
Test Blog

As of September 30, 2013, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) has received over 141,754 complaints. Over 24,500 of these led to OCR investigations, resulting in required changes to privacy practices, corrective actions or technical assistance. Another 15,746 of these complaints led to OCR intervention and provision of technical assistance without the need for investigation.

Forty-three of these breach and compliance investigations resulted in corrective measures, including three civil money penalties (CMPs) totaling over $7 million in fines.

My colleague Sara Goldstein, Esq., Vice President and General Counsel for MRO, and I recently gave a webinar, Lessons Learned from OCR Enforcement Actions, the first in an ongoing series of MRO-hosted privacy and security webinars. Here are some highlights.

Conduct Risk Analysis

Make sure your organization conducts regular and thorough risk analyses and assessments. Knowing where all Protected Health Information (PHI) is stored is a key part of developing a successful Information Governance (IG) strategy.

Follow through on findings from risk analyses and implement security measures that sufficiently reduce your organization’s risk of losing or compromising its PHI.

The Minimum Necessary Rule

Under the HIPAA Privacy Rule’s minimum necessary restrictions, Covered Entities (CEs) and Business Associates (BAs) must make reasonable efforts to use, disclose and request only the minimum amount of PHI needed to accomplish the intended purpose of the use and disclosure. A CE may not use or disclose the entire medical record for a particular purpose, unless it can specifically justify the whole record as the amount reasonably needed for the purpose.

For example, Triple-S Management Corporation paid $3.5 million after OCR determined it had disclosed more PHI than necessary to accomplish the purpose for which it hired an outside vendor.

Following the Minimum Necessary Rule is crucial to preventing breaches. Consider partnering with a disclosure management services provider. If Release of Information (ROI) is conducted in-house, proper employee training is critical.

Physical and Technical Safeguards

Use the HIPAA Administrative Simplification Table of Contents as your guide to ensuring that your HIPAA Policies and Procedures address all of the appropriate safeguards. This makes conducting risk analyses and potential audits easier because you can crosswalk your policies and procedures to the regulations.

Educate Workforce

Educate your workforce on Policies and Procedures and enforce these standards. Training for workforce members who use or disclose PHI should be provided on an ongoing basis. This is an essential step in preventing breaches, as many breaches occur during the normal ROI process due to unintentional employee actions.

Encrypt, Encrypt, Encrypt!

BlueCross BlueShield of Tennessee made a $1.5 million resolution payment in 2012 after 57 unencrypted computer hard drives containing the PHI of over one million individuals were stolen from a leased facility; the CE did not have adequate facility access controls.

Encryption is a saving grace, and electronic PHI (ePHI) should always be encrypted prior to release to avoid breach.

To learn more, fill out the form to request a recording of MRO’s Privacy and Security Webinar Series, Part 1: Lessons Learned from OCR Enforcement Actions.


Test Press Release

NORRISTOWN, Pa. – January 7, 2016 – MRO, a leader in secure, compliant and efficient exchange of Protected Health Information (PHI), today announced the addition of health information management (HIM) expert Rita Bowen, MA, RHIA, CHPS, SSGB, to its leadership as vice president, privacy, HIM policy and education. Bowen will ensure new and existing client HIM policies and procedures are up to code and drive the development, implementation and maintenance of MRO’s privacy and training programs. Previously, Bowen served as senior vice president and privacy officer for HealthPort, Inc.

“Rita is well-known and respected within the healthcare industry for her HIM leadership and industry expertise, and we’re excited to have her on board at MRO,” said Steve Hynes, CEO for MRO. “She brings an excellent perspective that will aid MRO in ensuring the highest levels of quality assurance and compliance while managing and disclosing PHI.”

Bowen comes to MRO with more than 30 years’ industry experience, holding a variety of HIM director and consulting roles. She is an active member of the American Health Information Management Association (AHIMA) and has served as its president and board chair, as a member of the board of directors, and on the council on certification. She has been honored with AHIMA’s Triumph Award in the mentor category, and she is the recipient of the Distinguished Member Award from the Tennessee Health Information Management Association (THIMA).

Bowen is also an established author and speaker on HIM topics and has taught HIM studies at Chattanooga State and the University of Tennessee Memphis.

“Being from Chattanooga, Tenn., I think my city’s motto ‘the right size and the right attitude,’ perfectly describes how I view MRO,” said Bowen. “MRO is the right size, and it has the right attitude. Integrity is a key principle in HIM, as well as to me personally; and MRO is a company based in honesty, integrity and high ethical standards. I look forward to joining an amazing team of professionals offering industry-leading services and technologies for HIM and other healthcare professionals.”

MRO is the standing KLAS Category Leader for Release of Information (ROI) and has been cited for having the highest quality and overall best performance in the ROI space in the KLAS “HIM Services Performance 2015: Coding, Transcription, Release of Information” report.

About MRO
MRO empowers healthcare organizations with proven, enterprise-wide solutions for the secure, compliant and efficient exchange of Protected Health Information (PHI). These solutions include a suite of PHI disclosure management services comprised of release of information, government and commercial payer audit management and accounting of disclosures. MRO’s technology-driven services reduce the risk of improper disclosure of PHI, ensure unmatched accuracy and enhance turnaround times. MRO additionally supports its clients’ current and future initiatives, including interoperability, meaningful use and health information exchange. To learn more, visit


Defining OCR Patient Access Guidelines


In the September issue of the Journal of AHIMA, some of my colleagues and I authored an article outlining the Office for Civil Rights’ (OCR) guidelines for patient access to health information. Providing individuals and their designated personal representatives easy access to their health information is prescribed by the HIPAA Privacy Rule, and is one of the OCR’s most important mandates. While the OCR’s guidance did not change HIPAA regulations, it is recommended procedure for audits.

The OCR is developing further clarifications and guidance to clear up challenges and confusion surrounding their frequently asked questions (FAQs) published in early 2016. During AHIMA’s 14th Annual Hill Day and Leadership Symposium, Deven McGraw, deputy director of the OCR, stated the initial clarification published on the OCR website still contained gray areas, stemming from the OCR’s desire to give patients more access to their health information, while promoting more engagement with health outcomes.

Patient requests for access to health information vs. third party requests

One area of confusion is the difference between a patient’s right to access health information and third-party Release of Information (ROI) requests requiring the patient’s signed authorization.

Requests for copies of Protected Health Information (PHI) made by patients and their personal representatives – individuals with authority under applicable law to make healthcare decisions on behalf of the patient – do not need accompanying HIPAA-compliant authorizations. Only requests made by third parties must be accompanied by HIPAA-compliant authorizations.

Covered Entities (CEs), however, can require patients and their personal representatives to submit their requests for copies of PHI in writing, though they may not require patients and personal representatives to come onsite to their facility to request in person, nor can CEs require patients to submit their requests via web portal or through the mail. CEs can also require patients and their personal representatives to complete a designated form when requesting health information, “provided use of the form does not create a barrier to or unreasonably delay” patient access to PHI. Additionally, it is not recommended for providers to ask patients for a description of purpose regarding the information requested; while it is not prohibited to ask, denying access based on the answer is prohibited.

If a patient or their personal representative wants to direct a CE to send copies of the patient’s PHI to a designated third party, the request must be in writing, signed by the patient or the personal representative, and clearly identify the designated recipient and where to send the PHI.

Other dos and don’ts of patient access to health information were summarized in the Journal of AHIMA article.

As the OCR continues to define guidance for patient access to health information, it is important for providers to allow patients easy access to their PHI.
