3 Ways to Mitigate Breach Risk

Serving aboard a nuclear powered, fast-attack submarine in the early 90’s, we once conducted naval war games with surface fleets of several nations off the coast of Portugal.  On one operation, our mission was to hunt and “destroy” an aircraft carrier (a rather large target), while avoiding anti-submarine warfare (ASW) tactics deployed by “enemy” aircraft and other surface vessels tasked with finding us and protecting the “mother ship”.  After several hours of a series of evasive and well-executed maneuvers conducted by our highly skilled captain, we were able to position ourselves close enough to the carrier to launch a flare (out of a 3” launch tube) onto the deck of the massive ship signifying that we had accomplished our goal.  I recall there seemed to be something rather gratifying in bringing down such a large target - even if pretend.

Speaking of large targets, it’s no mystery that the healthcare industry is the target of many nefarious groups bent on exploiting healthcare organizations’ weaknesses and having their way with them.  While their main goal may not be to sink the organization per se, they certainly go a long way toward accomplishing that with the havoc they create.  According to Becker’s Hospital Review, more than 27 million patient records were breached in 2016.  Of those, hacking and ransomware alone were responsible for well over 7 million.  Both Becker’s and Health Data Management confirmed that providers were among the top targets for cyber attacks in 2016.

Besides testing military skills and tactics, an important aspect of playing war games is to identify potential weaknesses that can be exploited, learn from that information, and then implement measures going forward that will help avoid risk of loss, thus making the ship a stronger force to contend with.  We mentioned doing a risk assessment in a prior article, but as HealthITSecurity.com points out, “healthcare risk assessments are not only required under HIPAA regulations, but can also be a key tool for organizations as they develop stronger data security measures.”  The goal is to ensure that Protected Health Information (PHI) stays secure.  Risk assessments are the first way to mitigate risk.

Training, training, training.  The submarine days were filled with it.  Training and re-training on specialized equipment.  Battle stations training at shore-based simulator schools.  We even conducted training exercises whereby we would simulate being underway while remaining tied to the pier.  Training is the second way to mitigate risk.  The basic concept behind training is that doing the right thing should be automatic.  Doing the correct actions should be behaviors we shouldn’t need to think a whole lot about, and training helps ensure this is possible.  We’ve mentioned this article before regarding guidance on setting up a training program, but outside resources such as HIPAATraining.com may be an investment worth looking into.  This website has a HIPAA Security Training course available for $30 per individual which, among other things, covers safeguards required to protect the security of protected health information in electronic form.  Security awareness solutions may be another avenue in helping to adequately train staff to further protect your organization from hackers and ransomware.

The third way to mitigate risk is through encryption.  I can’t speak regarding submarine communication activity and data security measures, as they were mostly outside my job responsibility.  However, one shouldn’t have to reach too far to consider that for a submarine to retain its tactical advantage, its communication and data must remain secure.  Trend Micro reveals that not only is the healthcare industry the most frequent victim of data breach crimes, but both Personally Identifiable Information (PII) and healthcare data (because it contains PII) are the most popular record types stolen.  Data encryption is a tactical defense every healthcare organization should employ in managing electronic protected health information (ePHI).  Encrypting these sensitive records, both at rest and in transit, is an important step in the direction of mitigating risk.  As a leading release of information company, ChartRequest uses industry-leading data protection and military-grade security policies combined with full 256-bit SSL encryption, 2048-bit private keys, and AES multi-layered encryption for all documents and data, both at rest and in transit.  In fact, we force the https:// standard for all desktop, mobile, web and API communication features, protecting against unauthorized access over wireless and wired networks.

Unfortunately, healthcare organizations are the big ship that can’t be missed in the middle of the ocean of organizations, and they are being targeted by criminals who work hard to compromise ePHI.  Let the 27 million breached records in 2016 serve as a flare warning on the deck to let us all know, we’ve got to do what it takes to mitigate risk for our respective organizations.  The three areas - identifying weaknesses through risk assessment, consistent training, and data encryption will go a long way in winning the war against Healthcare data breach!

If It Ain’t Broke, Don’t Fix It

There are several approaches to releasing Protected Health Information (PHI).  Methods are often driven by the size or the specific needs of the organization.  Some providers set up workflows, got them underway some time ago, and they sort of just worked.  Any pain in the process may not be immediately evident, or perhaps the problems pale in comparison to other internal workflow concerns.  The old idiom “if it ain’t broke, don’t fix it” sounds fantastic on the surface, but like an illness left untreated for too long, there will come a day it can no longer be ignored, perhaps with devastating consequences.

Taking the time to examine the viability of your current Release of Information (ROI) process may reveal security vulnerabilities, potential compliance violation pitfalls, or possibly a shortfall in projected revenue (some even find they are operating at a loss).  Categorically speaking, there are two approaches to managing the process of releasing medical records: insourcing and outsourcing (or a hybrid of the two).

Insourcing means that healthcare providers prefer to do ROI themselves.  Everything appears to be running smoothly and they enjoy the revenue gained from invoicing for billable records.  It is interesting how many providers feel this way, yet are unable to quantify the number of records they process on a weekly or monthly basis.  Does the income from an unknown number of requests truly outweigh the expense of the various cost centers associated with ROI?  That said, insourcing can be and is a solid alternative, but carve out some time to examine afresh whether it’s still the best option for your medical practice.  Also, look again at your insourcing approach and make sure you are avoiding the following pitfalls.

The Whoever’s Available Approach – Expediency is a pitfall one should always be cautious of.  This may be more typical in very small practices, but size does not provide a free pass for compliance violations.  Process consistency, staff training, and other procedural concerns are top of mind here.  Consider ways to consolidate roles and responsibilities for this task, and ensure that policies and procedures are known and followed by all employees involved.

The Get a Fax, Push a Button Approach – Simplicity is great when it doesn’t come at the expense of compliance.  Simply getting the fax request, looking up the patient records in the EHR, compiling what’s requested, and pushing a button is not going to suffice.  The release of medical records is characterized by high levels of complexity and risk that must be carefully accounted for.  There are critical, strictly regulated steps that must be followed to ensure that both patient information and healthcare organization liability are always protected.   And, as we’ve mentioned before, simply placing a note in the patient EHR record, “sent on this date to John Smith Law Firm,” falls short of compliance standards.

The Multi-Department Approach – Convenience based on entry points makes a lot of sense for larger organizations.  Unfortunately, having multiple points of release significantly increases risk.  Compliance officers lie awake at night worried about whether all the requests have been entered in the disclosure management log, or whether all the staff at various locations are following protocol.  Consider how you may be able to centralize this process and create a single point of release.

Outsourcing ROI, whether in full or in part, is an alternative chosen by providers for various reasons.  Providers in this category want to reduce administrative costs; free up staff to focus on other core competencies; reduce compliance worries, costs, and effort; or provide faster turnaround times (and happier patients).  With the increase in insurance audits and other third-party requestors, this option has gained a lot of popularity of late.  Still, it may be time to take another look at your outsourcing provider.  Remember that just having a signed BAA does not free your practice from all liability.  Have you evaluated the Business Associate’s privacy and security policies and practices?  Do they have an Incident Response Plan (IRP)?  Reevaluate what they provide and what their approach to servicing your account is:

The Guy Who Comes by Once a Week Approach.  This may be a small, local copy service, or the 10,000 lb. gorilla release of information company.  They may use their own equipment and resources, or they may use yours.  They may access the EHR on site or leave with the requests and do it remotely.  How are the requests fulfilled?  Are they still faxing or mailing everything (more risk)?  What is the real turnaround time?  Are they staffing up onsite?  Is that necessary?  Are there other ways to improve the process?

The Copy Service Has Us Covered Approach.  Perhaps the ROI company is operating remotely.  One option is that the medical practice still gets all the requests via fax and mail, but must then input and electronically transmit them to the outsource company.  Is this the best use of your staff’s time?  Thankfully, some ROI providers offer a level of service where calls and faxes can be routed directly to them.  The beginning and the end of the process are the concern here.  Again, how are they delivering the records once they get the requests?  Mailing and faxing everything is an antiquated approach inherently predisposed to exposure risk.  And what about when the process starts?  Rather than have the requestor fish around on your website to find a form to download, fill out, and fax, what if they could be provided with an easy-to-find landing page where they could log in and make a request that gets transmitted directly to the insourced or outsourced staff member who handles the requests?  Why not provide a better customer experience on the front end as well as the back end of making the request?

Whichever approach you take to ROI, it may not be broken per se, but it may well be worth your time to make it better.  For the sake of those you serve, for the sake of your staff, and even for your own sake, we invite you to take a fresh look at ROI through the eyes of ChartRequest.  If you currently insource, give us the opportunity to show you what’s possible (you can even continue to insource while leveraging the ChartRequest platform).  If you already see the value of outsourcing, then you owe it to yourself to become more familiar with ChartRequest’s release of information services, and how we may better serve your ROI needs.

No Audit – No Worries. [7 Steps You Should Take to Prepare Anyways]

The second phase of the Department of Human Services HIPAA Audit program got underway last summer with a little over 200 desk audits; your number wasn’t picked out of the hat, so you must be off the hook, right?   In early December, an Office of Civil Rights (OCR) official stated that on-site audits for a small number of hospitals (perhaps up to 50) would occur in 2017.  Great news, you’re not a hospital, so you’ve dodged the bullet again, right?  The reality is that of the tens of thousands of Covered Entities that exist today, the odds were extremely low to begin with that you would have been picked for the HIPAA Phase 2 audit.  No worries.

Per HHS.gov, “the audits are primarily a compliance improvement activity,” and they tell us that one of their main objectives is to leverage the audit information gathered to “develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches.”  Perhaps the audit itself was never anything to fear due to their good intentions (the OCR Director stated clearly on a webinar that this is not a punitive process), but don’t miss the rest of their website copy: “Should an audit report indicate a serious compliance issue, OCR may initiate a compliance review to further investigate.”  The fact that an audit can lead to a compliance review is cause for concern as it is from these that enforcement actions ensue and fines result.  But again, no audit, no worries, correct?

Incorrect.  A compliance review isn’t just the result of an audit gone wrong.  Remember the data breach you are required to report at the end of the year?  That can trigger a HIPAA compliance review.  Historically it seems that mostly larger breaches (involving 500 or more individuals) were pursued, but as we mentioned in an earlier article, the OCR announced last summer that it was increasing its efforts in investigating breaches involving 500 or fewer individuals and that these events would be subjected to closer scrutiny by their regional offices.  Moreover, a HIPAA compliance review can be triggered by a HIPAA-related complaint filed against a Covered Entity, and that is easy for someone to do.

So, you didn’t get caught in the HIPAA Audit program phase two dragnet, but that doesn’t mean that compliance should not be a top-of-mind concern for you.  Here are 7 steps you should take to prepare anyways.

  1. Formally review your compliance program to ensure that you are in proper alignment with the HIPAA and HITECH Act.  Be sure to document what you do, and make necessary changes to your current policies and procedures.
  2. Closely related to this is to conduct a formal risk analysis.  If you’ve done one in the past, but it has been a while, another analysis is likely prudent.  It will help ensure compliance with HIPAA’s administrative, physical, and technical safeguards, and will also help reveal areas where your organization’s protected health information (PHI) could be at risk.  You can download the free analysis tool here, and check out the tutorial here
  3. List every outside company that helps run your organization and evaluate whether they handle any PHI.  Be sure that Business Associate Agreements are in place, and take the time to evaluate their risk of HIPAA breaches as you may still suffer legal consequences for their mistakes.
  4. Train.   Train every new hire.  Train when you update policies and procedures.  Train at least once per year.  Document all of it.  Here’s a great article to get you up to speed on training.
  5. Make sure you have a subject matter expert on staff, or get a staff member some specialized training to make them a subject matter expert.  This person can be responsible for spearheading the completion of the aforementioned steps, and be the point person when compliance issues or audits arise.
  6. Get legal advice or hire a consultant.  These support teams can help ensure HIPAA compliance as well as help ensure that a HIPAA compliance review will not result in any fines.  In short: peace of mind.
  7. A final consideration is to ensure that you buy software and technology that will meet HIPAA standards.  The last thing you want to do is invest in technology that will set you back in your compliance efforts.  You want to move forward.  Disclosure management software such as ChartRequest, which streamlines the ROI workflow, can help you meet HIPAA standards.  For instance, many practices feel that simply adding a note in the patient’s chart that says something to the effect of “records were sent to John Smith Law Firm today on this date” fulfills the accounting of disclosures requirement.  This is not compliant, and ChartRequest can automate this process to provide an accounting of disclosures which fully meets HIPAA standards (see § 164.528 Accounting of Disclosures of Protected Health Information, and this AHIMA article for more information).

According to the “Overall Cause Analysis” presented by the OCR following Phase 1, the leading cause of non-compliance was unawareness of the requirement.  Other causes noted were incomplete implementation and complete disregard.  If you are currently being audited, those factors may give way to a HIPAA Compliance Review.  However, if you’re not currently being audited, why not make sure that you’re fully informed and fully implementing policies and procedures which conform to current compliance standards?  These measures will let you declare, from a different footing and with a better kind of confidence, “no audit – no worries.”

eROI & HIPAA – ChartRequest Has It Covered

You need better process efficiency as it relates to releasing Protected Health Information (PHI), and you recognize the role that technology plays in getting you there, but you are uncertain whether PHI security will be sacrificed at the altar of the more powerful and productive workflow that technology provides.

Naturally, document security and compliance should be at the top of everyone’s mind, especially since PHI has not only become more of a target for hackers in recent years, but Covered Entities also face the possibility of stiff penalties for data breaches based on the degree to which these occur.

We get it.  You need peace of mind, and ChartRequest has got you covered.  Check out this white paper explaining how we address security and compliance as it relates to the Release of Information (ROI) process. 

Know that ChartRequest, under the HIPAA privacy rule, operates on behalf of the Covered Entity as a Business Associate, and takes every measure to appropriately safeguard PHI.

Under the HIPAA security rule, ChartRequest has implemented appropriate “technical safeguards…that protect electronic protected health information and control access to it.”

Technical safeguards that ChartRequest addresses include access control measures; person or entity authentication requirements; transmission security protocols; audit control operations; and data integrity efforts.

Check out the white paper and feel confident that you can move forward with process improvements that employ additional technology because ChartRequest’s HIPAA-Compliant Disclosure Management platform has you covered!

Top 6 Mistakes Made When Releasing Medical Records

Releasing medical records may not be one of the favored tasks in the healthcare field, but regardless of how one feels, there is a propensity for human error when processing these requests.  Mistakes can and do happen; perhaps it is because of the mundane nature of the process, or maybe the fact that individuals feel pressured and are rushing to get back to patient care, or possibly because it often boils down to a manual and time-consuming process.  Whatever the reasons, errors do occur, and we want to minimize those as much as possible.

Release of information (ROI) mistakes never result in a favorable outcome.  At a minimum, mistakes turn into more work that needs to be performed.  The worst-case scenario, of course, is that mistakes can result in significant monetary penalties.  The reality is that no one wants to work harder than they need to, and no medical record custodian wants to receive a financial setback due to negligence.  Since liability rests solely with the medical records custodian, finding ways to limit mistakes, and perhaps even to limit some of the human interaction that leads to those mistakes, is prudent.

The following is a quick overview of six common mistakes as they relate to ROI.  Keep in mind that there is no intent to provide an exhaustive explanation of each point, but simply to highlight some thoughts in each category.  Each of these relates to some area of compliance:

  1. Ensure that a valid authorization has been received. Verify the correct information is present (patient’s name, enough information about requestor and what’s being requested, etc.), and ensure that the person making the request has the legal right to do so.  Moreover, check to make sure it has been signed by the appropriate person.
  2. Are you processing the record for the correct person?  Don’t just go by the name.  Leslie Smith can be a male or a female, so use as many patient identifiers (date of birth, dates of service, etc.) as necessary to ensure that you have the correct patient record.  
  3. Process requests in a timely manner.  While medical records must be made available to the requestor within 30 days under the HIPAA requirement, state law may be more stringent (10 days in Montana, 15 days in California, 21 days in Maryland, etc.).  Special consideration should also be given to the type of request being made.  Clearly one shouldn’t push off a continuity of care request for three weeks when the patient has an appointment with another provider in a few days.  Other considerations must be given to unique requirements under Meaningful Use, or to attorney-issued subpoenas and commercial insurers.
  4. Verify what is being sent.  QA the documents that are being placed in the envelope or on the fax machine and ensure that they are not only correct, but that they contain the minimum necessary information (only the information that was requested and within the dates requested). 
  5. Verify where it is being sent.  Double check you’ve written the correct mailing address or typed in the right fax number. ChartRequest can help mitigate this type of exposure risk by virtually eliminating the need to ever mail or fax records.  
  6. Maintain a log of all disclosures.  The disclosure audit requirement mandates that a disclosure management log be kept for up to 6 years; therefore, be sure to enter every single request along with all the required elements to be recorded.
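The six points above amount to a checklist that can be run mechanically before a record leaves the building.  The following Python is an added illustration of that checklist, not ChartRequest’s software; the 30-day federal window, the Montana, California and Maryland deadlines and the 6-year log retention are the figures cited above, the required accounting-of-disclosures elements follow 45 CFR § 164.528(b)(2), and the field names and sample data are constructed for the example.

```python
"""Release-of-information (ROI) request and disclosure-log checks.
Added illustration of the six mistakes above; not ChartRequest code.
Deadline figures and the 6-year retention are the ones the article cites;
the required log elements follow 45 CFR 164.528(b)(2).  Field names and
all sample data are constructed for this example."""
from datetime import date, timedelta

FEDERAL_DAYS = 30                              # HIPAA access window cited above
STATE_DAYS = {"MT": 10, "CA": 15, "MD": 21}    # stricter state limits cited above
RETENTION_YEARS = 6                            # disclosure-log retention cited above
# Elements every accounting-of-disclosures entry must carry (45 CFR 164.528(b)(2)).
REQUIRED_LOG_FIELDS = ("date", "recipient", "phi_description", "purpose")
# Elements of a valid authorization per point 1 above (field names assumed).
REQUIRED_AUTH_FIELDS = ("patient_name", "requestor", "records_requested", "signed_by")


def due_date(received: date, state: str) -> date:
    """Deadline is the stricter of the state limit (if any) and the federal 30 days."""
    days = min(FEDERAL_DAYS, STATE_DAYS.get(state.upper(), FEDERAL_DAYS))
    return received + timedelta(days=days)


def check_request(req: dict, today: date) -> list:
    """Apply points 1-5 to one request; returns the problems found (empty = pass)."""
    problems = []
    auth = req.get("authorization", {})
    problems += [f"authorization missing {f}" for f in REQUIRED_AUTH_FIELDS if not auth.get(f)]
    # Point 2: a name alone is not enough; insist on at least one more identifier.
    ids = req.get("patient_identifiers", {})
    if not ids.get("name") or not any(ids.get(k) for k in ("dob", "dates_of_service", "mrn")):
        problems.append("patient identified by name only")
    # Point 3: timeliness against the stricter of the state and federal limits.
    if today > due_date(req["received"], req.get("state", "")):
        problems.append("request overdue")
    # Point 4: minimum necessary: every document must fall inside the requested dates.
    start, end = req["requested_range"]
    problems += [f"document {d['id']} outside requested range"
                 for d in req.get("documents", []) if not start <= d["service_date"] <= end]
    # Point 5: the destination must be the one named on the authorization.
    if req.get("destination") != auth.get("requestor_address"):
        problems.append("destination does not match authorization")
    return problems


def check_log_entry(entry: dict) -> list:
    """Point 6: an accounting entry must carry every required element."""
    return [f"log entry missing {f}" for f in REQUIRED_LOG_FIELDS if not entry.get(f)]


def within_retention(entry_date: date, today: date) -> bool:
    """True while the entry still falls inside the 6-year accounting window."""
    try:
        cutoff = today.replace(year=today.year - RETENTION_YEARS)
    except ValueError:  # today is 29 Feb and the cutoff year is not a leap year
        cutoff = today.replace(year=today.year - RETENTION_YEARS, day=28)
    return entry_date >= cutoff


# Constructed sample request and log entry (fictional names, no real PHI).
SAMPLE_REQUEST = {
    "received": date(2017, 3, 1),
    "state": "MT",
    "authorization": {"patient_name": "Leslie Smith", "requestor": "Example Law Firm",
                      "requestor_address": "fax 555-0100", "records_requested": "2016 visits",
                      "signed_by": "Leslie Smith"},
    "patient_identifiers": {"name": "Leslie Smith", "dob": date(1970, 5, 4)},
    "requested_range": (date(2016, 1, 1), date(2016, 12, 31)),
    "documents": [{"id": "doc-1", "service_date": date(2016, 6, 15)},
                  {"id": "doc-2", "service_date": date(2015, 11, 2)}],  # outside the range
    "destination": "fax 555-0100",
}
SAMPLE_LOG_ENTRY = {"date": date(2017, 3, 8), "recipient": "Example Law Firm",
                    "phi_description": "2016 visit notes", "purpose": ""}  # purpose missing

if __name__ == "__main__":
    print(due_date(SAMPLE_REQUEST["received"], "MT"))   # Montana's 10 days beats federal 30
    print(check_request(SAMPLE_REQUEST, date(2017, 3, 8)))
    print(check_request(SAMPLE_REQUEST, date(2017, 3, 20)))  # now also overdue
    print(check_log_entry(SAMPLE_LOG_ENTRY))
    print(within_retention(SAMPLE_LOG_ENTRY["date"], date(2024, 1, 1)))
```

Running it against a real queue means feeding each request through `check_request` before anything is mailed, faxed or uploaded, and refusing to close the request until `check_log_entry` returns an empty list.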

You may be pleased to know there is a software tool that can help significantly reduce the likelihood that these mistakes will occur.  Here at ChartRequest, our software was designed to help eliminate these top 6 mistakes and put the burden for accuracy more squarely upon the requestor.  We’d love to show you how our software and service can help improve compliance.

Ten Compliance Steps to Take Right Now

It is no secret that HIPAA compliance is excessively complex and requires a well-planned strategy to execute effectively.  A strong compliance program acknowledges that if a breach occurs, not only is your organization’s reputation at risk, but it also faces significant fines and other costs that may ensue.

In today’s environment, especially with actors wanting to exploit Protected Health Information for nefarious purposes, compliance cannot and should not be viewed as voluntary.  Moreover, the Office of Civil Rights (OCR) conducts random audits of Covered Entities and levies steep fines for non-compliance which further drives home the point that indifference or inattentiveness in this area is ill-advised.  

HIPAA compliance incorporates 169 different requirements between the Privacy Rule, Security Rule and Breach Notification Rule.  Thus, a comprehensive approach to compliance can be an arduous task at best.  Here are ten compliance steps that your practice can take right now as they relate to the release of information:

1. Drive requestors to an online record request platform that requires an authorization for all uses and disclosures that can be kept on file and accessible 24/7

2. Create a policy that details every aspect of ROI (i.e. items needed to validate authorizations, redacting sensitive information, etc.) to ensure compliance

3. Safeguard PHI from unintentional disclosure by making digital release a priority over faxing and mailing records thereby reducing exposure risk

4. Create a Quality Assurance protocol that helps ensure the correct records are being released and that there are no co-mingled records present

5. Implement a software tool that streamlines workflow and provides for the quickest, and most secure turnaround possible

6. Have Business Associates agreements in place with any service providers that perform ROI functions for you to ensure that these service providers only disclose patient health information properly and safeguard it appropriately

7. Implement a training program for you and your employees that consistently reaffirms your ROI policy and procedure

8. Centralize and automate the accounting of disclosures thereby alleviating the need to make constant determinations (and possible mistakes) as to what can be excluded, and to ensure that all the required content is accounted for (providers often are shocked to be audited and subsequently fined due to missing information)

9. Lock down access. Only allow fully authorized 3rd Parties to access your medical records/EHR systems. Providing a law firm, insurance company, or another provider carte blanche access to your medical records is a recipe for disaster, breach, and litigation 

10. Time stamp everything! Labor rates are the future of the HIM Department ROI process. Leveraging software that can help you understand the unit economics of your HIM Department will empower more strategic decision making within the HIM Department

HIPAA compliance in general, and specifically concerning ROI, ensures sensitive information is appropriately safeguarded. Health care providers are entrusted with details that should never fall into the wrong hands. Carefully evaluating compliance as it relates to releasing PHI is important as Covered Entities must be able to share information with patients and other authorized parties in a secure and effective way.  A streamlined ROI workflow that enhances compliance is essential for doing business and providing care in today’s health care environment.

Let ChartRequest help with your compliance initiatives as it relates to releasing PHI.  Our software was created to help providers become more compliant.  It can be leveraged by your staff, but since the ROI process is characterized by high levels of complexity and risk, we also provide a service where we handle this task for you.  We have ROI specialists who know how to protect both the patient’s confidentiality and the health care provider’s liability in information release.  Sign up for a demo today!

The Top Five Reasons to Leverage More Technology in Your HIM Department

Meaningful Use was presented as part of the 2009 HITECH Act to incentivize health care providers to adopt electronic health systems.  The goal, among other things, was that widespread EHR adoption would ultimately improve the quality, safety, and efficiency of patient care.  Essentially the government recognized that the use of technology could provide a “measurable improvement in patient outcomes, patient engagement, care coordination, and population health.”  Penalties for not being a “meaningful user” further underscore the importance they feel this technology brings.

The Office of the National Coordinator for Health Information Technology (ONC) states that: “Health information technology allows comprehensive management of medical information and its secure exchange between health care consumers and providers.”  HIT refers to a wide range of technology to include EMR/EHRs, electronic prescribing systems, patient portals, personal health records, digital imaging systems, etc.  Thus, the use of technology within HIM is growing in its reach and implementation.

Several early studies have demonstrated the positive impact of EHRs specifically around quality improvement, and reduced medical record and transcription costs.  While technology has been shown in some areas to have its disadvantages, it will continue to have a growing influence in the HIM Department, and a path will be cleared to provide greater opportunities to leverage technology and reap the benefits that often outweigh problematic areas. 

One area where more technology can be leveraged within the HIM Department centers around the release of Protected Health Information (PHI).  Here are the top 5 reasons for consideration:

  1. Improve the quality of the ROI process and results.  Implementing disclosure management software such as ChartRequest to complement this process can help to accurately deliver PHI directly to the entities that need it by providing a single point of release, and restricting the delivery method.  Consistent results can be provided due to the reduction and simplification of the steps required to process the release.
  2. Better control of costs associated with medical records release.  ChartRequest’s platform will boost staff productivity and reduce paperwork and other costs associated with releasing medical records, which will significantly reduce administrative overhead.  In addition, because ChartRequest is capable of automatically pricing records per state statute and requiring payment prior to release, a substantial revenue increase can be realized.
  3. Enhanced efficiency as it relates to Release of Information.  ChartRequest significantly reduces the number of steps required to process a medical record request and therefore workflow becomes more simplified and streamlined.  
  4. Further reduce exposure risk associated with mailing and faxing records.  Our software was designed to virtually eliminate the need to mail or fax medical records and it helps ensure that you get the right information to the right place.  It is designed with the highest security measures in place to further ensure patient information is secure and protected.  As an additional benefit, providers can be alerted when patients move in or out of your system, or be alerted when legal risks begin to surface.
  5. Improve customer satisfaction.  At ChartRequest, we recognize that at the end of the day, what matters most is the impact on the people you serve.  A much quicker turnaround time to get the records into the hands of the requestors goes a long way in improving that relationship, especially with patients.

Let us take you for a test drive so that you can get a better idea how leveraging ROI technology may benefit your HIM department.  

Sign up for a demo today!


Standardizing and Centralizing ROI – Getting out in Front of the Problems

The U.S. Health & Human Services (HHS) Office of Civil Rights (OCR) Phase 2 of the HIPAA Audit Program will continue through the end of the year with on-site audits starting up early in 2017.  During this effort, their goal is to “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.”  The OCR anticipates that their goal will result in helping them to identify industry best practices, and to help get out in front of problems before they result in breaches.

Naturally, no one should be more concerned than the Covered Entity (CE) as it relates to taking steps to preempt Protected Health Information (PHI) breach.  First and foremost, for the sake of the customer – the patient, but secondly because there are steep financial penalties to the tune of $50,000 per incident.  This year alone (and as of this writing) there have been over 250 breaches affecting more than 500 individuals, and between 2009 and June of 2016 there have been 230,000 small breaches (breaches affecting less than 500 individuals).  Recently the OCR announced that it was increasing its efforts in investigating these smaller breaches and that these events would be subjected to closer scrutiny.  

Clearly a CE can get out in front of problems before they result in a breach by simply increasing security and compliance within the organization.  One area that will go a long way in reaching this objective will be to standardize and centralize the Release of Information (ROI) process.

Regarding smaller practices, one may ask, “What’s to standardize and centralize?  Whoever is the most available in the office at the time will handle the request when it comes in.  They find the record, push a couple buttons, and send it out.  Done.”  Maybe that’s oversimplified, but here are some key considerations to think about with a decentralized process:

  • Are all the staff trained on the state and federal regulations as they relate to releasing PHI?
  • Are they aware of (and completing) the 45-plus steps required to complete the ROI process?
  • Are they looking for commingled records? 
  • Are they consistently following disclosure management procedures?  

The point is that a smaller practice can address standardization not only by ensuring that the organization's policy reflects up-to-date HIPAA and state regulations, but also by conducting periodic staff training to help ensure procedural adherence.  While the concept of centralization is primarily the concern of larger organizations, a smaller practice can centralize by limiting the number of people who manage the ROI process, thus simplifying enforcement and further mitigating breach risk.


Standardization and centralization become an even greater concern when multiple points of release exist in a much larger, or multi-location, facility, thereby opening a healthcare organization to more risk.  Added to this dilemma are growing organizations that bring in physician practices with different EHRs and various policies.  By implementing compliant, standardized disclosure policies and procedures across the entire organization (along with sufficient training), risk can be significantly reduced.  Centralization is a more complicated task at this level.  Fortunately, with the use of technology, this is not insurmountable.  Whether a practice is single or multi-specialty, single or multi-location, small or large, technology exists that can not only deliver a single point of release, but also provide access to one centralized HIPAA log for all disclosures of PHI.  Moreover, the process of requesting medical records can be streamlined with technology to such a degree as to minimize and perhaps even eliminate staff involvement on the front end (or altogether in a purely outsourced model).

At the center of what we do here at ChartRequest is to provide just such a technology.  We have developed software to address this need in a fashion that no other ROI provider has paralleled, and we are continuously rolling out new features to meet the ROI needs of healthcare providers.  ChartRequest will help you standardize, centralize, and streamline to reduce exposure risk.  Let us help you get out in front of problems before they result in a breach of any size! Whether you are a solo healthcare provider or a complex Integrated Delivery Network, ChartRequest can empower your staff and your HIM Department to be a strategic differentiator for your organization.

Challenges in Removing Patient Access Barriers

As a leader in the healthcare industry, you recognize the importance of removing access barriers to patient health information, yet challenges often exist in keeping with this effort. 

The implementation of electronic health records (EHRs) has gone a long way in helping to remove the barriers that paper-based systems naturally create through the cost, time, and effort required to obtain medical records.

Digitizing records and providing more seamless access for patients advances healthcare initiatives geared toward encouraging individuals to take more responsibility for their overall healthcare; EHRs give patients the ability to better manage their personal health and wellness through a patient portal.

One challenge, of course, is that not only is there a possibility that certain medical history is absent from the EHR, but patients may, for whatever reason, choose not to use the portal regardless of its availability.  The proverbial “you can lead a horse to water, but you can’t make her drink” may be in order here.  One study revealed that just over 1/3 of all participating providers leveraging an EHR also provided a patient portal, and half of those respondents reported that only 5% of their patients used the portal.

The American Recovery and Reinvestment Act (ARRA) extends the rights given under HIPAA for a patient to be provided with their medical records in electronic format from providers utilizing EHRs, and meaningful use criteria encouraged timely electronic access for patients within 4 business days.  Naturally, various challenges arise when individual practices attempt to adhere to multiple guidelines, rules, and regulations while software capability, staffing, and other limitations are present.

A further challenge presents itself with the dilemma of choosing whether to charge a patient for his or her records or not.  On its face, it would seem obvious that charging a patient for medical records presents a patient access barrier.  The American Health Information Management Association (AHIMA) has gone on record stating that “healthcare organizations remove or reduce costs associated” with patients obtaining their medical records.  That said, most healthcare organizations find that it is prudent to charge patients for varied internal reasons, yet they rarely do so in a manner that is consistent with HIPAA and HITECH requirements (by overcharging, undercharging, or simply not keeping a consistent policy due to staffing challenges) thus creating an access obstacle for their patients.

A final challenge exists when provider organizations have all PHI requestors use the same HIPAA-compliant medical record authorization form.  Such forms are only required for third-party requests, and providers should have patients (or their personal representatives) use a different form for their own requests so as not to create any access barriers.

Here at ChartRequest, we can help address these challenges and remove these patient access roadblocks.  At the core of our service is software that provides a unique method of streamlining the request process for patients both online and in-person, a digital ROI model that can turn requests around in hours, not days, a platform that automates pricing per state statute (charging reasonable cost-based fees to patients), and multiple online and offline avenues and workflows to assist patients and their advocates.

Let us take you for a test drive: www.chartrequest.com

When Should You Outsource PHI Disclosure Management?

Managing the disclosure of Protected Health Information (PHI) is becoming increasingly difficult for health systems and hospitals to handle as a result of 1) an abundance of regulations that are transient, complex, and difficult to comply with, 2) keeping staff up-to-date on training related to these changing regulations, particularly as they relate to especially sensitive patient information, and 3) a huge increase in the sheer volume of record requests.

With these factors and others, the process of PHI disclosure management has become so complex and so risky that managing it internally may be beyond the capabilities of many health systems and hospitals. An easy way to know if your organization needs to outsource PHI disclosure is if you have:

Many Points of Disclosure

If your organization has multiple points of disclosure with many staff members handling requests, it’s probable that your staff training may be inconsistent or hard to maintain. The regulations surrounding PHI disclosure are complex, vary from place to place, and change often, as mentioned above. This makes maintaining consistent staff knowledge on regulations very difficult.

Trouble Addressing Variation in Pricing for Disclosure

Depending on the type of requester and the geographical location that the request is coming from, pricing regulations for release of information (ROI) requests vary greatly. If the tools that you’re using for PHI disclosure don’t accurately address these differences, you may be opening yourself up to over- or under-charging, leading to bad debt, liability, denial of payments, and the possibility of litigation. Disclosure management outsourcing companies provide the tools to track these fluctuations accurately.

Slow Delivery of Records

As a result of the increasing volume of ROI requests, internal staff can often have difficulty responding to record requests in a timely manner. This leads to a slow-down in collections, an increase in phone calls and faxes requesting status updates, the possibility of errors, and missed deadlines.

Costs That Outweigh Your Collections

Internal PHI disclosure management can be expensive when you add up all that goes into it, including physical resources, staff wages and training, and equipment. If these costs are outweighing your collections, you may need to look into a more streamlined and specialized external process.

Luckily, there are many options for outsourcing these processes to independent companies.

Healthcare providers looking to automate their HIPAA compliance may turn to web-based solutions for their PHI disclosure management. These solutions provide several benefits beyond just mitigating risk and reducing training costs: they save staff time that would otherwise be spent dealing with phone calls, faxes, and other disruptive requests. They also automate invoicing, meaning that state fees are automatically charged and collected, and they lower resource costs by eliminating the need for snail mail and fax delivery.

The best fit for your institution can be determined by evaluating your needs.

Find out what your internal PHI disclosure costs are.

Included in these costs are staff training, additional staff needed to support the processes, supplies, slow collections, and money allocated for covering associated risks (e.g., breaches, penalties, and missed-deadline fees). Once you’ve evaluated your current costs, you’ll have a reference point for comparison when speaking to outsourcing companies.

Get a handle on your technological integration needs.

Decide what you need from a prospective outsourcing partner regarding their technology. This includes ease of use, possible reporting features, security, training offered, and whether it’s locally installed or web-based, among other things. Being able to fit the new process smoothly in with your current system is essential.

Decide which requests you want to handle internally.

Many organizations may choose to handle specific requests internally even once they’ve decided to outsource the bulk of their requests to an external entity. Decide if this is the case with your organization, and which requests you want to continue to process. These specifications can then be addressed when choosing a firm, as some may not accommodate these preferences.

Evaluate which service type you need.

You may need remote services if your HIM department has limited space. This option, however, may require that all of your records are electronic. You may also opt for on-site services if you have the space, or a hybrid option where staff both on-site and off-site interact to provide the best service.

Once you’ve determined a basic outline of what your hospital or health system needs from a release-of-information solution, you can look at the additional benefits offered. For example, some services offer a streamlined tracking process where your requests are tracked automatically, enabling you to quickly respond to payer and state audits. Make sure that you ask the right questions and find a partner in PHI disclosure that will make you more efficient and more compliant, and better your relationships with your clients.