Verisma Academy recently hosted an informative webinar featuring Timothy Noonan, the Deputy Director for Health Information Privacy, Data, and Cybersecurity at the HHS Office for Civil Rights. The session provided attendees with crucial updates on the proposed rulemaking and guidance from OCR (Office for Civil Rights), shedding light on various aspects such as reproductive health, Part 2 records, and the use of tracking technologies. In this blog post, we’ll delve into the key takeaways from the webinar and explore the implications of these developments in the realm of healthcare information management (HIM).

Strengthening Privacy Protections for Reproductive Health:

One significant aspect discussed during the webinar was the Notice of Proposed Rulemaking (NPRM) regarding reproductive health. The primary objective of this proposal is to enhance privacy protections by restricting the use or disclosure of Protected Health Information (PHI) by regulated entities for investigations related to reproductive health care. To enforce this prohibition, the NPRM suggests that regulated entities obtain a signed attestation ensuring that the requested PHI is not intended for prohibited purposes. This attestation requirement applies to various circumstances, including health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. The comment period for this proposal ends on June 16, 2023.

Understanding the Impact on HIM and Release of Information Processing:

From an HIM perspective, numerous questions arise regarding the content of the attestation and its impact on the release of information processing. To gain more insights and details on this matter, interested individuals can refer to the official Federal Register document available here.

Transitioning from COVID-19 Telehealth Measures:

Timothy Noonan also provided updates on the conclusion of the COVID-19 health emergency with regards to telehealth. Attendees were reminded that personal health information (PHI) stored on mobile devices such as cell phones and tablets is not protected under HIPAA. This serves as a critical reminder for healthcare professionals to ensure appropriate safeguards are in place when handling PHI on personal devices.

Enhanced Coordination for Substance Use Treatment:

The webinar covered proposed modifications to 42 CFR Part 2 records, which deal with substance use and disorders. The objective of these modifications is to enhance coordination among providers involved in the treatment of substance use, thus reducing existing challenges. By potentially increasing patient protections regarding the disclosure of records, these changes aim to prevent discrimination in treatment. More information on the proposed modifications can be found here.

Understanding Online Tracking Technologies and Protecting ePHI:

Another crucial topic discussed in the webinar was the use of online tracking technologies, such as Google Analytics and Meta, on entity websites or apps. Attendees were reminded that using tracking technologies in a manner that leads to impermissible disclosures of electronic Protected Health Information (ePHI) to tracking vendors is strictly prohibited. The webinar provided insights into the nature and usage of tracking technologies, as well as the necessary steps that regulated entities must take to safeguard ePHI. For additional information, visit the OCR’s website here.

Escalating Breach Incidents and the Need for Robust HIPAA Security:

The number of PHI breaches has seen a concerning increase, with hacking breaches accounting for a significant portion. In 2022 alone, there were 712 reported breaches, a sharp rise from 369 in 2018. Hacking incidents accounted for 49% of all breaches in 2022, and from January 1 to April 30, 2023, hacking incidents constituted a staggering 67% of all breaches. Moreover, during the same period, there were 559 breaches affecting 400 or more individuals, with 57% being network server-related and 21% related to email. These alarming figures highlight the urgency for organizations to fortify their security measures and conduct regular HIPAA security assessments to identify and mitigate risks.

Looking Ahead and Staying Informed:

While the finalization of the HIPAA NPRM and its potential impact on turnaround times and other significant changes remains uncertain, organizations should stay updated and watch for the upcoming Spring Unified Agenda release, which may offer more clarity. In the meantime, the industry must stay vigilant about evolving areas such as reproductive health, Part 2 records, and HIPAA security to ensure compliance and protect sensitive health information.

Verisma Academy’s webinar featuring Timothy Noonan shed light on the latest proposed rulemaking and guidance from OCR regarding HIPAA. Attendees gained valuable insights into reproductive health privacy protections, substance use records modifications, the usage of online tracking technologies, and the increasing importance of robust HIPAA security measures. In this dynamic healthcare landscape, it is crucial for organizations to stay informed, adapt to changing regulations, and prioritize the protection of patients’ health information.

The recording of this event is available on-demand and CEU-eligible through May 2024.

Many providers are exploring HIM support from outside partners to take all or some of the weight off their shoulders. The right Release of Information (ROI) and HIM partner can be a reliable and cost-effective solution for ensuring your quality standards are met without burdening you or your internal staff.

Imagine a world where your team’s health information management responsibilities are supported by industry-leading experts at Verisma. What would that look like?

1. You would spend less time recruiting, hiring, training, retaining and scheduling employees.

Finding and hiring new talent has never been more challenging. HIM partners ensure you have the resources required to meet the demands on your organization. Your employees take time off for vacations, illnesses, and leaves of absence, but Verisma is always ready. We have the people and resources to meet your needs every day.

2. You could finally address your backlog.

When you partner with Verisma, you can breathe. Because Verisma:

• Allows your in-house staff to focus on patient care
• Keeps your medical records department current on requests
• Assumes responsibility for HIPAA compliance
• Fills the gaps in your department while you still maintain your own processes and standards

A dedicated team of experts can improve turnaround time and thus reduce staff stress while improving patient satisfaction.

3. You would reduce risk and achieve or maintain compliance.

As stewards of data integrity, health information managers understand that Protected Health Information (PHI) responsibilities—from compliance, workflows, training, and coding to document completion—are top priorities. But, realistically, each one of these PHI responsibilities is a full-time job. Recent regulatory changes related to release of information (ROI) are a potentially expensive pitfall as there are steep fines for violations. Verisma has in-house experts dedicated solely to staying on top of compliance and legislative activities. Working with an outsourced team of knowledgeable HIM experts can help you feel confident that your organization meets the new requirements for releasing electronic information. Furthermore, your organization will be compliant with laws regulating strict timeframes under which requests and information must be handled to avoid stiff fines.

4. You would have happier, more focused employees who are more likely to stay with your team.

Additional HIM functions, such as prior authorizations and faxing and scan filing, often fall on staff members with multiple other responsibilities. This necessity to multitask drains staff and contributes to lower job satisfaction.

By working with Verisma, you’ll know dedicated experts are:

• Completing forms and requests efficiently and accurately
• Improving your physicians’ satisfaction by eliminating the additional work and stress of tracking down accurate patient information
• Helping ensure your processes are compliant with current regulations
• Available to help train internal staff on new technology or processes

Get back to being in one place and thinking about one thing at a time. Reach out to us today to get started.

One of the best tools for ensuring organization-wide ROI compliance is a gap analysis. A gap analysis looks at the entire disclosure management process to give you a sense of where you are today versus where you need to be to achieve and maintain compliance. In addition to compliance, the benefits of a gap analysis include a full accounting of disclosures, improved productivity, reduced paper processing, increased electronic release, improved turn-around time, and improved requestor satisfaction. This is an especially relevant topic given Information Blocking and the upcoming proposed changes to HIPAA, which are presumed to go into effect this spring.

To begin a gap analysis, you must first assess your current state. We can break this down into six steps.

1. Determine where the ROI flows into departments, practices, clinics, hospitals, etc.
2. Layout a flowchart of all “on ramps.”
3. Document the handling of all requests to include how many people touch a request. For example, does HIM forward a copy to radiology, the business office, sleep center, etc.?
4. Analyze access to systems. Include all steps required to obtain access and what effort is needed to capture all pertinent information.
5. Review current delivery method options (print, package, mail, email, fax, etc.)
6. Determine current turn-around time. Start with the actual received date and remember that the TAT clock doesn’t stop and restart every time a request is forwarded to another department or location.

Once you’ve assessed your current state, it’s time to develop an action plan.

Working with a vendor partner who can automate this process will make this step much easier. Your action plan should involve a committee of location leaders or decision makers. You can use the “on ramp” flowchart from the previous step to make decisions on centralizing intake. Then provide access to all source systems to HIM or one centralized group. To reduce the number of patients wanting to review in-person, expand your delivery method options through automated technology like Verisma Request App®. Finally, establish a one-touch process to accomplish an accurate TAT.

The most difficult part of this process is building a unified ROI plan. Change projects are always challenging, especially within complex health systems, but your gap analysis will help as you move forward. Follow these five steps to build and implement your plan.

1. Recognize the need for change. Get internal support and lay out your business case with benefits. HIM leadership should usually handle this step.
2. Craft a vision. Your vendor partner can help you strategize for success.
3. Implement change.
4. Embed changes in your culture and practices. Make sure old ways aren’t creeping back in.
5. Review your progress and analyze the results.

If you’d like to learn more about how Verisma can help you conduct a gap analysis and build an ROI roadmap, contact us.

The information blocking definition of electronic health information (EHI) includes the entire scope of electronic protected health information (ePHI) that is or would be in a Designated Record Set (DRS). Prior to October 6, 2022, the definition of information blocking was focused only on the subset of EHI that is represented by elements in the United States Core Data for Interoperability (USCDI) v1. As of October 6, 2022, all EHI falls within the scope of the information blocking definition. 

What is and what is not EHI for purposes of information blocking regulations?  In Verisma’s Nov 2022 ROI Roundtable Webinar we heard from two experts with the ONC – Rachel Nelson JD, Branch Chief, Compliance and Administration Branch, and Dan Healy, Policy Coordinator, Compliance and Administration Branch on what EHI is and how its definition relates to but differs from the definition of ePHI under the HIPAA Rules. The speakers provided important facts related to current information blocking policy and what healthcare organizations and providers should bear in mind specific to information blocking regulations as they review and update their technical capabilities and workflows in context of their DRS (Designated Record Set) to ensure they are sharing EHI consistent with all applicable laws. Some highlights from their presentation follow.

What is EHI as defined by the information blocking regulation?  According to ONC, EHI is as follows:

• “Electronic Health Information (EHI) means electronic protected health information (ePHI) to the extent that the ePHI would be included in a designated record set as these terms are defined for HIPAA.”

The scope of EHI is relayed was shared in the following ONC graphic that can be found at HealthIT.gov:

The expansion is “only” PHI that is in an electronic format. Noted in the webinar is that EHI is “electronic health information (ePHI) to the extent that it would be included in a designated record set.” Further explained during the webinar was that EHI “is individually identifiable health information, that is maintained in electronic media or transmitted by electronic media.” If the ePHI is included in any of the following records and not in the exclusions such as psychotherapy notes, then it would be considered EHI:

• Medical records and billing records of a provider about an individual
• Enrollment, payment, claim adjudication, and case or medical management record systems maintained by or for a health plan.
• Records used in whole or in part to make decisions about individuals

What is not EHI was explained as well. For example, such things like psychotherapy notes, information complied in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, employment records health information, and de-identified protected health information. EHI is not limited by when the information was generated.

Organizations should be looking at what they now include in their designated record set policy and revise if necessary, to ensure the that their policy includes the full scope of EHI that is now in effect as of the October 6, 2022 expansion of the EHI definition beyond the current USCDI v.1 definition.  Working with your Release of Information vendor is important as well, so they are aware of exactly what ePHI is defined in your designated record set and how to access all the ePHI for disclosure purposes. Many resources such as an EHI Fact Sheet, recorded Webinars, and an Infographic are available on https://www.healthit.gov/.

Dan and Rachel also spent time going over the Information Blocking definition and explaining how that relates directly to the exchange of ePHI. More details and explanation of the Information Blocking Regulation was shared with the attendees. Points that have caused some questions from health care providers and others in the health IT field were clarified. Information Blocking applies to “actors.” Actors are:

• Health Care Providers
• Health It Developers of Certified Health IT
• Health Information Networks (HINs)
• Health Information Exchanges (HIEs)

Exceptions to the Information Blocking Rule, which have caused a lot of questions from “actors,” in particular the “Content and Manner Exception” where it is not considered information blocking if the actor does not have all the requested EHI in their possession, cannot be shared using the technology requested, or where it must be “withheld due to laws or is permissible to be withheld, such as under the Preventing Har or Privacy exceptions.” One example would be if it would be impossible for an actor to segment out psychotherapy notes from the EHI. Another would be the cost to comply would be prohibitive. Other examples were given as well as resource information available on ONC’s Cures Act Final Rule website.  For more in-depth information on Information Blocking, resources can be found at https://www.healthit.gov/ where there are fact sheets, Webinars, and FAQs. 

Health Information Management leaders should be reviewing all the policies and procedures related to release of ePHI, especially their designated record set policy to ensure they are following the updated requirements that went into effect on October 6, 2022 and working closely to ensure their ROI vendor is up to date on all the requirements to ensure there are no risks of information blocking.

AHIMA22 brought us to Columbus this year, the capital and heart of Ohio. It’s been three years since we’ve all been together and there was so much catching up to do! The American Health Information Management Association (AHIMA) is the leading voice and authority in health information where the associated experts work at the intersection of healthcare, technology, and business. Today more than ever, in an era where technology drives change and efficiencies on one hand and on the other hand increases the risk of interfering with privacy and security, managing the complexity of patient’s information is critical. Healthcare professionals must ensure that sensitive health stories remain accurate, accessible, protected, and complete at all times.

We all know the tremendous effects COVID had on our healthcare and the gaps it highlighted in our systems. It changed the workforce landscape with an increased need for healthcare professionals and the reality that jobs require more technical skills than ever before. AHIMA22 highlighted the emerging changes and responsibilities that healthcare information management professionals face today.

The conference kicked off with sessions on “Design Thinking for Innovation in Healthcare” and “What Does it Take to Become a Revenue Cycle Executive” and a marching band performance! There were over 40 in-person sessions led by health data experts and visionaries, new product tech demos in the exhibit hall, networking opportunities, and social events with over 3,00 attendees. Thinking back on all that I heard and witnessed at this convention, there are a few key takeaways I’d like to share:

Design Thinking for Innovation in Healthcare

This workshop kicked off the conference and set the tone for the rest of the week. Design thinking process is a theory that many startups and innovative companies use to solve real end user problems and it’s one of my favorite methods to use to develop user centric products. Design thinking is taught at top universities like Harvard and is adopted by brand name companies such as Apple, Google, and Samsung. It’s a 5-part problem solving approach you can apply in both your organization and your daily life. It centers around end user challenges and how to put aside limiting beliefs and our own perspectives to solve a problem based on observation and thinking outside the box.

“Healthcare requires continuous innovation to meet the needs of patients and providers,” says Mary Ann Sullivan, MA, CCMP, senior director, professional development and education operations and innovation at AHIMA. But important stakeholders are not always considered when new interventions or processes are designed. This can lead to products and services that do little more than gather dust, while the underlying issues remain unaddressed. “Design thinking,” Sullivan says, “can be used to improve clinician-patient workflows, healthcare spaces, customer service, and community programs.” In a healthcare landscape where there are so many silos, this methodology can be useful to bridge the gap and deliver real solutions that bring back the patient to the center of care.

Privacy and Security

AHIMA22 had top experts on information blocking, electronic health record vendor efforts to protect privacy and achieve interoperability, cyberthreats, and risks associated with the Internet of Medical Things (IoMT). There is an ongoing responsibility to understand and comply with laws that govern the privacy and security of health information. It’s important to learn unique security gaps and how to mitigate the IoMT risk as healthcare increases its use of devices that interact directly with patients. Furthermore, understanding the current drive to achieve an interoperable landscape requires heightened privacy and security.

Consumerism

The last several years was a turning point in healthcare with consumers finally empowered to make more informed decisions about their health. AHIMA22 included a focus on consumerism with sessions that offered incredible insight for health leaders to learn about new and emerging technologies and roles in health information that place the patient at the center of it all. Returning consumers to the center of patient care will impact healthcare for generations to come. Healthcare professionals can be both patient advocates and liaisons to help patients better understand the ever-changing environment. The pandemic has accelerated patients’ usage of health-related digital devices, which can provide more productivity, but also isolates the patient from human care. Healthcare professionals need to understand technology and find ways to humanize the experience.

Data

There were many lectures and vendor demos of products related to data. Because we use the science of collected information to have predictable results in a complex system, more data can lead to more informative decision making. This is vital because health data, including population health information, must be accurate and trusted as many strategic and patient care decisions rely on it. Also, health data and data models have a significant impact on business intelligence and initiatives. It can shed light on gaps in the systems or reasons for failure in the workflows and showcase and inefficiencies. Data governance is the yellow brick road to health data integrity and must be followed to ensure the reliability of the data. Organizations seek to improve patient care and outcomes through the collection of Social Determinants of Health data. Health data lies at the center of interoperability and interoperability is the key to getting the right information at the right time to the right person. Here at Verisma, we have a leading data and analytics tool, that is easy to use and all the reports related to Release of Information can be customized in a easy to understand format to drive real engagement with the process of providing real and accurate health records.

It was interesting to flow between so many fascinating topics while acknowledging how much the role of Health Information Managers is changing. That’s why Verisma is changing ROI for a changing world. I look forward to showing you the new products and services we’re developing to support you!

If you or your colleagues plan to attend AHIMA’s virtual conference in November, don’t miss Verisma’s session on the top disclosure management trends.