May 6, 2020 | Blog, Compliance & Regulations, Health Information Solutions, Operational Outcomes
By Linda Kloss
In the midst of the COVID-19 pandemic, HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina taught us powerful lessons about rapid adaptation and change. Over the past month, we shared their insights in two webinars and three blogs. This fourth blog addresses the privacy and security of protected health information (PHI) as health systems lock down to protect staff, patients, and visitors. This public health emergency requires facilitating the flow of information while preserving essential privacy protections and stepping up security, a difficult balancing act in the best of times.
The Office for Civil Rights (OCR) acted quickly to issue guidance for covered entities and business associates, waiving penalties and sanctions and exercising its enforcement discretion regarding certain good faith disclosures of PHI. For covered entities, these focused on helping family members get information on their loved ones even as they were blocked from in-person visits. For example, staff involved in the individual’s care may speak with an involved family member or friend without the patient’s express agreement; the Notice of Privacy Practices need not be distributed; patient rights regarding opting out of a facility directory and requesting restricted communication of certain PHI may be temporarily set aside.
Under ordinary circumstances, when federal and local public health and public safety officials seek PHI from business associates, the disclosure may be prohibited unless explicitly authorized in the business associate agreement. The OCR enforcement discretion removes this barrier, providing the business associate can show good faith use of the disclosed information for public health or health oversight and informs the covered entity. These OCR actions are relatively narrow in their focus. They do not, for example, relax other obligations such as breach notification.
Our panel of HIM leaders acknowledge that these temporary relaxations are helpful and are used as a backstop. The default is to fully comply with HIPAA, but when this is not possible, these temporary modifications allow staff to proceed without undue worry. They remove barriers to acting quickly.
Our panelists point to areas not covered by OCR modifications for which workarounds have had to be put in place:
- The increase in requests by phone and the need for reasonable authentication of the identity of requestors.
- Accumulating mail in closed medical practices and the potential difficulty to process requests on a timely basis.
- Up to date and accurate authorization for access to EMR data by new healthcare workers from outside the system who have been quickly pressed into service.
As each health system finds ways to deal with these and other privacy challenges, the watchword continues to be good faith efforts to protect PHI as fully as possible from unauthorized access and disclosure.
An unfortunate truism of life in the digital age is that the bad actors attack when we are most vulnerable. Health care is experiencing a sharp increase in cyberattacks, ransomware, and phishing incidents. Working with PHI access and disclosure is a high-security-risk activity. Our panel discussed the following steps:
- Tighten the security of the work-from-home platform. The transition may have been made quickly and the platform may now need to be hardened.
- The environment in the home may not be secure due to space limitations. Each situation should be assessed to ensure that PHI is protected.
- Keep security front and center in routine communications and staff conferences. Include security staff and examples to underscore the need to check before clicking.
Let me once again thank the HIM leaders who taught us so much during the month of April 2020, a month that none of us will ever forget. They have shown us just how much can get done by seizing the momentum. They have kept information flowing, yet confidential; they kept staff safe, while introducing improvements.
Please continue to share your access and disclosure challenges and breakthroughs so we can continue to learn from one another.
Apr 23, 2020 | Blog, Health Information Solutions, Operational Outcomes, Release of Information
By Linda Kloss
This is the third blog highlighting lessons learned by HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina in the midst of the COVID-19 pandemic. Their experiences teach us much about release of information best practices. They also identify broader health information access and disclosure challenges of dealing with this public health emergency. The first blog focused on best practices for protecting the safety of staff through rapid transition to work-from-home and protecting staff that must continue to perform their work on site.
The second blog addressed best practices in adapting release of information practices. By optimizing electronic workflows, health systems are flexing to ensure compliant and accurate work from request through fulfillment. A game changer is use of the Verisma Request App (VRA), which when integrated with the Verisma Release Management, is providing seamless continuity of work regardless of shifting workflows, who is doing the work, and where it is being done.
Our interviews with HIM leaders also described stepped up involvement with patient portals and a new focus on policies and procedures for telemedicine. I might not have anticipated these two areas of best practice as early responses, but it has quickly become clear that this pandemic is accelerating all aspects of virtual health services. In addition to experiences with Verisma’s VRA, interviews highlighted an uptick in use of patient portals. Thus, we identified Support for use of patient portals as a best COVID-19 practice for HIM working in collaboration with IT and others.
Despite years of somewhat sluggish use of patient portals, many health systems are now seeing a marked uptick as patients seek ways to connect and communicate, get test results, and find general information. HIM leaders report stepped-up involvement in helping patients enroll in patient portals and in supporting them in their use. This has required allocating HIM staff to focus on portal support. An important lesson is to be certain that current portal policies and procedures are documented and capture changes or special procedures relating to reporting COVID test results and handling questions about those results.
Long standing barriers to broad adoption of telehealth services have been eliminated by recent federal and state regulatory changes. Virtual visits and remote monitoring services have surged for routine primary and specialty care, behavioral, and employee health. In the midst of the pandemic, this is a lifeline. Rapid adoption, however, may strain organizations who may not have robust policies and procedures or a broad understanding of them.
HIM leaders report greater involvement with the ramp-up of telehealth, and Support for telehealth information needs is another important emerging HIM best practice. As with portals, they recommend telehealth policies and procedures be reviewed and adjusted as needed. Issues such as enrollment procedures and consents may need sharpening. Identity proofing (provider and patient), handling attachments, coding, and health record protocols are cited as areas where HIM expertise is needed. Telehealth may also increase patient access requests because patients and providers need to review current information to have an effective virtual encounter.
Long after this public health crisis comes under control, virtual health and health information applications will be indispensable elements of care delivery and patient engagement. There are sure to be many important health information best practices associated with this nascent era of virtual health, and now is the time to capture these lessons. There is no going back…only going forward.
Once again, I want to thank the HIM leaders who continue to share their experiences as they learn and adapt for business continuity while supporting the needs of their staff, health systems, and the communities that they serve. Please join us on April 29th for our Webinar, COVID-19 Response: Emerging Best Practices for Health Information Disclosure Management – Part 2.
Apr 16, 2020 | Blog, Health Information Solutions, Operational Outcomes, Release of Information
By Linda Kloss
This is the second blog highlighting lessons learned by HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina in the midst of responding to patients ill with the COVID-19 virus. Once again, I want to thank these leaders for agreeing to be interviewed to share their experiences in the midst of this chaotic and frightening professional and social experience.
Their experiences pointed to 8 emerging best practices based on these leaders’ first several weeks of COVID-19 response efforts. We label them emerging because they describe adaptive, not static, changes. Adjustments will continue to be made as disaster and recovery response circumstances evolve. The best practices comprise three key initiatives:
- physical distancing – staff and patients
- optimizing electronic workflows, and
- adapting policies to remove barriers
The first blog described two best practices for protecting staff through work at home and by changing the on-site environment. Today, we share two more important best practices directly relating to release of information practices.
Best practice #3: Close in-person R-O-I request services turned out to be easier than expected. First, health systems were limiting all public traffic in and out of buildings. Interviewees uniformly reported that in-person requests dropped off abruptly simply because traffic was so diminished. Second, routine and elective referrals were delayed, physician practices closed and this further depressed the volume of routine requests. In closing in-person services, interviewees advised careful attention to posting clear instructions, updating signage, web pages, and automated messaging systems.
Protected health information may be requested in five ways: 1) by completing request/authorizations at an in-person service window, 2) accessing a request/authorization on the health system website and submitting it via mail, 3) accessing a form on the health system website, scanning and e-mailing it, 4) processing verbal requests, and 5) using a request App.
Five routes have rapidly become four. Routes 2 and 3 involve handling and processing residual paper, and these routes represent the biggest barriers to work from home. Verbal requests, route 4, may be a tolerable alternative in a public health emergency, but shouldn’t become a new routine. This route is labor intensive, does not permit rigorous authentication, and can’t easily be audited.
The need to optimize electronic workflows is thus the key initiative and a key lesson from health systems on the front line. Thus, another best practice is to Use R-O-I workflow technology and the Verisma Request App. Workflow technology and request apps eliminate paper, permit rigorous authentication, and create records of requests and their fulfillment.
One of the health systems interviewed had fully implemented the Verisma Request App (VRA) and integrated it with its patient portal 18 months ago. For this large health system at the epicenter of the pandemic, minimal adjustments were needed in request procedures. The HIM leader noted that the VRA provided “peace of mind” because the request, authentication and release processes were fully automated. Another interviewee was planning to implement VRA to eliminate in-person requests for security reasons. This health system accelerated implementation, delaying full portal integration, but getting the App in place to ensure an electronic route.
In addition to using request apps, other workflow best practices involve redirecting whatever work you can to your R-O-I vendor. Because health system staff and the vendor staff use the Verisma Release Management (VRM) workflow platform, work distribution can keep pace with changing demands. Health systems that have centralized R-O-I across facilities and practices using VRM are in the best position to respond to the rapid changes in workflow required for these vexing times. One health system was in the process of centralizing R-O-I from hundreds of physician practices at the outset of the crisis. Their current challenges are with the practices that have yet to be centralized and are now closed, with unprocessed requests buried in incoming mail and virtually irretrievable. This health system also implemented a call center operated by Verisma, so all requests are processed uniformly and seamlessly.
In August of 2005, Hurricane Katrina hit the Gulf Coast and New Orleans, leaving millions of people displaced and caregivers without any trustworthy information about their health conditions and medications. We all remember the photos of people with their pill bottles in paper bags. We remember photos of wet piles of records, detritus of the flood. Only the Veterans Administration hospitals could easily access electronic medical and medication records when people relocated. COVID-19 and the lessons being learned will irrevocably change health information access and disclosure. It is already clear from the experiences of the HIM leaders interviewed that automated ROI systems, including the request application, are providing R-O-I business continuity and security flexibility.
Next week we will feature lessons learned about the importance of HIM engagement with portal and telemedicine workflows and policies. Our continued wishes for your safety and health in this very sad time. Please jump in and share your experiences and questions, request an archive of the April 1 Webinar by e-mailing Davy Simanivanh (dsimanivanh@verisma.com) and plan to join us on April 29 for a follow-up webinar.
Nov 25, 2019 | Blog, Compliance & Regulations, Operational Outcomes, Release of Information
By Linda Kloss
On September 9, 2019 the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first monetary enforcement action regarding the rights of patients to receive copies of their medical records. Sadly, we’re all too familiar with the too long list of actions following breaches of health information. In fact, OCR levied over $28 million in fines for 2018 breach actions. Now, Bayfront Health, St. Petersburg, FL became the first covered entity to be fined for failure to comply with medical record access requirements.
Earlier this year, OCR announced its initiative to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. Empowering patients is one of four key strategies for HHS and access to information is a key tactic. HHS is advancing access through its policy, standards, and enforcement levers. Patient access is a right ensured by the HIPAA Privacy Rule. However, based on evidence of persistent barriers to patient access, HHS released Patient Access Guidance in 2016 that set out limits on what patients could be charged and reiterated process requirements. More recently, HHS is encouraging the use of apps for release of information to streamline the process and improve the flow of information.
The Bayfront case is a wake up call for all compliance and disclosure management professionals and their business associates. An investigation was initiated by the OCR based on a complaint from a new mother who had requested fetal heart monitor records on her unborn child. Bayfront first claimed that it did not have the requested records and later provided a partial set of records after repeated requests from the mother and her attorney. The requested records were provided twenty-two (22) months after the initial request and only after a complaint was filed with OCR. HIPAA Rules, of course, generally require covered entities to provide medical records within 30 days.
Bayfront agreed to pay a fine of $85,000, modest by comparison to fines paid for breaches, but not modest when one considers that this involves a single patient’s record set. Bayfront also executed a one-year corrective action agreement that largely focuses on demonstrating that it has updated access policies and procedures, educated its workforce, and has mechanisms in place to monitor performance. Bayfront is obligated to report instances whereby its employees or those of a business associate fail to comply, along with the results of its review and investigation. It is also obligated to comply with documentation requirements as spelled out in HIPAA’s accounting for disclosures provisions.
Enforcement is a powerful lever that only a governing entity can apply. The fact that HHS is using this lever for patient access should prompt covered entities to evaluate the adequacy of their practices given the very rapid changes in health information disclosure management. Reasonable disclosure management practices today include the following:
- Technology enabled – Managing growing volumes of requests can’t be done without end to end disclosure management software that can track and prompt all phases of the request through release processes which include compliance prompts.
- Optimized process – Migrating from siloed and fragmented release practices to standardized and even centralized practices across the health system—that are knit together by use of compliance-based technology.
- Patient-centered – Proactive patient facing practices that enable patients to control the request and release processes through use of apps with rigorous authentication.
- Knowledge work – Release of information personnel who understand guiding regulations and principles and are trained to do the jobs they do.
- Accountability – Tracking, red flagging and trending the status of all requests and maintaining auditable accounting of disclosure records.
We empathize with Bayfront’s unfortunate experience and that of the mother who experienced anguish and frustration through inexplicable delays. This should not happen, but I bet many are whispering “there but for the grace….” This is a learning moment. Business as usual in release of information is no longer in our patients’ or our employers’ best interests. Many health care organizations are rapidly moving to a new level of practice – and not a moment too soon.
Oct 17, 2019 | Blog, Compliance & Regulations, Health Information Solutions, Release of Information, Uncategorized
By Linda Kloss
It’s a typical weekday for me working from home and stopping to get a few things cleared off my “to do” list. It’s 2:30 in the afternoon and I have already used 10 apps: I read my digital newspapers, did online banking, scheduled service on the car, ordered dog food, scheduled an annual dermatology appointment, booked a flight, hotel, and airport transportation, figured out a route from the airport to my hotel, and downloaded a book for next month’s book club. You get it; this is now a typical day for most connected consumers. Not long ago, we would have driven to the bank, dog food store, bookstore or library, called the travel agent, auto mechanic, and so on. Apps have transformed how we get things done.
Now, many consumers use an app to access their medical records, downloading to a mobile device for their own use and to share as they see fit with providers, other caregivers and family. Release of information, long a back office processing function, is becoming an app-enabled, consumer-driven service. This transformation is largely driven by consumers. When so many parts of our life are supported by apps, consumers are not satisfied with having to contact various hospitals and provider offices, complete forms, wait for paper or CD and pay a fee to gain access to their own information.
Federal emphasis on interoperable EHRs brought the issue of barriers to access to information for patients to the forefront. Fees were identified as a barrier, and in 2016 the Office for Civil Rights addressed this with its patient access guidance. The Office of the National Coordinator for Health IT (ONC) extended the focus on patient access by including functionality in its EHR certification criteria, directly supporting standards-based application programming interfaces (APIs) and apps, and promoting access through public education. Patient access is one of six key planks in implementation of the 21st Century Cures Act designed to unlock the power of digital health information.
Consumer demand, supported by federal policy, will transform release of information to an app-enabled function and I believe that this will happen very quickly. I base this prediction on the experiences of health systems that enable web access for patients and authorized third parties. Adoption and uptake have been swift and overwhelmingly positive.
You can learn from NewYork-Presbyterian’s Susan Tabickman about this world-renowned health system’s use of Verisma’s API-based app for release of information in a free webinar on October 30! Registration information follows.
There are inherent privacy and security risks for apps involving confidential patient data. Access and disclosure of patient information also require hardened compliance protocols. Trusted release of information app developers must meet a high bar; a developer must have the requisite technical and standards know-how, but must also have compliance, data protection, and accuracy in its DNA.
Against this background, CIOs and HIM professionals should proactively advance access transformation on four fronts:
1. Transition from fragmented to standardized and centralized disclosure management across the health system. This requires adoption of enterprise release of information management software and best practices.
2. Add an app linking EHR and the enterprise release of information software so information can be requested and disclosed via web portal.
3. Design and implement policies and processes to protect the consumers’ right of access with appropriate privacy and security protections for an app-enabled patient access environment.
4. Develop an implementation plan that includes consumer and staff outreach and education.
I can’t yet access my EHR via app, but when I can, you can be sure I will keep my medical record securely on my password-protected phone. The days of taking notes, requesting and storing paper reports, and trying to recall when I last did this or that will be over. The timing is right and it just makes sense.
Use this link to register for the free webinar on October 30 at 2-3 pm EDT: https://bit.ly/2peAwoK
Sep 9, 2019 | Blog, Information Sharing, Operational Outcomes, Release of Information, Uncategorized
Observations about the changing nature of health information practice
By Linda Kloss
Arriving for her mammogram, she is told that the radiologists will not read her digital mammography without the historical files. In following up, the staff at the “most wired” health system acknowledged that they had received the request, but the fax number didn’t work and they had called once to follow up but didn’t connect to a live person. The ROI team didn’t know about the digital files because those were handled elsewhere and they had no information or responsibility for that aspect of the request. Anxious follow up calls produced fairly quick responses and the mammography test results were interpreted and were normal. You have probably also guessed that I was the patient in this story. Ironic, eh?
This simple story is repeated over and over again. In this case, there were no quality of care consequences, just a frustrated delay and some worry. In other instances, such errors have real consequences. Getting access and disclosure right in the current environment is a complex systems challenge requiring coordination of three elements of change: technical, political, and cultural:
- Technical systems include workflow procedures, transaction and analytic technologies, guiding policies, business practices, regulations, and standards.
- Political systems are the ways that authority and responsibility for administering technical systems are assigned among stakeholders. Today there is a drive toward greater standardization and even centralization of ROI to improve accuracy and efficiency.
- Cultural issues include the shifting organizational and societal values and pressures for change. The emphasis on patient access, patient-generated health information and use of apps at the same time there is growing concern about personal privacy and breaches demonstrates cultural dilemmas.
The technical systems failed in this example. There was no accountability baked into the processes of either organization. Obviously, their technology did not include any flagging about open requests. For a care coordination issue, they were way outside the range of efficient information sharing. The interpretation and digital records were not handled in a coordinated manner; these were unlinked transactions with no responsible party. While I did all the right things to start the process, I made the assumption that given enough time—5 months—the systems would work on my behalf. I did not follow up. But should I have to? We live in a world where trillions of transactions across all aspects of our lives are handled reliably on line with feedback to the initiator and the ability to track transactions.
This blog, sponsored by Verisma, represents the company’s core commitment to serving patients with game-changing disclosure management technology and innovative management solutions designed for accurate, timely, and compliant disclosure management. At its 4th Disclosure Management Summit held in May, Verisma challenged participants to be working toward a goal of “your records in 5 minutes.” In the coming months, we are going to explore what it will take to meet this challenge. We look forward to your engagement and participation.