OCR Update on HIPAA Policy and Enforcement

Date: May 27, 2:00 pm – 3:00 pm EST

Presenters:

Timothy Noonan, JD
Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR)

Michael Salsbury, JD, MBA
Counsel and Privacy Officer, Verisma

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) administers and enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules and federal civil rights laws that prohibit discrimination in the delivery of health and human services based on race, color, national origin, disability, age, sex, religion, and the exercise of conscience. Timothy Noonan, OCR’s Deputy Director for Health Information Privacy, is the featured speaker for this timely Webinar.

Throughout March, April, and May, OCR issued important COVID-19 and HIPAA-related bulletins, notifications of enforcement discretion, and guidance explaining how protected health information may be used and disclosed in response to the COVID-19 public health emergency. Mr. Noonan will discuss OCR’s recent HIPAA materials and answer participants’ questions, which you have the opportunity to submit when you register for this Webinar.

OCR has consistently advanced policies supporting the Individual Right of Access to health information to empower patients to be more in control of their health and health care. In 2019, OCR announced the Right of Access Initiative as an enforcement priority, and resolved two investigations by the end of the year with settlements. In 2020, a court issued a decision affecting the right of individuals to direct copies of their health information to another person. Mr. Noonan’s update will help all attendees understand the changes in the health information privacy legal landscape and move forward with greater confidence.

Webinar objectives:

This webinar will enable Privacy, HIM, compliance, and R-O-I teams to:

  • Review recent COVID-19 actions and the materials available
  • Reinforce the importance of advancing the Individual Right of Access
  • Describe OCR’s Right of Access Initiative

 Approved for 1 AHIMA CEU Credit

Protecting PHI in the Pandemic: Good Faith Compliance (Part 4 of 4)

By Linda Kloss

In the midst of the COVID-19 pandemic, HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina taught us powerful lessons about rapid adaptation and change. Over the past month, we shared their insights in two webinars and three blogs. This fourth blog addresses the privacy and security of protected health information (PHI) as health systems lock down to protect staff, patients, and visitors. This public health emergency requires facilitating the flow of information while preserving essential privacy protections and stepping up security, a difficult balancing act in the best of times.

The Office for Civil Rights (OCR) acted quickly to issue guidance for covered entities and business associates waiving penalties and sanctions and exercising its enforcement discretion regarding certain good faith disclosures of PHI. For covered entities, these focused on helping family members get information on their loved ones even as they were blocked from in-person visits. For example, staff involved in the individual’s care may speak with an involved family member or friend without the patient’s express agreement; the Notice of Privacy Practices need not be distributed; patient rights regarding opting out of a facility directory and requesting restricted communication of certain PHI may be temporarily set aside.

Under ordinary circumstances, when federal and local public health and public safety officials seek PHI from business associates, the disclosure may be prohibited unless explicitly authorized in the business associate agreement. The OCR enforcement discretion removes this barrier, provided the business associate can show good faith use of the disclosed information for public health or health oversight and informs the covered entity. These OCR actions are relatively narrow in their focus. They do not, for example, relax other obligations such as breach notification.

Our panel of HIM leaders acknowledges that these temporary relaxations are helpful and are used as a backstop. The default is to fully comply with HIPAA, but when this is not possible, these temporary modifications allow staff to proceed without undue worry. They remove barriers to acting quickly.

Our panelists point to areas not covered by OCR modifications for which workarounds have had to be put in place:

    • The increase in requests by phone and the need for reasonable authentication of the identity of requestors.
    • Accumulating mail in closed medical practices and the potential difficulty of processing requests on a timely basis.
    • Up-to-date and accurate authorization for access to EMR data by new healthcare workers from outside the system who have been quickly pressed into service.

As each health system finds ways to deal with these and other privacy challenges, the watchword continues to be good faith efforts to protect PHI as fully as possible from unauthorized access and disclosure.

An unfortunate truism of life in the digital age is that bad actors attack when we are most vulnerable. Health care is experiencing a sharp increase in cyberattacks, ransomware, and phishing incidents. Working with PHI access and disclosure is a high-security-risk activity. Our panel discussed the following steps:

    • Tighten the security of the work-from-home platform. The transition may have been made quickly and the platform may now need to be hardened.
    • The environment in the home may not be secure due to space limitations. Each situation should be assessed to ensure that PHI is protected.
    • Keep security front and center in routine communications and staff conferences. Include security staff and examples to underscore the need to check before clicking.

Let me once again thank the HIM leaders who taught us so much during the month of April 2020, a month that none of us will ever forget. They have shown us just how much can get done by seizing the momentum. They have kept information flowing, yet confidential; they kept staff safe, while introducing improvements.

Please continue to share your access and disclosure challenges and breakthroughs so we can continue to learn from one another.

Integrity, Connection, Access: A Framework for the Future

Date: May 13, 2:00 pm – 3:00 pm EST

Presenters:

Wylecia Wiggs Harris, PhD, CAE
Chief Executive Officer, AHIMA

Linda Kloss, MA, RHIA
Regulatory Policy Leader, Disclosure Management, Verisma

The American Health Information Management Association (AHIMA) enters the new decade ready to execute a strategic Framework with three key impact areas — Integrity, Connection, and Access — to improve the management and value of health information. Wylecia Wiggs Harris, PhD, CAE, AHIMA’s CEO, is a special guest for this important thought leadership webinar.

Dr. Harris will discuss how the Framework reflects AHIMA’s Vision of “A world where trusted information impacts health and healthcare by connecting people, systems, and ideas.” She will describe the environmental trends that have informed the impact areas. She will also highlight some of the plans for 2020/21, the desired outcomes for HIM professionals and AHIMA, and the ways in which the direction benefits the health system and those it serves.

Dr. Harris and Linda Kloss will discuss how the impact areas of Integrity, Connection, and Access apply to the access and disclosure management of health information, important HIM and compliance responsibilities. The integrity of release of information practice is being transformed by advanced release management technology and improved quality control; workflows from request through release are being standardized and automated; and web-based apps are streamlining access to empower people. The impact areas of AHIMA’s plan reflect the future of release of information, and this webinar will connect the dots so the industry can embrace and promote AHIMA’s Framework for the future.

Webinar objectives:

This webinar will enable HIM, compliance, and ROI teams to:

  • Describe AHIMA’s Framework for the Future and its intended benefits;
  • Translate AHIMA’s Framework to access and disclosure management, including release of information (ROI) practice;
  • Consider ways in which incorporating the Framework’s direction and impact areas can help to advance transformation of access and disclosure management; and
  • Enlist ROI practitioners in advancing change.

 Approved for 1 AHIMA CEU Credit

HIM and Virtual Health: Emerging Best Practices and Lessons (Part 3 of 4)

By Linda Kloss

This is the third blog highlighting lessons learned by HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina in the midst of the COVID-19 pandemic. Their experiences teach us much about release of information best practices. They also identify broader health information access and disclosure challenges of dealing with this public health emergency. The first blog focused on best practices for protecting the safety of staff through rapid transition to work-from-home and protecting staff that must continue to perform their work on site.

The second blog addressed best practices in adapting release of information practices. By optimizing electronic workflows, health systems are flexing to ensure compliant and accurate work from request through fulfillment. A game changer is use of the Verisma Request App (VRA), which, when integrated with Verisma Release Management, is providing seamless continuity of work regardless of shifting workflows, who is doing the work, and where it is being done.

Our interviews with HIM leaders also described stepped-up involvement with patient portals and a new focus on policies and procedures for telemedicine. I might not have anticipated these two areas of best practice as early responses, but it has quickly become clear that this pandemic is accelerating all aspects of virtual health services. In addition to experiences with Verisma’s VRA, interviews highlighted an uptick in use of patient portals. Thus, we identified Support for use of patient portals as a best COVID-19 practice for HIM working in collaboration with IT and others.

Despite years of somewhat sluggish use of patient portals, many health systems are now seeing a marked uptick as patients seek ways to connect and communicate, get test results, and find general information. HIM leaders report stepped-up involvement in helping patients enroll in patient portals and in supporting them in their use. This has required allocating HIM staff to focus on portal support. An important lesson is to be certain that current portal policies and procedures are documented and capture changes or special procedures relating to reporting COVID test results and handling questions about those results.

Long-standing barriers to broad adoption of telehealth services have been eliminated by recent federal and state regulatory changes. Virtual visits and remote monitoring services have surged for routine primary and specialty care, behavioral, and employee health. In the midst of the pandemic, this is a lifeline. Rapid adoption, however, may strain organizations that may not have robust policies and procedures or a broad understanding of them.

HIM leaders report greater involvement with the ramp-up of telehealth, and Support for telehealth information needs is another important HIM emerging best practice. As with portals, they recommend telehealth policies and procedures be reviewed and adjusted as needed. Issues such as enrollment procedures and consents may need sharpening. Identity proofing (provider and patient), handling attachments, coding, and health record protocols are cited as areas where HIM expertise is needed. Telehealth may also increase patient access requests because patients and providers need to review current information to have an effective virtual encounter.

Long after this public health crisis comes under control, virtual health and health information applications will be indispensable elements of care delivery and patient engagement. There are sure to be many important health information best practices associated with this nascent era of virtual health, and now is the time to capture these lessons. There is no going back…only going forward.

Once again, I want to thank the HIM leaders who continue to share their experiences as they learn and adapt for business continuity while supporting the needs of their staff, health systems, and the communities that they serve. Please join us on April 29th for our Webinar, COVID-19 Response: Emerging Best Practices for Health Information Disclosure Management – Part 2.

Optimizing Workflows While Decreasing Paper: Emerging Best Practices and Lessons (Part 2 of 4)

By Linda Kloss

This is the second blog highlighting lessons learned by HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina in the midst of responding to patients ill with the COVID-19 virus. Once again, I want to thank these leaders for agreeing to be interviewed to share their experiences in the midst of this chaotic and frightening professional and social experience.

Their experiences pointed to 8 emerging best practices based on these leaders’ first several weeks of COVID-19 response efforts. We label them emerging because they describe adaptive, not static, changes. Adjustments will continue to be made as disaster- and recovery-response circumstances evolve. The best practices comprise three key initiatives:

  • physical distancing – staff and patients
  • optimizing electronic workflows, and
  • adapting policies to remove barriers

The first blog described two best practices for protecting staff through work at home and by changing the on-site environment. Today, we share two more important best practices directly relating to release of information practices.

Best practice #3, Close in-person R-O-I request services, turned out to be easier than expected. First, health systems were limiting all public traffic in and out of buildings. Interviewees uniformly reported that in-person requests dropped off abruptly simply because traffic was so diminished. Second, routine and elective referrals were delayed and physician practices closed, and this further depressed the volume of routine requests. In closing in-person services, interviewees advised careful attention to posting clear instructions and updating signage, web pages, and automated messaging systems.

Protected health information may be requested in five ways: 1) by completing request/authorizations at an in-person service window, 2) accessing a request/authorization on the health system website and submitting it via mail, 3) accessing a form on the health system website, scanning and e-mailing it, 4) processing verbal requests, and 5) using a request App.

Five routes have rapidly become four. Routes 2 and 3 involve handling and processing residual paper, and these routes represent the biggest barriers to work from home. Verbal requests, route 4, may be a tolerable alternative in a public health emergency, but shouldn’t become a new routine. This route is labor intensive, does not permit rigorous authentication, and can’t easily be audited.

The need to optimize electronic workflows is thus the key initiative and a key lesson from health systems on the front line. Thus, another best practice is to Use R-O-I workflow technology and the Verisma Request App. Workflow technology and request apps eliminate paper, permit rigorous authentication, and create records of requests and their fulfillment.

One of the health systems interviewed had fully implemented the Verisma Request App (VRA) and integrated it with its patient portal 18 months ago. For this large health system at the epicenter of the pandemic, minimal adjustments were needed in request procedures. The HIM leader noted that the VRA provided “peace of mind” because the request, authentication and release processes were fully automated. Another interviewee was planning to implement VRA to eliminate in-person requests for security reasons. This health system accelerated implementation, delaying full portal integration, but getting the App in place to ensure an electronic route.

In addition to using request apps, other workflow best practices involve redirecting whatever work you can to your R-O-I vendor. Because health system staff and the vendor staff use the Verisma Release Management (VRM) workflow platform, work distribution can keep pace with changing demands. Health systems that have centralized R-O-I across facilities and practices using VRM are in the best position to respond to the rapid changes in workflow required for these vexing times. One health system was in the process of centralizing R-O-I from hundreds of physician practices at the outset of the crisis. Their current challenges are with the practices that have yet to be centralized and are now closed, with unprocessed requests buried in incoming mail and virtually irretrievable. This health system also implemented a call center operated by Verisma, so all requests are processed uniformly and seamlessly.

In August of 2005, Hurricane Katrina hit the Gulf Coast and New Orleans, leaving millions of people displaced and caregivers without any trustworthy information about their health conditions and medications. We all remember the photos of people with their pill bottles in paper bags. We remember photos of wet piles of records, detritus of the flood. Only the Veterans Administration hospitals could easily access electronic medical and medication records when people relocated. COVID-19 and the lessons being learned will irrevocably change health information access and disclosure. It is already clear from the experiences of the HIM leaders interviewed that automated ROI systems, including the request application, are providing R-O-I business continuity and security flexibility.

Next week we will feature lessons learned about the importance of HIM engagement with portal and telemedicine workflows and policies. Our continued wishes for your safety and health in this very sad time. Please jump in and share your experiences and questions, request an archive of the April 1 Webinar by e-mailing Davy Simanivanh (dsimanivanh@verisma.com) and plan to join us on April 29 for a follow-up webinar.