What Keeps a Compliance Officer up at Night?  Challenges with Access and Disclosure of PHI

What Keeps a Compliance Officer up at Night? Challenges with Access and Disclosure of PHI

With years of HIM leadership experience under my belt, my current role as Director of Corporate Compliance requires me to step back to see the big picture. As I read about the nineteenth OCR HIPAA settlement, it should give pause as to how we got here. HIM professionals are ingrained to protect patient privacy at all costs, but it begs the question if we are trying to protect the wrong people. Patients absolutely have a right to their information and unfortunately, too many roadblocks have existed in the past. When managing release of information (ROI), I agree it is cleaner and less complex to routinely require a written authorization from the patient before releasing any PHI to anyone. But, in some scenarios, we are doing a disservice to the very patient whose information we are trying to protect.

Patients are more technology savvy; they want their information and they want it now. We have an opportunity to speed up this entire process and in so doing, improve service to our customers. If you haven’t already, it is time to think creatively about ROI. If a patient calls your department asking for their records, figure out a process for verifying their identity over the phone versus requiring the patient to come into your department or submit a written request. Use the technology available to you for delivering records to patients, whether that is through your patient portal, an app, email or another electronic method. Speaking of email, we also need to accept the fact that not all patients will be comfortable handling encrypted emails containing their records. They may not want to make up a password and, in my opinion, it should be their choice. You may need to work with your Information Services Department to ensure you can email records unencrypted, if that is the patients’ preference.

I don’t believe we should charge our patients for copies of their own medical information. They are entitled to the information and I think it is just the right thing to do. As we increase the capabilities of apps, our patient portals and methods of delivering medical information to patients, the task of covering our costs should become easier. We also need to get more efficient at this process – 30 days is a long time to wait for delivery of anything – think how we would feel if our typical Amazon orders took this long to arrive? I applaud the 15 day turnaround requirement in the proposed HIPAA Rules. We cannot ignore requests from our patients – the HHS Enforcement Actions demonstrate examples of frustrated patients not getting what they request in a timely manner, or not getting the information at all.

I am hopeful the use of electronic signatures will be specifically noted as allowable under the Proposed Modifications to the HIPAA Privacy Rule. I have seen health information departments differ in their decisions to allow or disallow their use. The use of electronic signatures is a well- established practice and we should move away from requiring only handwritten signatures from patients.

Another thought about patient portals – we are now pushing much more information to the patient, i.e. test results, notes, pathology reports, discharge instructions, in some cases very quickly after creation. Having test results at your fingertips  as soon as they are available is not intended to replace those critical discussions between provider and patient. We need to reassure our patients that these discussions will still occur, even if they see the results via their portal account before they have spoken to their provider. Informing the patient of this during the office appointment when the tests are being ordered needs to become the norm. Placing a “results disclaimer” on the patient portal is another method to communicate this to patients.

As a compliance officer, I want to ensure we are following the law and exceeding our patient needs at the same time. It is also my job to ensure our policies/procedures minimize risk for my organization. It is very important for HIM leaders to step up controls to make certain that access and disclosure management is a sound and reliable process. With each enforcement announcement, the OCR is sending a strong message – no more barriers for patients to get their own information. If access and disclosure management has not been top-of-mind before, it sure needs to be now. If we consistently and efficiently meet our patients’ needs for access, we can all sleep soundly at night.

Wendy Mangin, MS, RHIA is Director of Corporate Compliance for Good Samaritan, Vincennes, Indiana where she served as Director of Health Information Management for over four decades with responsibilities as Executive Project Director for the health systems EPIC implementation. She served on the Board of Directors of AHIMA and its President in 2008. 

TAKE QUIZ

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

In 2020, The Office of the National Coordinator’s (ONC) and the Centers for Medicare and Medicaid Services’ (CMS) released Regulations for Interoperability and Patient Access as required by the 21st Cures Act. Regulations increase access to medical information through application programing interfaces (API) to empower patients in their health care decisions. The API allows information to be shared and exposed within a consumer’s application-based solution of choice (e.g., wellness app). The information is portable, provides ability to share clinical information with care team, caregiver or other party and better understand healthcare costs and financial obligations. 

The focus has been on the Information Blocking Regulations issued by ONC, but the companion CMS Interoperability and Patient Access Rules also have important implications. ONC information blocking allows consumers health information access from a provider setting. However, health insurers have most of their enrollee’s financial and clinical information across care settings (i.e., provider, hospital, pharmacy, laboratory, or other setting that submits claims to health insurer) to provide a more complete picture of the consumer’s healthcare experience. 

The CMS rules require CMS-regulated plans to provide a patient access API, provider directory API and payer-to payer API by January 1, 2021. However, enforcement has been delayed to July 1, 2021. 

Patient Access API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) and Qualified Health Plan (QHP) on the federal exchanges are required to provide the Patient Access API. This API includes adjudicated claims (including Pharmacy), enrollee cost-sharing, encounter information, provider remittances, select clinical data, including lab results, formularies or preferred drug lists. 

The health insurer provides updates within 24 hours of receiving an encounter or processing a claim containing the cost and services provided to a patient. This financial information will assist consumers in tracking submitted claims, expected and current financial responsibility, in and out-of-network deductible amounts and other financial information for themselves and their dependents.  

The clinical information includes clinical notes that are written to track patient progress, inform other medical staff and explain treatment options. Typically, these notes are written using medical terminology and abbreviations that may not be familiar or understandable. The evolution of documentation narratives toward the inclusion of easy-to-understand layman’s terms and description of the patient and clinician team interaction and decision making will increase the value of the medical information to the consumer. This information needs to be boiled down into brief, understandable and actionable problem lists for the patient that add value, not burden.

Commercial payers may consider voluntarily providing this API to empower their enrolled consumers and assist providers participating in their alternative payment models. Value-based care, including capitation payment shift more of the medical risk to the provider including costs that occur outside of the facility or system. Therefore, providers need costs and clinical information across provider settings for attributed patients. 

Provider Directory API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) fee for service and managed care entities are required to provide the Provider Directory API. This API requires the provider names, addresses, phone numbers and specialties. An effective provider API will inform consumers what providers are in the health insurer’s network and if the provider is in the consumer’s specific health plan. 

Payer to Payer API

Medicare Advantage, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) managed care entities and Qualified Health Plans (QHP) on the federal exchanges are required to provide the Payer to Payer API. This API requires an individual’s past health insurer to transmit their claims and encounter information, and subset of clinical information to their new health insurer. This sharing of history allows a longitudinal medical record to be compiled no matter how many times a consumer changes their health insurance. 

Commercial payers may consider voluntarily providing this API to maintain longitudinal records and ensure new enrollees are in the appropriate wellness programs and receive any gaps in current care.    

ONC and CMS’s information sharing requirements allow vendors and payers to enable a one stop shop that is secure, easy to access, actionable and meet a priority consumer need. This may include promotion of wellness through integration with wearables, reduce redundant paperwork at provider settings, make payments, appeal claim payment, store and share medical records for a chronic patient or their caregiver, provide dashboard with tracking/monitoring of hospital at home activities, maintain current drug list, order medical supplies, access care through telemedicine and more from the comfort of home. 

Expanded access to health information, including insurance-related information, has the potential to be inform and transform. Getting accurate and useful information to securely flow to consumers, across provider organizations, between providers and payers and payer to payer will be the work of healthcare over the next decade. This will be a heavy lift for consumers,  covered entities, vendors and business associates. For decades I have worked on the standards and policies to enable us to realize this vision.  Still, I have no illusion that this will be accomplished without significant challenges and protecting privacy and security will be among the most vexing. It’s an all hands on deck time to learn to use information for the benefit of consumer health and health services. 

Tammy Banks, MBA is a Healthcare Consultant with ImpactQue and previously served as Vice President Interoperability Program Development for Optum and as Director Practice Management Center and Payment Advocacy for the American Medical Association.  Outstanding Leadership and Distinguished Service Awards from WEDI.

TAKE QUIZ

“Too Much Too Soon?” Or “An Idea Whose Time Has Come?” Information Blocking Regulations and Proposed HIPAA Access Changes

“Too Much Too Soon?” Or “An Idea Whose Time Has Come?” Information Blocking Regulations and Proposed HIPAA Access Changes

The year 2021 has been punctuated by a flurry of regulatory activity around individuals’ ability to access their own health information.  With access a hot button issue, the information blocking final rule went into effect April 5, compelling health care providers, health technology developers, and health information exchanges and networks to make specific information available to individuals without intentional and unnecessary delay, thus prohibiting interference with access and exchange. Additionally, May 6 marked the end of the public comment period for proposed modifications to the HIPAA Privacy Rule, which include extensive changes that would enhance individuals’ right of access to their PHI, such as the ability to inspect PHI at no cost by taking photos, videos, or notes of their information. Where, a mere five years ago, my attempt to take photos of my father’s nursing home record (to which I was legally permitted access) brought gasps of alarm from staff, the possibility that this practical use of technology might become a legal right brings palpable relief.

But are there negative ramifications to these new regulations and proposed changes? Having helplessly watched family members struggle to access their health records at a time when providers could ignore their requests without consequences, I believe the continual strengthening of the right to access is, in many ways, long overdue. But is there also a point where this right can go too far? I raise this question not because of the burden on healthcare providers (although that could be a separate conversation) but, rather, because of the emotional burden it places on patients and their families. Have we reached a point where access becomes “too much too soon?” As a fierce advocate of patients being able to access their own health information, I find this to be a painful question and – yet – one that needs to be addressed.

Several years ago, a friend of mine was diagnosed with an aggressive form of cancer. Following surgery, chemotherapy and radiation, she underwent a routine scan several months later. The healthcare provider – per meaningful use – posted the radiologist’s interpretation of her scan in the patient portal where she could view it. My friend was able to access that information, and what she read alarmed her. Unable to reach her physician and knowing that she would not be able to obtain clarification of the interpretation for several days, she and her family agonized until she was reassured at her follow-up visit that everything was normal.

The volume and velocity of information, and the ability to push it out to patients in an effort to promote access, is not unlike a gushing fire hose. In other words, we should ask ourselves whether there is a point where there is too much of a good thing, particularly when balanced against patients’ health literacy and the limited bandwidth of providers to provide their patients with prompt explanations. After all, while technological capabilities have increased, the number of hours in a day have not. Too, there is concern about erroneous or incomplete health information being pushed out to patients, resulting in panic, confusion, or – at its worst – substantial emotional or physical harm.

Access to health information is critical to patient empowerment, and empowerment is a crucial paradigm shift in the patient experience. Technology is enabling this shift.  Further, health policy and –with it — laws that foster patient engagement are propelling access to health information forward. At the same time, we need to ensure that technological, policy, and legal advances are keeping pace with human need. We must take care not to be so focused on the patient that in the process we lose sight of that same patient, with detrimental effects.

Laurie A. Rinehart-Thompson, JD, RHIA, CHP, FAHIMA is Professor and Program Director, Health Information Management and Systems at The Ohio State University. Rinehart-Thompson is author of Introduction to Health Information Privacy and Security, 2nd Edition, AHIMA Press. 

TAKE QUIZ

It’s Block and Tackle:  Are Consumers and Providers Ready for the Heavy Lifting?

It’s Block and Tackle: Are Consumers and Providers Ready for the Heavy Lifting?

It seems not too long ago I was living a completely normal “mom life.” Normal routines, happy family, and happy life. Eight years ago, seems like yesterday. Our world changed with one routine doctor’s visit and with one diagnostic test. I can remember that day very clearly. I can remember every detail. My 11-year-old adopted daughter was diagnosed of Cystic Fibrosis. How could this diagnosis be found so many years after birth? Believe it or not, it is not that uncommon. Since that day, we live a very different kind of normal.  Our lives and routines have changed dramatically. My now 19-year-old daughter is acutely aware of her diagnosis and plays a very active role in her care and the maintenance and review of her electronic health information. She often tells everyone “Personal health information is saving Grace.” She generates and shares quite a bit of data collected by medical equipment, wearables, and other devices. My daughter’s chronic diagnosis requires her to be seen by multiple providers in-state and often across state lines. She is intimately involved in the collection, review, and sharing of her personal and electronic health information.

Our quest for interoperability is ongoing and while many believe interoperability exists, that is not always true or at least not true in every circumstance. It is often a challenge to receive access to every element of electronic health information required for care. APIs exist but are often underutilized placing the burden on the consumer. We have access to electronic health information, but it is often not comprehensive or interoperable. Electronic health information should not be leveraged to hold consumers hostage to a particular provider, service, or location. Recommended lean data sharing solutions are not appropriate for every consumer. In addition, provider utilization of legacy systems can interfere or prevent exchange of electronic health information. These systems may have checked the boxes for meaningful use but lack the capability to provide meaningful exchange of information. The challenges faced by providers and consumers are perplexing. Many times, we continue to rely on paper records to be transferred from provider to provider. Believe it or not, we still maintain scanned and indexed copies of health records to support care and in many cases the provider will request that we share. Technology is invisibly integrated into our daily lives. I am amazed that in 2021 I can electronically unlock the doors of my home and car, track items in my refrigerator, bank, shop, and be seen by a physician digitally but still struggle with electronic access to complete health information.

Information Blocking Final Rule removed intentional obstacles to patient access to electronic health information. The long-awaited rule handed patients greater control over information sharing and use of electronic health data. But will it really live up to consumer expectations? In conversations with providers, I have often been told that “our vendor will accommodate our data sharing needs.”  What does that mean? Will your vendor meet the consumer’s need for electronic health information? Will meeting the providers need, improve the quality of care for patients? I believe it can, but the journey will not be an easy lift. The burden cannot be placed solely on the vendor. It is a heavy lift that will require an ongoing commitment to an interoperable system that supports health information exchange and embraces education. Providers and consumers alike will play an important role in leading change.

For the 21st Century Cures Act to reach its potential as a catalyst for better healthcare and outcomes, advocating for and adoption of a systemic free-flow of electronic health information with a consumer-centric focus will be required. It should be a partnership between provider and consumer. Health Information Management (HIM) professionals can play a key role in accessing organization readiness and ongoing compliance. The HIM professional’s vast knowledge of HIPAA, electronic data access and exchange, as well as privacy and security standards position HIM professionals to be leaders in developing organization policies and educational programs that will benefit providers and consumers. Deliberate attention must be given to the eight exceptions outlined in the Cures Act related to information blocking. Aiding providers and consumers in understanding these exceptions are essential in achieving a successful partnership. Knowledge is key to access innovation and in mitigating future challenges.

Angela Kennedy, EdD, MBA, RHIA is CEO, Commission on Accreditation for Health Informatics and Information Management Education and former Professor and Chair, Health Informatics and Information Management Program, Louisiana Tech University.  She is a Past President of AHIMA and in recent years has become a Consumer Advocate.

TAKE QUIZ

Unifying ROI Across Your Health System:  Your Leadership Priority

Unifying ROI Across Your Health System: Your Leadership Priority

By Linda Kloss

I first wrote about the value of uniform ROI practices throughout a health system in the fall of 2016. At the time, I cited risk mitigation and cost control as key drivers. I described the experiences of health systems who had achieved centralized release processing and argued that when centralization is not possible, at minimum, release should be guided by uniform policies and procedures.

Fast forward five years. The imperative has come into even sharper focus today. First, fines and compliance plans are being regularly levied by the Office for Civil Rights for failure to comply with patient access regulations. In the past 18 months, 18 enforcement actions have been announced. What’s amazing is that in each of these cases, covered entities were notified of the complaint and received technical assistance. They were given a chance to self-correct, but still failed to come into compliance. Reasonable risk management was clearly lacking as was quality control and accountability.

Cost control remains a key driver and this too has become more urgent. Many health systems have decided that they will absorb the cost of patient requests, which comprise 15-20% of all requests. Further, per page reimbursement which helped subsidize ROI operations for decades is eroding with limits on what can be charged for electronic release. The business model for ROI has changed irrevocably. Like any other form of transaction processing, ROI must be fully automated with an emphasis on doing it right the first time. This just isn’t possible when release is handled differently across the health system.

Today there is a third driver and that is the consumer. People have a greater interest and need to access their health information. Health systems now see patient access as a customer service requirement.  Fortunately, technology supports this focus. Patients have responded positively to use of the Verisma Request App™ (VRA). It enables them to submit requests via Web and receive e-records—all with state of the art security. VRA also feeds the ROI system to eliminate data entry, reduce costs, and improve productivity. It is a key tool in the unification toolkit.

The May 19th Verisma Webinar “Unifying ROI Across the Enterprise: Large Health Systems Leading the Way” opened my eyes to how the value of unifying ROI across the enterprise can be further expanded. Lisa Perez, RHIA, Assistant Vice President Health Information Management, NYC Heath + Hospitals (the nation’s largest public health system) and Lloyd Torres, MHA, Senior Director, Health Systems Projects, ColumbiaDoctors (the faculty practice organization for Columbia University Irving Medical Center and NewYork-Presbyterian Hospital) described how their very complex health systems achieved enterprise standardization for ROI.  And then they went further.

They are leveraging  ROI technology and service to meet the access needs of internal customers including revenue cycle, case management, utilization review and others who need access to patient records to carry out their responsibilities, access permitted under the TPO (treatment-payment-operation) definitions of HIPAA. Working with managers of these services, they analyzed needs and workflows and designed new processes for access and disclosure using the ROI system. This really was a very remarkable discussion, casting the imperative for unification in a very important new light.

What Lloyd and Lisa taught me is that unifying ROI across the enterprise is not the end point of transformation, it is the starting point. Once uniform across the system, access and disclosure management processes can be optimized. Traditional ROI services can be optimized by deploying VRA, by organizing work to meet user requirements, by deploying consistent invoicing and collections, and by using smart tools to identify requests that may require closer monitoring. In fact, the proposed modifications to the HIPAA Privacy Rule call for “Covered entities having a policy to prioritize urgent or otherwise high priority requests.” How do you administer that in a fragmented non-automated system?  In a unified technology-supported system, smart tools such as Verisma’s Spotlight ™, a rules engine, can be set up to monitor the status of the types of requests you specify.  It’s automatic, it’s consistent, and managers can stay on top of high-risk requests.

In addition to optimizing ROI, Lloyd and Lisa have tackled  other access and disclosure management challenges. In doing so, they now serve a broader set of customers who require reliable access to patient information to do their jobs. This may be information to demonstrate medical necessity and support a claim. It may be information to enable the case manager to plan care continuity. In broadening the use of the ROI platform and service their investments in ROI technology and service are leveraged reducing the overall cost and amping up benefits. By bolting this on to ROI, they also improve compliance and accountability.

We often consider change from the familiar frame; in this instance, the frame of ROI. We look at how this improvement can avoid untoward events, such as compliance failure. We look at how it can improve the productivity of existing processes. We don’t often look at change from the perspective of the new opportunities it might create for the health system. That’s what Lisa and Lloyd did. They achieved the desired improvements in ROI and then considered what other functions could benefit from this new technology. They went looking for opportunity to bring even greater value to their organizations. We congratulate them for showing us a new frame for ROI managing the access and disclosure needs of a broader set of customers.

The Pandemic’s Lasting Effects on Access and Disclosure of Health Information

The Pandemic’s Lasting Effects on Access and Disclosure of Health Information

By Linda Kloss

Every crisis brings about change, some transient and some permanent. Last week we learned about ways that the COVID-19 pandemic changed day to day release of health information (ROI) and accelerated the transformation of access and disclosure. We are grateful to these terrific HIM leaders who shared their 2020 experiences and forecast for changes yet to come: 

  • Stefanie Brumberg, RHIA, Corporate Director, HIM Services, ChristianaCare, Newark, DE
  • Steve Eddington, MHI, RHIA, Director, HIM , Boston Children’s Hospital, Boston, MA
  • Susan Tabickman, RHIA, HIM Manager of Operations, NewYork-Presbyterian Hospital, New York, NY
  • Lauren Zuckerman, RHIA , Director, HIM, Garnet Health, Middletown, NY

With 2020 barely in the rear view mirror and the pandemic still raging,  the experiences of these four prestigious health systems are remarkably consistent. Here are the major 2020 changes in release of information:

  1. ROI is now predominantly performed by an offsite workforce

Work from home is a familiar part of the HIM scene for transcription and coding, but unless outsourced, ROI was generally performed on site. This changed overnight and importantly, panelists agree that it is unlikely to return to its pre-pandemic state.  Success in this abrupt transition challenged managers to find new ways of supporting their workforce.  Lessons learned underscore that a team does not have to be physically together to properly function well together. Flexibility, effective communications, and composure under pressure have been managerial traits contributing to this success. 

2. ROI is now technology-supported knowledge work

Remote work is only possible if guided by workflow technology that ensures a consistent and compliant process and accountability. The pandemic accelerated recognition that ROI can no longer be decentralized clerical transactions relying on faxes, paper processing, phones and service windows. It must be a largely paperless automated workflow that is uniformly executed.  Panelists agree that the end-to-end workflow is not yet fully optimized, but the basics are in place and optimization will be the work of the next several years. This is important from a service and compliance perspective, but it’s also essential as sources of revenue to support the function are shrinking.

3. Request and release goes digital

Powered by the Verisma Request App™ (VRA), digital requests and e-release has quickly transplanted paper requests, walk-up windows, and faxes. One panelist’s health system had implemented VRA before the outbreak of COVID-19, two others accelerated implementation as part of their rapid response, and the fourth is implementing an expanded version in the near future. All agree that digital requests and e-release is the new normal and that while we are in early stages, the VRA technology is an essential part of access and disclosure management.

4. ROI begins a shift from reactive to proactive

The COVID-19 response has ushered in a new paradigm that positions ROI as an enabler not a barrier to access. Consistent with recent federal policy, the fundamental mission of access and disclosure management is most likely forever changed.  Future goals will be to anticipate patients’ needs for information and make it easier for these needs to be met. There will be plenty of challenges as this new paradigm takes hold. With greater patient access, comes increased requests for amendments and corrections.  Interoperability, expanded access to EHR information via portals and other health information ecosystem changes will shape continued ROI transformations. ROI no longer operates in a vacuum. Teamwork around a vision of patient access and secure disclosure is the new normal. 

Despite the challenges of the past year, panelists agreed that their resourcefulness has been an important contributor to their leadership successes. ROI isn’t what it was a year ago.  COVID-19 accelerated many changes that have already redrawn the landscape. With new building blocks in place, complex information management challenges abound. Still, in the words of one panelist, “it’s a great time to be in HIM, as usual.”