Recently, my colleague Anthony Murray and I presented Watch List: 2021 Privacy and Security Trends as part of the MRO 2020 Webinar Series. During this presentation, we highlighted the key areas of privacy and security within health information management (HIM) that professionals should be aware of during 2021.
First, I discussed the trends we should see in the privacy arena:
- HIPAA Notice of Proposed Rulemaking (NPRM)—Since HIPAA has not been updated for many years, it was time to address gaps between the existing HIPAA rule and the new Interoperability rule. Although the NPRM has since been released, there is still time for things to change. Looking ahead, I encourage you to take advantage of our upcoming webinar in March on this specific rule, where I will analyze the details with my colleague Angela Rose.
- Patient Right of Access—A new policy change that also came out of gaps within HIPAA was the Patient Right of Access, which allows patients to more easily get their records for themselves or direct them to a third party. An item of note from 2020 was the Ciox v. Azar case, which determined that if the third party is not making healthcare decisions for the patient, then the third party can be charged state rates to get the records. To ensure patients have access to their medical records, the Office for Civil Rights (OCR) has cracked down on enforcement of this rule. To put this into perspective, we have seen 14 actions since August of 2020. As this is another hot topic for 2021, I encourage you to attend my upcoming webinar in February on this specific issue.
- New Patient Identifier—While this is not a new concept, AHIMA, AHIOS and other associations recently expressed their support for its implementation. Though some people argue that NPIs could threaten patient privacy, we should be on the lookout for this to make some headway in 2021.
- Interoperability—We have spoken a lot about this topic in 2020, and it will continue to be a hot topic for 2021. All HIM leaders need to look at their processes and the requirements of the rule in preparation for compliance and enforcement coming in 2021! To find out more and assist in your preparations, visit our 2020 Information Blocking Webinar Series landing page, and stay tuned for more sessions in 2021.
Next, my colleague Anthony Murray discussed security trends for 2021:
- COVID-19 Effect—As many of us know, there was a telehealth boom in 2020 due to the pandemic. And because telehealth is likely here to stay, organizations must prepare for updated regulations and guidelines regarding telehealth vulnerabilities, such as breaches. Currently, the OCR is not pursuing breach penalties because we are still considered to be in a national public health emergency. However, that time is ending and we can expect enforcement to resume in 2021. This means that all organizations should make sure their policies and procedures are in place. To ensure your organization is ready, it is critical to complete a risk assessment, document potential risk, and conduct employee education and training. For more telehealth tips and ideas, visit the webinar Anthony and Angela presented in October 2020.
- Ransomware—In October 2020 an alert was released regarding the tactics, techniques and procedures used by cybercriminals targeting the healthcare sector to gain access to protected information. These bad actors use ransomware, a form of malware designed to encrypt files on a device, rendering any files and systems unusable. These malicious actors then demand a ransom in exchange for decryption or release of the information. While the exact motive is usually unclear, they typically do it for espionage or financial reasons. Organizations now need insurance to cover a ransomware attack resulting in payment to the bad actors. Once the attackers are paid, they continue to use ransomware to make more money. To prepare your organization, we recommend four steps: establish a plan, run tests, provide education and create a backup plan.
- Other 2021 Predictions:
  - 5G networks—While it’s a great thing for many individuals, remember that bad actors will also have access to this new and improved network function. As this continues to roll out, security teams should monitor these networks to protect their organizations.
  - Cybertechnology—AI and machine learning will help us in threat detection, but again, bad actors will also have access to this technology.
As we look forward in 2021, it is imperative that we all stay on top of privacy and security trends by remaining vigilant, compliant and safe in our daily operations. I encourage you to view the recording of this presentation, and stay tuned for many more webinars to come in 2021. Education is essential to preventing any privacy or security mishaps.
MRO’s four-part special webinar series regarding the Interoperability Rule will teach attendees how this rule helps healthcare data and systems become more standardized, so that data can be exchanged seamlessly. Even if you and your organization are already making strides toward achieving interoperability at your facility, you can benefit by continually learning more. The Interoperability Rule, which consists of over 1,200 pages, probably seems daunting. Therefore, we created these expert-led sessions to break down the rule for you, since the rule has major compliance implications that your organization needs to prepare for.
Highlighted below are the four sessions included in our webinar series.
Information Blocking and the Interoperability Rule
Information Blocking: Setting the Stage – Lauren Riplinger, AHIMA
The first session of the Information Blocking webinar series, presented by an AHIMA staff member, provides an introduction by setting the stage for the other sessions. Attendees will learn the history of information blocking as well as the legislative background of the 21st Century Cures Act. They will also take a deep dive into the intended goals of the rule, and how the ONC got to the current state we are in.
Information Blocking and Interoperability: Decoding API Elements, Incompatibilities, and the Role of HIM in Technical Developments – Jeff Smith, AMIA and Diana Warner, MRO
The second session of the Information Blocking webinar series breaks down the technical developments and considerations from the ruling. Jeff Smith from AMIA will highlight the informatics and the technical compatibility requirements, as well as delve deeper into the technical aspects of the ruling and what it means for supporting CIOs and their teams. Specializing in information governance, Diana Warner from MRO will then guide attendees through the special considerations for HIM teams.
Information Blocking and HIPAA: Road to Compliance – Rita Bowen, MRO and Angela Rose, MRO
The third session of the Information Blocking webinar series, presented by two of MRO’s industry experts, analyzes the rule with a focus on HIPAA. Attendees will be immersed in a discussion around critical aspects of the rule and explore ways to operationalize its requirements to achieve compliance. Furthermore, they will take away tips and strategies to share with their organizations to guide planning efforts for success.
Information Blocking: Looking Ahead – All Webinar Presenters
The fourth and final session of the Information Blocking webinar series features a roundtable panel discussion from all the previous presenters. This session will briefly summarize what attendees learned during the first three sessions, as well as discuss what comes next. Attendees will learn practical enforcement mechanisms, OIG timing and enforcements, and possible penalties. The expert panel will also provide answers to the most frequently asked questions from the entire series.
Please join us for the first webinar, presented by Lauren Riplinger, JD, from AHIMA, Information Blocking: Setting the Stage, on June 11, 2020 at 2 pm ET.
As our current climate continues to change day by day, I thought it would be beneficial to share some best practices for security awareness. While this is certainly not all-encompassing, many of these practices can be applied not only to your organization but also to your personal life.
Working from Home
Due to the COVID-19 pandemic, many of us are now working from home. Unfortunately, cyber criminals will continue to target individuals and organizations with phishing campaigns in the hopes of exploiting vulnerable systems and services. While working from home, everyone must remain vigilant and keep an eye out for suspicious activity. Here are some of the most effective ways to protect yourself while working at home:
- Secure your wireless network router at home, and make sure to change the default admin password. Also enable WPA2 encryption and use a strong WiFi password for the wireless network that you created.
- Be aware of all the devices you have connected to your network, including baby monitors, gaming consoles, Alexa, Google Home, TVs, appliances or even your car. Ensure that each device is protected by a strong password and that the operating system is kept up to date. You should enable automatic updating whenever possible, so that you don’t forget. This includes your cell phone and computer as well.
- Make sure every account has a separate, unique password. If you can’t remember all your passwords, consider using a password manager to securely store all of them for you. Some of our (free) favorites include LastPass, Dashlane and Keeper.
- Keep your account secure by using multi-factor authentication or two-factor authentication. Whenever this feature is offered, you should absolutely use it. When you log in, both your password and a code sent to your mobile device are needed. For example, you might use it for banking, Gmail, Dropbox and various social media sites.
- Make sure antivirus software is installed on your personal computer. Chances are your work computer already has this software from the corporate level. Some free options for personal computers (Windows, Mac and even smartphones) include Sophos Home, Bitdefender and Avast.
- Use your common sense! If an email, phone call or online message seems odd, suspicious or too good to be true, then it probably is.
Using Social Media
While most people use social media for personal reasons rather than for business, almost everyone has a LinkedIn account, which is considered social media but is designed for work purposes. Regardless of the social media platform you use, here are some friendly reminders to ensure stronger security awareness:
- Use social media wisely. Once it’s out there, it will never permanently come down, even if you think that it has!
- Apply the strongest privacy settings possible to ensure your privacy and protection.
- Enable multi-factor authentication. If someone is trying to hack your account, you will know immediately and can remedy the situation quickly.
- Don’t share personal information on business accounts. And don’t share business information on personal accounts.
If you are working from home, and believe you have been hacked, how can you tell? This can be more challenging if you’re accustomed to being in the office and reporting an issue to your IT/Security team in person. Here are some signs that you’ve been hacked:
- Your antivirus program triggers an alert. That’s why you should always install an antivirus program.
- Your password no longer works, but you know it is correct.
- You get a pop-up message stating that your computer is infected, and you must pay a ransom or call a phone number to fix the problem.
- You believe that you have accidentally installed suspicious or unauthorized software.
- Your friends and coworkers are receiving odd messages from you that you never sent.
- Your browser takes you to a random website that you can’t close.
Maybe more important, what can you do if you believe that you have been hacked? If the equipment in question belongs to your organization, always consult the appropriate department or person. At MRO, our employees are directed to contact the IT department. Don’t try to fix the problem. Stop what you are doing and report the problem right away. If it’s your personal equipment that has possibly been hacked, contact a local business for assistance. However, if an account such as LinkedIn has been hacked, then contact LinkedIn support for assistance. Getting help from a knowledgeable professional is always the best course of action when you are hacked.
Whether you are working from home or using a personal device for leisure, being proactive and vigilant can help both your organization and you practice better security awareness and protect your important online accounts.
There are times in a person’s life when resilience is tested. As I reflect upon this pandemic, I feel hopeful. I say this because time and time again, we Americans have risen to challenges such as natural disasters, 9/11, the Great Depression, rationing during wars, etc. I remember the extraordinary story of people forming a human chain into the ocean to rescue someone drowning. I remember how I was assisted after Hurricane Katrina, and we recently saw volunteers lined up in Nashville to assist tornado victims. One of my city leaders said, “We have to face this with storm coming mentality. That’s when we check on our neighbors and make sure they have a plan, especially elderly neighbors. Let’s make sure they have groceries or whatever they need to stay home and stay safe.” I love this sentiment, that in a crisis, we band together where the fate of us all matters more than the individual. Surrender the ME to WE!
In wars, natural disasters, or pandemics, we are called upon to be our best selves. It’s time for you to ask the question, “How can I be my best self in this pandemic?” Staying calm and collected is important. Anxiety about the future just inflames your immune system. Live in the present. The past is done, the future cannot be controlled, but the present is the state in which to live and appreciate the little things. Minute by minute, hour by hour, day by day. Preparation is important in a possible quarantine situation. Yes, buy groceries for a couple of weeks, but don’t hoard. I know someone who was worried about families who don’t have childcare, and she decided that she would volunteer to babysit. How generous, she will make a difference and leave this world a better place.
Psychologist Gretchen Schmelzer wrote, “For most people worldwide, this virus is not about you. This is one of those times in life when your actions are about something greater, a greater good that you may never witness. A person you will save who you will never meet. This isn’t like other illnesses and we don’t get to act like it is. It’s more contagious, it’s more fatal—and most importantly, even if manageable, it can’t be managed at a massive scale anywhere. We need this to move slowly enough for our medical systems to hold the very ill so that all can be cared for. There is still cancer, heart attacks, car accidents and complicated births. We need to be responsible because medical systems are made up of people and these amazing healthcare workers are a precious and limited resource. They will rise to this occasion and work to help you heal. They will work to save your mother, father, sibling, grandparent or baby. For that to happen, we have important work to do. Yes, you need to wash your hands, stay home if you are sick and comply with all social distancing rules. But the biggest work you can do is to expand your heart and your mind to see yourself and your family as part of a much bigger community that can have a massive impact on the lives of other people.”
I’ve already seen amazing stories happening: the patron who left a $3,000 tip at a restaurant for workers to split, people delivering groceries to those in need, stores dedicating hours for elderly shopping and many more. Let’s share these stories to encourage others. Imagine if we can make our response to this crisis our finest hour. Hopefully, we can look back and tell stories of how we came together as a team in our community, our state, our nation and across the world. Your contribution to the finest hour may seem small—but every small act of kindness adds up exponentially to save lives.
At MRO, we have an incredible team and a culture we’re so proud of. I recently shared with our team that if they start to feel stressed, they should take a deep breath and practice mindfulness. One thing that always works for me is to name 5 things for which I’m grateful right in this moment. It eases your anxiety. Rely only upon reputable sources for information. Unplug for a while to de-stress. Now is a great time to journal your daily thoughts. You’ll appreciate reading them in the future.
Interested in learning more? Request the playback of my recent webinar, Effective Leadership During COVID-19.
On December 11, 2019, I joined my colleague Danielle Wesley, Esq., Vice President and General Counsel, to present the fourth and final installment of MRO’s PHI Disclosure Management Webinar Series. In this webinar titled “Clearing the Confusion: Attorney Misuse of Patient-Directed Record Requests and How to Cope,” we reviewed trends and national efforts underway, discussed how the health system is impacted and formulated tactics to combat the confusion.
Patient-Directed Request Trends
The OCR’s 2016 guidance on patient access was meant to remove roadblocks for patients and their personal representatives when requesting medical records or PHI. However, instead of adding more clarification for healthcare provider organizations, the 2016 guidance opened the door for third-party requesters and attorneys to inappropriately request medical records under the guise of patient-directed requests, resulting in mounting challenges for healthcare providers. Recently, we have begun to see the following trends:
- Attorneys and other third parties have increased the number of “patient-directed” requests and are using the records for their own for-profit activities—such as litigation or data sharing/selling.
- Such requests demand that records be sent directly to the third party but be billed at the patient rate under the HITECH Act.
- Use of the phrase “any and all” has led to a rise in page count per request. This phrase is used as an attempt to receive all PHI regarding a patient, not just the specific encounters or visits that are relevant to the litigation.
- An increase in the submission of meritless complaints to release of information companies such as MRO, their clients, and the OCR has resulted in more time and effort to respond to baseless complaints, which ultimately generates greater operational costs.
These trends are concerning for release of information companies and their clients because attorneys and record retrieval companies are able to obtain large volumes of essentially unrestricted, unregulated PHI at lower fees by using generic, template forms. Furthermore, patients are unaware of the risks associated with the documents they are signing and are not actually providing “informed consent.” Such risks include:
- No acknowledgement of HIPAA rights
- No expiration date, allowing third parties to copy and use the “patient-directed” request letter indefinitely
- No restriction on sensitive information regarding HIV, sexually transmitted diseases, psychotherapy notes, substance abuse and more
Health System Impacts
As the misuse of patient-directed requests grows, so does the impact across health system departments. Not only does this issue directly affect the Health Information Management (HIM) department, it also affects the Compliance and Legal/Risk Management departments.
HIM departments must mitigate patient privacy risks while managing an increase in volume, workload, costs and staffing.
Compliance departments are concerned about OCR incrimination, which results in knee-jerk responses versus well-informed actions. There is also a lack of time and resources to appropriately push back on meritless attorney complaints and threats.
Legal and Risk Management departments face OCR complaints and outside attorney pressure, and lack understanding of the steps and costs required to fulfill requests for medical records. For all parties involved, proper training is needed to mitigate risk and take appropriate action in response to attorney requests and patient-directed requests.
PHI Disclosure Management: Recommendations for Organizations
All health systems and organizations should have a plan in place to combat attorney misuse of patient-directed requests. Here are four simple, yet effective tactics:
- Provide HIPAA training and education throughout your organization, particularly focused on patient access and patient privacy. Include departments such as HIM, Legal, Compliance, Risk Management, Finance, etc.
- Recognize this as a long-term problem that cannot be resolved effectively by short-term solutions. Consistency is essential; begin by understanding your responsibilities set forth in your organization’s HIPAA-compliant Notice of Privacy Practices.
- Don’t be afraid to push back. Engage with the OCR whenever possible since it is critical that they hear from your organization directly. MRO’s most successful clients have taken a strong stance for their patients and against third parties misusing patient access.
- Contact your representatives and senators to share your concerns regarding misuse and abuse of patient-directed requests from attorneys, record retrieval companies and other third parties. Specifically, contact members of the Health, Education, Labor and Pensions (HELP) Committee.
Continuing Education for the Misuse of Patient-Directed Requests
As we begin the New Year, Danielle and I will continue to educate our client base by hosting webinars, publishing additional content and visiting Capitol Hill alongside other industry experts. Stay connected and view the latest updates by following us on our social media platforms.
To learn more about the misuse of patient-directed record requests, fill out the form below to receive a copy of this webinar.