Key Takeaways: HIPAA Update from the OCR


Verisma Academy recently hosted an informative webinar featuring Timothy Noonan, the Deputy Director for Health Information Privacy, Data, and Cybersecurity at the HHS Office for Civil Rights. The session provided attendees with crucial updates on the proposed rulemaking and guidance from OCR (Office for Civil Rights), shedding light on various aspects such as reproductive health, Part 2 records, and the use of tracking technologies. In this blog post, we’ll delve into the key takeaways from the webinar and explore the implications of these developments in the realm of healthcare information management (HIM).

Strengthening Privacy Protections for Reproductive Health:

One significant aspect discussed during the webinar was the Notice of Proposed Rulemaking (NPRM) regarding reproductive health. The primary objective of this proposal is to enhance privacy protections by restricting the use or disclosure of Protected Health Information (PHI) by regulated entities for investigations related to reproductive health care. To enforce this prohibition, the NPRM suggests that regulated entities obtain a signed attestation ensuring that the requested PHI is not intended for prohibited purposes. This attestation requirement applies to various circumstances, including health oversight activities, judicial and administrative proceedings, law enforcement purposes, and disclosures to coroners and medical examiners. The comment period for this proposal ends on June 16, 2023.

Understanding the Impact on HIM and Release of Information Processing:

From an HIM perspective, numerous questions arise regarding the content of the attestation and its impact on the release of information processing. To gain more insights and details on this matter, interested individuals can refer to the official Federal Register document available here.

Transitioning from COVID-19 Telehealth Measures:

Timothy Noonan also provided updates on the conclusion of the COVID-19 health emergency with regard to telehealth. Attendees were reminded that personal health information (PHI) stored on mobile devices such as cell phones and tablets is not protected under HIPAA. This serves as a critical reminder for healthcare professionals to ensure appropriate safeguards are in place when handling PHI on personal devices.

Enhanced Coordination for Substance Use Treatment:

The webinar covered proposed modifications to 42 CFR Part 2 records, which deal with substance use and disorders. The objective of these modifications is to enhance coordination among providers involved in the treatment of substance use, thus reducing existing challenges. By potentially increasing patient protections regarding the disclosure of records, these changes aim to prevent discrimination in treatment. More information on the proposed modifications can be found here.

Understanding Online Tracking Technologies and Protecting ePHI:

Another crucial topic discussed in the webinar was the use of online tracking technologies, such as Google Analytics and Meta, on entity websites or apps. Attendees were reminded that using tracking technologies in a manner that leads to impermissible disclosures of electronic Protected Health Information (ePHI) to tracking vendors is strictly prohibited. The webinar provided insights into the nature and usage of tracking technologies, as well as the necessary steps that regulated entities must take to safeguard ePHI. For additional information, visit the OCR’s website here.

Escalating Breach Incidents and the Need for Robust HIPAA Security:

The number of PHI breaches has seen a concerning increase, with hacking breaches accounting for a significant portion. In 2022 alone, there were 712 reported breaches, a sharp rise from 369 in 2018. Hacking incidents accounted for 49% of all breaches in 2022, and from January 1 to April 30, 2023, hacking incidents constituted a staggering 67% of all breaches. Moreover, during the same period, there were 559 breaches affecting 400 or more individuals, with 57% being network server-related and 21% related to email. These alarming figures highlight the urgency for organizations to fortify their security measures and conduct regular HIPAA security assessments to identify and mitigate risks.

Looking Ahead and Staying Informed:

While the finalization of the HIPAA NPRM and its potential impact on turnaround times and other significant changes remains uncertain, organizations should stay updated and watch for the upcoming Spring Unified Agenda release, which may offer more clarity. In the meantime, the industry must stay vigilant about evolving areas such as reproductive health, Part 2 records, and HIPAA security to ensure compliance and protect sensitive health information.

Verisma Academy’s webinar featuring Timothy Noonan shed light on the latest proposed rulemaking and guidance from OCR regarding HIPAA. Attendees gained valuable insights into reproductive health privacy protections, substance use records modifications, the usage of online tracking technologies, and the increasing importance of robust HIPAA security measures. In this dynamic healthcare landscape, it is crucial for organizations to stay informed, adapt to changing regulations, and prioritize the protection of patients’ health information.

Verisma Academy

The recording of this event is available on-demand and CEU-eligible through May 2024.

How Leveraging an HIM Partner Helps Decrease Staff Stress


“Everything Everywhere All at Once” isn’t just the title of an award-winning movie that many viewers found quite confusing. It’s how a lot of health information management (HIM) employees feel about their jobs. There aren’t enough hours in the day, and one person can’t do everything at once.

Many providers are exploring HIM support from outside partners to take all or some of the weight off their shoulders. The right Release of Information (ROI) and HIM partner can be a reliable and cost-effective solution for ensuring your quality standards are met without burdening you or your internal staff.

Following our acquisition of ScanSTAT Technologies, Verisma now offers a full suite of outsourced HIM solutions in addition to our industry-leading ROI service:

Prior Authorizations

Inbound Document Management

Chart Abstraction

EHR Conversion

Forms Completion

Document Scanning


Contact us to learn more!

Imagine a world where your team’s health information management responsibilities are supported by industry-leading experts at Verisma. What would that look like?

1. You would spend less time recruiting, hiring, training, retaining and scheduling employees.

Finding and hiring new talent has never been more challenging. HIM partners ensure you have the resources required to meet the demands on your organization. Your employees take time off for vacations, illnesses, and leaves of absence, but Verisma is always ready. We have the people and resources to meet your needs every day.

2. You could finally address your backlog.

When you partner with Verisma, you can breathe. Because Verisma:

  • Allows your in-house staff to focus on patient care
  • Keeps your medical records department current on requests
  • Assumes responsibility for HIPAA compliance
  • Fills the gaps in your department while you still maintain your own processes and standards


A dedicated team of experts can improve turnaround time and thus reduce staff stress while improving patient satisfaction.

3. You would reduce risk and achieve or maintain compliance.

As stewards of data integrity, health information managers understand that Protected Health Information (PHI) responsibilities—from compliance, workflows, training, and coding to document completion—are top priorities. But, realistically, each one of these PHI responsibilities is a full-time job. Recent regulatory changes related to release of information (ROI) are a potentially expensive pitfall as there are steep fines for violations. Verisma has in-house experts dedicated solely to staying on top of compliance and legislative activities. Working with an outsourced team of knowledgeable HIM experts can help you feel confident that your organization meets the new requirements for releasing electronic information. Furthermore, your organization will be compliant with laws regulating strict timeframes under which requests and information must be handled to avoid stiff fines.

4. You would have happier, more focused employees who are more likely to stay with your team.

Additional HIM functions, such as prior authorizations and faxing and scan filing, often fall on staff members with multiple other responsibilities. This necessity to multitask drains staff and contributes to lower job satisfaction.

By working with Verisma, you’ll know dedicated experts are:

  • Completing forms and requests efficiently and accurately
  • Improving your physicians’ satisfaction by eliminating the additional work and stress of tracking down accurate patient information
  • Helping ensure your processes are compliant with current regulations
  • Available to help train internal staff on new technology or processes

Get back to being in one place and thinking about one thing at a time. Reach out to us today to get started.

Verisma Launches Academy for Disclosure Management Mastery


Alexandria, VA, February 18, 2023 – Verisma, a leading provider of release of information and disclosure management solutions, is pleased to announce the launch of Verisma Academy, an educational program designed to advance excellence in release of information (ROI) through disclosure management mastery.

Once buried in paper charts, health information management (HIM) professionals now sit at the intersection of technology, patient/requestor experience, compliance, and revenue retention. ROI is part of this larger ecosystem we call disclosure management.

Navigating disclosure complexity is a challenge. Many professionals are heads-down in the operations of their own facility and struggle to stay up-to-date on external factors like regulation changes, cyber security threats, and hybrid workforce management. Siloed processes miss the big-picture impact on patient experience and the goals of the entire health system.

Verisma Academy offers the education and expertise to address these challenges. Standards of excellence in disclosure management will be taught by thought leaders from healthcare organizations, government agencies, and Verisma team members with decades of experience providing HIM solutions across the country.

Free enrollment in the academy includes live webinars, master classes, and on-demand courses, many of which are eligible for continuing education units (CEUs) through the American Health Information Management Association (AHIMA). State AHIMA chapters with the most enrollees will receive a $500 scholarship from Verisma to promote the future of HIM in their local area.

“We believe education is key to elevating the profession of health information management and advancing the industry as a whole,” said Marty McKenna, CEO of Verisma. “We envision Verisma Academy as a platform for sharing knowledge and fostering collaboration among professionals in the field, and we are excited to see the impact it will have on the HIM community.”

For more information and to enroll in Verisma Academy, visit

Media Contact:
Delinda Tinkey

Advancing Information Sharing: Understanding EHI


This blog summarizes the content from Verisma’s ROI Roundtable Webinar. The full recording and slides are available.
The information blocking definition of electronic health information (EHI) includes the entire scope of electronic protected health information (ePHI) that is or would be in a Designated Record Set (DRS). Prior to October 6, 2022, the definition of information blocking was focused only on the subset of EHI that is represented by elements in the United States Core Data for Interoperability (USCDI) v1. As of October 6, 2022, all EHI falls within the scope of the information blocking definition. 

What is and what is not EHI for purposes of information blocking regulations? In Verisma’s Nov 2022 ROI Roundtable Webinar we heard from two experts with the ONC – Rachel Nelson, JD, Branch Chief, Compliance and Administration Branch, and Dan Healy, Policy Coordinator, Compliance and Administration Branch – on what EHI is and how its definition relates to but differs from the definition of ePHI under the HIPAA Rules. The speakers provided important facts related to current information blocking policy and what healthcare organizations and providers should bear in mind specific to information blocking regulations as they review and update their technical capabilities and workflows in the context of their DRS (Designated Record Set) to ensure they are sharing EHI consistent with all applicable laws. Some highlights from their presentation follow.

What is EHI as defined by the information blocking regulation? According to ONC, EHI is as follows:

  • “Electronic Health Information (EHI) means electronic protected health information (ePHI) to the extent that the ePHI would be included in a designated record set as these terms are defined for HIPAA.”

The scope of EHI was shared in the following ONC graphic that can be found at

The expansion is “only” PHI that is in an electronic format. Noted in the webinar is that EHI is “electronic health information (ePHI) to the extent that it would be included in a designated record set.” Further explained during the webinar was that EHI “is individually identifiable health information, that is maintained in electronic media or transmitted by electronic media.” If the ePHI is included in any of the following records and not in the exclusions such as psychotherapy notes, then it would be considered EHI:

  • Medical records and billing records of a provider about an individual
  • Enrollment, payment, claim adjudication, and case or medical management record systems maintained by or for a health plan.
  • Records used in whole or in part to make decisions about individuals

What is not EHI was explained as well. Examples include psychotherapy notes, information compiled in anticipation of, or for use in, a civil, criminal, or administrative action or proceeding, health information in employment records, and de-identified protected health information. EHI is not limited by when the information was generated.

Organizations should review what they now include in their designated record set policy and revise it if necessary to ensure that the policy includes the full scope of EHI in effect as of the October 6, 2022 expansion of the EHI definition beyond the current USCDI v.1 definition. Working with your Release of Information vendor is important as well, so they are aware of exactly what ePHI is defined in your designated record set and how to access all the ePHI for disclosure purposes. Many resources such as an EHI Fact Sheet, recorded Webinars, and an Infographic are available on

Dan and Rachel also spent time going over the Information Blocking definition and explaining how it relates directly to the exchange of ePHI. More details and explanation of the Information Blocking Regulation were shared with the attendees, and points that have caused some questions from health care providers and others in the health IT field were clarified. Information Blocking applies to “actors.” Actors are:

  • Health Care Providers
  • Health IT Developers of Certified Health IT
  • Health Information Networks (HINs)
  • Health Information Exchanges (HIEs)

Exceptions to the Information Blocking Rule have caused a lot of questions from “actors,” in particular the “Content and Manner Exception,” under which it is not considered information blocking if the actor does not have all the requested EHI in their possession, the EHI cannot be shared using the technology requested, or it must be “withheld due to laws or is permissible to be withheld, such as under the Preventing Harm or Privacy exceptions.” One example would be if it would be impossible for an actor to segment out psychotherapy notes from the EHI. Another would be if the cost to comply would be prohibitive. Other examples were given, as well as resource information available on ONC’s Cures Act Final Rule website. For more in-depth information on Information Blocking, resources can be found at where there are fact sheets, Webinars, and FAQs.

Health Information Management leaders should be reviewing all the policies and procedures related to release of ePHI, especially their designated record set policy, to ensure they are following the updated requirements that went into effect on October 6, 2022, and working closely with their ROI vendor to ensure it is up to date on all the requirements so there are no risks of information blocking.






Webinar: Advancing Information Sharing – Understanding EHI


Date and Time

November 30, 2022
2:00-3:00 PM ET



Dan Healy
Policy Coordinator


Rachel Nelson, JD
Branch Chief


Barbara Carr, RHIA
Strategic Advisor


Information Protection; Access, Disclosure, Privacy and Security

Presentation Content

The information blocking definition of electronic health information (EHI) includes the entire scope of electronic protected health information (ePHI) that is or would be in a Designated Record Set (DRS). Prior to October 6, 2022, the definition of information blocking was focused only on the subset of EHI that is represented by elements in the United States Core Data for Interoperability (USCDI) v1. As of October 6, 2022, all EHI falls within the scope of the information blocking definition.

What is and what is not EHI for purposes of information blocking regulations? In this presentation you will hear from experts with the ONC (Office of the National Coordinator for Health IT) on what EHI is and how its definition relates to but differs from the definition of ePHI under the HIPAA Rules. Learn about current information blocking policy and what healthcare organizations and providers should bear in mind specific to information blocking regulations as they review and update their technical capabilities and workflows in context of their DRS to ensure they are sharing EHI consistent with all applicable laws.

Learning Outcomes

  1. Understand how EHI is an important part of the information blocking definition.
  2. Learn how to identify what is and what is not EHI.
  3. Learn more about how information blocking policy recognizes the importance of maintaining cybersecurity of your health IT and of respecting patients’ privacy rights and preferences.


Using Technology to Achieve Centralized ROI


By Barbara Carr, RHIA

I have spoken often about how urgent it is to centralize your release of information (ROI) processes. COVID, hybrid workforces, Information Blocking requirements, as well as the upcoming anticipated HIPAA changes with a reduced turnaround time to 15 days, have put more pressure on healthcare organizations to move to a streamlined unified process to manage requests for healthcare information that are flowing into their organizations and landing in various locations.

Having disparate processes and various policies sets your organization up for compliance risks in addition to redundant and costly processing. Are all incoming requests making it to your ROI team in a timely way, or are they sitting on fax machines or desks, waiting days to be entered into the system? We need to ask ourselves: can we truly account for all disclosures of protected health information taking place across our entire organizations?

Without a centralized intake process, the answer is probably no.

Once you make the commitment to centralize your ROI process, you will need the right technology to make it work. Some questions you may have include:

  • How will various requests get into a centralized system?
  • How will you be able to ascertain and prioritize the types of requests that are coming in across your system?
  • How will you know where the requests are coming from and what, if any, backlogs may be creeping in?
  • How will you be able to manage the input of requests?
  • How can you report on the success of a centralized process?

All these questions can be answered by utilizing the right technology and partnering with the right ROI vendor. Of course, you will need sound policies and procedures, but without the technology, it just doesn’t work.

The Verisma Release Manager® (VRM®) platform with its powerful Verisma Inbox™ technology can help your organization centralize and streamline the request intake process and aid in reducing redundancy, improving productivity and turnaround time, and providing metrics and visibility into your ROI operations. Here’s how:

  • Utilizes smart barcode technology that automates the entire request intake by healthcare facility, giving you 100% visibility.
  • Centralizes and automatically categorizes all requests based on rules you specify. This helps effectively prioritize the time-sensitive requests so they can be worked on first.
  • Receives requests from multiple sources, with duplicate requests flagged to reduce multiple releases of the same record to the same requestor.
  • Shows everything on one page to enable faster processing of each request. The actual request/authorization images, its current status, who in production the request is assigned to, and any important instructions/notes regarding the request are all visible on one page.
  • Provides built-in retrieval protocols to the ROI workflow specialist so they know where to go across your disparate record sources for each record type being requested, supported by built-in policies and procedures specific to your organization. No need to search elsewhere for this information.
  • Produces comprehensive analytics with metrics on volume, productivity, turnaround times, workflow compliance, and financials at multiple data levels, including by facility, employee, request type, delivery method, etc., making a centralized process more efficient and manageable than ever before.

Examples of how the right technology can be an invaluable asset in the management, compliance, and overall efficiency of an enterprise-wide disclosure management process include a large, complex, multi-hospital health system that discovered, and quickly resolved, a significant request backlog challenge that was due to their previous decentralized ROI approach. Within weeks of implementing the Verisma Inbox tool, this organization is now realizing the benefits of one centralized solution to processing ROI requests. They now have immediate visibility into their volume and turnaround time metrics across all sites, greatly reducing the risk of future backlogs.

Utilizing advanced technology along with well-thought-out policies, procedures, and staff training can make managing a centralized approach to ROI across your enterprise a highly achievable objective.