The evolving HIM role paves the way for exciting career opportunities

As I stood by the podium at my high school graduation in 2008 accepting my diploma, I had no idea where life was going to take me. Fast-forward four years, and I am walking across the stage at Temple University’s Liacouras Center, fighting back tears as I am handed my college diploma.

I still had no idea what was in store for me. Luckily, I had one unique asset under my belt that would open many doors for me. At Temple, I studied Health Information Management (HIM). I assure you that I did not even know this major existed until I was already a college student, but majoring in HIM was truly one of the best decisions I have ever made. Armed with both an in-demand degree like HIM and my Registered Health Information Administrator (RHIA) certification, I suddenly found new options presenting themselves, and my world became much bigger than the one I knew on graduation day.

In HIM, we learned about billing, coding, quality improvement, anatomy and physiology, project management, privacy and security, Release of Information, the latest information management technology, healthcare provider workflows, and data integrity. Now more than ever, hospitals and large health systems need professionals trained and skilled in these areas to maintain compliant standards and processes for handling Protected Health Information (PHI). Being such a vital partner to the healthcare organization, at a time when the industry is growing rapidly, makes this field both stimulating and rewarding.

Working at MRO offers an excitement all its own. Our implementation team has more than doubled in size since I joined in 2013. We are now made up of seven members, and we are still expanding due to the overwhelming demand for our company’s solutions.

On our implementation team, I am lucky enough to be involved in client onboarding and in projects all over the country. In many of these implementations, we integrate direct interfaces between our platform and our clients’ EHRs, such as Epic. I am watching this company expand rapidly right in front of my eyes, and I am excited to be a part of it.

There could not be a better time to be involved in HIM. The demand is high and there is much work to be done. To learn more about careers at MRO, visit our Careers page.

PHI disclosure legal issues, part 3: Adopting ROI policies that are stricter than HIPAA and state laws

It comes as a surprise to many requesters of medical records that healthcare providers can implement policies that are stricter than both HIPAA and state law. This is because HIPAA was designed to permit the adoption of more stringent federal and state laws, as well as healthcare provider policies, to further safeguard Protected Health Information (PHI).

As Health Information Management (HIM) professionals are aware, the HIPAA privacy rule serves as a “federal floor” of privacy protections for patients’ PHI, meaning that it sets the minimum standards that healthcare providers must follow for disclosure.

States can enact laws that provide additional protections for PHI. Under HIPAA’s preemption rule, a state law that is “contrary” to HIPAA (one that makes it impossible for a healthcare provider to comply with both, or that stands as an obstacle to accomplishing the purposes and objectives of HIPAA) is preempted unless it is more stringent, that is, more protective of the patient’s privacy. Most states have therefore adopted laws that further protect certain types of PHI that HIPAA and other federal laws do not specifically address, such as mental health records and PHI related to a patient’s treatment for AIDS/HIV.

Additionally, many healthcare providers have implemented their own disclosure policies that are more restrictive than both HIPAA and applicable state laws. For example, HIPAA and some states permit the disclosure of PHI when subpoenaed as long as it is accompanied by “satisfactory assurance” – documentation that the patient subject to the subpoena was notified and was given opportunity to object to the disclosure. A healthcare provider, however, can choose to adopt a more restrictive policy in the interest of protecting patient privacy, such as requiring that subpoenas be accompanied by a HIPAA-compliant authorization or a court order signed by a judge.

Facilities, however, should be cautious before adopting policies that are more stringent than HIPAA and state law, because such policies may be seen as restricting a patient’s right of access to PHI. For example, it may seem more secure to process requests for copies of PHI only when they arrive on the healthcare provider’s own authorization form. If such a policy were adopted and an otherwise HIPAA-compliant authorization were rejected because it was on a different form, the facility could face a complaint to the Office for Civil Rights (OCR) for restricting a patient’s access to their PHI. Thus, healthcare providers need to make sure that their policies do not run contrary to the objectives of HIPAA and the applicable state laws.

Given the myriad of federal and state laws related to disclosure of PHI, it is important that healthcare providers and their HIM staff adopt Release of Information (ROI) policies that do not contradict the applicable federal and state laws. MRO’s ROI specialists who work at our clients’ facilities are trained on how to disclose PHI according to the applicable federal and state laws and facility policies to ensure they remain compliant with all relevant rules and regulations.

This is the third post of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Reputational damage of data breach the most lingering consequence

Few other industries emphasize and value reputation more than healthcare, especially when it concerns patient care quality and experience. When a provider organization discloses Protected Health Information (PHI) to an unauthorized party, that organization’s reputation can suffer significant damage. Reputational damage is just one of the elements that I described in my last post about the financial risks of a PHI breach, but I wanted to focus on it exclusively in this post because the consequences are so far reaching beyond financial penalties.

I also want to emphasize that healthcare organizations can help prevent the lingering reputational damage associated with a breach by partnering with a PHI disclosure management vendor that offers state-of-the-art technology and a highly trained and knowledgeable staff who are experts in HIPAA compliance and avoiding breaches.

Patients key stakeholders for reputational risk

A “negative reputation event,” such as a data breach, can cause a “loss of brand value” for healthcare providers, according to a group of healthcare and life sciences executives who were surveyed recently by consulting firm Deloitte.

The survey also found that customers (patients, for healthcare organizations) were the “most important stakeholders for managing reputational risk.” Large PHI breaches make the news, but smaller breaches, which are far more common, can also damage a hospital’s reputation. Word of a breach can spread online through social media such as Facebook and Twitter, through consumer rating sites such as Yelp, and even through Google results when someone searches for the hospital. These online assessments are increasingly influencing patients’ expectations, Deloitte reported.

Patients sharing their experiences with hospitals and providers online is another sign that patients are increasingly behaving as healthcare consumers, with far more mobility and choice over where they seek care. If patients do not trust providers with their PHI, they are more likely than ever to take their healthcare dollars elsewhere.

Establishing a culture of compliance

Decreased patient volume due to reputational damage is just one of the financial impacts of a PHI breach. But the lingering effects of reputational damage, I believe, are longer lasting and harder to quantify in dollars and cents. Beyond the loss of patient trust, breaches can hurt employee morale and providers’ confidence, and degrade the overall culture of the organization into one of instability and confusion.

By instilling a culture of adherence to HIPAA-compliant PHI disclosure policies and procedures, and offering employees the support and tools they need to comply, organizations can avoid these breach-caused negative reputation events and their impacts.

A trusted PHI disclosure management partner that has already established a culture of HIPAA compliance and knowledge, supported by technology to prevent improper disclosures, can be a significant advantage to an organization in protecting its reputation and its bottom line.

To learn more about the financial and reputational impacts of a PHI breach, please download our white paper: “Mitigating breach risk in an era of expanding PHI disclosure points and requests for health information.”

PHI disclosure legal issues, Part 2: Obtaining deceased patients’ records

After a loved one dies, there are numerous situations where families might need copies of the deceased patient’s medical records. For example, records are needed when the family submits a life insurance death claim or if they plan to file any sort of lawsuit related to the patient’s death.

But after a patient dies, HIPAA and state laws can complicate the process of obtaining these records, especially if the patient dies without a will, which is called dying “intestate.” Given the myriad of state and federal laws related to disclosure of deceased patients’ Protected Health Information (PHI), it is important that healthcare providers and their HIM staff establish a policy on what documentation a requester must provide before the decedent’s PHI is disclosed. In the Release of Information context, for example, HIPAA generally requires an authorization signed by the deceased patient’s “Personal Representative” before a decedent’s PHI may be released to a requester.

The person who qualifies as the Personal Representative under HIPAA changes when the patient dies. A durable healthcare power of attorney, for instance, is revoked upon the patient’s death, so without other documentation the agent named in it is no longer the decedent’s Personal Representative. Adding to the complexity, while some states have adopted HIPAA’s definition of Personal Representative, many state laws list other people, such as family members, who can act as the decedent’s Personal Representative if there is no will.

Complying with all applicable state and federal laws is certainly essential, but many healthcare providers adopt policies that are even more stringent. While state law may only require a copy of the decedent’s will, healthcare providers in that state may choose to require additional documentation proving executorship, such as Letters Testamentary. In other cases, if a patient died intestate, a hospital may require the person claiming to be the Personal Representative to petition the court to obtain Letters of Administration, a laborious process that can be made even more complicated if the decedent’s spouse, children, or another interested party objects to that appointment.

Rest assured, MRO staff who work at our clients’ facilities are trained on how to disclose deceased patients’ PHI according to the applicable federal and state laws and facility policies to ensure legal compliance.

To learn more about how MRO’s highly trained employees protect their clients through their PHI disclosure expertise and support, check out our clients’ experiences.

This is the second of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Information Governance was the buzz at AHIMA

The 87th Annual AHIMA Convention and Exhibit in New Orleans was a resounding success, despite coinciding with the industry-wide transition to ICD-10, which took effect on October 1, the day after the event ended.

Not surprisingly, ICD-10 was a major topic of discussion during the conference. Other topics addressed were emerging issues surrounding data privacy and security including confidentiality, integrity and availability; interoperability; Release of Information (ROI); health information exchanges (HIEs); cyber security; and the Department of Health and Human Services’ Office for Civil Rights audit readiness, as we approach the launch of desk audits.

Information Governance (IG), however, was the most covered topic at the event. AHIMA defines IG as “an organization-wide framework for managing information throughout its lifecycle and supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”

To help navigate this increasingly complex issue, AHIMA released an IG tool kit that urges HIM professionals to take leadership in data sharing, budget allocation and collaboration with other departments for an IG plan. To ensure this collaboration is successful, HIM needs to delegate some IG responsibilities to other departments, which can be difficult, but allows the opportunity for HIM to integrate and oversee data silos it wouldn’t have had access to in years past.

This is just one of the emerging IG challenges that our chief technology officer, David Borden, discussed during the educational session he co-presented at AHIMA with Susan Carey, MHI, RHIT, PMP, the system director of HIM for Norton Healthcare in Louisville, Ky., a not-for-profit system made up of five hospitals, 19 outpatient centers and 140 practice sites. In their session, Borden and Carey urged HIM professionals to “get in the HIE boat” to ensure their voice is heard and considered during HIE planning.

HIM professionals, who are typically the Protected Health Information (PHI) privacy and HIPAA experts within healthcare organizations, need to be integral to this planning because HIE was not created with HIPAA in mind and has not been updated since. Organizational compliance has taken a back seat to the technical requirements of HIE, as David also said in a joint interview with Susan at AHIMA. This means that without the proper policies, procedures and safeguards, breaches can occur on a larger scale and far more easily than in the past, with only a few keystrokes and mouse clicks, which greatly increases risk and liability for healthcare organizations.

“Very often, it’s not well understood that security and privacy are two very distinct knowledge domains,” David told the publication, as well as AHIMA attendees. “IT is very good at security, and sometimes they may think that means they’re also good at privacy, without realizing that’s just as naïve as someone who’s trained in privacy thinking they understand all the ins and outs of security.”

As David and Susan’s presentation discussed, with the growth of electronic HIE, patient-identity matching is becoming a growing patient safety issue and workflow challenge that usually requires HIM to design a solution, but one that requires IT input and assistance. Patient identity is also one of the many data integrity issues that organizations face including accurately and reliably integrating PHI from other providers into the legal record.

Other emerging issues that David and Susan explored in their presentation include sharing of sensitive and “super-protected information”, such as mental health, AIDS/HIV and substance abuse information; patient consent management, such as opt-in, opt-out, and patient education; and managing the minimum necessary standard requirements for payers in a query-based HIE.

As HIEs expand and connect with other information networks, the rules of the road may change without sufficient input from participants, which is why HIM needs to be ever vigilant in having its voice heard. “I feel like we’re in a good place with HIEs, but there’s a lot more work to be done,” Susan said. “…[K]eeping those avenues open between IT and HIM is really what you want to strive for. We have to understand the roles we all play and what the use cases are.”

For information on these important IG issues that are impacting healthcare organizations, please download the slides from David and Susan’s AHIMA educational session.

Reducing PHI breach risk essential for physician groups

For many physician groups, Protected Health Information (PHI) disclosure policies and procedures can vary greatly between practice locations. This variability and limited administrative oversight increases the risk of a PHI breach, which can be costly in terms of reputational damage and financial consequences.

Transitioning a physician group from multiple different Release of Information (ROI) processes to a single ROI technology platform, with the help of an experienced and knowledgeable PHI disclosure management partner, can help identify errors before records are released and avoid these costly breaches. A standardized process across any size practice through a single platform ensures that consistent and compliant ROI policies and procedures are enforced and safeguards are established to prevent a breach.

Practices face same improper disclosure liability as hospitals

Physician practices carry the same PHI disclosure liability as hospitals, although many groups lack the resources of a large health system to recover from a significant breach. HIPAA civil penalties can be as much as $50,000 per violation, up to an annual maximum of $1.5 million for repeated violations of the same provision. In addition to such penalties, there are soft costs associated with each breach, ranging from $8,000 to $300,000, according to the results of an American National Standards Institute (ANSI) survey of organizations that had been affected by a PHI breach. Those figures exclude HIPAA civil penalties and instead cover costs such as credit or identity-theft monitoring for breach victims, forensic and legal fees, and reputational harm, including loss of goodwill and of business, according to survey respondents. The reputational harm a practice suffers from a breach may also be more significant than a hospital’s, because the group’s patient population is narrower.

Just because practices typically have fewer ROI requests than hospitals or health systems does not mean a breach is any less likely. MRO’s research shows more than 100 error types across ROI authorizations, and that 20 to 30 percent of authorizations are initially invalid. The PHI disclosure processes that many practices follow are also highly susceptible to human error. These errors include disclosing the wrong patient’s records because of commingled records, which affect at least 0.7 percent of releases.

Practices may not even be aware of how many unauthorized ROI requests are approved, or have tools to identify and prevent the release of commingled records. Without safeguards to mitigate risk, practices may be facing a question of “when” rather than “if” a breach will occur.

Reduce risk, increase efficiency

Standardizing PHI disclosure across physician practices with a centralized ROI solution can reduce this risk by ensuring consistently enforced policies and procedures. With a single technology platform and an experienced, knowledgeable PHI disclosure management team that can offer best practices and tools, a physician group’s procedures can become compliant faster while relieving practice staff of the burdens of ROI, including Quality Assurance and billing.

Best of all, centralizing and standardizing ROI processes through an outsourced partner gives practices more time and resources to concentrate on revenue-generating activities and, most importantly, on patient care. Establishing and maintaining safeguards to mitigate breach risk can be a business partner’s responsibility, so practice staff can focus on what truly matters: patients and their care.

To learn more about how your group can reduce breach risk and increase efficiency, please read about Lehigh Valley Physician Group’s experience with centralizing their PHI disclosure here.

The ticking PHI breach bomb

When organizations don’t have the right Protected Health Information (PHI) disclosure policies, procedures and infrastructure in place, it can be like they’re sitting on a ticking breach time bomb.

With more than 100 error types found across Release of Information (ROI) authorizations, each request has the potential to result in a PHI breach. That is just one of the many risks detailed in MRO’s new white paper, “Mitigate Breach Risk in an Era of Expanding PHI Disclosure Points And Requests For Health Information.” We also describe industry trends, gaps within the ROI process and other factors that make healthcare organizations vulnerable to breach risk.

The white paper also discusses the most recent findings of the Ponemon Institute, which reported in May 2015 that 91 percent of healthcare organizations had suffered a PHI breach, and 40 percent had more than five data breaches over the past two years. The financial impacts of these breaches are real, including HIPAA civil penalties, which can reach as much as $50,000 per violation, with a maximum of $1.5 million annually for repeated violations of the same provision.

The good news is that organizations can protect themselves from breaches through the combination of highly trained, knowledgeable staff and state-of-the-art technology, which can improve PHI disclosure accuracy rates to 99.99 percent. In our white paper, we describe how improved Quality Assurance procedures and technology could enable an example 300-bed hospital, with approximately 33,000 ROI requests per year, to avoid 231 potential breaches annually.

Financial impacts

Beyond the HIPAA penalties described above and the fines imposed under settlement agreements, organizations also face $8,000 to $300,000 in costs from a reported improper PHI disclosure, according to an estimate from the American National Standards Institute, which surveyed healthcare organizations affected by a breach. These costs include credit or identity theft monitoring for breach victims, forensic and legal fees, and loss of goodwill and of business. The reputational damage of a breach carries an incalculable financial impact in terms of lost current and new patients, as well as physicians or business partners who leave the organization because they do not want to be associated with the institution.

Adding to the high cost of a breach, healthcare organizations can now be sued for negligence and other damages based on improper PHI disclosure. In these cases, courts in at least 10 states have ruled that HIPAA does not preempt such state-law claims, but rather that the statute supplies the relevant standard of care.

Although the popular perception is that the vast majority of these breaches are caused by a cyberattack or a stolen laptop, nearly 40 percent are caused by “unintentional employee action,” a category that does not include lost or stolen devices containing PHI.

Right people and right technology

Defusing this ticking time bomb can be as simple as partnering with an experienced and knowledgeable PHI disclosure management partner such as MRO, where employees undergo specialized training on the most up-to-date HIPAA regulations and PHI disclosure requirements at the federal, state and facility levels.

We also use technology to identify errors at every step of the ROI process, including optical character recognition of scanned documents, to check that there are no commingled records before release. All of the above contributes to our high disclosure accuracy rate and relieves the operational burden on hospital HIM departments and physician practices.

What risk does your organization face from this ticking time bomb? Find out by using our Breach Risk Calculator, which is based on our industry research and in-depth analysis of thousands of ROI transactions. You may be surprised by the results.

PHI Disclosure Legal Issues, Part 1: Healthcare Power of Attorney

Just before our first wedding anniversary this August, my husband and I agreed to finalize our last wills and testaments, durable healthcare powers of attorney and living wills. A durable healthcare power of attorney is a legal document that allows you to authorize a representative to make your healthcare decisions if you become incapacitated, while a living will provides instructions on whether life-prolonging measures should be taken. It may not sound like the most romantic thing to do—I don’t think that signed legal documents count for the gift of “paper” that is traditionally given on a first anniversary—but it is hard to think of a more meaningful gesture as we begin our second year of marriage.

As MRO’s Privacy and Compliance Counsel, I am frequently reminded of the importance of these documents because the Health Information Management (HIM) departments in our healthcare-provider client organizations often encounter situations where a family member requests a patient’s Protected Health Information (PHI) with a general or durable power of attorney. Unfortunately, unless those documents explicitly grant the authority to make healthcare decisions or to access the patient’s health information, the requester is not the patient’s personal representative under HIPAA, and without other documentation they may not be able to access the records. If the records were released anyway, the provider organization would be disclosing PHI to an unauthorized person, which is considered a breach under HIPAA.

It is best practice for HIM staff handling Release of Information to be specially trained on how to review these types of legal documents, because some durable or general powers of attorney do grant the authority to make these specific healthcare decisions, but many do not. Finalizing my durable healthcare power of attorney and living will gives me peace of mind that if the unthinkable were to happen, my husband would have proper guidance to manage my care in accordance with my wishes. That is definitely something worth celebrating.

For more information on ensuring your regulatory compliance and improving the workflow efficiency of your PHI disclosure process, check out MRO’s Vice President of Client Relations and Compliance Don Hardwick’s thoughts in this piece from For the Record.

This is the first of a five-part blog series discussing different legal issues surrounding Release of Information and PHI disclosure management. This blog post is made available by MRO’s privacy and compliance counsel for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. This blog post does not create an attorney-client relationship between the reader and MRO’s privacy and compliance counsel. This blog post should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

HIM: The Original Health Information Exchange(rs)

It wasn’t that many years ago that medical records consisted of reams of paper files stored in rows and rows of cabinets. It’s also not that long ago that fax machines were considered “high-tech.” Although the technology was lacking by today’s standards, health information management (HIM) professionals led initiatives around the exchange of patient health information, ensuring compliance with federal, state and facility patient-privacy policies.

Fast forward to today’s HIM department, where patient charts are digitized and can be electronically transmitted in a matter of seconds using electronic medical records (EMRs) and Health Information Exchanges (HIEs). Technology has changed the face of health information exchange, bringing about both challenges and opportunities that require HIM leaders to evolve their roles and keep pace with changing times.

For example, electronic exchange technologies are typically implemented by the information technology (IT) department without involving HIM professionals until late in the process. It is essential, however, that collaboration with HIM leaders occurs early in these HIE initiatives and throughout the process so they can offer their expertise and knowledge of best practices in information governance, workflow and compliance.

One way to get involved early in the planning and implementation is for HIM leaders to present potential exchange solutions to their IT peers. This requires research and education (and gumption). Often, a Release of Information (ROI) partner can be a great resource. A technologically advanced ROI company, in particular, likely offers some “HIE-like” solutions such as:

  • Direct Secure Messaging as a fax replacement
  • esMD (Electronic Submission of Medical Documentation) delivery to the Centers for Medicare & Medicaid Services for audits
  • Social Security Administration interfaces for automating the disability claims process

With their HIM expertise and technology capabilities, your ROI partner can equip you with solutions, help raise your levels of influence, and assist in bridging the gap between HIM and IT. By opening the doors of communication and collaboration, the departments can work as a team to electronically exchange health information in a secure, compliant and efficient way.

Check out our white paper, Finding the Right Partner for Integrated HIE, which discusses the benefits of partnering with a PHI disclosure management firm to implement HIE-based solutions.

For even more information, please attend our session on HIM and IT collaboration around HIE at the 87th Annual AHIMA Convention in New Orleans. We will be presenting with Susan Carey, MHI, RHIT, PMP, who serves as System Director for HIM at Norton Healthcare, at 10 a.m. on Wednesday, September 30, 2015. Look forward to seeing you there!

Preparing Your Healthcare Enterprise for Phase 2 OCR Audits

Earlier this year, MRO published a white paper, A Proactive Approach to PHI Disclosure Management: Strategies to Prepare Your Healthcare Enterprise for Phase 2 Audits. In the white paper, we shared the most up-to-date information about Phase 2 of the Office for Civil Rights (OCR) HIPAA compliance audits and offered tips to prepare for them by implementing an enterprise-wide approach to disclosure management.

While OCR’s widely anticipated Phase 2 audits are still pending, there has been some activity since publication of the white paper. Here are some updates:

Myth Busted

AHIMA’s June 4, 2015 E-Alert quoted from a FierceHealthIT article that pre-audit screening questionnaires had been sent to potential Covered Entity (CE) auditees. In preparation for an MRO presentation at the MSHIMA annual convention, we reached out to an OCR contact, who replied on June 12, 2015 via email: “The report is misleading. OCR has started verifying contact information of CEs. Pre-audit screening questionnaires have not been sent out.”

Sneak Peek

We also contacted attorney Adam Greene, a nationally recognized authority on HIPAA and the HITECH Act, who provided a link (look for the survey PDF titled “Survey 03 13 2015” under “Instrument File”) to the screening questionnaire. The web page suggests they are seeking 500 respondents.

Audit Focus

OCR’s presentation at the HCCA Compliance Institute in April confirmed that “desk audits” will focus on privacy, security and breach notification. The speaker also emphasized that the OCR will conduct onsite audits, as funds permit, in addition to desk audits. Key focuses by audit type are expected to be:

  • Privacy Rule audits: Notice of Privacy Practices and Patient’s Right to Access
  • Breach Notification audits: Breach Notification Policy, Breach Notifications to Patients, instances where Breach Risk Assessment concluded no breach, and timeline from discovery to notification
  • Security Rule audits: Security Risk Analysis and Risk Management Plan

It’s important to remember that complaints can trigger an investigation that may lead to a full-scale audit, so be ready for an onsite audit by reviewing the protocol on OCR’s website. The website states: “Please be aware that the protocol has not yet been updated to reflect the Omnibus Final Rule.” OCR is reportedly working on the audit protocol update now. Another task it is tackling is a method for sharing penalty amounts with harmed individuals. We suspect that the prospect of payouts will encourage more people to file complaints with OCR.

Being Prepared

What steps can you take now to prepare?

  • Make sure all documentation is up-to-date
  • Implement an enterprise-wide PHI disclosure management strategy
  • Invest in security technologies
  • Train your workforce (we can help)

The Ponemon Institute’s 2015 State of Endpoint Report: User-Centric Risk states that 78 percent of organizations cited employee negligence as the biggest security threat. Privacy and security compliance and breach prevention training are therefore critical, and it is key to make sure employees fully understand your policies and procedures for PHI disclosure. If an onsite auditor wants to evaluate your privacy and security culture, they will solicit information from non-management staff.

To learn more about OCR audits and tips for audit preparation, download our white paper today.
