By Linda Kloss

“Health information remains a critical part of the current and future healthcare environment and is no less important in the midst of a global pandemic” stated Dr. Wylecia Wiggs Harris in opening remarks on last week’s webinar entitled Integrity, Connection, Access: A Framework for the Future. Dr. Harris, CEO of American Health Information Management Association (AHIMA), shared the principles and assumptions that shape AHIMA’s 2020-2023 Enterprise Strategic Plan via Webinar instead of delivering the keynote address at Verisma’s 4^th Annual Disclosure Management Summit cancelled due to COVID-19.[i]

The Strategic Framework bridges HIM’s legacy, today’s crisis, and tomorrow’s imperatives. Dr. Harris emphasized three grounding principles undergirding the Framework: Integrity, Access, and Connection.  These sustaining principles are reimagined for what Dr. Harris described as a time when AHIMA and health information professionals need to “show up as transformational leaders.” She noted that the health information professional may be more important in the pandemic and post pandemic world.

In a world where people are more engaged in their health and health care and where health is finally understood to be broader medical services, Dr. Harris stressed that AHIMA’s Strategy is “People-Centric “ and that health information professionals must always remember that their work is uniquely important because  “Health information Is Human Information.” In fact, we have seen this play out in recent years as health information professionals proactively help people gain access to their health information in portals and health information exchanges. More recently, the use of request Apps is transforming patient access and release of information specialists are stepping into new roles of supporting innovation in access.

Dr. Harris and I discussed how the Framework’s grounding principles of Integrity, Access, and Connection might guide transformational improvement in access and disclosure management. The table shows examples of desired outcomes for some well-known areas of vulnerability and those in need of transformational change.

AHIMA’s initiatives will be guided by the Framework in the years to come. The guiding principles are also useful in anchoring needed change in access and disclosure management and in other HIM domains such as  coding, revenue cycle, EHR management, privacy, data analytics.

What’s required is a commitment to achieving measurable improvement.  As reported in our recent blogs about HIM leaders’ responses to COVID-19, there is currently momentum for modernizing outmoded processes and a spirit of empowerment for transformational change.  Dr. Harris summed this up so well for us, “When surrounded by uncertainty, we must be crystal clear about what grounds us, what will guide our decisions, what will help us navigate our new norm.”   

Once again, we congratulate Wylecia Wiggs Harris and the AHIMA Board of Directors for its compelling Vision and Framework and we thank Dr. Harris for sharing it so eloquently with the Verisma community.

[i] American Health Information Management Association.  2020-2023 Enterprise Strategic Plan.
http://bok.ahima.org/PdfView?oid=302888

By Linda Kloss

In the midst of the COVID-19 pandemic, HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina taught us powerful lessons about rapid adaptation and change. Over the past month, we shared their insights in two webinars and three blogs. This fourth blog, addresses the privacy and security of protected health information (PHI) as health systems lock down to protect staff, patients, and visitors. This public health emergency requires facilitating the flow of information while preserving essential privacy protections and stepping up security; a difficult balancing act in the best of times.

The Office for Civil Rights (OCR) acted quickly to issue guidance for covered entities and business associates waiving penalties and sanctions and exercising its enforcement discretion regarding certain good faith disclosures of PHI. For covered entities, these focused on helping family members get information on their loved one’s even as they were blocked from in-person visits.  For example, staff involved in the individuals care may speak with an involved family member or friend without the patient’s express agreement; the Notice of Privacy Practices need not be distributed; patient rights regarding opting out of a facility directory and requesting restricted communication of certain PHI may be temporarily set aside.

Under ordinary circumstances, when federal and local public health and public safety officials seek PHI from business associates, the disclosure may be prohibited unless explicitly authorized in the business associate agreement. The OCR enforcement discretion removes this barrier, providing the business associate can show good faith use of the disclosed information for public health or health oversight and informs the covered entity. These OCR actions are relatively narrow in their focus.  They do not, for example, relax other obligations such as breach notification.

Our panel of HIM leaders acknowledge that these temporary relaxations are helpful and are used as a backstop. The default is to fully comply with HIPAA, but when this is not possible, these temporary modifications allow staff to proceed without undue worry. They remove barriers to acting quickly.

Our panelists point to areas not covered by OCR modifications for which workarounds have had to be put in place:

• • The increase in requests by phone and the need for reasonable authentication of the identity of requestors.
  • Accumulating mail in closed medical practices and the potential difficulty to process requests on a timely basis.
  • Up to date and accurate authorization for access to EMR data by new healthcare workers from outside the system who have been quickly pressed into service.

As each health system finds ways to deal with these and other privacy challenges, the watchword continues to be good faith efforts to protect PHI as fully as possible from unauthorized access and disclosure.

An unfortunate truism of life in the digital age is that the bad actors attack when we are most vulnerable. Health care is experiencing a sharp increase in cyberattacks, ransomware, and phishing incidents. Working with PHI, access and disclosure is a high security risk activity. Our panel discussed the following steps:

• • Tighten the security of the work from home platform. The transition may have been made quickly and the platform may not need to be hardened.
  • The environment in the home may not be secure due to space limitations. Each situation should be assessed to ensure that PHI is protected.
  • Keep security front and center in routine communications and staff conferences. Include security staff and examples to underscore the need to check before clicking.

Let me once again thank the HIM leaders who taught us so much during the month of April 2020, a month that none of us will ever forget. They have shown us just how much can get done by seizing the momentum. They have kept information flowing, yet confidential; they kept staff safe, while introducing improvements.

Please continue to share your access and disclosure challenges and breakthroughs so we can continue to learn from one another.