Software Supply Chain Risk – Effective Third Party, “Nth” Party Management

Information Protection; Access, Disclosure, Privacy and Security (for CEU certificate)

Barbara Carr, RHIA, Verisma Advisor, Former AVP of Health Information Management at Einstein Healthcare Network
Jim Staley, CISSP, Verisma’s Chief Information Security Officer

Presentation Content:
As healthcare providers continue to improve their own security, attackers are more frequently targeting the third parties, vendors, and suppliers who provide services to healthcare companies. To make matters worse, they are attacking not only your vendors but also your vendors' vendors. The idea that "you're only as strong as the weakest link in the chain" has never been truer.

In this presentation you will hear from Verisma's Chief Information Security Officer, who will share his risk management expertise and provide real-world examples of third (and even fourth or fifth!) party attacks as well as software "supply chain" attacks. He'll review what the "standards of care" are for third-party management, decipher some of the lingo around third-party certifications, and provide some concrete "do's and don'ts" for managing third-party risk.

Learning Outcomes:

  1. Understand why managing third-party risk is more important than ever before.
  2. Understand the differences between third-party attacks, "nth" party attacks, and "supply chain" attacks.
  3. Learn what different security frameworks and vendor certifications mean and what level of assurance they provide.
  4. Learn what's important, what's not important, and what can even be counter-productive when creating or participating in a third-party risk management process.

HIPAA Update from the Office of Civil Rights

Wednesday, June 22, 2:00 – 3:00 PM EDT

Information Protection; Access, Disclosure, Privacy and Security

Timothy Noonan
Deputy Director for Health Information Privacy
Office of Civil Rights

Presentation Content:

Hear directly from the Deputy Director for Health Information Privacy at OCR on the latest news and trends related to HIPAA. A lot has been happening over the last year with the announcement of the NPRM regarding HIPAA changes. Comments have been received and are currently under review by OCR.

Hear about other updates on OCR rulemaking and guidance that directly impact your HIM release of information operations. Learn about the recent trends in breach reporting to OCR and what you can do to keep your organization from being reported to OCR. Mr. Noonan will also inform attendees of recent HIPAA settlements and civil monetary penalties.

Attending this very informative webinar will help you learn where things stand and where they are going under HIPAA, and how to keep your organization compliant.

Learning Outcomes:

  1. Understand OCR rulemaking and learn how it directly impacts you in HIM.
  2. Learn the latest trends in breach reporting and how to avoid a breach in your organization.
  3. Understand what the latest HIPAA settlements are and how they could have been avoided.

Managing Patient Requests for Amendments – One Health System's Story

By Barbara Carr, RHIA

The 21st Century Cures Act's goal of increasing information sharing and enabling patients to have their healthcare data delivered conveniently to their computers, cell phones, and mobile applications has increased privacy and security worries for many healthcare organizations. Having the right data security and processes in place to enable information sharing is at the forefront as this new era of patient access continues to drive a more educated and engaged patient population demanding governance over their health information. We can expect that the once rare occurrence of record amendment requests will soon be a regular activity that will need to be carefully and accurately managed.

Presently, the patient's Right of Access must be honored within 30 days regardless of record location (onsite vs. offsite) and regardless of media type. One 30-day extension is permitted, but it must be communicated to the patient and documented. Any denial of access also needs to fit within this 30-day/60-day time frame.

The growing tech-savvy and health-aware public wants access to and control over their health information. This has led to an increase in demand for the release of information to the patient. As we are all aware, the electronic health record is not always neat, tidy, and easy to digest. Patient records also contain a high degree of "copy and paste" notes, leading to issues with accuracy of information from visit to visit. With more patients reviewing their records than ever before, perceived misinterpretations and actual transcription errors require a more robust ability to address the influx of questions, corrections, and possible amendments.

Handling these requests requires a dedicated team to ensure consistency of process and compliance; it should not be left to each area within the organization to address on its own. Having a streamlined way to handle requests for amendments is imperative for HIPAA compliance and overall patient satisfaction.

During our May ROI Roundtable Webinar Series, we were honored to have Mercy del Rey, Assistant Vice President and Chief Privacy Officer for Baptist Health System South Florida, and a Verisma client, speak to us on how their 12-hospital, 200+ outpatient center health system has employed a centralized process to address the significant growth in patient record amendment requests over the past decade.

Baptist Health South Florida began their journey to a centralized process right from the inception of HIPAA, by establishing a corporate privacy office that would also be responsible for handling all patient amendment requests. With the advent of HIPAA and the Right of Access, HITECH, Meaningful Use, and the explosion of the electronic medical record, they saw the volume of requests for amendments dramatically increase. The advent of patient portals, the information demand related to a global pandemic, and the government's increased push for information interoperability and sharing have further increased the volume of requests. In 2003, Baptist Health South Florida received 7 requests to amend healthcare information. That number has steadily grown to well over 300 requests a year at present.

Mercy demonstrated how they carefully evaluate each amendment request with questions that include:

  • Does this error affect the care received?
  • How will this affect future care?
  • Is the request legitimate (for example, "I fell at Walmart, not at home")?
  • Where are all the places in the record that need addendums?
  • Will the record need to be re-coded and re-billed once a change has been made?
Having a central, dedicated, trained, and knowledgeable team review each request and make these determinations is essential for process consistency and overall amendment accuracy. This requires a detailed review of the request and the medical record in question, as well as the ability to reach out to the clinician(s) involved, who will review the request and the medical record to determine whether the amendment can and will be made.

Some of the many roadblocks and challenges her team faces include a clinician's willingness to review and amend a record, technical challenges that may affect the ability to capture the associated information across the record set, untangling medical records across multiple platforms, old paper records, complex requests that may require varying degrees of interpretation, and the careful management of unrealistic patient expectations. To help with these challenges, Mercy's team looks to others in the organization for assistance in removing these roadblocks. They work hand-in-hand with the Patient Experience team to help manage the patient communication process. For clinicians unwilling to cooperate, they have established an escalation process up the chain of command to their Chief Medical Officer. In addition, they work closely with Health Information Management on issues such as the untangling and updating of a medical record. As Mercy relayed, "It takes a village."

Key to process compliance and overall success is that all new employees, including physician staff, are trained on the amendment process as part of their orientation and onboarding. This ensures that everyone is aware of the process from the beginning of their employment. Baptist Health System South Florida makes their patient amendment request form available online, which automatically routes all new requests directly to Mercy and her Privacy Office. In addition, they receive requests from the Patient Experience team, which sometimes receives the request as part of its patient complaint filing process.

This centralized and accountable approach has enabled Baptist Health South Florida to maintain a scalable, highly organized, and compliant process for handling patient requests for amendments, all while keeping the patient's needs, safety, and overall satisfaction at the forefront of their efforts.

Patient Request for Amendments – The Impact of Increased Patient Access to EHI

Date: May 18, 2:00 – 3:00 PM EDT
Mercy del Rey
Assistant Vice President/Chief Privacy Officer, Baptist Health South Florida

Barbara Carr, RHIA
HIM Advisor, Verisma Systems, Inc.

The 21st Century Cures Act's goal of increasing information sharing and enabling patients to have their healthcare data delivered conveniently to their computers, cell phones, and mobile applications has increased privacy and security worries for many healthcare organizations. While having the right data security in place to enable information sharing is at the forefront, opening up access and sharing has also increased the volume of patients' requests to amend their healthcare information.

Baptist Health South Florida is a large multi-facility health system in South Florida that treats over 1.5 million patients per year. Hear from Mercy del Rey, Baptist's Assistant Vice President and Chief Privacy Officer, how Baptist Health protects patient privacy and patient rights and what processes they have implemented to handle the increased patient requests for amendments.

Learning Objectives:

• Learn from Baptist Health South Florida's experience of how they have met the demand and are processing requests for amendments.

• Learn how centralizing the amendment process has benefited the healthcare organization and patients.

Pre-Approved for 1 AHIMA CEU Credit.

Information Sharing Under The 21st Century Cures Act

By Barbara Carr, RHIA

On March 16, 2022 Verisma hosted a webinar on Information Sharing and the 21st Century Cures Act presented by Elisabeth Myers, MBA, Deputy Director, Office of Policy, HHS Office of the National Coordinator (ONC). The ONC oversees regulations concerning information sharing and interoperability of electronic health information (EHI). Information sharing is at the heart of the 21st Century Cures Act’s information blocking rules.

The Information Blocking regulation went into effect on April 5, 2021. While we should all be fully compliant with the regulations by now, the fact is that in 2022 the regulation will expand the definition of EHI beyond the current United States Core Data for Interoperability Version 1 (July 2020 Errata) (USCDI v1) data set. As defined by the Information Blocking rule, the EHI definition is as follows:

  • "Electronic Health Information (EHI) means electronic protected health information (ePHI) to the extent that the ePHI would be included in a designated record set as these terms are defined for HIPAA."

The expansion is "only" PHI that is in an electronic format. It does not include paper documentation, even though that documentation may be scanned into the electronic record (PDFs). EHI is the discrete data that is used to make medical decisions. Noted in the webinar is that EHI is "electronic protected health information (ePHI) to the extent that it would be included in a designated record set". Further explained during the webinar was that EHI "is individually identifiable health information that is maintained in electronic media or transmitted by electronic media". If the ePHI is included in any of the following records and does not fall under an exclusion such as psychotherapy notes, then it would be considered EHI:

  • Medical records and billing records of a provider about an individual
  • Enrollment, payment, claim adjudication, and case or medical management record systems maintained by or for a health plan.
  • Records used in whole or in part to make decisions about individuals

What is not EHI was explained as well: for example, psychotherapy notes; information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; health information in employment records; and de-identified protected health information.

Organizations should be looking at what they now include in their designated record set policy and revise it if necessary, to ensure that the policy covers the full scope of EHI in preparation for the October 6, 2022 expansion of the EHI definition beyond the current USCDI v1 definition.

More details and explanation of the Information Blocking Regulation were shared with the attendees. Points that have raised questions from health care providers and others in the health IT field were clarified. Information Blocking applies to "actors". Actors are:

  • Health Care Providers
  • Health IT Developers of Certified Health IT
  • Health Information Networks (HINs)
  • Health Information Exchanges (HIEs)

Exceptions to the Information Blocking Rule have also raised a lot of questions from actors, in particular the "Infeasibility Exception", under which it is not considered information blocking if it is infeasible for an actor to respond to a request. One example would be if it were impossible for an actor to segment out psychotherapy notes from the EHI. Another would be if the cost of complying were prohibitive. Other examples were given as well, along with resource information available on ONC's Cures Act Final Rule website, where attendees can find more information.

What should you do if you are experiencing information blocking? As directed by the Cures Act, the National Coordinator has implemented a standardized process for the public to submit reports on claims of information blocking. The report can be submitted through the Information Blocking Portal at:

The second part of the presentation focused on the Trusted Exchange Framework and Common Agreement (TEFCA), which is called for in Section 4003(b) of the 21st Century Cures Act. While we do exchange EHI now, not all exchanges are able to connect with one another. TEFCA was established to provide a technical floor for nationwide interoperability and to simplify connectivity, so that organizations can securely exchange information to improve care while enabling individuals to gather their own health care information.

While TEFCA alone could be a webinar in and of itself, we did learn how it will be organized and were given detailed information to help us understand how TEFCA will operate. The Recognized Coordinating Entity (RCE) is the entity selected by ONC that will enter into agreements with Health Information Networks (HINs) that qualify and elect to become Qualified HINs (QHINs). The RCE will act as a governing body that operationalizes the TEFCA requirements. The QHINs in turn will connect directly to each other to facilitate nationwide interoperability, and each QHIN will connect its participants and subparticipants to one another. Permitted exchange purposes are: Treatment, Payment, Health Care Operations, Public Health, Government Benefits Determination, and Individual Access Services.

The webinar provided a wealth of information and laid out both interoperability and TEFCA clearly, so that participants understand what to expect from information sharing going forward in 2022.