Using Technology to Achieve Centralized ROI

By Barbara Carr, RHIA

I have spoken often about how urgent it is to centralize your release of information (ROI) processes. COVID, hybrid workforces, Information Blocking requirements, as well as the upcoming anticipated HIPAA changes with a reduced turnaround time to 15 days, have put more pressure on healthcare organizations to move to a streamlined unified process to manage requests for healthcare information that are flowing into their organizations and landing in various locations.

Having disparate processes and various policies sets your organization up for compliance risks in addition to redundant and costly processing. Are all incoming requests making it to your ROI team in a timely way, or are they sitting on fax machines or desks, waiting days to be entered into the system? We need to ask ourselves: can we truly account for all disclosures of protected health information taking place across our entire organizations?

Without a centralized intake process, the answer is probably no.

Once you make the commitment to centralize your ROI process, you will need the right technology to make it work. Some questions you may have include:

  • How will various requests get into a centralized system?
  • How will you be able to ascertain and prioritize the types of requests that are coming in across your system?
  • How will you know where the requests are coming from and what, if any, backlogs may be creeping in?
  • How will you be able to manage the input of requests?
  • How can you report on the success of a centralized process?

All these questions can be answered by utilizing the right technology and partnering with the right ROI vendor. Of course, you will need sound policies and procedures, but without the technology, it just doesn’t work.

The Verisma Release Manager® (VRM®) platform with its powerful Verisma Inbox™ technology can help your organization centralize and streamline the request intake process and aid in reducing redundancy, improving productivity and turnaround time, and providing metrics and visibility into your ROI operations. Here’s how:

  • Utilizes smart barcode technology that automates the entire request intake by healthcare facility, giving you 100% visibility.
  • Centralizes and automatically categorizes all requests based on rules you specify. This helps effectively prioritize the time sensitive requests so they can be worked on first.
  • Requests can be received from multiple sources with duplicate requests flagged to reduce multiple releases of the same record to the same requestor.
  • Everything visible on one page enables faster processing of each request. The actual request/authorization images, the request’s current status, who in production the request is assigned to, and any important instructions/notes regarding the request are all visible on one page.
  • Built in retrieval protocols available to the ROI workflow specialist so they know where to go across your disparate record sources for each record type being requested supported by built-in policies and procedures specific to your organization. No need to search elsewhere for this information.
  • Comprehensive analytics that produce metrics on volume, productivity, turn-around-times, workflow compliance, and financials by multiple data levels including by facility, employee, request types, delivery methods, etc., make managing a centralized process a more efficient and manageable process than ever before.

Examples of how the right technology can be an invaluable asset in the management, compliance, and overall efficiency of an enterprise-wide disclosure management process include a large, complex, multi-hospital health system who discovered, and quickly resolved, a significant request back-log challenge that was due to their previous decentralized ROI approach. Within weeks of implementing the Verisma Inbox tool, this organization is now realizing the benefits of one centralized solution to processing ROI requests. They now have immediate visibility into their volume and turnaround time metrics across all sites, greatly reducing the risk of future backlogs.

Utilizing advanced technology along with well thought out policies, procedures, and staff training, can make managing a centralized approach to ROI across your enterprise a highly achievable objective.

3 Reasons You Miss Turnaround Times (and what to do about it)

It’s 4:45 pm and your shift is about to end. You take one final glance at the queue of new patient record requests and unbelievably, it’s at zero. “Great!” you think, “My team has visibility on everything that needs to be processed and is well on their way to responding within 30 days. Even if we only had 15 days, we could handle this!”

Now let’s be honest – this is a fantastical scenario. Most, if not all, healthcare organizations have a backlog of requests they’re aware of but haven’t processed. Thankfully, if you track the date those requests entered your system, reaching the HIPAA-required turnaround time should be doable, right?

Not always. Here are three reasons why:

1. Your backlog is bigger than you think

If you manage turnaround times based on your intake queue, you need 100% certainty that record requests make it to the queue on day one. Are there requests sitting on the fax machine? Are there several sitting in someone’s email inbox? Are they on vacation?

There’s risk in what you can’t see. If your organization has multiple locations with a decentralized ROI process, this problem compounds.

To confidently say your organization meets required turnaround times, you need 100% visibility across the intake process.

2. Your backlog is smaller than you think

We all know it’s unavoidable – duplicate requests. Whether by accident or due to impatience, this redundancy is an inefficient use of time and resources.

3. You’re not prioritizing effectively

First in first out isn’t always the best process. If all record requests in your system look the same, how do you know which are from patients vs attorneys? How many are for continuity of care?

COVID, hybrid workforces, Information Blocking requirements, and the upcoming anticipated HIPAA changes with a reduced turnaround time to 15 days have put more pressure on healthcare organizations to move to a streamlined unified process.

Verisma’s disclosure management experts are here to guide you through the process. Well-orchestrated policies and procedures paired with leading technology designed for ROI workflows are the key to achieving improved productivity, enhanced patient/requestor experience, and actionable metrics on your ROI operations success.

Specifically, the Verisma® advanced Release Management (VRM®) platform with its powerful Verisma Inbox™ technology:

  • Utilizes smart barcode technology that automates the entire request intake by healthcare facility, giving you 100% visibility
  • Flags duplicate requests to reduce multiple releases of the same record to the same requestor
  • Centralizes and automatically categorizes all requests based on rules you specify so you can prioritize effectively

Verisma Inbox™ technology is the first of its kind and continues to offer more automation capabilities at no extra cost to our clients. Come see our latest innovations at AHIMA 22 booth #411.

Not going to AHIMA? Request a demo any time here.

Webinar Recap:  Software Supply Chain Risk – Effective Third-Party, “Nth”-Party Management

On August 10th Verisma hosted a webinar where Verisma’s Chief Information Security Officer, Jim Staley, provided the HIM community with vital information on how to protect Protected Health Information (PHI) from third-party cyberattacks. This topic is not only timely, but something all of us need to be aware of and take steps for in order to protect our critical PHI.

The top 2 enforcement actions by the Department of Health and Human Services and OCR in 2021 were: 1) Patient Right of Access to their medical information and 2) ransomware attacks. In 2021 there was a 21% increase in cyberattacks in the Healthcare Industry. Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware. The proliferation of third-party, patient-facing technologies makes healthcare organizations more vulnerable. When a single organization has multiple apps or technologies integrated into its systems, any of these technologies could be the weak link and act as a point of entry.

Jim explained that third-party attacks leverage trust between two or more organizations, making them difficult to defend against. Third-party attacks allow attackers to breach multiple targets at once, providing attackers with both scale and efficiency. A traditional cyberattack targets a person, organization, etc. which then gives the attacker access into that one organization’s data or systems. Phishing emails are the most common way used to gain access.

Third-party attacks work a bit differently in that an attacker will try to compromise a vendor. Once the vendor is successfully compromised the attacker then leverages the trust relationship between the vendor and ALL the vendor’s customers to (potentially) compromise all the customers’ systems and data. The initial attack takes the same amount of effort for the attacker, but the payoff is orders of magnitude higher.

Types of third-party attacks:

  • True third-party attacks: one of your vendors is attacked and the attacker then uses that to get to you. (Ex. Target in 2013 where Target’s HVAC vendor was compromised)
  • “Nth”-party attacks: one of your vendor’s vendors is attacked and then the attacker pivots to get to your vendor and then to you. (Ex. The law firm that your vendor uses is attacked, leading to an attack on your vendor, and then from the vendor to you. Law firms are a very popular target right now because of this leverage!)
  • Software supply chain attacks: some piece of commonly used software is attacked, usually by inserting malicious code into the patch cycle (Ex. SolarWinds attack in 2021). When the patch is pushed to all the vendor’s customers, all the customers get infected as soon as they apply the patch.
    • Note: this type of attack is rare and requires a high level of sophistication. DO NOT be hesitant about deploying patches. Unpatched environments create a much higher level of risk!

As a covered entity or business associate who engages a vendor, it is your responsibility to understand the completeness of the vendor’s security control environment. One tool we use to do this is leveraging established and accepted security frameworks that provide either guidance or tools to ensure security. There are many widely accepted security frameworks that describe the controls (“safeguards” under HIPAA) that are applicable to a given type of business or situation. These frameworks are designed to provide “commercially reasonable assurance” that the vendor is meeting the minimum legal requirements for security controls. It is important to understand the different frameworks and the types of assurance they offer.

Before diving into the different frameworks and some of the differences between them, let’s take a look at the three types of controls that are measured by the frameworks:

  • Administrative Controls – these are typically policy (what to do or not to do) and procedure documents (how things are to be done).
  • Technical Controls – firewalls, anti-virus software, and encryption are all examples of technical controls
  • Physical Controls – examples include having designated secure areas for people, data, and systems with locked doors and secure badge entry systems

One way to differentiate between the types of security frameworks is to look at those that are externally certified by an auditor vs. those that may not be. It is important for HIM leaders to be aware of these frameworks so that they can adequately evaluate a vendor and the vendor’s security prior to signing a contract for service from them.

Risk management frameworks that don’t necessarily provide external validation and certification include:

  • NIST – National Institute of Standards and Technology (nist.gov): This is required by law for all Federal agencies and many State agencies and for companies wanting to do business with those agencies. Highly flexible because the same framework has to be applied to agencies as different as NASA and your local Parks & Rec department. Because of this it can be highly complex to implement. Because it is issued by the Federal Government, it is considered the “gold standard” from a legal perspective.
  • CIS Critical Controls – Center for Internet Security (cisecurity.org): Widely used commercially for performing rapid assessments of the most critical controls. Very simple and flexible and is easily customized to any type and size of business. Focuses highly on the technical controls that have been proven to be the most effective in stopping real-world attacks.
  • HIPAA Security Rules: HIPAA is also a type of framework that provides both required and “addressable” safeguards (i.e., controls) that covered entities and business associates must follow. One of HIPAA’s safeguards is that it requires detailed Business Associate Agreements (BAAs) to be in place not only for all contracts between covered entities, but also between a BA and their vendors. But it’s important to note that just having a Business Associate Agreement that requires the vendor to be HIPAA compliant does not in itself necessarily constitute due diligence on the part of the covered entity; additional due diligence is often required. Another important but often overlooked HIPAA safeguard is that all covered entities and business associates are required to perform an annual HIPAA-centric security risk assessment, and these assessments (or the lack of them) are often used by OCR to determine the severity of penalties. Make sure that you and all of your vendors are doing these!

Risk management frameworks that do provide required external auditing, verification, and certification include:

  • SOC 2 – American Institute of Certified Public Accountants (aicpa.org)
    • There are other types of “SOC” audit reports, but “SOC 2” is the one that applies to a company’s security controls
    • Annual audit performed by an accredited CPA firm
    • Can be Type I (“point in time”) or Type II (“over a period of time”)
    • Failing any of the Trust Criteria can result in a “qualified” report, at auditor’s discretion
    • Not as prescriptive as some other frameworks because the company has the flexibility to write its own control statements
    • Should be done every year, but “Bridge Letters” may be issued by the company if they don’t do a SOC 2 within a given year. The Bridge Letter is the company’s official statement that there have been no significant changes in their control environment.
    • Typically, 75 to 150 controls that are audited
  • HITRUST r2 Validated Assessment – (hitrustalliance.net)
    • There are several HITRUST assessments that provide varying levels of assurance; the r2 validated assessment provides the highest
    • Full audit every other year, with “interim” assessments in the off years
    • Failing any of the 19 domains results in failing the certification
    • Very prescriptive, controls are provided based on scoping, and then scored based on the completeness of policy and procedure documentation plus evidence that the control has been implemented.
    • Typically, 300 audited controls, and can be over a thousand depending on the scoping
    • Leverages NIST and provides a report that shows how the company is doing against the relevant NIST standards.
  • ISO-27000 – International Standards Organization (iso.org)
    • An internationally recognized standard that provides an externally audited certification that is accepted around the world, not just in the US. In healthcare this is typically used by medical device manufacturers who sell in multiple countries, and by larger international law firms.

As HIM leaders are charged with protecting PHI, we should be looking for vendors who are leveraging security frameworks that provide some level of externally validated certification. We don’t have to be experts in all the details of cyber security, but we need to understand what these various certifications mean when evaluating a vendor. Understand not just your third-party, but also your “Nth”-party risks, all the way down to your entire vendor supply chain. Require ALL vendors who provide software or who have any kind of direct access to your systems to have at the very least a SOC 2 Type II report that is renewed annually. HITRUST is a high bar for small vendors but is rapidly becoming the standard in healthcare especially for larger technology vendors who deal with large volumes of PHI, such as Verisma. Any certification requirements should be written into your Business Associate Agreements. Ask the vendor to supply a SOC 2 or HITRUST r2 certification report. Read reports and ask questions about findings and corrective action plans. It is possible for your vendor to be certified but still have gaps. Understanding any relevant gaps is key to understanding and managing your risk, so read the reports carefully! Do an annual inventory of your vendors and identify what they have access to and assess whether the access they have is the minimum required for them to do their job.

In conclusion, protecting PHI from cyberattacks is not just the job of the IT Department, but it is also the responsibility of Healthcare Leaders to ensure the many vendors we deal with and who have access to our PHI are certified to protect our most valuable information.

Managing Patient Requests for Amendments – One Health Systems’ Story

By Barbara Carr, RHIA

The 21st Century Cures Act’s goal of increasing information sharing and enabling patients to have their healthcare data delivered conveniently to their computers, cell phones, and mobile applications has increased privacy and security worries for many healthcare organizations. Having the right data security and processes in place to enable information sharing is forefront as this new era of patient access continues to drive a more educated and engaged patient population demanding governance over their health information. We can expect that the once rare occurrence of record amendment requests will soon be a regular activity that will need to be carefully and accurately managed.

Presently, the Patients’ Right to Access must be granted within 30 days regardless of record location (onsite vs. offsite), and regardless of media type. One 30-day extension applies but must be communicated to the patient and documented. Any denial of access also needs to fit within this 30 day/60 day time frame.

The growing tech savvy and health aware public wants access and control over their health information. This has led to an increase in demand for the release of information to the patient. As we are all aware, the electronic health record is not always neat and tidy and easy to digest. Patient records also have a high degree of “copy and paste” type notes leading to issues with accuracy of information from visit to visit. With more patients reviewing their records than ever before, perceived interpretations and actual transcription errors require a more robust ability to address the influx of questions, corrections, and possible amendments.

It requires a dedicated team to handle these requests to ensure consistency of process and compliance and should not be left up to each area within the organization to address on their own. Having a streamlined way in which you handle requests for amendments is imperative for HIPAA compliance and overall patient satisfaction.

During our May ROI Roundtable Webinar Series, we were honored to have Mercy del Rey, Assistant Vice President and Chief Privacy Officer for Baptist Health System South Florida, and a Verisma client, speak to us on how their 12 hospital and 200+ outpatient center health system has employed a centralized process to address the significant growth of patient record amendment requests over the past decade.

Baptist Health South Florida began their journey to a centralized process right from the inception of HIPAA, by establishing a corporate privacy office that would also be responsible for handling all patient amendment requests. With the advent of HIPAA and Right to Access, HITECH, Meaningful Use, and the explosion of the electronic medical record, they saw the volume of requests for amendments dramatically increase. The advent of patient portals, the information demand related to a global pandemic, and the government’s increased push for information interoperability and sharing have further increased the volume of requests. In 2003, Baptist Health South Florida received 7 requests to amend healthcare information. That number has steadily grown to well over 300 requests a year at present.

Mercy demonstrated how they carefully evaluate each amendment request with questions that include:

  • Does this error affect the care received?
  • How will this affect future care?
  • Legitimacy of the request such as “I fell at Walmart, not at home”.
  • Where are all the places in the record that we need to have addendums?
  • Will the record need to be re-coded and re-billed once a change has been made?

Having a central, dedicated, trained, and knowledgeable team review each request and make these determinations is essential for process consistency and overall amendment accuracy. This requires a detailed review of the request and the medical record in question, as well as the ability to reach out to the clinician(s) involved who will review the request and review the medical record to determine whether the amendment can/will be made.

Some of the many roadblocks/challenges her team faces include a clinician’s willingness to review and amend a record, technical challenges that may affect the ability to capture the associated information across the record set, detangling medical records across multiple platforms, old paper records, complex requests that may require varying degrees of interpretation, and the careful management of unrealistic patient expectations. To help with these challenges, Mercy’s team looks to others in the organization for assistance in removing these roadblocks. They work hand-in-hand with the Patient Experience team to help manage the patient communication process. For clinicians unwilling to cooperate, they have established an escalation process up the chain of command to their Chief Medical Officer. In addition, they work closely with Health Information Management on issues such as the detangling and updating of a medical record. As Mercy relayed, “It takes a Village”.

Key to process compliance and overall success is that all new employees, including the physician staff, are trained on the amendment process as a part of their orientation and onboarding. This ensures that everyone is aware of the process from the beginning of their employment. Baptist Health System South Florida makes their patient amendment request form available on-line, which automatically routes all new requests directly to Mercy and her Privacy Office. In addition, they receive requests from the Patient Experience team, who sometimes receive the request as a part of their patient complaint filing process.

This centralized and accountable approach to handling patient amendment requests has enabled Baptist Health South Florida to maintain a scalable, highly organized, and compliant approach to handling patient requests for amendments all while keeping the patient’s needs, safety, and overall satisfaction at the forefront of their efforts.

Information Sharing Under The 21st Century Cures Act

By Barbara Carr, RHIA

On March 16, 2022 Verisma hosted a webinar on Information Sharing and the 21st Century Cures Act presented by Elisabeth Myers, MBA, Deputy Director, Office of Policy, HHS Office of the National Coordinator (ONC). The ONC oversees regulations concerning information sharing and interoperability of electronic health information (EHI). Information sharing is at the heart of the 21st Century Cures Act’s information blocking rules.

The Information Blocking regulation went into effect on April 5, 2021. While we should all be fully compliant with the regulations by now, the fact is that in 2022, the regulation will expand the definition of EHI beyond the current United States Core Data for Interoperability Version 1 (July 2020 Errata) (USCDI v1) data set. As defined by the Information Blocking rule, the EHI definition is as follows:

  • “Electronic Health Information (EHI) means electronic protected health information (ePHI) to the extent that the ePHI would be included in a designated record set as these terms are defined for HIPAA.”

The expansion is “only” PHI that is in an electronic format. It does not include paper documentation even though that documentation may be scanned into the electronic record (PDFs). EHI is the discrete data that is used to make medical decisions. Noted in the webinar is that EHI is “electronic health information (ePHI) to the extent that it would be included in a designated record set”. Further explained during the webinar was that EHI “is individually identifiable health information, that is maintained in electronic media or transmitted by electronic media”. If the ePHI is included in any of the following records and not in the exclusions such as psychotherapy notes, then it would be considered EHI:

  • Medical records and billing records of a provider about an individual
  • Enrollment, payment, claim adjudication, and case or medical management record systems maintained by or for a health plan.
  • Records used in whole or in part to make decisions about individuals

What is not EHI was explained as well. Examples include psychotherapy notes, information compiled in anticipation of, or for use in, a civil, criminal or administrative action or proceeding, employment records health information, and de-identified protected health information.

Organizations should be looking at what they now include in their designated record set policy and revise it if necessary, to ensure that their policy includes the full scope of EHI in preparation for the October 6, 2022 expansion of the EHI definition beyond the current USCDI v.1 definition.

More details and explanation of the Information Blocking Regulation were shared with the attendees. Points that have caused some questions from health care providers and others in the health IT field were clarified. Information Blocking applies to “actors”. Actors are:

  • Health Care Providers
  • Health IT Developers of Certified Health IT
  • Health Information Networks (HINs)
  • Health Information Exchanges (HIEs)

Exceptions to the Information Blocking Rule have caused a lot of questions from “actors”, in particular the “Infeasibility Exception”, under which it is not considered information blocking if it is infeasible for an actor to respond to a request. One example would be if it would be impossible for an actor to segment out psychotherapy notes from the EHI. Another would be if the cost to comply would be prohibitive. Other examples were given, as well as resource information available on ONC’s Cures Act Final Rule website, where attendees can find more information.

What should you do if you are experiencing information blocking? As directed by the Cures Act, the National Coordinator has implemented a standardized process for the public to submit reports on claims of information blocking. The report can be submitted through the Information Blocking Portal at: https://healthit.gov/report-info-blocking.

The second part of the presentation focused on the Trusted Exchange Framework and Common Agreement (TEFCA), as stated in the 21st Century Cures Act, Section 4003(b). While we do exchange EHI now, not all EHI exchanges enable exchange from another exchange. TEFCA was established to provide a technical floor for nationwide interoperability and to simplify connectivity for organizations to securely exchange information to improve care while enabling individuals to gather their health care information.

While TEFCA alone could be a webinar in and of itself, we did learn how it will be organized and were given detailed information to help us understand how TEFCA will operate. The Recognized Coordinating Entity (RCE) is the entity selected by ONC that will enter into agreements with Health Information Networks (HINs) that qualify and elect to become Qualified HINs. The RCE will act as a governing body that will operationalize TEFCA requirements on. The QHINs in turn will connect directly to each other to facilitate nationwide interoperability. Each of the QHINs will connect participants and sub participants to each other. Permitted exchange purposes are: Treatment, Payment, Health Care Operations, Public Health, Government Benefits Determination, and Individual Access Services.

The webinar provided a wealth of information and examined both interoperability and TEFCA clearly for participants to understand what to expect going forward with information sharing in 2022.

The Top Disclosure Management Trends to Watch in 2022

By Barbara Carr, RHIA

On our January 26th Webinar we learned what disclosure management trends would be forefront for the upcoming year. Verisma’s Director of Compliance and Privacy, Debbie Lobb, and Verisma’s SVP of Operations, Julia Applegate, shared first-hand knowledge and the steps being taken operationally to prepare for these challenges and help health system clients navigate through these changes.

COVID-19 continues to challenge our healthcare operations. The trend of a hybrid workforce, together with increases in both digital requests for healthcare information and payor audits, will continue to put an increased burden on the Health Information Management Department’s disclosure management operations.

In addition to the ongoing COVID-19 challenges, the deadline has passed for comments on the proposed changes to HIPAA and we are all waiting on OCR to let us know if there will be any further changes and revisions based on the comments. While the proposed changes are to modernize the regulations, the new rules present new challenges for organizations to ensure compliance. For now, I believe it is important for all of us to prepare for these changes and educate our organizations. How will organizations ensure compliance? Will additional staffing be required? How will you train your organization on the changes? On the Webinar we explored what each of these changes mean to your HIM Department operations and how having the right vendor partner and technology can help you manage the changes and ensure compliance.

Debbie Lobb, Verisma’s Director of Compliance and Privacy reviewed the upcoming changes as well as the rationale behind the changes. The overall goal of the upcoming HIPAA changes is to move further toward a more patient centered process and delivering PHI efficiently and accurately to the requestor.  Julia Applegate, SVP of Operations at Verisma, reviewed the operational challenges related to the proposed changes as well as demonstrated how having the right technology can help HIM Departments meet these challenges and remain compliant.

Proposed HIPAA changes and the challenges that were discussed:

Reduction in turnaround time from 30 days to 15 days

The clock starts when the request is received by the organization. The request must be fulfilled, with all authorized information delivered to the requestor, within 15 days.

Julia explained that the challenges to this requirement are many. Information being requested can be stored in multiple locations. Sometimes requests can float throughout several departments before reaching the release of information professional’s desk to be processed. Sometimes records with statutorily protected PHI require an additional level of review before being released, based on health system protocols.

Providing on-line access through your website, such as the Verisma Request App®, to request and receive records can reduce many of these challenges and ensure fast and accurate receipt and delivery of the records. In addition, Verisma Spotlight™ reports (our rule-based workflow engine) automatically alert you and your team when sensitive or high-risk requests are entered into the system. This too can cut down on any delays in processing the requests.

Patients’ Right to Access PHI In-Person and to Take Notes and/or Photographs of Their PHI

Both Julia and Debbie explained that this will require an additional layer of staff to queue up the electronic record, a secure/private area for the review, and an HIM person who will need to be there in person throughout the onsite review. Many times, the record is not all neatly in one place on the system for review, and this may require signing onto different systems, printing, or actual paper chart or microfilm review. None of this is ideal.

Julia noted that one way to solve the in-person review is to make it easy to request and retrieve the records for the patient. Currently at Verisma, we partner with our clients to integrate with their patient portals and allow the patient to easily request records not available in the portal and once the records are retrieved, we then push the records back into the portal. If an organization does not have a well-functioning portal that can handle this, we then provide direct access for the patient through our Verisma Request App®.

Improved Information Sharing

The proposed changes allow for good faith disclosures to avert a threat to health or safety. The definition of healthcare operations has been broadened to cover care coordination and case management. This will ensure a pathway for individuals to direct sharing of ePHI amongst covered entities. An individual will be permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.

Operationally, as Julia mentioned in the Webinar, not much would probably change with the current process of allowing “good faith” type of disclosures. Julia presented some operational challenges with these new proposed changes to information sharing. Again, one challenge is multiple sources for the information being requested; another is records that require special attention, per HIM policy, for additional review around sensitive information. Some records being requested aren’t stored in a manner that will allow them to be uploaded to personal health applications. Keeping track of the requests pending review for good faith disclosures, or of records to be uploaded to a personal health application, presents a challenge to ensure they are reviewed and processed timely, especially given that the turnaround time will be changing to 15 days. Some of the ways to meet these challenges are to have a centralized process, if possible, for ingesting requests from various sources such as fax, snail mail, email, hand delivery and more, and to have it all go into one system so that one group of qualified people can account for each request and process it for distribution. Having the technology to provide reports and alerts on pending urgent requests and on those reaching the timely processing limit also helps. Creating protocols that specifically detail where to go for which records is very important, and these protocols should be clearly available to all ROI staff processing requests.

Reduced ID Verification Requirements

The proposed changes also reduce the ID verification requirement. For instance, a covered entity cannot require that a patient show up in person and present their ID. Other means of verification can be two-factor identification for digital requests. Each covered entity will need to determine its procedures around ID verification should this change go into effect. They should work with an ROI vendor that has the technology to assist them with this.

Posting Fee Schedules and Notice of Privacy Practices (NPP)

Covered entities will be required to post fee schedules on their websites for PHI access and disclosures. Also required is an estimate of the fees for providing an individual with a copy of their own PHI and, if applicable, when ePHI may be provided without charge. Some healthcare organizations already post this on their websites. If yours does not, now is the time to work with your IT Department to prepare to post the fees. A patient acknowledgement of receipt of the NPP will no longer be required, which will eliminate the administrative burden of having to keep a signature acknowledging the patient’s receipt on file. However, the following changes to the NPP will be required:

  • Changes to the header to provide instructions to the individual on how to access their medical records
  • Information on how to file a HIPAA complaint
  • Right to receive a copy of the NPP
  • Right to discuss the NPP with a designated person
  • Information regarding the designated contact person, including whether the designated person is on-site and their phone number and e-mail address

Information Blocking

Debbie reviewed information blocking as it relates to HIM and release of information. While most of the information blocking regulation is technical in nature and relates to technical barriers such as hardware and software, there are administrative barriers such as fees, forms, policies, and authorizations that HIM should be aware of and be prepared to address.

If a request is not fulfilled for a requestor when it would be allowed under HIPAA, that is considered information blocking. Having stricter security for access than what is required by HIPAA would be considered information blocking. Requiring more information than is needed to fulfill a request would be considered information blocking.

HIM leaders should be reviewing their policies and procedures as well as their authorizations and ID requirements to ensure they are in compliance with the information blocking rules.

Julia strongly recommends reviewing the rejection letter policies to ensure your best practices align with the new rules. Rejecting requests for reasons such as electronic signatures, original signatures, stricter rules around expiration dates, requests for any and all, etc. may represent information blocking concerns.

Continued Disclosure Management Trends Aside from HIPAA and Information Blocking

Digital requests are expected to continue to increase. Having the technology to intake these requests and manage them in a timely and accurate manner is of utmost importance. Working to centralize those requests to a group of individuals for managing, processing, and accountability is something to strive for in ensuring you can meet these demands. This is where it is vitally important to have the right vendor partner who has the technology to support your organization.

Hybrid workforces and staffing challenges will be a continuing trend. Verisma has workforce training and support centers located throughout the country, with a main distribution center located in Syracuse, NY. Verisma can also supply on-site support. Again, having the right vendor who can be flexible and work with you to meet your needs will help your organization through these continuing workforce challenges.

In conclusion, it is not too soon to prepare your department and your organization for these proposed changes and ongoing disclosure management trends. Prepare your organization by educating your administration, legal, risk, and other department leaders on the proposed changes and what they will mean for your organization. Review your current policies, procedures, and authorizations and make the changes now.  Seek out technology that can help you and work closely with an ROI vendor who can support you to achieve your goals. HIM leaders should be the ones to lead the way to their organization’s compliance and success!