The U.S. Health & Human Services (HHS) Office of Civil Rights (OCR) Phase 2 of the HIPAA Audit Program will continue through the end of the year, with on-site audits starting up early in 2017. During this effort, the OCR's goal is to “review the policies and procedures adopted and employed by covered entities and their business associates to meet selected standards and implementation specifications of the Privacy, Security, and Breach Notification Rules.” The OCR anticipates that this effort will help it identify industry best practices and get out in front of problems before they result in breaches.
Naturally, no one should be more concerned than the Covered Entity (CE) about taking steps to preempt a Protected Health Information (PHI) breach. First and foremost, this is for the sake of the customer (the patient); secondly, there are steep financial penalties to the tune of $50,000 per incident. This year alone (and as of this writing) there have been over 250 breaches affecting more than 500 individuals, and between 2009 and June of 2016 there have been 230,000 small breaches (breaches affecting fewer than 500 individuals). Recently the OCR announced that it was increasing its efforts in investigating these smaller breaches and that these events would be subjected to closer scrutiny.
Clearly, a CE can get out in front of problems before they result in a breach by increasing security and compliance within the organization. One area that will go a long way toward reaching this objective is standardizing and centralizing the Release of Information (ROI) process.
Regarding smaller practices, one may ask, “What’s to standardize and centralize? Whoever is the most available in the office at the time will handle the request when it comes in. They find the record, push a couple buttons, and send it out. Done.” Maybe that’s oversimplified, but here are some key considerations to think about with a decentralized process:
- Are all the staff trained on the state and federal regulations as they relate to releasing PHI?
- Are they aware of (and completing) the 45-plus steps required to complete the ROI process?
- Are they looking for commingled records?
- Are they consistently following disclosure management procedures?
The point is that a smaller practice can address standardization not only by ensuring that the organization's policy reflects up-to-date HIPAA and state regulations, but also by conducting periodic staff training to help ensure procedural adherence. While the concept of centralization is primarily the concern of larger organizations, a smaller practice can centralize by limiting the number of people who manage the ROI process, thus simplifying enforcement and further mitigating breach risk.
Standardization and centralization become an even greater concern when multiple points of release exist in a much larger, or multi-location, facility, thereby opening a healthcare organization to more risk. Added to this dilemma are growing organizations that bring in physician practices with different EHRs and various policies. By implementing compliant, standardized disclosure policies and procedures across the entire organization (along with sufficient training), risk can be significantly reduced. Centralization is a more complicated task at this level. Fortunately, with the use of technology, this is not insurmountable. Whether a practice is a single or multi-specialty practice, single or multi-location, small or large, technology exists that can not only deliver a single point of release, but also provide access to one centralized HIPAA log for all disclosures of PHI. Moreover, the process of requesting medical records can be streamlined with technology to such a degree as to minimize and perhaps even eliminate staff involvement on the front end (or altogether in a purely outsourced model).
Providing just such a technology is at the center of what we do here at ChartRequest. We have developed software to address this need in a fashion that no other ROI provider has paralleled, and we are continuously rolling out new features to meet the ROI needs of healthcare providers. ChartRequest will help you standardize, centralize, and streamline to reduce exposure risk. Let us help you get out in front of problems before they result in a breach of any size! Whether you are a solo healthcare provider or a complex Integrated Delivery Network, ChartRequest can empower your staff and your HIM Department to be a strategic differentiator for your organization.