ROI as the Gatekeeper for Access and Disclosure Management Compliance

Date: August 18, 2:00 pm – 3:00 pm EDT

Presenters:

Michael Salsbury, JD, MBA
Counsel and Privacy Officer

Barbara Carr, RHIA
Strategic Advisor

Release of Information (ROI) functions as the gatekeeper for access and disclosure of confidential health information. ROI advances patient rights, enforces organizational policy, and complies with federal and state law. The gatekeeper role is more complex today because:

  • Health delivery and information systems are more complex
  • Request volumes are greater from patients and a range of requestors
  • Regulatory ground rules were largely designed for a paper-based health system, and
  • Privacy and security are being deliberately and inadvertently put at risk.

This presentation will provide an update on privacy’s evolution through law, policy and attitudes. Recent proposed changes to the HIPAA Privacy Rule will be reviewed and their implications discussed. Approaches for identifying recurring compliance problems that constitute risk will be examined with examples and speakers will recommend mitigation strategies.

As we begin the third decade of the 21st century, privacy and security challenges are increasingly under attack. ROI can and must be proactive in adapting effective gatekeeper methods for access and disclosure of confidential health information.

Learning Objectives:

  • To review the context for a stepped up ROI compliance focus,
  • To identify the key access, disclosure, and privacy trends that impact ROI practices,
  • To align ROI technology and approaches and how they address trends, and
  • To offer an action plan to improve ROI compliance.

Pre-Approved for 1 AHIMA CEU Credit

Verisma Wins GHIMA Champion Award

Serving the needs of GHIMA and the HIM profession

WASHINGTON, D.C., June 28, 2021 – Verisma, an industry leader in disclosure management technology and services to the US provider market, was honored to receive GHIMA’s Champion Award. Verisma has shown their commitment to furthering the HIM profession through training, CEU-credited webinars, expert-written blogs, a Pledge to Protect Program, and AHIMA national and state scholarship awards. GHIMA gives the Champion Award to individuals, groups, and corporations that have worked tirelessly to support the HIM profession, and Verisma is proud to be recognized as a leader in this area.

“The GHIMA board of directors unanimously voted to recognize Verisma with the GHIMA Champion Award. Verisma has been supportive of GHIMA during the pandemic by providing over one dozen education sessions for our members to earn CEUs at no cost or for GHIMA to incorporate into our virtual annual meeting. Verisma was extremely supportive of HIM students by contributing $5K in scholarship assistance to the AHIMA Foundation this past year. We value our partnership and thank Verisma for their continued commitment in helping GHIMA achieve its mission in serving the needs of our members,” stated Neisa Jenkins, Ed.D, RHIA, FAHIMA, President of GHIMA.

About Verisma: From our technology to our people and our partnerships, we believe our purpose is to protect truth and accuracy. Learn more about our disclosure management system at verisma.com.

Media Contact:
Davy Simanivanh
Phone (571) 205-6722
dsimanivanh@verisma.com

HIPAA and Information Blocking: Understanding Regulatory Intent Against the Ever-Changing Environment

By Linda Kloss

HHS officials discussed the nuances of how Right of Access is handled under the HIPAA Privacy and Information Blocking Rules in last week’s Verisma-sponsored Webinar HIPAA Right of Access and Information Blocking.[i]  We are grateful to Elisabeth Myers, Deputy Director, Office of Policy, HHS Office of the National Coordinator and Timothy Noonan, Deputy Director for Health Information Privacy, HHS Office for Civil Rights for customizing a presentation to compare and contrast Right of Access elements of the two Rules, spotlighting areas that have generated questions. I urge everyone to access the Webinar archive as it is a very useful reference. 

The laws giving rise to Right of Access regulations were passed two decades apart (HIPAA in 1996, 21st Century Cures in 2016). Both are complex multi-part laws dealing with health system effectiveness from different perspectives. HIPAA focuses on health insurance and administrative functions while 21st Century Cures focuses on facilitating clinical research and improved therapeutics. How their regulatory framework handles Right of Access reflects different contexts and purposes. The Information Blocking Rule concerns electronic health information, which Myers and Noonan described as “a subset of the protected health information (PHI)” covered by the Privacy Rule.

Myers and Noonan underscored another helpful distinction that can guide compliance. Access to protected health information under the HIPAA Privacy Rule is governed by permissions. Patients, of course, have a right to access and they or their legal designees grant permission for release to third parties. The Rule grants permission to use protected health information (PHI) for treatment, payment and healthcare operations and specifies other parties who are granted permission under certain circumstances. The Information Blocking Rule picks up where permissible requests leave off and assumes that electronic PHI (ePHI) be shared unless the request meets one of eight exceptions. This distinction reminds us that we should be advocates for legitimate and customer-friendly access. We should focus on eliminating barriers, reducing turnaround times, and shifting to e-release whenever possible.

The Rules differ in their breadth of who must comply. Under the HIPAA Privacy Rule, we deal with covered entities (providers, health plans, and clearinghouses) and their Business Associates. The definitions of providers are aligned under the two Rules. The list of “Actors” who must comply with the Information Blocking Rule includes health information exchange entities and technology developers. This is a welcome expansion that better reflects who is involved in today’s health information ecosystem. EHR vendors, private exchanges, or other entities will no longer be able to block the exchange of health information needed for continuity of care.

Information Blocking aligns to HIPAA regarding timelines for release. Myers and Noonan reinforced that the Rule reads no later than 30 days. We should be doing all we can to reduce turnaround times by putting in place systems and workflows to avoid any “unnecessary delay.” We were reminded that such delays are currently resulting in enforcement action by OCR, the nineteenth such action announced earlier this month. Enforcement for the Information Blocking Rule will be administered by HHS’s Office of the Inspector General and the rules for this have yet to be released or approved.

Fees for ePHI are handled similarly in both Rules. Reasonable, cost-based fees for labor are allowable. The Information Blocking Rule adds a requirement that they be uniformly applied and not anticompetitive. The trend is that providers are making access available to patients on a no fee basis and this is driving adoption of use of Apps such as Verisma’s Request App ™ (VRA), a practice very much in line with the intent of both Rules. 

Verisma recognized the rapidly changing landscape by sponsoring Health Information Access Week, June 14-18. The OCR-ONC Webinar was a highlight of the week along with guest bloggers covering topics from consumer advocacy to HIM leadership. The Information Blocking Rule and proposed changes to the Privacy Rule underscore once again the need to upgrade ROI practices with technologies, including access and management tools, to stay ahead of the curve.   

We continue to grapple with a patchwork of federal and state laws and regulations concerning health information and privacy. The Information Blocking Rule provides some much needed modernization, particularly in bridging to a broader cast of actors. For ROI, HIM, and Compliance experts, the Right of Access is inviolable. At the same time, we know that when a custodian discloses PHI, today’s protections for individuals fall far short of where they should be. I know we will sort out how to comply with Information Blocking and future modifications to the Privacy Rule. But I also know that our work won’t be done until we can help people have real choice in how they want to handle their confidential health information, in identifiable and deidentified formats, when it moves beyond the protections of current law. 

[i] Please e-mail Davy Simanivanh at dsimanivanh@verisma.com to receive a recording of the webinar.

Enterprise Access and Disclosure Management: Your Opportunity to Lead

This first Health Information Access Week has brought together a range of perspectives on serving consumers, mitigating risks and deploying technology. We’ve been privileged to learn from experts who bring a lifetime of experience and insight to the changing challenges of  access and disclosure.  I am closing out this week with some reflections about leadership and management of access and disclosure operations. It is my belief that there is an urgent need for HIM leaders to address the health information access and disclosure disparities within their organizations. This is a key stepping stone to being able to modernize our approaches.  We have the expertise to do this and the time is now.

As a HIM leader, I made it one of my goals to achieve centralized health information access regardless of where the patient may have been treated within the healthcare organization. I view this as having three benefits: improved patient satisfaction, risk reduction and cost savings. It was clear to me several years ago, that HIM professionals needed to broaden our thinking beyond the hospital’s four walls and reach out to our physician practice administration, outpatient satellite and other facilities that make up our health system. Ultimately, the entire organization can benefit from centralizing the release of healthcare information.   

In leading the charge at Einstein Health in Philadelphia, I first called a meeting of our Hospital Administration staff, Physician Practice administrators, Risk Management and Compliance.

I described a recent scenario where an elderly patient had to go to three separate locations to acquire the healthcare information they needed for an upcoming appointment with a specialist. I then posed questions regarding why we persisted in this approach. All the patient’s information was stored in our Clinical Information System (CIS) regardless of location of treatment. Everyone agreed this was not ideal and agreed to work with me on a solution. 

The physician practices, at the time, were all doing their own individual release of information with various copy vendors, or their own in-house staff. There was no tracking, and very little quality control. At that time, all the HIM Departments were being handled by one vendor and covered by the same policies. Therefore, it was decided that we would tackle the practices first.

We started with bringing our release of healthcare information vendor to the table and put them to the task of working with us on a solution for the physician practice locations first. Since there are over 200 locations, this was a large change project. A project plan was developed, and a team of key stakeholders was assigned to carry out the project. After 6 months of planning and strategizing, the first group of practices went live, followed by the next group, until all practices were handled by one group of release of information staff. Our vendor staffed the central location.

Once we standardized and centralized the physician practices, we were able to move quickly with outpatient locations. In all, it took about 18 months to accomplish. In the end it was merged into one centralized release of healthcare information site. Now a patient can make one request for their information, which is then processed all at the same time, and delivered to the patient via whatever media and route they have specified. We were able to monitor quality and track all released information. We reduced costs and duplication of effort. Patients were less frustrated and more satisfied with our service. 

Risk and Compliance are less concerned with surprises and have one place to go to check on any issues. We are far less likely to receive a complaint and if we do, we have protocols to resolve any before they become investigations. Importantly, having a standard way of handling access and disclosure across the enterprise positions the organization to broaden the scope of release of information. For example, it is possible to handle access requests from financial services, case management, utilization review and other health system functions that rely on access to information. When going through our release of information we are assured of the same quality control and tracking.

This experience not only helped me grow as a HIM leader but helped to expand my role in the organization beyond the HIM borders.  I was given more opportunities to work across the organization to streamline other processes. All this really helped fulfill my own goals to grow within my organization. 

In the end, I believe it is up to us as HIM leaders to have the vision, and then use our leadership to organize and lead others towards that vision.

Barbara Carr, RHIA, a Verisma Advisor, formerly served as Assistant Vice President Health Information Management at Albert Einstein Health Network in Philadelphia and as Corporate Director of Health Information Management at ChristianaCare, Wilmington, DE.

What Keeps a Compliance Officer up at Night?  Challenges with Access and Disclosure of PHI

With years of HIM leadership experience under my belt, my current role as Director of Corporate Compliance requires me to step back to see the big picture. As I read about the nineteenth OCR HIPAA settlement, it should give pause as to how we got here. HIM professionals are ingrained to protect patient privacy at all costs, but it begs the question if we are trying to protect the wrong people. Patients absolutely have a right to their information and unfortunately, too many roadblocks have existed in the past. When managing release of information (ROI), I agree it is cleaner and less complex to routinely require a written authorization from the patient before releasing any PHI to anyone. But, in some scenarios, we are doing a disservice to the very patient whose information we are trying to protect.

Patients are more technology savvy; they want their information and they want it now. We have an opportunity to speed up this entire process and in so doing, improve service to our customers. If you haven’t already, it is time to think creatively about ROI. If a patient calls your department asking for their records, figure out a process for verifying their identity over the phone versus requiring the patient to come into your department or submit a written request. Use the technology available to you for delivering records to patients, whether that is through your patient portal, an app, email or another electronic method. Speaking of email, we also need to accept the fact that not all patients will be comfortable handling encrypted emails containing their records. They may not want to make up a password and, in my opinion, it should be their choice. You may need to work with your Information Services Department to ensure you can email records unencrypted, if that is the patients’ preference.

I don’t believe we should charge our patients for copies of their own medical information. They are entitled to the information and I think it is just the right thing to do. As we increase the capabilities of apps, our patient portals and methods of delivering medical information to patients, the task of covering our costs should become easier. We also need to get more efficient at this process – 30 days is a long time to wait for delivery of anything – think how we would feel if our typical Amazon orders took this long to arrive? I applaud the 15 day turnaround requirement in the proposed HIPAA Rules. We cannot ignore requests from our patients – the HHS Enforcement Actions demonstrate examples of frustrated patients not getting what they request in a timely manner, or not getting the information at all.

I am hopeful the use of electronic signatures will be specifically noted as allowable under the Proposed Modifications to the HIPAA Privacy Rule. I have seen health information departments differ in their decisions to allow or disallow their use. The use of electronic signatures is a well-established practice and we should move away from requiring only handwritten signatures from patients.

Another thought about patient portals – we are now pushing much more information to the patient, i.e. test results, notes, pathology reports, discharge instructions, in some cases very quickly after creation. Having test results at your fingertips  as soon as they are available is not intended to replace those critical discussions between provider and patient. We need to reassure our patients that these discussions will still occur, even if they see the results via their portal account before they have spoken to their provider. Informing the patient of this during the office appointment when the tests are being ordered needs to become the norm. Placing a “results disclaimer” on the patient portal is another method to communicate this to patients.

As a compliance officer, I want to ensure we are following the law and exceeding our patient needs at the same time. It is also my job to ensure our policies/procedures minimize risk for my organization. It is very important for HIM leaders to step up controls to make certain that access and disclosure management is a sound and reliable process. With each enforcement announcement, the OCR is sending a strong message – no more barriers for patients to get their own information. If access and disclosure management has not been top-of-mind before, it sure needs to be now. If we consistently and efficiently meet our patients’ needs for access, we can all sleep soundly at night.

Wendy Mangin, MS, RHIA is Director of Corporate Compliance for Good Samaritan, Vincennes, Indiana where she served as Director of Health Information Management for over four decades with responsibilities as Executive Project Director for the health system’s EPIC implementation. She served on the Board of Directors of AHIMA and as its President in 2008.
