
2017: Predictions for Health Information Management


I recently sat down with my colleague Rita Bowen, MA, RHIA, CHPS, SSGB, MRO’s Vice President of Privacy, Compliance and HIM Policy, to talk about our predictions and expectations for 2017 regarding Health Information Management (HIM), specifically our areas of expertise – privacy and security.

There are many unknowns with the incoming administration – some initiatives could be strengthened, some weakened, some totally done away with – but there are some things that will undoubtedly stay relevant, at least for some time, which we’ll cover in this blog.

Focus on vendor relationships and Business Associate compliance

Over the past few years we’ve seen an influx of third party risk assessment surveys at MRO. In addition to initial surveys during the evaluation phase, annual surveys are now more common. This focus on privacy and security stems from the 2013 Omnibus Rule, which updated HIPAA and HITECH. These updates made Covered Entities (CEs) responsible and financially liable for their Business Associates (BAs), and also made BAs responsible for any associated penalties.

With this in mind, the creed for CEs conducting due diligence should be “trust but verify.” Be sure to partner with the appropriate people and organizations, and use a standardized assessment to ensure potential BAs are focused on privacy and security and have the proper staff in place, in terms of both headcount and skillset.

Patient-generated health data and telemedicine

The rise of patient-generated health data and telemedicine continues to impact HIM, and we predict it will present ongoing challenges to be addressed in 2017.

Some of these challenges include the increased use of patient portals and unencrypted personal devices, as well as a growing interest in population health. Deciding how to incorporate this new information into health records, along with developing a plan for managing and releasing patient-generated data should be an integral part of every Information Governance strategy moving forward.

OCR guidance on patient access

The Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) stated they will release new guidance on providing patient access to Protected Health Information sometime during the first quarter of 2017. This guidance is expected to include further direction on Release of Information requests from attorneys, a source of perpetual confusion.

So, what do we know for sure going into 2017? Be ready for anything.

Fill out the form below to receive our monthly newsletter and stay up to date with the latest news from MRO.


Four tips for Business Associate and subcontractor management


MRO recently sponsored and hosted an AHIMA Virtual Privacy and Security Academy session covering Business Associate (BA) and subcontractor management. BAs perform a wide array of services for healthcare organizations, and in today’s ever-changing regulatory environment, it’s important to ensure they are HIPAA-compliant.

Here are four tips for BA compliance covered in the Virtual Academy session.

1) Inform BAs of expectations

BAs and subcontractors should have knowledge of HIPAA. Healthcare organizations need to properly articulate permitted uses of Protected Health Information (PHI) to their BAs. It is also important to communicate how compliance will be monitored.

2) Hold BAs accountable

When drafting contracts and Business Associate Agreements (BAAs), it’s important to establish accountability. Ensure BAs are held responsible for their use of PHI.

3) Perform ongoing due diligence

Create a risk matrix specific to BAs’ use of PHI. This matrix can and should be used to prioritize risks, characterizing them as high, medium or low. It is also a best practice to receive notification when users associated with terminated BAs access PHI.

4) Perform risk assessments

Healthcare organizations should perform regular privacy and security risk assessments. These assessments should check the nature and extent of PHI involved, including identifiers and likelihood of re-identification. These assessments should also note the unauthorized person to whom PHI was disclosed, whether or not the PHI was actually acquired or viewed, and the extent to which the risk has been mitigated.

The Virtual Academy session concluded with an activity discussing BAAs, in which participants were given a scenario and asked to identify items for inclusion in hypothetical BAAs, putting what they learned into action.

Discover more tips for managing BAs by downloading the MRO-authored Journal of AHIMA article “Reduce BA Risk through Due Diligence and Documentation.”


5 tips for ensuring quality in PHI disclosure management


With a greater demand for Protected Health Information (PHI) comes the potential for a greater number of breaches, especially small breaches due to unintentional improper disclosures. Since 2009, over 180,000 small breaches impacting fewer than 500 patients at a time have been reported to the Office for Civil Rights (OCR). The escalated demand and risk associated with sharing PHI create a serious need for improved accuracy and quality.

Here are five tips for ensuring quality in the Release of Information (ROI) process, so you can keep your organization running smoothly and compliantly.

1) Perform multiple Quality Assurance checks

Instituting multiple Quality Assurance (QA) checks on every release will dramatically improve your disclosure accuracy. Leverage technology to catch human error, and have a second set of eyes on everything before it is released. Some items to double-check include:

  • HIPAA-required criteria
  • Accuracy of patient information
  • Dates of treatment against authorization
  • Record content for comingled patient documents
  • Mailing envelope for correct address

2) Send notifications to requesters

Notify requesters of deficiencies in their requests to increase authorization efficiency. Developing a consistent methodology will streamline the authorization process and help prevent disclosure of unauthorized requests.

3) Develop a rules-based application

Developing a rules-based application that evaluates requests for HIPAA compliance and other requirements, like checking subpoenas for quash periods, will increase efficiency by automating previously manual steps.

4) Perform a final review of content and timeframe

Review the content of requested information to ensure there are no comingled records. As a best practice, leverage record integrity applications that utilize optical character recognition technology to assist humans in performing these quality checks. Additionally, check that all records included for release fall within the timeframe requested. This is another iteration of “perform multiple QA checks,” but the importance of checking and rechecking cannot be stressed enough.

5) Create a uniform ROI training program

Train and retrain employees in all aspects of ROI. Without well-trained employees, all the cutting-edge technology and expertly crafted workflows will not do much to prevent breach. Revise and update this training at least annually, and be sure to document all training.

By implementing sophisticated ROI workflows and technologies, and employing expertly trained professionals, healthcare organizations can prevent breach. Often an advanced PHI disclosure management firm can provide the right people, technology and services to ensure compliance.

Watch this video detailing MRO’s National Service Center to see these best practices in action, and fill out the form below to download more information about our service teams.


Four steps to minimize breach risk and liabilities for medical practices


As advancements are made in health information technology, allowing for easier access to Protected Health Information (PHI), the risks inevitably grow. This year alone, more than 220 PHI breaches affecting 500 patients or more have been reported. While large breaches caused by cyber attacks are often the center of media discussion, smaller breaches caused by incidents like the improper disclosure of PHI are much more common.

Smaller breaches are gaining more attention from the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR). Earlier this year, the OCR announced the initiation of a new program to more thoroughly investigate breaches impacting 500 individuals or fewer. These breaches, just like larger ones, are costly, not only in dollars, but in reputational damage as well. Medical practice leaders should be ready.

Here are four steps medical practices can take to minimize breach when disclosing PHI:

1) Institute multiple levels of Quality Assurance
Instituting multiple levels of Quality Assurance (QA) is a must for breach prevention. An estimated 20 to 30 percent of Release of Information (ROI) authorizations are initially invalid, and 5 percent of EMRs have record integrity issues, such as comingled patient records. Without multiple check points to validate HIPAA compliance and record integrity, medical practices are highly susceptible to human error, which can lead to improper disclosure of health information. The best workflows for releasing medical documentation include having a second set of eyes on every authorization and on the health information being disclosed to lower the likelihood of improper disclosures.

2) Leverage technology to catch human error
Human intervention can only prevent a certain level of error; however, dedicated technologies are available to catch human error and improve accuracy. Innovations like MRO’s IdentiScan® record integrity application, which uses optical character recognition (OCR) technology to assist record integrity specialists in reading every page of requests before release, work to catch human error and minimize the chance of disclosing records of wrong patients. IdentiScan pushes disclosure accuracy to an industry-leading 99.99 percent, well above the 90 percent average.

3) Implement proper training and education
To ensure accuracy and compliance while disclosing PHI, medical practice staff should be highly trained and specialized in HIPAA and state compliance. Since PHI disclosure management is not the core function of medical practice staff tasked with releasing medical records, this can become a tricky area. That’s where a vendor with a high level of expertise comes in.

4) Partner with a dedicated PHI disclosure management firm
Partnering with a knowledgeable and advanced PHI disclosure management firm will help prevent breach. By outsourcing PHI disclosure management processes, medical practices can better standardize their systems for disclosure and allow practice staff to focus time and energy on other priorities, such as patient care. With the right partner in place – such as MRO – practices can achieve industry-leading turnaround times and the highest levels of accuracy, ensuring compliance every step of the way.

To learn more, fill out the form below to download our case study detailing how Lehigh Valley Physician Group partnered with MRO to improve accuracy and minimize breach risk.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


Five stellar tips for providing patient access while protecting privacy


MRO recently hosted a webinar, “Skyrocket your HIPAA Compliance: 5 Stellar Tips for Providing Patient Access while Protecting Privacy,” exploring ways Covered Entities (CEs) can provide patients and their personal representatives easy access to Protected Health Information (PHI), while staying compliant with HIPAA and protecting their data from breach.

As the title promised, we offered the following five tips:

1. Do not create patient access barriers

The HIPAA Privacy Rule requires CEs to provide patients and their personal representatives – persons with authority under state or applicable law to make healthcare decisions for a patient – easy access to their PHI for a “reasonable, cost-based” fee within 30 days of request. CEs can require the requests be made in writing and using their own supplied forms, but cannot create barriers or unreasonably delay patients from obtaining PHI.

2. Implement the HIPAA Security Rule’s safeguards

This includes:
a. Administrative Safeguards: Administrative actions to manage security measures to protect electronic PHI (ePHI).
b. Physical Safeguards: Physical measures to protect electronic information systems and related buildings and equipment from natural and environmental hazards, and from unauthorized intrusions.
c. Technical Safeguards: Technology used to protect and control access to ePHI.

3. Standardize and centralize

Standardizing PHI procedures and centralizing Release of Information (ROI) processes reduces the risk of HIPAA violations and decreases the number of PHI disclosure points, lessening the chance of improper disclosure and breach.

4. Educate and train workforce members

Oftentimes, compliance issues are caused by unintentional actions taken by workforce members who are not familiar with the proper policies and procedures for the use and disclosure of health information. With this in mind, it is important to create a culture of compliance. Workforce members should undergo formal training at least once a year to ensure compliance with applicable federal and state laws, and the effectiveness of this training should be tested through measures such as phishing exercises and desk audits.

5. Monitor Business Associate compliance with HIPAA

CEs are required to enter into Business Associate Agreements (BAAs) with their Business Associates (BAs), as BAs are now liable for violations of the HIPAA Security Rule, Privacy Rule and Breach Notification Rule.

The webinar also included an update on HIPAA Compliance Enforcement, including information on Phase 2 of the Office for Civil Rights (OCR) HIPAA audits, which began in March 2016.

To receive a recording of the webinar, please fill out the form below.


Four ways HIM leaders can leverage technology to improve the Release of Information process


In today’s fast-changing healthcare environment, health information management (HIM) professionals encounter a variety of challenges, including Information Governance, standardizing disclosure processes across an enterprise, operating in an environment of disparate information technology (IT) and paper systems, managing data integrity, and navigating the sharing of electronic Protected Health Information (ePHI) and interoperability initiatives. These challenges, however, can be turned into opportunities for forward-thinking, tech-savvy HIM leaders to establish organizational leadership and develop innovative strategies.

MRO will lead an educational session at the upcoming AHIMA Convention and Exhibit in Baltimore exploring some of these opportunities. Alongside our Release of Information (ROI) client Charlotte Walton-Sweeney, RHIT, Director of HIM for Lancaster General Health/Penn Medicine, we will discuss how HIM leaders can leverage technology to improve operational efficiency, increase security and mitigate breach risk.

The following is a sneak peek into some of the ROI tips we’ll cover:

1. Deploy an enterprise-wide ROI platform
MRO research shows as many as 40 disclosure points in a health system, including HIM, radiology, billing offices and physician practices. Deploying one platform across a health system ensures standardized policies, procedures and technology are in place; improves compliance; and provides centralized oversight of ROI.

2. Utilize integrations with EMR and other hospital IT systems
Automating manual steps of the ROI process by enabling system integrations saves time and drives accuracy. Sophisticated ROI vendors offer such system integration solutions, like MROeLink®. At its core, MROeLink is a direct synchronization between MRO’s PHI disclosure management platform, ROI Online®, and the ROI module within the Epic electronic medical record (EMR) system. It also includes a variety of other IT system integrations, such as an MPI patient lookup feature, which enables HIM staff to electronically access patient identifiers, demographics and encounter history directly within ROI Online, eliminating the need for copying or retyping information.

3. Implement electronic delivery methods
Electronic delivery methods, such as portal technology, esMD for CMS audits, integrations with the U.S. Social Security Administration for disability determination, and Direct Secure Messaging, all improve efficiency by reducing associated time and labor, and reduce risk by moving paper processes to secure, electronic methods.

4. Leverage Quality Assurance (QA) technology
Technology can be used to enhance QA in the ROI process. For example, MRO’s record integrity application IdentiScan® is powered by optical character recognition (OCR) technology that “reads” medical records to identify comingled records, resulting in accuracy rates of 99.99 percent.

Be sure to attend our session at AHIMA to learn more, and complete the form below to request a copy of a case study detailing how Lancaster General Health/Penn Medicine partnered with MRO to improve ROI quality, service and efficiencies.


Consider ROI vendor’s reputation, people, quality and technology before partnering


As Release of Information (ROI) processes continue to evolve, forward-thinking health information management (HIM) directors are moving their previously in-house ROI workflows to outsourced vendors who offer the specialized services, trained workforce and advanced technologies needed to meet today’s demands.

When researching ROI vendors and evaluating potential partnerships, it’s important to ask the following questions:

How is the vendor rated by KLAS?
KLAS is an organization that rates healthcare companies based on customer feedback in the following areas: sales and contracting; implementation and training; and service and support. KLAS began ranking ROI in 2012, and in June 2015 released its HIM Services report, which covered ROI, transcription and coding. The scores and comments from HIM professionals and C-level executives should be carefully considered when researching potential partners.

What role will the vendor’s staff play in improving quality?
Many ROI vendors offer a variety of service models, such as staffed, shared or remote, but regardless of the model, the most sophisticated partners will offer clients extra levels of team support and services, such as a Requester Services division that includes a call center to handle all requester inquiries and status checks. Some ROI partners will also offer personalized support to patients, with a heightened sense of empathy, such as MRO’s Patient Advocate program.

By leveraging multiple support teams who are highly trained in ROI and their specialized support functions, and by providing regular access to management, advanced ROI vendors essentially offer a ‘no single point of failure’ approach to ROI.

How many levels of Quality Assurance (QA) are applied to the vendor’s workflow?
Incorporating multiple levels of QA to ROI workflows is essential, given that 20 to 30 percent of ROI authorizations are invalid, and 10 percent of authorizations could be processed with errors if not reviewed a second time.

Even with the best training, human error will result in comingled records being shared 0.7 percent of the time. That may seem like a small number, but imagine a hospital releasing 100,000 records annually – that’s 700 mixed patient records likely to be shared, resulting in potential breach.

The most progressive ROI partners will use record integrity applications, like MRO’s proprietary optical character recognition (OCR) technology, called IdentiScan®, to scan each page of a record for comingled data. With 5 percent of electronic medical records (EMRs) containing data integrity issues, such technology is crucial in an ROI partner.

How is technology leveraged to improve service levels?
In addition to providing QA through record integrity applications, the most sophisticated vendors will also offer EMR integrations, such as MROeLink®, which improves efficiency and reduces keying errors by interfacing with an organization’s Master Patient Index (MPI), Epic’s ROI module, or other information technology systems.

Vendors with strong technology capabilities should also have interfaces with government agencies, such as the U.S. Social Security Administration (SSA) for automating Disability Determination Services (DDS) and the Centers for Medicare & Medicaid Services (CMS), to reduce turnaround times and labor for fulfilling DDS and audit requests.

To request a side-by-side comparison of how partnering with MRO for ROI services compares to both in-house processing and other ROI vendors, please fill out the form below.


PHI disclosure legal issues, part 5: Removing barriers to patient access, continued

In the previous post of our five-part Legal Issues blog series, we explored the FAQs that the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in recent months concerning patient access to Protected Health Information (PHI). The FAQs were generated in response to recent studies and OCR investigations that found patients often face obstacles when trying to access their health information from hospitals and physician practices.

The last post described potential barriers in the request stage of the Release of Information (ROI) process for patients, which you can read here. This post, the final in our Legal Issues series, will focus on the release stage of the process.

Provide patients with access to their “designated record set”
HIPAA entitles patients to access their “designated record set,” which consists of a broad array of health information including: medical and billing records; insurance information; clinical laboratory test results; medical imaging; wellness and disease management program files; and clinical case notes. The OCR’s FAQs provide guidance on what should be considered part of a designated record set and should be reviewed by providers to ensure compliance.

Deliver PHI in the requested format
Under HIPAA, patients are entitled to receive copies of their PHI in the form and format they request. If that’s not feasible, the PHI must be in a readable format agreed to by the provider and patient. Thus, if a patient requests copies of their electronically-stored PHI in the same format, a provider should offer the requested PHI copies in an email, on a CD-ROM, or in another electronic method. The same rule applies if the patient requests copies of their PHI be delivered on paper.

Release PHI within 30 days of receipt of their request
A major focus of the OCR’s recent FAQs is the importance of providing patients with access to their PHI within 30 days of receipt of the request. If a rare long turnaround time is unavoidable, the provider must notify the patient of the delay, explain why it has occurred, and when the patient should expect to receive copies of their PHI.

Providers should review their turnaround times and make sure they are in line. Having a form letter prepared in the event that there is a delay is also a good idea.

I hope you enjoyed reading the posts in this Legal Issue series as much as I enjoyed writing them. To be sure you never miss a new post, you can subscribe to MRO’s blog below.


PHI disclosure legal issues, part 4: Removing barriers to patient access

Over the past few months, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published several FAQs related to patient access to Protected Health Information (PHI). These FAQs were generated in response to recent studies and OCR investigations that found that patients often face obstacles when trying to access their health information from hospitals and physician practices.

In continuation with our Legal Issues blog series, parts four and five will explore ways providers can avoid patient complaints being filed against them with the OCR regarding PHI access that could lead to investigations and possible enforcement actions. Part four is about removing obstacles from patients requesting their PHI, while part five will look at how providers can properly disclose patients’ information.

HIPAA-compliant authorization not required
HIPAA-compliant authorizations are required when a third party is requesting access to a patient’s PHI. However, a patient or a patient’s authorized representative (see below) does not need to provide a HIPAA-compliant authorization to obtain access to the patient’s own PHI. A patient can simply submit their request in writing to their healthcare provider, provided that the request contains enough information for the healthcare provider to verify the patient’s identity.

Providers can require that patients use a specific form to request access to their PHI, but the form cannot create an access obstacle. Healthcare providers need to review what documentation they are requiring patients to provide to release their information and ensure that access is not obstructed.

Honor the personal representative’s Release of Information (ROI) request
Under HIPAA, a patient’s personal representative has the same right as the patient to access the patient’s PHI. Examples of personal representatives include healthcare powers of attorney and the parents/guardians of minor children.

Providers should ensure, however, that the personal representative’s request includes information regarding his or her authority to act on behalf of the patient, such as a healthcare power of attorney executed in accordance with applicable state law. Medical providers should make sure their policies do not create a barrier to access for personal representatives.

In light of the OCR’s recent FAQs, healthcare providers should make efforts towards enhancing their patient request policies and procedures to ensure they are providing patients with timely access to their PHI. At MRO, we are dedicated to providing patients with timely access to their PHI and have recently launched a new Patient Advocate Program to guide patients through the ROI process.

In the final segment of our Legal Issues blog series, we’ll take a look at how providers can ensure proper and compliant disclosure of patient information. Don’t want to miss part five? Sign up for future MRO blog posts below.
