Enterprise Access and Disclosure Management: Your Opportunity to Lead

Enterprise Access and Disclosure Management: Your Opportunity to Lead

Jun 18, 2021 | Blog, Compliance & Regulations, Information Sharing, Operational Outcomes, Release of Information

This first Health Information Access Week has brought together a range of perspectives on serving consumers, mitigating risks and deploying technology. We’ve been privileged to learn from experts who bring a lifetime of experience and insight to the changing challenges of  access and disclosure.  I am closing out this week with some reflections about leadership and management of access and disclosure operations. It is my belief that there is an urgent need for HIM leaders to address the health information access and disclosure disparities within their organizations. This is a key stepping stone to being able to modernize our approaches.  We have the expertise to do this and the time is now.

As a HIM leader, I made it one of my goals to achieve centralized health information access regardless of where the patient may have been treated within the healthcare organization. I view this as having three benefits: improved patient satisfaction, risk reduction and cost savings. It was clear to me several years ago, that HIM professionals needed to broaden our thinking beyond the hospital’s four walls and reach out to our physician practice administration, outpatient satellite and other facilities that make up our health system. Ultimately, the entire organization can benefit from centralizing the release of healthcare information.   

In leading the charge at Einstein Health in Philadelphia, I first called a meeting of our Hospital Administration staff, Physician Practice administrators, Risk Management and Compliance.

I described a recent scenario where an elderly patient had to go to three separate locations to acquire the healthcare information they needed for an upcoming appointment with a specialist. I then posed questions regarding why we persisted in this approach. All the patient’s information was stored in our Clinical Information System (CIS) regardless of location of treatment. Everyone agreed this was not ideal and agreed to work with me on a solution. 

The physician practices, at the time, were all doing their own individual release of information with various copy vendors, or their own in-house staff. There was no tracking, and very little quality control. At that time, all the HIM Departments were being handled by one vendor and covered by the same policies. Therefore, it was decided that we would tackle the practices first.

We started with bringing our release of healthcare information vendor to the table and put them to the task of working with us on a solution for the physician practice locations first. Since there are over 200 locations, this was a large change project. A project plan was developed, and a team of key stakeholders was assigned carry out the project. After 6 months of planning and strategizing, the first group of practices went live, followed by the next group, until all practices were handled by one group of release of information staff. Our vendor staffed the central location. 

Once we standardized and centralized the physician practices, we were able to move quickly with outpatient locations. In all, it took about 18 months to accomplish. In the end it was merged into one centralized release of healthcare information site. Now a patient can make one request for their information, which is then processed all at the same time, and delivered to the patient via whatever media and route they have specified. We were able to monitor quality and track all released information. We reduced costs and duplication of effort. Patients were less frustrated and more satisfied with our service. 

Risk and Compliance are less concerned with surprises and have one place to go to check on any issues. We are far less likely to receive a complaint and if we do, we have protocols to  resolve any before they become investigations. Importantly, having a standard way of handling access and disclosure across the enterprise, positions the organization to broaden the scope of release of information. For example, it possible to handle access requests from financial services, case management, utilization review and other health system function that rely on access to information.  When going through our release of information we are assured of the same quality control and tracking.

This experience not only helped me grow as a HIM leader but helped to expand my role in the organization beyond the HIM borders.  I was given more opportunities to work across the organization to streamline other processes. All this really helped fulfill my own goals to grow within my organization. 

In the end, I believe it is up to us as HIM leaders to have the vision, and then use our leadership to organize and lead others towards that vision.

Barbara Carr, RHIA a Verisma Advisor formerly served as Assistant Vice President Health Information Management at Albert Einstein Health Network in Philadelphia and as Corporate Director of Health Information Management at ChristianaCare, Wilmington, DE.

TAKE QUIZ

What Keeps a Compliance Officer up at Night? Challenges with Access and Disclosure of PHI

What Keeps a Compliance Officer up at Night? Challenges with Access and Disclosure of PHI

Jun 17, 2021 | Blog, Compliance & Regulations, Health Information Solutions, Operational Outcomes, Release of Information

With years of HIM leadership experience under my belt, my current role as Director of Corporate Compliance requires me to step back to see the big picture. As I read about the nineteenth OCR HIPAA settlement, it should give pause as to how we got here. HIM professionals are ingrained to protect patient privacy at all costs, but it begs the question if we are trying to protect the wrong people. Patients absolutely have a right to their information and unfortunately, too many roadblocks have existed in the past. When managing release of information (ROI), I agree it is cleaner and less complex to routinely require a written authorization from the patient before releasing any PHI to anyone. But, in some scenarios, we are doing a disservice to the very patient whose information we are trying to protect.

Patients are more technology savvy; they want their information and they want it now. We have an opportunity to speed up this entire process and in so doing, improve service to our customers. If you haven’t already, it is time to think creatively about ROI. If a patient calls your department asking for their records, figure out a process for verifying their identity over the phone versus requiring the patient to come into your department or submit a written request. Use the technology available to you for delivering records to patients, whether that is through your patient portal, an app, email or another electronic method. Speaking of email, we also need to accept the fact that not all patients will be comfortable handling encrypted emails containing their records. They may not want to make up a password and, in my opinion, it should be their choice. You may need to work with your Information Services Department to ensure you can email records unencrypted, if that is the patients’ preference.

I don’t believe we should charge our patients for copies of their own medical information. They are entitled to the information and I think it is just the right thing to do. As we increase the capabilities of apps, our patient portals and methods of delivering medical information to patients, the task of covering our costs should become easier. We also need to get more efficient at this process – 30 days is a long time to wait for delivery of anything – think how we would feel if our typical Amazon orders took this long to arrive? I applaud the 15 day turnaround requirement in the proposed HIPAA Rules. We cannot ignore requests from our patients – the HHS Enforcement Actions demonstrate examples of frustrated patients not getting what they request in a timely manner, or not getting the information at all.

I am hopeful the use of electronic signatures will be specifically noted as allowable under the Proposed Modifications to the HIPAA Privacy Rule. I have seen health information departments differ in their decisions to allow or disallow their use. The use of electronic signatures is a well- established practice and we should move away from requiring only handwritten signatures from patients.

Another thought about patient portals – we are now pushing much more information to the patient, i.e. test results, notes, pathology reports, discharge instructions, in some cases very quickly after creation. Having test results at your fingertips  as soon as they are available is not intended to replace those critical discussions between provider and patient. We need to reassure our patients that these discussions will still occur, even if they see the results via their portal account before they have spoken to their provider. Informing the patient of this during the office appointment when the tests are being ordered needs to become the norm. Placing a “results disclaimer” on the patient portal is another method to communicate this to patients.

As a compliance officer, I want to ensure we are following the law and exceeding our patient needs at the same time. It is also my job to ensure our policies/procedures minimize risk for my organization. It is very important for HIM leaders to step up controls to make certain that access and disclosure management is a sound and reliable process. With each enforcement announcement, the OCR is sending a strong message – no more barriers for patients to get their own information. If access and disclosure management has not been top-of-mind before, it sure needs to be now. If we consistently and efficiently meet our patients’ needs for access, we can all sleep soundly at night.

Wendy Mangin, MS, RHIA is Director of Corporate Compliance for Good Samaritan, Vincennes, Indiana where she served as Director of Health Information Management for over four decades with responsibilities as Executive Project Director for the health systems EPIC implementation. She served on the Board of Directors of AHIMA and its President in 2008. 

TAKE QUIZ

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

Jun 16, 2021 | Blog, Compliance & Regulations, Health Information Solutions, Information Sharing, Operational Outcomes, Uncategorized

In 2020, The Office of the National Coordinator’s (ONC) and the Centers for Medicare and Medicaid Services’ (CMS) released Regulations for Interoperability and Patient Access as required by the 21st Cures Act. Regulations increase access to medical information through application programing interfaces (API) to empower patients in their health care decisions. The API allows information to be shared and exposed within a consumer’s application-based solution of choice (e.g., wellness app). The information is portable, provides ability to share clinical information with care team, caregiver or other party and better understand healthcare costs and financial obligations. 

The focus has been on the Information Blocking Regulations issued by ONC, but the companion CMS Interoperability and Patient Access Rules also have important implications. ONC information blocking allows consumers health information access from a provider setting. However, health insurers have most of their enrollee’s financial and clinical information across care settings (i.e., provider, hospital, pharmacy, laboratory, or other setting that submits claims to health insurer) to provide a more complete picture of the consumer’s healthcare experience. 

The CMS rules require CMS-regulated plans to provide a patient access API, provider directory API and payer-to payer API by January 1, 2021. However, enforcement has been delayed to July 1, 2021. 

Patient Access API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) and Qualified Health Plan (QHP) on the federal exchanges are required to provide the Patient Access API. This API includes adjudicated claims (including Pharmacy), enrollee cost-sharing, encounter information, provider remittances, select clinical data, including lab results, formularies or preferred drug lists. 

The health insurer provides updates within 24 hours of receiving an encounter or processing a claim containing the cost and services provided to a patient. This financial information will assist consumers in tracking submitted claims, expected and current financial responsibility, in and out-of-network deductible amounts and other financial information for themselves and their dependents.  

The clinical information includes clinical notes that are written to track patient progress, inform other medical staff and explain treatment options. Typically, these notes are written using medical terminology and abbreviations that may not be familiar or understandable. The evolution of documentation narratives toward the inclusion of easy-to-understand layman’s terms and description of the patient and clinician team interaction and decision making will increase the value of the medical information to the consumer. This information needs to be boiled down into brief, understandable and actionable problem lists for the patient that add value, not burden.

Commercial payers may consider voluntarily providing this API to empower their enrolled consumers and assist providers participating in their alternative payment models. Value-based care, including capitation payment shift more of the medical risk to the provider including costs that occur outside of the facility or system. Therefore, providers need costs and clinical information across provider settings for attributed patients. 

Provider Directory API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) fee for service and managed care entities are required to provide the Provider Directory API. This API requires the provider names, addresses, phone numbers and specialties. An effective provider API will inform consumers what providers are in the health insurer’s network and if the provider is in the consumer’s specific health plan. 

Payer to Payer API

Medicare Advantage, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) managed care entities and Qualified Health Plans (QHP) on the federal exchanges are required to provide the Payer to Payer API. This API requires an individual’s past health insurer to transmit their claims and encounter information, and subset of clinical information to their new health insurer. This sharing of history allows a longitudinal medical record to be compiled no matter how many times a consumer changes their health insurance. 

Commercial payers may consider voluntarily providing this API to maintain longitudinal records and ensure new enrollees are in the appropriate wellness programs and receive any gaps in current care.    

ONC and CMS’s information sharing requirements allow vendors and payers to enable a one stop shop that is secure, easy to access, actionable and meet a priority consumer need. This may include promotion of wellness through integration with wearables, reduce redundant paperwork at provider settings, make payments, appeal claim payment, store and share medical records for a chronic patient or their caregiver, provide dashboard with tracking/monitoring of hospital at home activities, maintain current drug list, order medical supplies, access care through telemedicine and more from the comfort of home. 

Expanded access to health information, including insurance-related information, has the potential to be inform and transform. Getting accurate and useful information to securely flow to consumers, across provider organizations, between providers and payers and payer to payer will be the work of healthcare over the next decade. This will be a heavy lift for consumers,  covered entities, vendors and business associates. For decades I have worked on the standards and policies to enable us to realize this vision.  Still, I have no illusion that this will be accomplished without significant challenges and protecting privacy and security will be among the most vexing. It’s an all hands on deck time to learn to use information for the benefit of consumer health and health services. 

Tammy Banks, MBA is a Healthcare Consultant with ImpactQue and previously served as Vice President Interoperability Program Development for Optum and as Director Practice Management Center and Payment Advocacy for the American Medical Association.  Outstanding Leadership and Distinguished Service Awards from WEDI.

TAKE QUIZ

“Too Much Too Soon?” Or “An Idea Whose Time Has Come?” Information Blocking Regulations and Proposed HIPAA Access Changes

“Too Much Too Soon?” Or “An Idea Whose Time Has Come?” Information Blocking Regulations and Proposed HIPAA Access Changes

Jun 15, 2021 | Blog, Compliance & Regulations, Health Information Solutions

The year 2021 has been punctuated by a flurry of regulatory activity around individuals’ ability to access their own health information.  With access a hot button issue, the information blocking final rule went into effect April 5, compelling health care providers, health technology developers, and health information exchanges and networks to make specific information available to individuals without intentional and unnecessary delay, thus prohibiting interference with access and exchange. Additionally, May 6 marked the end of the public comment period for proposed modifications to the HIPAA Privacy Rule, which include extensive changes that would enhance individuals’ right of access to their PHI, such as the ability to inspect PHI at no cost by taking photos, videos, or notes of their information. Where, a mere five years ago, my attempt to take photos of my father’s nursing home record (to which I was legally permitted access) brought gasps of alarm from staff, the possibility that this practical use of technology might become a legal right brings palpable relief.

But are there negative ramifications to these new regulations and proposed changes? Having helplessly watched family members struggle to access their health records at a time when providers could ignore their requests without consequences, I believe the continual strengthening of the right to access is, in many ways, long overdue. But is there also a point where this right can go too far? I raise this question not because of the burden on healthcare providers (although that could be a separate conversation) but, rather, because of the emotional burden it places on patients and their families. Have we reached a point where access becomes “too much too soon?” As a fierce advocate of patients being able to access their own health information, I find this to be a painful question and – yet – one that needs to be addressed.

Several years ago, a friend of mine was diagnosed with an aggressive form of cancer. Following surgery, chemotherapy and radiation, she underwent a routine scan several months later. The healthcare provider – per meaningful use – posted the radiologist’s interpretation of her scan in the patient portal where she could view it. My friend was able to access that information, and what she read alarmed her. Unable to reach her physician and knowing that she would not be able to obtain clarification of the interpretation for several days, she and her family agonized until she was reassured at her follow-up visit that everything was normal.

The volume and velocity of information, and the ability to push it out to patients in an effort to promote access, is not unlike a gushing fire hose. In other words, we should ask ourselves whether there is a point where there is too much of a good thing, particularly when balanced against patients’ health literacy and the limited bandwidth of providers to provide their patients with prompt explanations. After all, while technological capabilities have increased, the number of hours in a day have not. Too, there is concern about erroneous or incomplete health information being pushed out to patients, resulting in panic, confusion, or – at its worst – substantial emotional or physical harm.

Access to health information is critical to patient empowerment, and empowerment is a crucial paradigm shift in the patient experience. Technology is enabling this shift.  Further, health policy and –with it — laws that foster patient engagement are propelling access to health information forward. At the same time, we need to ensure that technological, policy, and legal advances are keeping pace with human need. We must take care not to be so focused on the patient that in the process we lose sight of that same patient, with detrimental effects.

Laurie A. Rinehart-Thompson, JD, RHIA, CHP, FAHIMA is Professor and Program Director, Health Information Management and Systems at The Ohio State University. Rinehart-Thompson is author of Introduction to Health Information Privacy and Security, 2nd Edition, AHIMA Press. 

TAKE QUIZ

It’s Block and Tackle: Are Consumers and Providers Ready for the Heavy Lifting?

It’s Block and Tackle: Are Consumers and Providers Ready for the Heavy Lifting?

Jun 14, 2021 | Blog, Compliance & Regulations, Health Information Solutions, Information Sharing, Operational Outcomes

It seems not too long ago I was living a completely normal “mom life.” Normal routines, happy family, and happy life. Eight years ago, seems like yesterday. Our world changed with one routine doctor’s visit and with one diagnostic test. I can remember that day very clearly. I can remember every detail. My 11-year-old adopted daughter was diagnosed of Cystic Fibrosis. How could this diagnosis be found so many years after birth? Believe it or not, it is not that uncommon. Since that day, we live a very different kind of normal.  Our lives and routines have changed dramatically. My now 19-year-old daughter is acutely aware of her diagnosis and plays a very active role in her care and the maintenance and review of her electronic health information. She often tells everyone “Personal health information is saving Grace.” She generates and shares quite a bit of data collected by medical equipment, wearables, and other devices. My daughter’s chronic diagnosis requires her to be seen by multiple providers in-state and often across state lines. She is intimately involved in the collection, review, and sharing of her personal and electronic health information.

Our quest for interoperability is ongoing and while many believe interoperability exists, that is not always true or at least not true in every circumstance. It is often a challenge to receive access to every element of electronic health information required for care. APIs exist but are often underutilized placing the burden on the consumer. We have access to electronic health information, but it is often not comprehensive or interoperable. Electronic health information should not be leveraged to hold consumers hostage to a particular provider, service, or location. Recommended lean data sharing solutions are not appropriate for every consumer. In addition, provider utilization of legacy systems can interfere or prevent exchange of electronic health information. These systems may have checked the boxes for meaningful use but lack the capability to provide meaningful exchange of information. The challenges faced by providers and consumers are perplexing. Many times, we continue to rely on paper records to be transferred from provider to provider. Believe it or not, we still maintain scanned and indexed copies of health records to support care and in many cases the provider will request that we share. Technology is invisibly integrated into our daily lives. I am amazed that in 2021 I can electronically unlock the doors of my home and car, track items in my refrigerator, bank, shop, and be seen by a physician digitally but still struggle with electronic access to complete health information.

Information Blocking Final Rule removed intentional obstacles to patient access to electronic health information. The long-awaited rule handed patients greater control over information sharing and use of electronic health data. But will it really live up to consumer expectations? In conversations with providers, I have often been told that “our vendor will accommodate our data sharing needs.”  What does that mean? Will your vendor meet the consumer’s need for electronic health information? Will meeting the providers need, improve the quality of care for patients? I believe it can, but the journey will not be an easy lift. The burden cannot be placed solely on the vendor. It is a heavy lift that will require an ongoing commitment to an interoperable system that supports health information exchange and embraces education. Providers and consumers alike will play an important role in leading change.

For the 21st Century Cures Act to reach its potential as a catalyst for better healthcare and outcomes, advocating for and adoption of a systemic free-flow of electronic health information with a consumer-centric focus will be required. It should be a partnership between provider and consumer. Health Information Management (HIM) professionals can play a key role in accessing organization readiness and ongoing compliance. The HIM professional’s vast knowledge of HIPAA, electronic data access and exchange, as well as privacy and security standards position HIM professionals to be leaders in developing organization policies and educational programs that will benefit providers and consumers. Deliberate attention must be given to the eight exceptions outlined in the Cures Act related to information blocking. Aiding providers and consumers in understanding these exceptions are essential in achieving a successful partnership. Knowledge is key to access innovation and in mitigating future challenges.

Angela Kennedy, EdD, MBA, RHIA is CEO, Commission on Accreditation for Health Informatics and Information Management Education and former Professor and Chair, Health Informatics and Information Management Program, Louisiana Tech University.  She is a Past President of AHIMA and in recent years has become a Consumer Advocate.

TAKE QUIZ

Unifying ROI Across Your Health System: Your Leadership Priority

Unifying ROI Across Your Health System: Your Leadership Priority

Jun 11, 2021 | Blog, Compliance & Regulations, Health Information Solutions, Information Sharing, Operational Outcomes, Release of Information

By Linda Kloss

I first wrote about the value of uniform ROI practices throughout a health system in the fall of 2016. At the time, I cited risk mitigation and cost control as key drivers. I described the experiences of health systems who had achieved centralized release processing and argued that when centralization is not possible, at minimum, release should be guided by uniform policies and procedures.

Fast forward five years. The imperative has come into even sharper focus today. First, fines and compliance plans are being regularly levied by the Office for Civil Rights for failure to comply with patient access regulations. In the past 18 months, 18 enforcement actions have been announced. What’s amazing is that in each of these cases, covered entities were notified of the complaint and received technical assistance. They were given a chance to self-correct, but still failed to come into compliance. Reasonable risk management was clearly lacking as was quality control and accountability.

Cost control remains a key driver and this too has become more urgent. Many health systems have decided that they will absorb the cost of patient requests, which comprise 15-20% of all requests. Further, per page reimbursement which helped subsidize ROI operations for decades is eroding with limits on what can be charged for electronic release. The business model for ROI has changed irrevocably. Like any other form of transaction processing, ROI must be fully automated with an emphasis on doing it right the first time. This just isn’t possible when release is handled differently across the health system.

Today there is a third driver and that is the consumer. People have a greater interest and need to access their health information. Health systems now see patient access as a customer service requirement.  Fortunately, technology supports this focus. Patients have responded positively to use of the Verisma Request App™ (VRA). It enables them to submit requests via Web and receive e-records—all with state of the art security. VRA also feeds the ROI system to eliminate data entry, reduce costs, and improve productivity. It is a key tool in the unification toolkit.

The May 19th Verisma Webinar “Unifying ROI Across the Enterprise: Large Health Systems Leading the Way” opened my eyes to how the value of unifying ROI across the enterprise can be further expanded. Lisa Perez, RHIA, Assistant Vice President Health Information Management, NYC Heath + Hospitals (the nation’s largest public health system) and Lloyd Torres, MHA, Senior Director, Health Systems Projects, ColumbiaDoctors (the faculty practice organization for Columbia University Irving Medical Center and NewYork-Presbyterian Hospital) described how their very complex health systems achieved enterprise standardization for ROI.  And then they went further.

They are leveraging  ROI technology and service to meet the access needs of internal customers including revenue cycle, case management, utilization review and others who need access to patient records to carry out their responsibilities, access permitted under the TPO (treatment-payment-operation) definitions of HIPAA. Working with managers of these services, they analyzed needs and workflows and designed new processes for access and disclosure using the ROI system. This really was a very remarkable discussion, casting the imperative for unification in a very important new light.

What Lloyd and Lisa taught me is that unifying ROI across the enterprise is not the end point of transformation, it is the starting point. Once uniform across the system, access and disclosure management processes can be optimized. Traditional ROI services can be optimized by deploying VRA, by organizing work to meet user requirements, by deploying consistent invoicing and collections, and by using smart tools to identify requests that may require closer monitoring. In fact, the proposed modifications to the HIPAA Privacy Rule call for “Covered entities having a policy to prioritize urgent or otherwise high priority requests.” How do you administer that in a fragmented non-automated system?  In a unified technology-supported system, smart tools such as Verisma’s Spotlight ™, a rules engine, can be set up to monitor the status of the types of requests you specify.  It’s automatic, it’s consistent, and managers can stay on top of high-risk requests.

In addition to optimizing ROI, Lloyd and Lisa have tackled  other access and disclosure management challenges. In doing so, they now serve a broader set of customers who require reliable access to patient information to do their jobs. This may be information to demonstrate medical necessity and support a claim. It may be information to enable the case manager to plan care continuity. In broadening the use of the ROI platform and service their investments in ROI technology and service are leveraged reducing the overall cost and amping up benefits. By bolting this on to ROI, they also improve compliance and accountability.

We often consider change from the familiar frame; in this instance, the frame of ROI. We look at how this improvement can avoid untoward events, such as compliance failure. We look at how it can improve the productivity of existing processes. We don’t often look at change from the perspective of the new opportunities it might create for the health system. That’s what Lisa and Lloyd did. They achieved the desired improvements in ROI and then considered what other functions could benefit from this new technology. They went looking for opportunity to bring even greater value to their organizations. We congratulate them for showing us a new frame for ROI managing the access and disclosure needs of a broader set of customers.