HHS Steps Up Access Enforcement: Compliance Implications

By Linda Kloss

On September 9, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first monetary enforcement action regarding the rights of patients to receive copies of their medical records. Sadly, we’re all too familiar with the long list of actions following breaches of health information. In fact, OCR levied over $28 million in fines for 2018 breach actions. Now, Bayfront Health, St. Petersburg, FL has become the first covered entity to be fined for failure to comply with medical record access requirements.

Earlier this year, OCR announced its initiative to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.  Empowering patients is one of four key strategies for HHS and access to information is a key tactic.  HHS is advancing access through its policy, standards, and enforcement levers. Patient access is a right ensured by the HIPAA Privacy Rule.  However, based on evidence of persistent barriers to patient access, HHS released Patient Access Guidance in 2016 that set out limits on what patients could be charged and reiterated process requirements. More recently, HHS is encouraging the use of apps for release of information to streamline the process and improve the flow of information.

The Bayfront case is a wake-up call for all compliance and disclosure management professionals and their business associates. OCR initiated an investigation based on a complaint from a new mother who had requested fetal heart monitor records on her unborn child. Bayfront first claimed that it did not have the requested records and later provided a partial set of records after repeated requests from the mother and her attorney. The requested records were provided twenty-two (22) months after the initial request and only after a complaint was filed with OCR. HIPAA Rules, of course, generally require covered entities to provide medical records within 30 days.

Bayfront agreed to pay a fine of $85,000, modest by comparison to fines paid for breaches, but not modest when one considers that this involves a single patient’s record set.  Bayfront also executed a one-year corrective action agreement that largely focuses on demonstrating that it has updated access policies and procedures, educated its workforce, and has mechanisms in place to monitor performance.  Bayfront is obligated to report instances whereby its employees or those of a business associate fail to comply, along with the results of its review and investigation.   It is also obligated to comply with documentation requirements as spelled out in HIPAA’s accounting for disclosures provisions. 

Enforcement is a powerful lever that only a governing entity can apply.  The fact that HHS is using this lever for patient access should prompt covered entities to evaluate the adequacy of their practices given the very rapid changes in health information disclosure management.  Reasonable disclosure management practices today include the following:

  • Technology-enabled – Managing growing volumes of requests can’t be done without end-to-end disclosure management software that tracks and prompts every phase from request through release, including compliance prompts.
  • Optimized process – Migrating from siloed and fragmented release practices to standardized and even centralized practices across the health system—that are knit together by use of compliance-based technology.
  • Patient-centered – Proactive patient facing practices that enable patients to control the request and release processes through use of apps with rigorous authentication.
  • Knowledge work – Release of information personnel who understand guiding regulations and principles and are trained to do the jobs they do.
  • Accountability – Tracking, red flagging and trending the status of all requests and maintaining auditable accounting of disclosure records. 

We empathize with Bayfront’s unfortunate experience and that of the mother who experienced anguish and frustration through inexplicable delays.  This should not happen, but I bet many are whispering “there but for the grace….”  This is a learning moment.  Business as usual in release of information is no longer in our patients’ or our employers’ best interests.  Many health care organizations are rapidly moving to a new level of practice – and not a moment too soon.   

There’s an App for That!

By Linda Kloss

It’s a typical weekday for me working from home and stopping to get a few things cleared off my “to do” list.  It’s 2:30 in the afternoon and I have already used 10 apps:  I read my digital newspapers, did online banking, scheduled service on the car, ordered dog food, scheduled an annual dermatology appointment, booked a flight, hotel, and airport transportation, figured out a route from the airport to my hotel, and downloaded a book for next month’s book club.  You get it; this is now a typical day for most connected consumers.  Not long ago, we would have driven to the bank, dog food store, bookstore or library, called the travel agent, auto mechanic, and so on.   Apps have transformed how we get things done.

Now, many consumers use an app to access their medical records, downloading to a mobile device for their own use and to share as they see fit with providers, other caregivers and family.  Release of information, long a back office processing function, is becoming an app-enabled, consumer-driven service.  This transformation is largely driven by consumers.  When so many parts of our life are supported by apps, consumers are not satisfied with having to contact various hospitals and provider offices, complete forms, wait for paper or CD and pay a fee to gain access to their own information. 

Federal emphasis on interoperable EHRs brought the barriers patients face in accessing their information to the forefront. Fees were identified as a barrier, and in 2016 the Office for Civil Rights addressed this with its patient access guidance. The Office of the National Coordinator for Health IT (ONC) extended the focus on patient access by including functionality in its EHR certification criteria, directly supporting standards-based application programming interfaces (APIs) and apps, and promoting access through public education. Patient access is one of six key planks in implementation of the 21st Century Cures Act designed to unlock the power of digital health information.

Consumer demand, supported by federal policy, will transform release of information to an app-enabled function, and I believe that this will happen very quickly. I base this prediction on the experiences of health systems that enable web access for patients and authorized third parties. Adoption and uptake have been swift and overwhelmingly positive.

You can learn from NewYork-Presbyterian’s Susan Tabickman about this world renowned health system’s use of Verisma’s API-based app for release of information in a free webinar on October 30!  Registration information follows.   

There are inherent privacy and security risks for apps involving confidential patient data. Access and disclosure of patient information also require hardened compliance protocols. Trusted release of information app developers must meet a high bar; a developer must have the requisite technical and standards know-how, but must also have compliance, data protection, and accuracy in its DNA.

Against this background, CIOs and HIM professionals should proactively advance access transformation on four fronts:

1.  Transition from fragmented to standardized and centralized disclosure management across the health system.  This requires adoption of enterprise release of information management software and best practices.

2.  Add an app linking EHR and the enterprise release of information software so information can be requested and disclosed via web portal.

3.  Design and implement policies and processes to protect the consumers’ right of access with appropriate privacy and security protections for an app-enabled patient access environment.

4.  Develop an implementation plan that includes consumer and staff outreach and education.

I can’t yet access my EHR via app, but when I can, you can be sure I will keep my medical record securely on my password-protected phone. The days of taking notes, requesting and storing paper reports, and trying to recall when I last did this or that will be over. The timing is right and it just makes sense.

Use this link to register for the free webinar on October 30 at 2-3 pm EDT: https://bit.ly/2peAwoK

WEBINAR: There’s an App for That! Connecting People with their Health Information

Date: Oct 30th, 2019 2:00 pm – 3:00 pm EST

Presenters:

Susan Tabickman, RHIA
HIM Manager, NewYork-Presbyterian Hospital

Anupriyo Chakravarti
CIO & SVP, R&D, Verisma Systems, Inc.  

Linda Kloss, MA, RHIA
Regulatory Policy Leader, Disclosure Management, Verisma Systems, Inc.

Last year the Office of the National Coordinator for Health IT (ONC) announced rules in support of patient access to their health information using standards-based application programming interface (API) technology. APIs enable computers to talk to each other, and it is the vision of ONC to enable people to access and direct their health information using API-based apps.

In this webinar, participants will learn from the firsthand experience of NewYork-Presbyterian Hospital how the Verisma Request App (VRA) is transforming release of health information (ROI) at NYC’s #1 hospital.  NewYork-Presbyterian is proactively advancing the right of the patient to get their electronic health information — and they are using VRA as the application to do so.  This  webinar will also highlight essential technical and functionality app requirements that HIM, CIO and Compliance managers should assess when considering use of mobile tools.

Webinar objectives:

  • Understand the federal policy environment concerning apps and health information access
  • Learn from health system experiences using apps to enable release of information while improving customer satisfaction
  • Review a technology, standards, privacy and security checklist for sound release of information apps

Approved for 1 AHIMA CEU Credit for Management Development


WEBINAR: Northwell Health Physician Partners: Automating Disclosure Management in an Ambulatory Setting

Date: Jan 16th, 2019 2:00 pm – 3:00 pm EST

Presenters:

Lyndsey Kane, RN-BSN
Project Manager, Northwell Health Physician Partners

Anupriyo Chakravarti
SVP, R&D, Verisma Systems, Inc.  

This webinar will focus on key compliance and business drivers for standardizing release of information practices and procedures across physician practices that are part of an ambulatory or integrated health delivery system. Health systems often begin by ensuring consistency and efficiency of information disclosure management across their acute care facilities. But the job is not done until health information is released in a standard way across all levels of care.

During this presentation, Lyndsey Kane, RN-BSN, Project Manager at Northwell Health Physician Partners and Anupriyo Chakravarti, SVP, R&D at Verisma Systems, Inc. will explore how the ambulatory HIM department is centralizing ROI processes and implementing disclosure management solutions to automate workflows, ensuring accounting for all disclosures while improving overall compliance and efficiency.

Geared towards managers of medical practices, HIM, privacy and release of information teams and compliance managers, this webinar will address the following learning goals:

  • Review current regulations and guidance on patient access and release of information
  • The case for automating compliance and disclosure management in medical practices
  • Review the challenges and solutions used by Northwell to improve ROI automation and compliance
  • Discuss the benefits and rationale for centralizing ROI across ambulatory practices, and the processes needed to move towards technology-supported standardization

Approved for 1 AHIMA CEU Credit: Privacy & Security

No More ‘Business as Usual’

By: Linda Kloss

The professional discipline of ROI has changed in the past two decades. Your job has changed. And, without a doubt, expectations around your performance have changed.

Once, ROI was a narrow hospital-centric workflow that could be outsourced and forgotten. No more. Now we are called upon to manage access and disclosure across and beyond an entire healthcare enterprise – and in support of a mission-critical imperative of improving the patient experience.

3 major drivers

What is shaping the new HIM ecosystem?

  1. The rise of complex and community-wide health systems like Sutter Health in San Francisco, Partners Health in Boston and UPMC in Pittsburgh.
  2. Health information is no longer “at rest,” safely tucked away in the archives. Because it is now digitized, health information is in motion and in use, being reused, recombined, redisclosed.
  3. Patient-centeredness is no longer a concept limited to direct patient care, but applies to all points where patients interact with a health system.

4 keys to transformation

You’ve heard the old inspirational saying, “The bend in the road is not the end of the road…unless you fail to make the turn.” Fortunately, the past few years have seen the emergence of new tools and workflows that help you and your colleagues make this turn.

  1. Request apps help healthcare organizations increase the convenience for patients, accelerate the speed of request processing, and lower the cost for both patient and organization. New technologies empower patients – as well as other authorized requestors – to submit requests from their computer or smart phone.
  2. Automation allows healthcare organizations to centralize and standardize disclosure management processes. The old playbook – where processes across ambulatory, acute care, home care and the ED were fragmented – increased cost and compliance risk.
  3. Auditing and analytics are now valued as critical to effective and efficient access and disclosure management processes. New tools streamline workflows, quality assurance and reporting so leaders can monitor compliance and performance issues.
  4. Accountability is a critical component. Workflow technology should help people do the right thing at the right time. And it should produce a record of the work performed for accountability and as a teaching tool to improve the productivity and skill of access and disclosure staff.

Of course, any transformative effort requires more than can be contained in a simple 400-word blog. If you are going to AHIMA next week, look me up for a deeper conversation. I will be at the Verisma booth #403 and will deliver a presentation on this topic at 2:30 p.m. – 3 p.m. on Tuesday, Sept. 25.