Webinar Recap: Software Supply Chain Risk – Effective Third-Party, “Nth”-Party Management

On August 10th Verisma hosted a webinar where Verisma’s Chief Information Security Officer, Jim Staley, provided the HIM community with vital information on how to protect Protected Health Information (PHI) from third-party cyberattacks. This topic is not only timely, but something all of us need to be aware of and take steps on in order to protect our critical PHI.

The top two enforcement actions by the Department of Health and Human Services and OCR in 2021 were: 1) Patient Right of Access to their medical information and 2) ransomware attacks. In 2021 there was a 21% increase in cyberattacks in the healthcare industry. Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to access source code, build processes, or update mechanisms by infecting legitimate apps in order to distribute malware. The proliferation of third-party, patient-facing technologies makes healthcare organizations more vulnerable. When a single organization has multiple apps or technologies integrated into its systems, any one of these technologies could be the weak link and act as a point of entry.

Jim explained that third-party attacks leverage trust between two or more organizations, making them difficult to defend against. Third-party attacks allow attackers to breach multiple targets at once, providing attackers with both scale and efficiency. A traditional cyberattack targets a person, organization, etc., which then gives the attacker access to that one organization’s data or systems. Phishing emails are the most common way to gain that access.

Third-party attacks work a bit differently in that an attacker will try to compromise a vendor. Once the vendor is successfully compromised the attacker then leverages the trust relationship between the vendor and ALL the vendor’s customers to (potentially) compromise all the customers’ systems and data. The initial attack takes the same amount of effort for the attacker, but the payoff is orders of magnitude higher.

Types of third-party attacks:

  • True third-party attacks: one of your vendors is attacked and the attacker then uses that to get to you. (Ex. Target in 2013 where Target’s HVAC vendor was compromised)
  • “Nth”-party attacks: one of your vendor’s vendors is attacked and then the attacker pivots to get to your vendor and then to you. (Ex. The law firm that your vendor uses is attacked, leading to an attack on your vendor, and then from the vendor to you. Law firms are a very popular target right now because of this leverage!)
  • Software supply chain attacks: some piece of commonly used software is attacked, usually by inserting malicious code into the patch cycle (Ex. SolarWinds attack in 2021). When the patch is pushed to all the vendor’s customers, all the customers get infected as soon as they apply the patch.
    • Note: this type of attack is rare and requires a high level of sophistication. DO NOT be hesitant about deploying patches. Unpatched environments create a much higher level of risk!

As a covered entity or business associate who engages a vendor, it is your responsibility to understand the completeness of the vendor’s security control environment. One tool for doing this is to leverage established and accepted security frameworks that provide either guidance or tools to ensure security. There are many widely accepted security frameworks that describe the controls (“safeguards” under HIPAA) that are applicable to a given type of business or situation. These frameworks are designed to provide “commercially reasonable assurance” that the vendor is meeting the minimum legal requirements for security controls. It is important to understand the different frameworks and the types of assurance they offer.

Before diving into the different frameworks and some of the differences between them, let’s take a look at the three types of controls that are measured by the frameworks:

  • Administrative Controls – these are typically policy documents (what to do or not to do) and procedure documents (how things are to be done).
  • Technical Controls – firewalls, anti-virus software, and encryption are all examples of technical controls.
  • Physical Controls – examples include having designated secure areas for people, data, and systems with locked doors and secure badge entry systems.

One way to differentiate between the types of security frameworks is to look at those that are externally certified by an auditor vs. those that may not be. It is important for HIM leaders to be aware of these frameworks so that they can adequately evaluate a vendor and the vendor’s security prior to signing a contract for service from them.

Risk management frameworks that don’t necessarily provide external validation and certification include:

  • NIST – National Institute of Standards and Technology (nist.gov): This is required by law for all Federal agencies and many State agencies, and for companies wanting to do business with those agencies. Highly flexible, because the same framework has to be applied to agencies as different as NASA and your local Parks & Rec department. Because of this it can be highly complex to implement. Because it is issued by the Federal Government, it is considered the “gold standard” from a legal perspective.
  • CIS Critical Controls – Center for Internet Security (cisecurity.org): Widely used commercially for performing rapid assessments of the most critical controls. Very simple and flexible, and easily customized to any type and size of business. Focuses heavily on the technical controls that have been proven to be the most effective in stopping real-world attacks.
  • HIPAA Security Rule: HIPAA is also a type of framework that provides both required and “addressable” safeguards (i.e., controls) that covered entities and business associates must follow. One of HIPAA’s safeguards is that it requires detailed Business Associate Agreements (BAAs) to be in place not only for all contracts between covered entities and business associates, but also between a BA and its own vendors. It is important to note that just having a Business Associate Agreement that requires the vendor to be HIPAA compliant does not in itself constitute due diligence on the part of the covered entity; additional due diligence is often required. Another important but often overlooked HIPAA safeguard is that all covered entities and business associates are required to perform an annual HIPAA-centric security risk assessment, and these assessments (or the lack of them) are often used by OCR to determine the severity of penalties. Make sure that you and all of your vendors are doing these!

Risk management frameworks that do provide required external auditing, verification, and certification include:

  • SOC 2 – American Institute of Certified Public Accountants (aicpa.org)
    • There are other types of “SOC” audit reports, but “SOC 2” is the one that applies to a company’s security controls
    • Annual audit performed by an accredited CPA firm
    • Can be Type I (“point in time”) or Type II (“over a period of time”)
    • Failing any of the Trust Criteria can result in a “qualified” report, at auditor’s discretion
    • Not as prescriptive as some other frameworks because the company has the flexibility to write its own control statements
    • Should be done every year, but a “Bridge Letter” may be issued by the company if it does not complete a SOC 2 within a given year. The Bridge Letter is the company’s official statement that there have been no significant changes in its control environment.
    • Typically 75 to 150 controls are audited
  • HITRUST r2 Validated Assessment – (hitrustalliance.net)
    • There are several HITRUST assessments that provide varying levels of assurance; the r2 validated assessment provides the highest
    • Full audit every other year, with “interim” assessments in the off years
    • Failing any of the 19 domains results in failing the certification
    • Very prescriptive: controls are assigned based on scoping, and then scored based on the completeness of policy and procedure documentation plus evidence that the control has been implemented.
    • Typically 300 controls are audited, and the number can be over a thousand depending on the scoping
    • Leverages NIST and provides a report that shows how the company is doing against the relevant NIST standards.
  • ISO 27000 – International Organization for Standardization (iso.org)
    • An internationally recognized standard that provides an externally audited certification that is accepted around the world, not just in the US. In healthcare this is typically used by medical device manufacturers who sell in multiple countries, and by larger international law firms.

As HIM leaders are charged with protecting PHI, we should be looking for vendors who are leveraging security frameworks that provide some level of externally validated certification. We don’t have to be experts in all the details of cyber security, but we need to understand what these various certifications mean when evaluating a vendor. Understand not just your third-party, but also your “Nth”-party risks, all the way down through your entire vendor supply chain. Require ALL vendors who provide software or who have any kind of direct access to your systems to have at the very least a SOC 2 Type II report that is renewed annually. HITRUST is a high bar for small vendors but is rapidly becoming the standard in healthcare, especially for larger technology vendors who deal with large volumes of PHI, such as Verisma. Any certification requirements should be written into your Business Associate Agreements. Ask the vendor to supply a SOC 2 or HITRUST r2 certification report. Read the reports and ask questions about findings and corrective action plans. It is possible for your vendor to be certified but still have gaps. Understanding any relevant gaps is key to understanding and managing your risk, so read the reports carefully! Do an annual inventory of your vendors, identify what they have access to, and assess whether the access they have is the minimum required for them to do their job.

In conclusion, protecting PHI from cyberattacks is not just the job of the IT Department; it is also the responsibility of healthcare leaders to ensure that the many vendors we deal with who have access to our PHI are certified to protect our most valuable information.

Managing Patient Requests for Amendments – One Health System’s Story

By Barbara Carr, RHIA

The 21st Century Cures Act’s goal of increasing information sharing and enabling patients to have their healthcare data delivered conveniently to their computers, cell phones, and mobile applications has increased privacy and security worries for many healthcare organizations. Having the right data security and processes in place to enable information sharing is at the forefront as this new era of patient access continues to drive a more educated and engaged patient population demanding governance over their health information. We can expect that the once rare occurrence of record amendment requests will soon be a regular activity that will need to be carefully and accurately managed.

Presently, the Patient’s Right to Access must be granted within 30 days regardless of record location (onsite vs. offsite) and regardless of media type. One 30-day extension is allowed but must be communicated to the patient and documented. Any denial of access also needs to fit within this 30-day/60-day time frame.

The growing tech-savvy and health-aware public wants access to and control over its health information. This has led to an increase in demand for the release of information to the patient. As we are all aware, the electronic health record is not always neat, tidy, and easy to digest. Patient records also have a high degree of “copy and paste” notes, leading to issues with accuracy of information from visit to visit. With more patients reviewing their records than ever before, perceived misinterpretations and actual transcription errors require a more robust ability to address the influx of questions, corrections, and possible amendments.

Handling these requests requires a dedicated team to ensure consistency of process and compliance; it should not be left up to each area within the organization to address on its own. Having a streamlined way to handle requests for amendments is imperative for HIPAA compliance and overall patient satisfaction.

During our May ROI Roundtable Webinar Series, we were honored to have Mercy del Rey, Assistant Vice President and Chief Privacy Officer for Baptist Health South Florida, and a Verisma client, speak to us on how their 12-hospital, 200+ outpatient center health system has employed a centralized process to address the significant growth of patient record amendment requests over the past decade.

Baptist Health South Florida began their journey to a centralized process right from the inception of HIPAA, by establishing a corporate privacy office that would also be responsible for handling all patient amendment requests. With the advent of HIPAA and Right to Access, HITECH, Meaningful Use, and the explosion of the electronic medical record, they saw the volume of requests for amendments dramatically increase. The advent of patient portals, the information demand related to a global pandemic, and the government’s increased push for information interoperability and sharing have further increased the volume of requests. In 2003, Baptist Health South Florida received 7 requests to amend healthcare information. That number has steadily grown to well over 300 requests a year at present.

Mercy demonstrated how they carefully evaluate each amendment request with questions that include:

  • Does this error affect the care received?
  • How will this affect future care?
  • Is the request legitimate? (For example, “I fell at Walmart, not at home.”)
  • Where are all the places in the record that need addendums?
  • Will the record need to be re-coded and re-billed once a change has been made?

Having a central, dedicated, trained, and knowledgeable team review each request and make these determinations is essential for process consistency and overall amendment accuracy. This requires a detailed review of the request and the medical record in question, as well as the ability to reach out to the clinician(s) involved, who will review the request and the medical record to determine whether the amendment can and will be made.

Some of the many roadblocks and challenges her team faces include a clinician’s willingness to review and amend a record, technical challenges that may affect the ability to capture the associated information across the record set, detangling medical records across multiple platforms, old paper records, complex requests that may require varying degrees of interpretation, and the careful management of unrealistic patient expectations. To help with these challenges, Mercy’s team looks to others in the organization for assistance in removing these roadblocks. They work hand-in-hand with the Patient Experience team to help manage the patient communication process. For clinicians unwilling to cooperate, they have established an escalation process up the chain of command to their Chief Medical Officer. In addition, they work closely with Health Information Management on issues such as the detangling and updating of a medical record. As Mercy relayed, “It takes a village.”

Key to process compliance and overall success is that all new employees, including the physician staff, are trained on the amendment process as a part of their orientation and onboarding. This ensures that everyone is aware of the process from the beginning of their employment. Baptist Health South Florida makes their patient amendment request form available online, which automatically routes all new requests directly to Mercy and her Privacy Office. In addition, they receive requests from the Patient Experience team, which sometimes receives a request as part of its patient complaint filing process.

This centralized and accountable approach to handling patient amendment requests has enabled Baptist Health South Florida to maintain a scalable, highly organized, and compliant approach to handling patient requests for amendments all while keeping the patient’s needs, safety, and overall satisfaction at the forefront of their efforts.

Information Sharing Under The 21st Century Cures Act

By Barbara Carr, RHIA

On March 16, 2022 Verisma hosted a webinar on Information Sharing and the 21st Century Cures Act, presented by Elisabeth Myers, MBA, Deputy Director, Office of Policy, HHS Office of the National Coordinator (ONC). The ONC oversees regulations concerning information sharing and interoperability of electronic health information (EHI). Information sharing is at the heart of the 21st Century Cures Act’s information blocking rules.

The Information Blocking regulation went into effect on April 5, 2021. While we should all be fully compliant with the regulations by now, the fact is that in 2022 the regulation will expand the definition of EHI beyond the current United States Core Data for Interoperability Version 1 (July 2020 Errata) (USCDI v1) data set. As defined by the Information Blocking rule, the EHI definition is as follows:

  • “Electronic Health Information (EHI) means electronic protected health information (ePHI) to the extent that the ePHI would be included in a designated record set as these terms are defined for HIPAA.”

The expansion covers “only” PHI that is in an electronic format. It does not include paper documentation, even though that documentation may be scanned into the electronic record (PDFs). EHI is the discrete data that is used to make medical decisions. Noted in the webinar is that EHI is “electronic health information (ePHI) to the extent that it would be included in a designated record set”. Further explained during the webinar was that EHI “is individually identifiable health information, that is maintained in electronic media or transmitted by electronic media”. If the ePHI is included in any of the following records and not in the exclusions, such as psychotherapy notes, then it would be considered EHI:

  • Medical records and billing records of a provider about an individual
  • Enrollment, payment, claim adjudication, and case or medical management record systems maintained by or for a health plan
  • Records used in whole or in part to make decisions about individuals

What is not EHI was explained as well: for example, psychotherapy notes; information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding; health information in employment records; and de-identified protected health information.

Organizations should be looking at what they now include in their designated record set policy and revise it if necessary, to ensure that their policy includes the full scope of EHI in preparation for the October 6, 2022 expansion of the EHI definition beyond the current USCDI v1 definition.

More details and explanation of the Information Blocking Regulation were shared with the attendees. Points that have caused some questions from health care providers and others in the health IT field were clarified. Information Blocking applies to “actors”. Actors are:

  • Health Care Providers
  • Health IT Developers of Certified Health IT
  • Health Information Networks (HINs)
  • Health Information Exchanges (HIEs)

Exceptions to the Information Blocking Rule, which have caused a lot of questions from “actors”, were also discussed, in particular the “Infeasibility Exception”, under which it is not considered information blocking if it is infeasible for an actor to respond to a request. One example would be if it were impossible for an actor to segment out psychotherapy notes from the EHI. Another would be if the cost to comply were prohibitive. Other examples were given, as well as resource information available on ONC’s Cures Act Final Rule website, where attendees can find more information.

What should you do if you are experiencing information blocking? As directed by the Cures Act, the National Coordinator has implemented a standardized process for the public to submit reports on claims of information blocking. The report can be submitted through the Information Blocking Portal at: https://healthit.gov/report-info-blocking.

The second part of the presentation was focused on the Trusted Exchange Framework and Common Agreement (TEFCA), which is called for in Section 4003(b) of the 21st Century Cures Act. While we do exchange EHI now, not all EHI exchanges enable exchange with another exchange. TEFCA was established to provide a technical floor for nationwide interoperability and to simplify connectivity for organizations to securely exchange information to improve care, while enabling individuals to gather their health care information.

While TEFCA alone could be a webinar in and of itself, we did learn how it will be organized and were given detailed information to help us understand how TEFCA will operate. The Recognized Coordinating Entity (RCE) is the entity selected by ONC that will enter into agreements with Health Information Networks (HINs) that qualify and elect to become Qualified HINs (QHINs). The RCE will act as a governing body that operationalizes TEFCA requirements. The QHINs in turn will connect directly to each other to facilitate nationwide interoperability. Each of the QHINs will connect participants and subparticipants to each other. Permitted exchange purposes are: Treatment, Payment, Health Care Operations, Public Health, Government Benefits Determination, and Individual Access Services.

The webinar provided a wealth of information and examined both interoperability and TEFCA clearly for participants to understand what to expect going forward with information sharing in 2022.

Leveraging Technology to Address Labor Shortages

By Barbara Carr, RHIA

Hospitals are facing a severe labor shortage of both skilled and unskilled workers. COVID stress and burnout, on top of the retirement of the baby boomers, as well as the new vaccine mandates, have all contributed to the shortage of labor.

American economic growth is highly dependent on the quality and quantity of workers. According to a recent Forbes article, “Currently, the United States is facing a severe skilled and unskilled worker shortage that has long and short-term economic implications. In addition to the 9.3 million job openings, various economic indicators strongly support the idea that there aren’t enough workers in the United States: The number of people voluntarily leaving their jobs rose by 164,000 to 942,000 in June 2021.”

Labor shortages impact both the skilled and unskilled worker categories. Clinicians fall into the skilled worker category. While there is an acute shortage of clinicians, skilled workers with “middle skills”, requiring more experience than just a high school diploma yet less than a four-year college degree, are also contributing to the labor shortage. Middle-skill workers, who need a better-than-average understanding of the tools they use to do their job, technical knowledge, problem-solving skills, and the healthcare landscape, are in short supply. Now COVID vaccine requirements have added to the staffing issue that health care institutions need to address to keep operating.

During our December 14th Webinar, “Managing and Maintaining Productivity During a Time of Labor Shortages”, we heard from experts at Verisma on how they leveraged Verisma’s technology to help several hospitals’ Health Information Management (HIM) and Patient Financial Services (PFS)/Business Office Departments that experienced labor shortages related to processing requests for records. PFS departments were faced with the need to keep payments coming in, and any backlog in processing claims requests was going to cause a delay in payments. HIM departments dealing with labor shortages and a lack of on-site staff were faced with quickly accumulating backlogs that needed to be addressed. Technology and creative out-of-the-box thinking were urgently needed to address both types of challenges.

The PFS/Business Office Department staff were working remotely and experiencing labor shortages at the same time. The Verisma Release Manager® (VRM) platform, along with Verisma Inbox™, were deployed to allow the remote staff to enter and track claims processing requests for records, respond to denials, and handle ADR requests. The PFS/Business Office Department was given access so they could see the status of their requests. Confirmation of record receipt by the payors was available to them, an important tool they could then use when on the phone with a payor. In addition, they had the use of Verisma Analytics™ so they could see volume and turnaround time statistics. Prior to implementation of this tool they were just processing record requests without knowing exactly what was received by the payors and without volume information.

In another real-world example, COVID and the subsequent labor shortages in the HIM department required a solution for handling walk-in requestors. The remaining HIM staff on site needed to take care of STAT requests and process the incoming mail requests, and staff were also hesitant about in-person engagement with requestors. The time the existing on-site staff spent on walk-ins was taking away from processing the paper requests received via mail, so a solution was needed.

The Verisma Request App® was installed on the hospital’s website, along with the authorization form for patients to complete with all the required information about what was being requested. Patients were able to upload a copy of their driver’s license for verification. Flyers and announcements went out within the healthcare system regarding the new app that was available for patient requests. Patients walking into HIM were given information about the app, as well as access to a kiosk with a PC to complete their request. The request would be sent directly into VRM for processing. This freed up the on-site staff for other duties that needed to be performed.

Another scenario addressed a health system experiencing a large backlog of requests due to high volumes and staffing shortages. Verisma Inbox™ was implemented so that requests from multiple locations were centralized into one location and uploaded into VRM using bar code sheets. Requests were reviewed for duplicates and then sent for processing and distribution by Verisma staff. This relieved the HIM staff of having to process the workload for these requests and freed up time for other priorities.

All the scenarios discussed required thinking outside of the box and creatively using technology to tackle the ever-growing volume of requests coming into the hospital.

The panelists concluded with a discussion on how to retain talented staff. Ideas such as joining daily staff huddles, keeping work/life balance in mind for your staff, competitive salaries, and showing appreciation for staff were top of mind. Letting staff know they are appreciated and celebrating their achievements goes a long way!

The healthcare labor shortage is not going away anytime soon. Investing in technology that promotes higher staff satisfaction, reduces turnover, and increases retention is a true investment in higher quality healthcare and organizational longevity. Training and technology can improve a worker’s overall experience as well as reduce feelings of stress and burnout. Partner with local educational facilities, find ways to use the technology you already have in place, and think outside the box to create new, more efficient processes. Looking for a vendor partner that has the technology capability you are looking for and is willing to work with you to achieve your goals is vitally important to mitigate labor shortages during these times of uncertainty.

Key Takeaways from AHIMA21

By Barbara Carr, RHIA

AHIMA21 was unlike any I can remember in recent years. Of course, my first AHIMA Convention was 40 years ago. AHIMA’s focus today is nothing like it was back then. Back then there were dictation systems with tapes and discs, transcription was still being done on a typewriter and vendors were selling the latest in file folders and filing systems. The name of this year’s convention was “Transforming the Future of Health Data”, and the convention was all about data: data integrity, data interoperability, data governance, and data sharing. The content this year was rich with information on the latest technology, data interoperability, and management trends that HIM professionals need to be prepared to execute in our fast-changing technology-focused world. AHIMA CEO, Wylecia Wiggs-Harris, reminded us that “health data is human data” and “data needs to be translated into information that is accurate and can be trusted.”

Reflecting on all that I heard and witnessed at this convention, I found a few key takeaways that I would like to reflect on:

    1. Top trends in data interoperability and information blocking – The number of healthcare apps that are available to patients for accessing and downloading their health information is growing. The development of these healthcare apps is continuing to explode thanks to the 21st Century Cures Act. Apple is the most common 3rd party app, but many other apps are also available and in development. We learned that HL7 FHIR (Fast Healthcare Interoperability Resources) is now the standard API (Application Programming Interface). This game changer is enabling the healthcare market to employ faster and easier methods to exchange EHI as well as enable mobile app integration. The Verisma Request App® is one app that is helping organizations meet the demand for apps that are easy to use and provide the patient with direct access to their healthcare information regardless of the EHR where their information is stored.
    2. Data Integrity and Patient Matching – The importance of accurate patient matching and avoiding duplicate records for a patient is becoming even more important under information blocking. HIM professionals have always known how important correct patient matching is for patient safety and data integrity. However, now incorrect patient matching can cause your organization to be out of compliance with the 21st Century Cures Act, because the patient would not be accessing ALL the health information they request if duplicate patient records exist. Technology is advancing to enable smart, fault-tolerant searches within clinical systems to do a better job of patient matching. We learned how artificial intelligence (AI) is being utilized to improve the accuracy and integrity of both patient and clinical information. However, it still requires human oversight. AHIMA CEO, Wylecia Wiggs-Harris, stated that “It’s our profession that drives all aspects of integrity and protection of data and health information.”
    3. New Era of HIM Leadership – Speakers addressed how HIM leadership has evolved during the pandemic and managing virtual workplaces. Speakers stressed how HIM professionals need to be ready for the new world of technological advances and prepared for it ahead of time. Innovation in management as well as technology were driven forth at a faster pace over the last 18 months due to the COVID-19 Pandemic. Monday’s speaker, Seth Jeremy Katz, MPH, RHIA, FAHIMA, spoke on what HIM needs to focus on during this decade. There will be a continued growth in AI in many areas of healthcare, big tech such as Apple and Google are getting in on healthcare and we will see this grow stronger in the future. What new issues will this cause for HIM and data integrity and accuracy? We will see a continued growth in telehealth and remote patient monitoring.  Remote work will be the norm as the HIM department becomes a virtual one. The one fascinating thing I heard about from one speaker was robotics. Robots will be able to do many simple tasks that are now performed by humans. This will create a new area for HIM oversight of the information produced/collected by the robots. For instance, robots, or chat bots, will be able to help fill out ROI requests, and know what information you requested and be able to go into the clinical system and release the information to you without any human interaction. HIM leaders need to be prepared and plan for all the new technological changes and how they will manage these changes. It will be up to HIM professionals to ensure that the data they produce is accurate. The new technology will create a huge disruption if you are not prepared for it. New roles will be open to HIM professionals who are prepared. One speaker at the conference, Dr. Daniel Kraft said it best; “Uber yourself before you get Kodaked.” Start preparing for the future now.

    4. Protecting Healthcare Data – OCR Director Roger Severino was quoted by one speaker: “Hacking continues to be the greatest threat to privacy and security of individual health information.” We heard about many threats to healthcare data and the ways in which those threats are growing. This creates new areas in which HIM professionals can focus their expertise on protecting healthcare data. One speaker, Michael Stearns, MD, CPC, CRC, CFPC, noted that “value-based care initiatives coupled with interoperability mandates are creating a data tsunami and a desperate need to tame it.” The 21st Century Cures Act, which requires that patients have access to structured and unstructured EHR information, has led to concerns about privacy and security. Ensuring that the patient gets the right record, the one they are requesting, is essential to maintaining privacy.

I have to say I’ve missed all the personal connections and conversations that occur at the annual conventions, and I hope we are able to go back to in-person events in the future. I did enjoy the participant chats and found out that many people were able to attend this year because it was virtual, as their employers are no longer paying travel expenses.

As a final observation, I was very proud of Verisma and the many AHIMA members who made possible the company’s $5,000 donation to the AHIMA Foundation. This donation reflects individual and state association pledges to protect truth and accuracy of health information. Add your name to this pledge embracing the values of HIM at: https://verisma.com/pledge-to-protect-truth-and-accuracy/.

HIPAA and Information Blocking: Understanding Regulatory Intent Against the Ever-Changing Environment

By Linda Kloss

HHS officials discussed the nuances of how Right of Access is handled under the HIPAA Privacy and Information Blocking Rules in last week’s Verisma-sponsored webinar, HIPAA Right of Access and Information Blocking.[i] We are grateful to Elisabeth Myers, Deputy Director, Office of Policy, HHS Office of the National Coordinator, and Timothy Noonan, Deputy Director for Health Information Privacy, HHS Office for Civil Rights, for customizing a presentation to compare and contrast the Right of Access elements of the two Rules, spotlighting areas that have generated questions. I urge everyone to access the webinar archive, as it is a very useful reference.

The laws giving rise to Right of Access regulations were passed two decades apart (HIPAA in 1996, 21st Century Cures in 2016). Both are complex, multi-part laws dealing with health system effectiveness from different perspectives. HIPAA focuses on health insurance and administrative functions, while 21st Century Cures focuses on facilitating clinical research and improved therapeutics. How their regulatory frameworks handle Right of Access reflects these different contexts and purposes. The Information Blocking Rule concerns electronic health information, which Myers and Noonan described as “a subset of the protected health information (PHI)” covered by the Privacy Rule.

Myers and Noonan underscored another helpful distinction that can guide compliance. Access to protected health information under the HIPAA Privacy Rule is governed by permissions. Patients, of course, have a right to access, and they or their legal designees grant permission for release to third parties. The Rule grants permission to use protected health information (PHI) for treatment, payment, and healthcare operations, and it specifies other parties who are granted permission under certain circumstances. The Information Blocking Rule picks up where permissible requests leave off and assumes that electronic PHI (ePHI) must be shared unless the request meets one of eight exceptions. This distinction reminds us that we should be advocates for legitimate and customer-friendly access. We should focus on eliminating barriers, reducing turnaround times, and shifting to e-release whenever possible.

The Rules differ in the breadth of who must comply. Under the HIPAA Privacy Rule, we deal with covered entities (providers, health plans, and clearinghouses) and their Business Associates. The definitions of providers are aligned under the two Rules. The list of “Actors” who must comply with the Information Blocking Rule also includes health information exchange entities and technology developers. This is a welcome expansion that better reflects who is involved in today’s health information ecosystem: EHR vendors, private exchanges, and other entities will no longer be able to block the exchange of health information needed for continuity of care.

Information Blocking aligns with HIPAA regarding timelines for release. Myers and Noonan reinforced that the Rule reads “no later than 30 days.” We should be doing all we can to reduce turnaround times by putting in place systems and workflows that avoid any “unnecessary delay.” We were reminded that such delays are currently resulting in enforcement action by OCR, the nineteenth such action having been announced earlier this month. Enforcement of the Information Blocking Rule will be administered by HHS’s Office of the Inspector General, and the rules for this have yet to be released or approved.

Fees for ePHI are handled similarly in both Rules. Reasonable, cost-based fees for labor are allowable. The Information Blocking Rule adds a requirement that they be uniformly applied and not anticompetitive. The trend is that providers are making access available to patients on a no-fee basis, and this is driving adoption of apps such as Verisma’s Request App™ (VRA), a practice very much in line with the intent of both Rules.

Verisma recognized the rapidly changing landscape by sponsoring Health Information Access Week, June 14-18. The OCR-ONC webinar was a highlight of the week, along with guest bloggers covering topics from consumer advocacy to HIM leadership. The Information Blocking Rule and the proposed changes to the Privacy Rule underscore once again the need to upgrade ROI practices with technologies, including access and management tools, to stay ahead of the curve.

We continue to grapple with a patchwork of federal and state laws and regulations concerning health information and privacy. The Information Blocking Rule provides some much-needed modernization, particularly in bridging to a broader cast of actors. For ROI, HIM, and Compliance experts, the Right of Access is inviolable. At the same time, we know that once a custodian discloses PHI, today’s protections for individuals fall far short of where they should be. I know we will sort out how to comply with Information Blocking and future modifications to the Privacy Rule. But I also know that our work won’t be done until we can help people have real choice in how they want to handle their confidential health information, in identifiable and deidentified formats, when it moves beyond the protections of current law.

[i] Please e-mail Davy Simanivanh at dsimanivanh@verisma.com to receive a recording of the webinar.