual surveys are now more common. This focus on privacy and security stems from the 2013 Omnibus Rule, which updated HIPAA and HITECH. These updates made Covered Entities (CEs) responsible and financially liable for their Business Associates (BAs), and also made BAs responsible for any associated penalties.

With this in mind, the creed for CEs conducting due diligence should be “trust but verify.” Be sure to partner with the appropriate people and organizations, and use a standardized assessment to ensure potential BAs are focused on privacy and security and have the proper staff in place, in terms of both headcount and skillset.

Patient-generated health data and telemedicine

The rise of patient-generated health data and telemedicine continues to impact HIM, and we predict it will present ongoing challenges to be addressed in 2017.

Some of these challenges include the increased use of patient portals and unencrypted personal devices, as well as a growing interest in population health. Deciding how to incorporate this new information into health records, along with developing a plan for managing and releasing patient-generated data should be an integral part of every Information Governance strategy moving forward.

OCR guidance on patient access

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) stated they will release new guidance on providing patient access to Protected Health Information sometime during the first quarter of 2017. This guidance is expected to include further direction on Release of Information requests from attorneys, a source of perpetual confusion.

So, what do we know for sure going into 2017? Be ready for anything.

Fill out the form below to receive our monthly newsletter and stay up to date with the latest news from MRO.


Four tips for Business Associate and subcontractor management


MRO recently sponsored and hosted an AHIMA Virtual Privacy and Security Academy session covering Business Associate (BA) and subcontractor management. BAs perform a wide array of services for healthcare organizations, and in today’s ever-changing regulatory environment, it’s important to ensure they are HIPAA-compliant.

Here are four tips for BA compliance covered in the Virtual Academy session.

1) Inform BAs of expectations

BAs and subcontractors should have knowledge of HIPAA. Healthcare organizations need to properly articulate permitted uses of Protected Health Information (PHI) to their BAs. It is also important to communicate how compliance will be monitored.

2) Hold BAs accountable

When drafting contracts and Business Associate Agreements (BAAs), it’s important to establish accountability. Ensure BAs are held responsible for their use of PHI.

3) Perform ongoing due diligence

Create a risk matrix specific to BAs’ use of PHI. This matrix can and should be used to prioritize risks, characterizing them as high, medium or low. It is also a best practice to receive notification when users associated with terminated BAs access PHI.

4) Perform risk assessments

Healthcare organizations should perform regular privacy and security risk assessments. These assessments should check the nature and extent of PHI involved, including identifiers and likelihood of re-identification. These assessments should also note the unauthorized person to whom PHI was disclosed, whether or not the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

The Virtual Academy session concluded with an activity discussing BAAs, in which participants were given a scenario and asked to identify items for inclusion in hypothetical BAAs, putting what they learned into action.

Discover more tips for managing BAs by downloading the MRO-authored Journal of AHIMA article “Reduce BA Risk through Due Diligence and Documentation.”


5 tips for ensuring quality in PHI disclosure management


With a greater demand for Protected Health Information (PHI) comes the potential for a greater number of breaches, especially small breaches due to unintentional improper disclosures. Since 2009, over 180,000 small breaches impacting fewer than 500 patients at a time have been reported to the Office for Civil Rights (OCR). The escalated demand and risk associated with sharing PHI create a serious need for improved accuracy and quality.

Here are five tips for ensuring quality in the Release of Information (ROI) process, so you can keep your organization running smoothly and compliantly.

1) Perform multiple Quality Assurance checks

Instituting multiple Quality Assurance (QA) checks on every release will dramatically improve your disclosure accuracy. Leverage technology to catch human error, and have a second set of eyes on everything before it is released. Some items to double-check include:

  • HIPAA-required criteria
  • Accuracy of patient information
  • Dates of treatment against authorization
  • Record content for comingled patient documents
  • Mailing envelope for correct address

2) Send notifications to requesters

Notify requesters of deficiencies in their requests to increase authorization efficiency. Developing a consistent methodology will streamline the authorization process and help prevent disclosure of unauthorized requests.

3) Develop a rules-based application

Developing a rules-based application that evaluates requests for HIPAA compliance and other requirements, like checking subpoenas for quash periods, will increase efficiency by automating previously manual steps.

4) Perform a final review of content and timeframe

Review the content of requested information to ensure there are no comingled records. As a best practice, leverage record integrity applications that utilize optical character recognition technology to assist humans in performing these quality checks. Additionally, check that all records included for release fall within the timeframe requested. This is another iteration of “perform multiple QA checks,” but the importance of checking and rechecking cannot be stressed enough.

5) Create a uniform ROI training program

Train and retrain employees in all aspects of ROI. Without well-trained employees, all the cutting-edge technology and expertly crafted workflows will not do much to prevent breach. Revise and update this training at least annually, and be sure to document all training.

By implementing sophisticated ROI workflows and technologies, and employing expertly trained professionals, healthcare organizations can prevent breach. Often an advanced PHI disclosure management firm can provide the right people, technology and services to ensure compliance.

Watch this video detailing MRO’s National Service Center to see these best practices in action, and fill out the form below to download more information about our service teams.


Four steps to minimize breach risk and liabilities for medical practices


As advancements are made in health information technology, allowing for easier access to Protected Health Information (PHI), the risks inevitably grow. This year alone, more than 220 PHI breaches affecting 500 patients or more have been reported. While large breaches caused by cyber attacks are often the center of media discussion, smaller breaches caused by incidents like the improper disclosure of PHI are much more common.

Smaller breaches are gaining more attention from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Earlier this year, the OCR announced the initiation of a new program to more thoroughly investigate breaches impacting 500 individuals or fewer. These breaches, just like larger ones, are costly, not only in dollars, but in reputational damage as well. Medical practice leaders should be ready.

Here are four steps medical practices can take to minimize breach when disclosing PHI:

1) Institute multiple levels of Quality Assurance
Instituting multiple levels of Quality Assurance (QA) is a must for breach prevention. An estimated 20 to 30 percent of Release of Information (ROI) authorizations are initially invalid, and 5 percent of EMRs have record integrity issues, such as comingled patient records. Without multiple check points to validate HIPAA compliance and record integrity, medical practices are highly susceptible to human error, which can lead to improper disclosure of health information. The best workflows for releasing medical documentation include having a second set of eyes on every authorization and on the health information being disclosed to lower the likelihood of improper disclosures.

2) Leverage technology to catch human error
Human intervention can only prevent a certain level of error; however, dedicated technologies are available to catch human error and improve accuracy. Innovations like MRO’s IdentiScan® record integrity application, which uses optical character recognition (OCR) technology to assist record integrity specialists in reading every page of requests before release, work to catch human error and minimize the chance of disclosing records of wrong patients. IdentiScan pushes disclosure accuracy to an industry-leading 99.99 percent, well above the 90 percent average.

3) Implement proper training and education
To ensure accuracy and compliance while disclosing PHI, medical practice staff should be highly trained and specialized in HIPAA and state compliance. Since PHI disclosure management is not the core function of medical practice staff tasked with releasing medical records, this can become a tricky area. That’s where a vendor with a high level of expertise comes in.

4) Partner with a dedicated PHI disclosure management firm
Partnering with a knowledgeable and advanced PHI disclosure management firm will help prevent breach. By outsourcing PHI disclosure management processes, medical practices can better standardize their systems for disclosure and allow practice staff to focus time and energy on other priorities, such as patient care. With the right partner in place – such as MRO – practices can achieve industry-leading turnaround times and the highest levels of accuracy, ensuring compliance every step of the way.

To learn more, fill out the form below to download our case study detailing how Lehigh Valley Physician Group partnered with MRO to improve accuracy and minimize breach risk.


Five stellar tips for providing patient access while protecting privacy


MRO recently hosted a webinar, “Skyrocket your HIPAA Compliance: 5 Stellar Tips for Providing Patient Access while Protecting Privacy,” exploring ways Covered Entities (CEs) can provide patients and their personal representatives easy access to Protected Health Information (PHI), while staying compliant with HIPAA and protecting their data from breach.

As the title promised, we offered the following five tips:

1. Do not create patient access barriers

The HIPAA Privacy Rule requires CEs to provide patients and their personal representatives – persons with authority under state or applicable law to make healthcare decisions for a patient – easy access to their PHI for a “reasonable, cost-based” fee within 30 days of request. CEs can require the requests be made in writing and using their own supplied forms, but cannot create barriers or unreasonably delay patients from obtaining PHI.

2. Implement the HIPAA Security Rule’s safeguards

This includes:
a. Administrative Safeguards: Administrative actions to manage security measures to protect electronic PHI (ePHI).
b. Physical Safeguards: Physical measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and from unauthorized intrusions.
c. Technical Safeguards: Technology used to protect and control access to ePHI.

3. Standardize and centralize

Standardizing PHI procedures and centralizing Release of Information (ROI) processes reduces the risk of HIPAA violations and decreases the number of PHI disclosure points, lessening the chance of improper disclosure and breach.

4. Educate and train workforce members

Oftentimes, compliance issues are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for the use and disclosure of health information. With this in mind, it is important to create a culture of compliance. Workforce members should undergo formal training at least once a year to ensure compliance with applicable federal and state laws, and the effectiveness of this training should be tested through measures such as phishing exercises and desk audits.

5. Monitor Business Associate compliance with HIPAA

CEs are required to enter into Business Associate Agreements (BAAs) with their Business Associates (BAs), as BAs are now liable for violations of the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.

The webinar also included an update on HIPAA Compliance Enforcement, including information on Phase 2 of the Office for Civil Rights (OCR) HIPAA audits, which began in March 2016.

To receive a recording of the webinar, please fill out the form below.


Four ways HIM leaders can leverage technology to improve the Release of Information process


In today’s fast-changing healthcare environment, health information management (HIM) professionals encounter a variety of challenges, including Information Governance, standardizing disclosure processes across an enterprise, operating in an environment of disparate information technology (IT) and paper systems, managing data integrity, and navigating the sharing of electronic Protected Health Information (ePHI) and interoperability initiatives. These challenges, however, can be turned into opportunities for forward-thinking, tech-savvy HIM leaders to establish organizational leadership and develop innovative strategies.

MRO will lead an educational session at the upcoming AHIMA Convention and Exhibit in Baltimore exploring some of these opportunities. Alongside our Release of Information (ROI) client Charlotte Walton-Sweeney, RHIT, Director of HIM for Lancaster General Health/Penn Medicine, we will discuss how HIM leaders can leverage technology to improve operational efficiency, increase security and mitigate breach risk.

The following is a sneak peek into some of the ROI tips we’ll cover:

1. Deploy an enterprise-wide ROI platform
MRO research shows as many as 40 disclosure points in a health system, including HIM, radiology, billing offices and physician practices. Deploying one platform across a health system ensures standardized policies, procedures and technology are in place; improves compliance; and provides centralized oversight of ROI.

2. Utilize integrations with EMR and other hospital IT systems
Automating manual steps of the ROI process by enabling system integrations saves time and drives accuracy. Sophisticated ROI vendors offer such system integration solutions, like MROeLink®. At its core, MROeLink is a direct synchronization between MRO’s PHI disclosure management platform, ROI Online®, and the ROI module within the Epic electronic medical record (EMR) system. It also includes a variety of other IT system integrations, such as an MPI patient lookup feature, which enables HIM staff to electronically access patient identifiers and demographics, and encounter history directly within ROI Online, eliminating the need for copying or retyping information.

3. Implement electronic delivery methods
Implementing electronic delivery methods, such as portal technology, esMD for CMS audits, integrations with the U.S. Social Security Administration for disability determination, and Direct Secure Messaging, improves efficiency by reducing associated time and labor, and reduces risk by moving paper processes to secure, electronic methods.

4. Leverage Quality Assurance (QA) technology
Technology can be used to enhance QA in the ROI process. For example, MRO’s record integrity application IdentiScan® is powered by optical character recognition (OCR) technology that “reads” medical records to identify comingled records, resulting in accuracy rates of 99.99 percent.

Be sure to attend our session at AHIMA to learn more, and complete the form below to request a copy of a case study detailing how Lancaster General Health/ Penn Medicine partnered with MRO to improve ROI quality, service and efficiencies.


Consider ROI vendor’s reputation, people, quality and technology before partnering


As Release of Information (ROI) processes continue to evolve, forward-thinking health information management (HIM) directors are moving their previously in-house ROI workflows to outsourced vendors who offer the specialized services, trained workforce and advanced technologies needed to meet today’s demands.

When researching ROI vendors, it’s important to ask the following questions when evaluating potential partnerships:

How is the vendor rated by KLAS?
KLAS is an organization that rates healthcare companies based on customer feedback in the following areas: sales and contracting; implementation and training; and service and support. KLAS began ranking ROI in 2012, and in June 2015 released its HIM Services report, which covered ROI, transcription and coding. The scores and comments from HIM professionals and C-level executives should be carefully considered when researching potential partners.

What role will the vendor’s staff play in improving quality?
Many ROI vendors offer a variety of service models, such as staffed, shared or remote, but regardless of the model, the most sophisticated partners will offer clients extra levels of team support and services, such as a Requester Services division that includes a call center to handle all requester inquiries and status checks. Some ROI partners will also offer personalized support to patients, with a heightened sense of empathy, such as MRO’s Patient Advocate program.

By leveraging multiple support teams who are highly trained in ROI and their specialized support functions, and by providing regular access to management, advanced ROI vendors essentially offer a ‘no single point of failure’ approach to ROI.

How many levels of Quality Assurance (QA) are applied to the vendor’s workflow?
Incorporating multiple levels of QA into ROI workflows is essential, given that 20 to 30 percent of ROI authorizations are invalid, and 10 percent of authorizations could be processed with errors if not reviewed a second time.

Even with the best training, human error will result in comingled records being shared 0.7 percent of the time. That may seem like a small number, but imagine a hospital releasing 100,000 records annually – that’s 700 mixed patient records likely to be shared, resulting in potential breach.

The most progressive ROI partners will use record integrity applications – like MRO’s proprietary optical character recognition (OCR) technology, called IdentiScan® – to scan each page of a record for comingled data. With 5 percent of electronic medical records (EMRs) containing data integrity issues, such technology is crucial in an ROI partner.

How is technology leveraged to improve service levels?
In addition to providing QA through record integrity applications, the most sophisticated vendors will also offer EMR integrations, such as MROeLink®, which improves efficiency and reduces keying errors by interfacing with an organization’s Master Patient Index (MPI), Epic’s ROI module, or other information technology systems.

Vendors with strong technology capabilities should also have interfaces with government agencies, such as the U.S. Social Security Administration (SSA) for automating Disability Determination Services (DDS) and the Centers for Medicare & Medicaid Services (CMS), to reduce turnaround times and labor for fulfilling DDS and audit requests.

To request a side-by-side comparison of how partnering with MRO for ROI services compares to both in-house processing and other ROI vendors, please fill out the form below.
