
PHI disclosure legal issues, part 5: Removing barriers to patient access, continued

 


In the previous post of our five-part Legal Issues blog series, we explored the FAQs that the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published in recent months concerning patient access to Protected Health Information (PHI). The FAQs were generated in response to recent studies and OCR investigations that found patients often face obstacles when trying to access their health information from hospitals and physician practices.

The last post described potential barriers in the request stage of the Release of Information (ROI) process for patients, which you can read here. This post, the final in our Legal Issues series, will focus on the release stage of the process.

Provide patients with access to their “designated record set”
HIPAA entitles patients to access their “designated record set,” which consists of a broad array of health information, including medical and billing records; insurance information; clinical laboratory test results; medical imaging; wellness and disease management program files; and clinical case notes. The OCR’s FAQs provide guidance on what should be considered part of a designated record set and should be reviewed by providers to ensure compliance.

Deliver PHI in the requested format
Under HIPAA, patients are entitled to receive copies of their PHI in the form and format they request. If that’s not feasible, the PHI must be in a readable format agreed to by the provider and patient. Thus, if a patient requests copies of their electronically-stored PHI in the same format, a provider should offer the requested PHI copies in an email, on a CD-ROM, or in another electronic method. The same rule applies if the patient requests copies of their PHI be delivered on paper.

Release PHI within 30 days of receipt of their request
A major focus of the OCR’s recent FAQs is the importance of providing patients with access to their PHI within 30 days of receipt of the request. If a rare long turnaround time is unavoidable, the provider must notify the patient of the delay, explain why it has occurred, and state when the patient should expect to receive copies of their PHI.

Providers should review their turnaround times and make sure they are in line with this requirement. Having a form letter prepared in the event that there is a delay is also a good idea.

I hope you enjoyed reading the posts in this Legal Issue series as much as I enjoyed writing them. To be sure you never miss a new post, you can subscribe to MRO’s blog below.

This blog post is made available by MRO’s general counsel for educational purposes only, as well as to give general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


PHI disclosure legal issues, part 4: Removing barriers to patient access

 


Over the past few months, the United States Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has published several FAQs related to patient access to Protected Health Information (PHI). These FAQs were generated in response to recent studies and OCR investigations that found that patients often face obstacles when trying to access their health information from hospitals and physician practices.

Continuing our Legal Issues blog series, parts four and five will explore ways providers can avoid patient complaints being filed against them with the OCR regarding PHI access that could lead to investigations and possible enforcement actions. Part four is about removing obstacles from patients requesting their PHI, while part five will look at how providers can properly disclose patients’ information.

HIPAA-compliant authorization not required
HIPAA-compliant authorizations are required when a third party is requesting access to a patient’s PHI. However, a patient or a patient’s authorized representative (see below) does not need to provide a HIPAA-compliant authorization to obtain access to the patient’s own PHI. A patient can simply submit their request in writing to their healthcare provider, provided that the request contains enough information for the healthcare provider to verify the patient’s identity.

Providers can require that patients use a specific form to request access to their PHI, but the form cannot create an access obstacle. Healthcare providers need to review what documentation they are requiring patients to provide to release their information and ensure that access is not obstructed.

Honor the personal representative’s Release of Information (ROI) request
Under HIPAA, a patient’s personal representative has the same right as the patient to access the patient’s PHI. Examples of personal representatives include healthcare powers of attorney and the parents/guardians of minor children.

Providers should ensure, however, that the personal representative’s request includes information regarding his or her authority to act on behalf of the patient, such as a healthcare power of attorney executed in accordance with applicable state law. Medical providers should make sure their policies do not create a barrier to access for personal representatives.

In light of the OCR’s recent FAQs, healthcare providers should make efforts towards enhancing their patient request policies and procedures to ensure they are providing patients with timely access to their PHI. At MRO, we are dedicated to providing patients with timely access to their PHI and have recently launched a new Patient Advocate Program to guide patients through the ROI process.

In the final segment of our Legal Issues blog series, we’ll take a look at how providers can ensure proper and compliant disclosure of patient information. Don’t want to miss part five? Sign up for future MRO blog posts below.


OCR HIPAA Phase 2 Audits: What to Expect


On Monday, March 21, I attended the 24th National HIPAA Summit in Washington, D.C., where Jocelyn Samuels, Director of the HHS Office for Civil Rights (OCR), announced the launch of Phase 2 of its HIPAA audits of Covered Entities (CEs) and Business Associates (BAs). The OCR anticipates conducting approximately 200 audits during Phase 2 of the HIPAA Audit Program, which will be executed in three stages. The first stage will involve desk audits of CEs; desk audits of BAs will be conducted during the second stage; and on-site audits of both CEs and BAs will be performed during the third stage.

What is the HIPAA Audit Program?
The Health Information Technology for Economic and Clinical Health (HITECH) Act requires that the OCR conduct periodic audits of CEs and BAs to evaluate their compliance with the HIPAA Privacy, Security and Breach Notification Rules.

Completed in 2012, Phase 1 of the HIPAA Audit Program involved approximately 115 audits of CEs. This first phase of audits found that many of the participants lacked awareness of key Privacy and Security Rule requirements, such as the need to provide patients with Notices of Privacy Practices, the proper protocol for providing individuals and their personal representatives with timely access to the individual’s Protected Health Information (PHI), the need to conduct a risk analysis on a regular basis, and the importance of disposing of media containing PHI in a secure manner.

Who will be subject to Phase 2 of the HIPAA Audit Program and how will participants be selected?
Since announcing the launch of Phase 2 of the HIPAA Audit Program, the OCR has started sending emails to CEs to verify contact information. CEs need to check their spam filters to ensure that any emails from the OCR have not been incorrectly identified as junk email.

Those CEs who are asked by the OCR to verify their contact information may eventually be sent a pre-audit questionnaire that will ask recipients a host of questions about their organization, including where they are located, how many employees they have, what services they provide, and who their BAs are. The questionnaires will be used by the OCR to determine which CEs and BAs will be selected to participate in Phase 2 of the HIPAA Audit Program. The OCR wants to audit a diverse selection of CEs and BAs that will range in size, type and location.

All CEs and BAs are eligible for an audit and could be asked to participate in either one or two stages of Phase 2 of the HIPAA Audit Program. However, CEs or BAs who are involved in an ongoing OCR complaint investigation or compliance review will not be selected as an audit participant during Phase 2 of the HIPAA Audit Program.

What is the timeline for the three stages?
Stage 1 – Desk Audits of CEs

The first stage of Phase 2 of the HIPAA Audit Program will involve desk audits of CEs. The focus of these desk audits will be on the CE’s compliance with specific requirements of the Privacy, Security or Breach Notification Rules. Audit participants should be prepared to share their risk analyses, policies and procedures and their Notice of Privacy Practices with the OCR. It appears that the OCR will also be interested in learning about how the CE processes individuals’ requests for PHI copies. The OCR states that these desk audits will be completed by the end of December 2016.

Stage 2 – Desk Audits of BAs

The second stage of Phase 2 will be very similar to the first stage, except desk audits will be conducted on BAs. The OCR states that these desk audits will also be completed by the end of December 2016.

Stage 3 – On-Site Audits of CEs and BAs

The third stage of Phase 2 will involve on-site audits of select CEs and BAs. These on-site audits will be comprehensive and will likely include a three- to five-day on-site visit by the OCR.

What’s next?
Any day now, the OCR will be publishing audit protocols for Phase 2 of the HIPAA Audit Program. These protocols will provide instructions to CEs and BAs on what the OCR will be evaluating during the various stages of Phase 2.

MRO will be sharing helpful tips with our clients in upcoming email and webinar formats. Stay tuned for more details.

This blog post is made available by MRO’s general counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s general counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.


Information governance requires technology, consistency and HIM leadership

More Protected Health Information (PHI) and other data is coming in and going out of healthcare organizations than ever before. Electronic medical records (EMRs) and numerous electronic devices make accessing and exchanging information much easier than with paper. But it’s also easier to disclose PHI to an unauthorized recipient, resulting in a breach that can be costly not only financially but also to an organization’s reputation.

This challenge—among many others—has spurred the adoption of Information Governance (IG) programs across organizations. Protecting patient information and mitigating an organization’s risk, however, are only two reasons why implementing an IG program at your organization is so important.

Crucial to implementing an IG program is having the right technology and a knowledgeable team in place, which we’ll explore in this blog post. But first, a little background about IG.

HIM becoming the IG leaders
In 2014, AHIMA laid out its eight IG principles, described in greater detail here. The overriding theme across these principles is that organizations need to implement consistent, standardized policies and procedures surrounding the access, disclosure and management of information across their enterprises.

To achieve this, collaboration with the CIO, HIT, Compliance and other senior executives is essential, but HIM can lead in helping design and implement an IG program. Why? Because HIM has the most applicable knowledge base and experience in ensuring consistent policies and procedures around managing PHI and other information.

HIM leaders can also share best practices to educate other departments on compliant information access and disclosure. This leadership role should institute a continual effort to address gaps and ensure compliance with the organization’s IG program. HIM leaders also have insight into the technology that can help protect data integrity and prevent breaches.

How technology supports IG
As centralized policies are developed and communicated, technology solutions can be implemented to help manage information in a coordinated manner across the enterprise. One such tool available to support an organization’s IG efforts is MRO’s IdentiScan®, which uses optical character recognition technology to search medical record content to identify and correct comingled records containing information for multiple patients. Correcting comingled records prior to Release of Information (ROI) can prevent a PHI breach, but more importantly, it can protect patient safety and improve quality care by ensuring that providers are reviewing the right data for the right patient.

Eliminating mixed records using this automated validation process can noticeably enhance overall accuracy. For example, one large health system we assisted utilized eight full-time employees just to perform quality reviews of their charts at the point of patient discharge. Even with this extra layer of focused manual checks, IdentiScan detected more than 350 instances of comingled patient records, in addition to what the healthcare organization’s staff found over the course of nearly two and a half years.

Integrity is one of AHIMA’s primary IG principles, focusing on eliminating errors and ensuring accuracy. IdentiScan also supports organizations in helping follow most of AHIMA’s other IG principles, including Protection, Compliance, Availability and Accountability. However, advanced technology alone won’t help organizations achieve their IG goals. Technology is only a tool that supports a knowledgeable, highly trained staff of HIM experts. This staff can help organizations achieve the AHIMA IG goals of helping to improve patient safety, care quality, interoperability and organization-wide efficiency, among others.
Schedule a no-obligation demonstration of MRO’s IdentiScan today to learn how our technology can protect your organization’s data integrity and mitigate its breach risk.


PHI privacy and security challenges reign supreme in 2016

Health IT Outcomes reported that 2016 will mark “the end of EHR/MU’s five-year reign as the top health IT initiative with Protected Health Information (PHI) security taking over the top spot.”

I agree with the article author’s assessment that there are multiple PHI security and privacy concerns as we enter the second month of this new year. The top risks I see include:

  • Mobile device protection: Device theft is a major risk, but so is how PHI is exchanged using these devices.
  • Data segmentation: Ensuring disclosed PHI includes only the information the patient has authorized providers to share is an emerging challenge in our electronic age.
  • Data integrity: Errors, redundancies and gaps in the electronic medical record (EMR) can result in inaccurate Release of Information (ROI)—such as including PHI about the wrong patient due to comingled records—which would qualify as a breach under HIPAA.
  • Cybercrime: Hackers are developing new techniques to steal PHI from hospitals.

However, a substantial PHI privacy and security issue that providers have an opportunity to control is the PHI disclosure process occurring within their own organizations. As we will explore in this post, establishing standardized disclosure policies and procedures and partnering with a tech-savvy PHI disclosure management partner can address emerging privacy and security issues and limit breach risk.

Small breach risk escalating
All indicators are pointing toward an increased focus in 2016 on small breaches, defined by the Department of Health and Human Services’ Office for Civil Rights (OCR) as those affecting fewer than 500 individuals. These types of breaches are often the result of an organizational failure to fully implement compliant privacy and security standards around the disclosure of PHI.

Research conducted by news organization ProPublica last year revealed that there were 1,400 large breaches of 500 or more individuals since 2009, but there were also more than 181,000 small breaches. Despite their size, small breaches are just as impactful to providers, carrying similar financial implications. According to a report by the American National Standards Institute, each incident can cost $8,000 to $300,000, not including HIPAA violation civil penalties. These penalties can reach as much as $50,000 per breach with a maximum of $1.5 million annually for repeated occurrences.

While cybercrime or device thefts make for sensational headlines, breaches due to employee or organization errors are also reported in the news and can spread virally in social media, resulting in loss of brand value. As these trends continue, patient awareness of privacy and security concerns will increase, as will their expectations when a privacy and/or security event occurs.

Breach prevention tips
To protect your organization, establish and train a privacy and security incident response team before a breach occurs. Standardizing and enforcing policies and procedures around PHI access, use and disclosure in all departments is also important to mitigate breach risk.

In addition, mitigation includes educating your staff on risks, such as how working too fast could cause careless mistakes resulting in improperly disclosing health information. With PHI disclosure, we are called to strike the right balance between efficient workflows and excellence in accuracy.

Another best practice is to leverage technology to make the process secure, reliable and efficient. For example, MRO’s ROI solution includes the cutting-edge IdentiScan® data integrity application that uses optical character recognition technology to check medical documentation to identify comingled records. Errors are flagged and corrected by MRO’s Quality Assurance (QA) team before PHI is disclosed.

Data integrity
MRO is expanding IdentiScan’s capabilities this year to better ensure the data integrity within a health system’s EMR. There are many points at which patient records can become mixed, and by leveraging IdentiScan in this new way, we help identify and correct comingled records at every stage.

At the upcoming HIMSS16 conference in Las Vegas, my colleague David Borden, MRO’s CTO and inventor of IdentiScan, and I will be showcasing IdentiScan at MRO’s booth #6454. In our presentation, we will focus on how this kind of technology can safeguard healthcare organizations against breach and contribute to your Information Governance goals for data integrity.

For more information about our presentation and all the events at MRO’s booth, view our schedule.


Maximize your EMR investment with systems integration

Fueled by the Meaningful Use program, healthcare organizations nationwide have invested billions of dollars plus countless hours in their electronic medical record (EMR) systems and are looking for ways to maximize value from those huge investments. More than 70 percent of responding College of Healthcare Information Management Executives (CHIME) members agreed that optimizing such investments is a top priority, according to an August survey.

One key optimization opportunity is EMR integration, which allows providers to leverage their investments and continue to use best-of-breed frameworks, ensuring they don’t get locked in with a single vendor.

Opportunity to integrate
EMR vendors have recognized the importance of opening up their systems by letting other vendors add to their core product. Epic has taken the lead in this area. The company’s new application exchange program, which is similar to Apple’s App Store or Android’s Google Play, provides a framework of APIs and technical support to help non-competing vendors make value-added integrations between their product and Epic; they also provide a sandbox for testing. This open approach creates a win-win-win scenario for the EMR vendor, other third-party vendors and their mutual clients.

Ease of use and streamlined workflow
MRO has taken advantage of the EMR integration opportunity to streamline Release of Information (ROI) workflows and improve ease of use for our clients. This January, we officially announced the launch of MROeLink®, a suite of health information technology (HIT) integrations for ROI. At the core of MROeLink is a web services-based synchronization between our ROI platform and the ROI module within Epic, using API services provided on Epic’s Interconnect Server.

MROeLink automates seven different manual ROI workflow steps, and eliminates the need for dual data entry in MRO’s application and the EMR. Clients using the integration have reported time savings of up to 50 percent in logging requests, and selecting and aggregating patient records for release.

MRO’s team continues to devote time and financial resources towards making this and other EMR integrations possible, to help our partners derive the maximum value from their HIT investments. Learn more about MROeLink by watching the video below.


CEO Spotlight, Part 2: Steve Hynes describes how MRO will lead the way amid the changing health information marketplace

Last week, we featured part 1 of our discussion with MRO’s CEO Steve Hynes where he described how the company evolved since its founding in 2002. In part 2 of that discussion, Steve looks to the future to explain how MRO’s technology will continue to innovate in the increasingly complex world of health information management (HIM) and exchange (HIE), and how healthcare organizations will be able to continue to rely on MRO’s technology, service and expertise to ensure their Protected Health Information (PHI) is safeguarded.

Q: Why do you think MRO continues to lead the industry in regards to its technology and innovation?
We put a lot of focus and resources into our technology vision in terms of making PHI exchange in the electronic age more secure, efficient and compliant with HIPAA and state regulations. David Borden, our chief technology officer, has done an excellent job of being our visionary in terms of technology. As provider and requester IT needs evolve, it is important for MRO to evolve with them. While we are in the service business, technology is a critical tool for delivering quality service.

Q: What do you see as the most pressing challenges facing healthcare provider organizations in 2016 and beyond in regards to exchanging health information?
A few of the challenges include merging disparate systems from within healthcare organizations and maintaining patient privacy as certain types of disclosures become more automated via HIE and interoperability. Having privacy and security experts, such as MRO, in their corner is essential in facing these challenges. We will continue to evolve our service and technology offerings to help healthcare organizations meet these challenges.

Q: Do you have any examples?
Sure, in 2016, we are rolling out a suite of health information technology (HIT) integrations called MROeLink® to streamline ROI workflows and improve accuracy through automation of the process. Additionally, we are expanding the capabilities of IdentiScan®, our proprietary Quality Assurance (QA) application that identifies comingled patient records. Soon, it will assist in quality checking every page of released documentation, ensuring the highest levels of accuracy; we are also exploring additional use cases to leverage this technology for data integrity purposes outside of the release process.

Q: How will you measure success for MRO?
In many, many ways, but in the end I have two primary metrics: our client retention rate and our KLAS rating. I don’t mean to minimize other metrics, but if we get those right, which we have thus far, then we will be successful.

To learn more about Steve’s vision for MRO and health information exchange, please watch the video below.


CEO Spotlight, Part 1: Steve Hynes discusses MRO’s steadfast adherence to innovation, compliance and client service

When MRO was founded in 2002, the healthcare industry was significantly different than it is today. Electronic medical records (EMRs) were in their infancy, and faxing and postal mail were the primary methods of compliantly exchanging Protected Health Information (PHI).

Fast-forward to 2016, and electronic PHI (ePHI) exchange is everywhere. While more efficient to manage, ePHI also raises new challenges and risks for healthcare provider organizations. With the start of the New Year, it is the ideal time to discuss the evolving state of PHI exchange with MRO’s co-founder and CEO, Steve Hynes, and how MRO will help clients rise to the challenges and mitigate those risks. In the first part of this discussion, Steve describes how MRO has evolved since its founding. In part two, Steve will describe what he sees for the future of MRO and the healthcare industry.

Q: How has your vision for MRO evolved since the company was founded in 2002?
When we founded MRO, our focus was on building a Release of Information (ROI) platform that would enable healthcare providers to process ROI in-house while partnering with MRO to provide Quality Assurance (QA), requester customer service and fulfillment, such as billing, collections and distribution. This is still what MRO offers as our ROI Shared Services model today. Since then, we have evolved our platform to be leveraged in fully-outsourced Staffed and Centralized Remote Services models that provide flexibility to meet client needs. We’ve also enhanced the platform to include new technology features that enable clients to exchange PHI at the highest accuracy and efficiency rates.

With a continued focus on innovation, technology and unparalleled service, MRO’s vision has expanded beyond ROI to address the many privacy and security compliance challenges healthcare organizations face in today’s age of information exchange and interoperability.

Q: What changes in the healthcare industry and/or MRO caused your vision to evolve?
EMR systems and health information exchange (HIE) have fundamentally changed the way healthcare organizations manage and share PHI. Health information management (HIM) and a myriad of other departments in a healthcare enterprise are accessing and exchanging ePHI with more requesters than ever before. There are several reasons behind the increased demand for medical records from patients and third-party requesters, such as the rising tide of payer audits that may require providers to share thousands of records at a time.

MRO was ahead of the curve in addressing these issues by enhancing our technology and expanding our service offerings so we could help organizations manage and share PHI more efficiently and productively, while improving HIPAA compliance in their exchange processes.

Q: What are some aspects of the vision that haven’t changed?
We set out to build the best PHI disclosure management platform in the industry and that remains an important component of our value proposition. In 2016 and the coming years, we will continue to enhance the platform with additional functionality and safeguards as ePHI exchange continues to expand across the industry. However, our vision will always include an unwavering focus on exceptional service quality.

Q: To what do you attribute MRO’s significant growth over the years, particularly in 2015 when the company was named to Inc. magazine’s 5000 fastest-growing companies?
We have built a client-first culture that cuts across our entire organization. This enables us to be responsive to client needs and drives a high client retention rate. You can’t grow if you don’t retain your clients! Our move in November 2015 to our new larger National Service Center near our former corporate offices demonstrates that commitment to our culture.

To learn more about how our National Service Center serves our clients, watch our facility video here.


Our clients are the reason for our success in 2015

We Appreciate Your Trust In Us

2016 is almost here, but before we ring in the New Year, I would like to take a moment to celebrate a few of MRO’s accomplishments in 2015 — all of which are attributable to our clients and our collective commitment to exceeding their expectations.

This year our company was recognized for superior quality, service, innovation and growth by several organizations. In part due to this growth, this fall we also moved into a new larger headquarters that affords us the space and technology to deliver better client service.

What we’re perhaps most proud of this year, though, is that we learned through an impartial, third-party survey that 100 percent of our clients would hire us again. This finding alone is fulfilling for all of us at MRO and motivates us to continue to earn that loyalty every day of the year.

Multiple recognitions for quality and growth
Our recognitions began in January when MRO was named Category Leader for the Release of Information (ROI) services market segment as part of the “2014 Best in KLAS: Software & Professional Services” report. This was MRO’s second year in a row to receive this honor. Later in 2015, KLAS also named MRO as the ROI vendor with the best quality and overall performance in its “HIM Services Performance 2015: Coding, Transcription, Release of Information” report.

These rankings were especially meaningful for us because KLAS researchers base their evaluations on in-depth, impartial and honest interviews with our own clients. Being named “the best” by clients is what we aspire to every day.

Other organizations also recognized our achievements in 2015, including Corporate LiveWire, a corporate-finance news and information organization, which named MRO as the “Most Innovative Disclosure Management Firm – USA.” MRO was selected ahead of three other disclosure management firms who were not named by Corporate LiveWire.

Lastly, MRO was named one of Inc. magazine’s 5000 Fastest Growing Companies based on our growth over the last three years, a pace we are positioned to maintain or exceed in 2016.

New National Service Center
In October, we launched operations in our new larger, vibrant and modern facility outside of Philadelphia, PA in historic Valley Forge. The new National Service Center has twice the floor space to accommodate our expanding workforce and technology needs and includes an improved communications system, which will especially benefit our requester- and client-services teams. The system assists our specialists and leadership team in assessing phone call metrics, managing calls, adjusting resources and analyzing workloads. Take a look at our facility video that showcases how our National Service Center serves our clients below.


Client commitment drives success
While we’re proud of our accomplishments this year, we really want to thank our clients for helping drive our success with their loyalty, feedback and recommendations to colleagues. Continuous client-service improvement is the engine of our success strategy, driving our technology improvements and new technology development, employee-training curriculum, and partnership- and expansion-opportunity evaluations, among other strategic decisions.

For 2016, we’re busy planning and perfecting new services and technology enhancements to further enable our clients with the most cutting-edge solutions. Most importantly, we will continue to strive to exceed our clients’ expectations.

Happy New Year!


4 ways a high-quality PHI disclosure management team can bring home Release of Information touchdowns

Winter is almost upon us. We’re deep into the football season. And, I’ll be settling in at home to watch the local Philadelphia Eagles play the Buffalo Bills this weekend.

I’ve watched the home team struggle this season, and I can’t help but think about what makes some teams more successful than others. I believe that great teams need solid training and coaching, plus the confidence that comes with practiced experience, to choose and execute the right play at the right moment as part of a winning strategy. Just as it does in the game of football, this counts in the business of ensuring efficient and compliant disclosure of Protected Health Information (PHI), too.

To manage Release of Information (ROI) in the best interests of the patient and for timely, informed care, a Health Information Management (HIM) team needs to protect the ball (or the request) and deliver it (and its associated PHI) safely over the goal line time after time. In that spirit, the following are four ways your PHI disclosure management team can bring home ROI touchdowns:

1. Preparation. Having a great playbook means being prepared with a set of plans for a variety of situations. Each player (or ROI specialist) should be trained and ready to take the best-practice action in each case. This kind of proactive approach can help prevent fumbles in the request completion process.

2. Know the rules. Knowing the rulebook is also essential to the game. With ongoing changes to the HIPAA Privacy & Security rules, as well as the need to comply with state law, healthcare organizations must ensure that all requirements are met. HIPAA guidelines may be overruled by state law, and the regulations that apply in one state may not exist in another. To be in compliance, the organization needs to understand the varying situations and adjust processes appropriately.

3. Performance measurement. Measuring, reporting and reviewing performance are also crucial to ensure that productivity, turnaround, Accounting of Disclosures and other key areas are all running at their peak. It’s much like watching the game films at practice the next day to determine exactly what took place and then figure out how to execute better next time. Likewise, thorough risk assessment will allow the team to eliminate any openings in its defense.

4. Strong coaching. Team members should receive a formal program of ongoing learning led by highly qualified “head coaches,” where they gain knowledge and learn good judgment, which results in strong productivity and highly accurate ROI deliveries. Learn more about MRO’s training and education programs on our website.

As part of their strategy, many organizations choose to outsource PHI disclosure management rather than maintain their own team and processes. Fortunately, MRO is positioned to take it all on and consistently score for our partners. MRO offers the type of team I have described here plus state-of-the-art technology all integrated into a proven, standardized workflow that helps enforce HIPAA-compliant policies and procedures across the multiple departments that disclose PHI.

A successful PHI disclosure management strategy should be dedicated to using all available resources to win the game and the season, and a strong, focused team is a key component. MRO’s winning team delivers high-quality results every day.
