Key Takeaways from AHIMA21

Key Takeaways from AHIMA21

By Barbara Carr, RHIA

AHIMA21 was unlike any I can remember in recent years. Of course, my first AHIMA Convention was 40 years ago. AHIMA’s focus today is nothing like it was back then. Back then there were dictation systems with tapes and discs, transcription was still being done on a typewriter and vendors were selling the latest in file folders and filing systems. The name of this year’s convention was “Transforming the Future of Health Data”, and the convention was all about data: data integrity, data interoperability, data governance, and data sharing. The content this year was rich with information on the latest technology, data interoperability, and management trends that HIM professionals need to be prepared to execute in our fast-changing technology-focused world. AHIMA CEO, Wylecia Wiggs-Harris, reminded us that “health data is human data” and “data needs to be translated into information that is accurate and can be trusted.”

Reflecting on all that I heard and witnessed at this convention, I found a few key takeaways that I would like to reflect on:

    1. Top trends in data interoperability and information blocking – The number of healthcare Apps that are available to patients for accessing and downloading their health information is growing. The development of these healthcare apps is continuing to explode thanks to the 21st Century Cures Act. Apple is the most common 3rd party app, but many other apps are also available and in development. We learned that HL7 FHIR (Fast Healthcare Interoperability Resources) is now the standard API (Application Program Interface). This game changer is enabling the healthcare market to employ faster and easier methods to exchange EHI as well as enable mobile app integration.  The Verisma Request App® is one app that is helping organizations meet the demand for apps that are easy to use and provide the patient with direct access to their healthcare information regardless of the EHR where their information is stored.
    2. Data Integrity and Patient Matching – The importance of accurate patient matching and avoiding duplicate records for a patient is becoming even more important under information blocking. HIM professionals have always known how important correct patient matching is for patient safety and data integrity. However, now incorrect patient matching can cause your organization to be out of compliance with the 21st Century Cures Act. The patient would not be accessing ALL their health information they request due to duplicate patient records. Technology is advancing to enable smart fault tolerant searches within clinical systems to do a better job of patient matching. We learned how artificial intelligence (AI) is being utilized to improve the accuracy and integrity of both patient and clinical information. However, it still requires human oversight.  AHIMA CEO, Wylecia Wiggs-Harris, stated that “It’s our profession that drives all aspects of integrity and protection of data and health information.”
    3. New Era of HIM Leadership – Speakers addressed how HIM leadership has evolved during the pandemic and managing virtual workplaces. Speakers stressed how HIM professionals need to be ready for the new world of technological advances and prepared for it ahead of time. Innovation in management as well as technology were driven forth at a faster pace over the last 18 months due to the COVID-19 Pandemic. Monday’s speaker, Seth Jeremy Katz, MPH, RHIA, FAHIMA, spoke on what HIM needs to focus on during this decade. There will be a continued growth in AI in many areas of healthcare, big tech such as Apple and Google are getting in on healthcare and we will see this grow stronger in the future. What new issues will this cause for HIM and data integrity and accuracy? We will see a continued growth in telehealth and remote patient monitoring.  Remote work will be the norm as the HIM department becomes a virtual one. The one fascinating thing I heard about from one speaker was robotics. Robots will be able to do many simple tasks that are now performed by humans. This will create a new area for HIM oversight of the information produced/collected by the robots. For instance, robots, or chat bots, will be able to help fill out ROI requests, and know what information you requested and be able to go into the clinical system and release the information to you without any human interaction. HIM leaders need to be prepared and plan for all the new technological changes and how they will manage these changes. It will be up to HIM professionals to ensure that the data they produce is accurate. The new technology will create a huge disruption if you are not prepared for it. New roles will be open to HIM professionals who are prepared. One speaker at the conference, Dr. Daniel Kraft said it best; “Uber yourself before you get Kodaked.” Start preparing for the future now.

    4. Protecting Healthcare Data – OCR Director, Roger Severino was quoted by one speaker, “Hacking continues to be the greatest threat to privacy and security of individual health information.” We heard about many threats to healthcare data and ways in which those threats are growing. This creates new areas for HIM professionals to focus their expertise in protecting the healthcare data. One speaker, Michael Stearns, MD, CPC, CRC, CFPC, noted that “value-based care initiatives coupled with interoperability mandates are creating a data tsunami and a desperate need to tame it.” The 21st Century Cures Act which requires that patients have access to structured and unstructured EHR information has led to concerns for privacy and security. Ensuring the patient gets the right record they are requesting is essential to maintaining privacy.

I have to say I’ve missed all the personal connections and conversations that occur at the annual conventions and I hope we are able to go back to the in-person events in the future. I did enjoy the participant chats and found out that there were many people who were able to attend this year because it was virtual as their employers are no longer paying travel expenses.

As a final observation, I was very proud of Verisma and the many AHIMA members who made possible the company’s $5,000 donation to the AHIMA Foundation.  This donation reflects individual and state association pledges to protect truth and accuracy of health information.  Add your name to this pledge embracing the values of HIM at: https://verisma.com/pledge-to-protect-truth-and-accuracy/.

 

 

 

ROI as the Gatekeeper for Access and Disclosure Management Compliance

ROI as the Gatekeeper for Access and Disclosure Management Compliance

Date: August 18, 2:00 pm – 3:00 pm EDT

Presenters:

Michael Salsbury, JD, MBA
Counsel and Privacy Officer

Barbara Carr, RHIA
Strategic Advisor

Release of Information (ROI) functions as the gatekeeper for access and disclosure of confidential health information. ROI advances patient rights, enforces organizational policy, and complies with federal and state law. The gatekeeper role is more complex today because:

  • Health delivery and information systems are more complex
  • Request volumes are greater from patients and a range of requestors
  • Regulatory ground rules were largely designed for a paper-based health system, and
  • Privacy and security are being deliberately and inadvertently put at risk.

This presentation will provide an update on privacy’s evolution through law, policy and attitudes. Recent proposed changes to the HIPAA Privacy Rule will be reviewed and their implications discussed. Approaches for identifying recurring compliance problems that constitute risk will be examined with examples and speakers will recommend mitigation strategies.

As we begin the third decade of the 21st century, privacy and security challenges are increasingly under attack. ROI can and must be proactive in adapting effective gatekeeper methods for access and disclosure of confidential health information.

Learning Objectives:

  • To review the context for a stepped up ROI compliance focus,
  • To identify the key access, disclosure, and privacy trends that impact ROI practices,
  • To align ROI technology and approaches and how they address trends, and
  • To offer an action plan to improve ROI compliance.

Pre-Approved for 1 AHIMA CEU Credit

REGISTER TODAY

HIPAA and Information Blocking: Understanding Regulatory Intent Against the Ever-Changing Environment

HIPAA and Information Blocking: Understanding Regulatory Intent Against the Ever-Changing Environment

By Linda Kloss

HHS officials discussed the nuances of how Right of Access is handled under the HIPAA Privacy and Information Blocking Rules in last week’s Verisma-sponsored Webinar HIPAA Right of Access and Information Blocking.[i]  We are grateful to Elisabeth Myers, Deputy Director, Office of Policy, HHS Office of the National Coordinator and Timothy Noonan, Deputy Director for Health Information Privacy, HHS Office for Civil Rights for customizing a presentation to compare and contrast Right of Access elements of the two Rules, spotlighting areas that have generated questions. I urge everyone to access the Webinar archive as it is a very useful reference. 

The laws giving rise to Right of Access regulations were passed two decades apart (HIPAA in 1996, 21st Century Cures in 2016). Both are complex multi-part laws dealing with health system effectiveness from different perspectives. HIPAA focuses on health insurance and administrative functions while 21st Century Cures focuses on facilitating clinical research and improved therapeutics. How their regulatory framework handles Right of Access reflects different contexts and purposes. The Information Blocking Rule concerns electronic health information which Myers and Noonan described as a “a subset of the protected health information (PHI)” covered by the Privacy Rule.

Myers and Noonan underscored another helpful distinction that can guide compliance. Access to protected health information under the HIPAA Privacy Rule is governed by permissions.  Patients, of course, have a right to access and they or their legal designees grant permission for release to third parties. The Rule grants permission to use protected health information (PHI) for treatment, payment and healthcare operations and specifies other parties who are granted permission under certain circumstances. The Information Blocking Rule picks up where permissible requests leave off and assumes that electronic PHI (ePHI) be shared unless the request meets one of eight exceptions. This distinction reminds us that we should be advocates for legitimate and customer friendly access. We should focus on eliminating barriers,  reducing turnaround times, and shifting to e-release whenever possible. 

The Rules differ in their breadth of who must comply. Under the HIPAA Privacy Rule, we deal with covered entities (providers, health plans, and clearinghouses) and their Business Associates. The definitions of providers are aligned under the two Rules. The list of “Actors” who must comply with the Information Blocking Rule includes health information exchange entities and technology developers. This is a welcome expansion that better reflects who is involved in today’s health information ecosystem. EHR vendors, private exchanges, or other entities will no longer be able to block the exchange of health information needed for continuity of care.

Information Blocking aligns to HIPAA regarding timelines for release. Myers and Noonan reinforced that the Rule reads no later than 30 days. We should be doing all we can to reduce turnaround times by putting in place systems and workflows to avoid any “unnecessary delay.”   We were reminded that such delays are currently resulting in enforcement action by OCR, the nineteenth such action announced earlier this month. Enforcement for Information Blocking Rule will be administered by HHS’s Office of the Inspector General and the rules for this have yet to be released or approved.

Fees for ePHI are handled similarly in both Rules. Reasonable, cost-based fees for labor are allowable. The Information Blocking Rule adds a requirement that they be uniformly applied and not anticompetitive. The trend is that providers are making access available to patients on a no fee basis and this is driving adoption of use of Apps such as Verisma’s Request App ™ (VRA), a practice very much in line with the intent of both Rules. 

Verisma recognized the rapidly changing landscape by sponsoring Health Information Access Week, June 14-18. The OCR-ONC Webinar was a highlight of the week along with guest bloggers covering topics from consumer advocacy to HIM leadership. The Information Blocking Rule and proposed changes to the Privacy Rule underscore once again the need to upgrade ROI practices with technologies, including access and management tools, to stay ahead of the curve.   

We continue to grapple with a patchwork of federal and state laws and regulations concerning health information and privacy. The Information Blocking Rule provides some much needed modernization, particularly in bridging to a broader cast of actors. For ROI, HIM, and Compliance experts, the Right of Access is inviolable. At the same time, we know that when a custodian discloses PHI, today’s protections for individuals fall far short of where they should be. I know we will sort out how to comply with Information Blocking and future modifications to the Privacy Rule. But I also know that our work won’t be done until we can help people have real choice in how they want to handle their confidential health information, in identifiable and deidentified formats, when it moves beyond the protections of current law. 

[i] Please e-mail Davy Simanivanh at dsimanivanh@verisma.com to receive a recording of the webinar.

Enterprise Access and Disclosure Management: Your Opportunity to Lead

Enterprise Access and Disclosure Management: Your Opportunity to Lead

This first Health Information Access Week has brought together a range of perspectives on serving consumers, mitigating risks and deploying technology. We’ve been privileged to learn from experts who bring a lifetime of experience and insight to the changing challenges of  access and disclosure.  I am closing out this week with some reflections about leadership and management of access and disclosure operations. It is my belief that there is an urgent need for HIM leaders to address the health information access and disclosure disparities within their organizations. This is a key stepping stone to being able to modernize our approaches.  We have the expertise to do this and the time is now.

As a HIM leader, I made it one of my goals to achieve centralized health information access regardless of where the patient may have been treated within the healthcare organization. I view this as having three benefits: improved patient satisfaction, risk reduction and cost savings. It was clear to me several years ago, that HIM professionals needed to broaden our thinking beyond the hospital’s four walls and reach out to our physician practice administration, outpatient satellite and other facilities that make up our health system. Ultimately, the entire organization can benefit from centralizing the release of healthcare information.   

In leading the charge at Einstein Health in Philadelphia, I first called a meeting of our Hospital Administration staff, Physician Practice administrators, Risk Management and Compliance.

I described a recent scenario where an elderly patient had to go to three separate locations to acquire the healthcare information they needed for an upcoming appointment with a specialist. I then posed questions regarding why we persisted in this approach. All the patient’s information was stored in our Clinical Information System (CIS) regardless of location of treatment. Everyone agreed this was not ideal and agreed to work with me on a solution. 

The physician practices, at the time, were all doing their own individual release of information with various copy vendors, or their own in-house staff. There was no tracking, and very little quality control. At that time, all the HIM Departments were being handled by one vendor and covered by the same policies. Therefore, it was decided that we would tackle the practices first.

We started with bringing our release of healthcare information vendor to the table and put them to the task of working with us on a solution for the physician practice locations first. Since there are over 200 locations, this was a large change project. A project plan was developed, and a team of key stakeholders was assigned carry out the project. After 6 months of planning and strategizing, the first group of practices went live, followed by the next group, until all practices were handled by one group of release of information staff. Our vendor staffed the central location. 

Once we standardized and centralized the physician practices, we were able to move quickly with outpatient locations. In all, it took about 18 months to accomplish. In the end it was merged into one centralized release of healthcare information site. Now a patient can make one request for their information, which is then processed all at the same time, and delivered to the patient via whatever media and route they have specified. We were able to monitor quality and track all released information. We reduced costs and duplication of effort. Patients were less frustrated and more satisfied with our service. 

Risk and Compliance are less concerned with surprises and have one place to go to check on any issues. We are far less likely to receive a complaint and if we do, we have protocols to  resolve any before they become investigations. Importantly, having a standard way of handling access and disclosure across the enterprise, positions the organization to broaden the scope of release of information. For example, it possible to handle access requests from financial services, case management, utilization review and other health system function that rely on access to information.  When going through our release of information we are assured of the same quality control and tracking.

This experience not only helped me grow as a HIM leader but helped to expand my role in the organization beyond the HIM borders.  I was given more opportunities to work across the organization to streamline other processes. All this really helped fulfill my own goals to grow within my organization. 

In the end, I believe it is up to us as HIM leaders to have the vision, and then use our leadership to organize and lead others towards that vision.

Barbara Carr, RHIA a Verisma Advisor formerly served as Assistant Vice President Health Information Management at Albert Einstein Health Network in Philadelphia and as Corporate Director of Health Information Management at ChristianaCare, Wilmington, DE.

TAKE QUIZ

What Keeps a Compliance Officer up at Night?  Challenges with Access and Disclosure of PHI

What Keeps a Compliance Officer up at Night? Challenges with Access and Disclosure of PHI

With years of HIM leadership experience under my belt, my current role as Director of Corporate Compliance requires me to step back to see the big picture. As I read about the nineteenth OCR HIPAA settlement, it should give pause as to how we got here. HIM professionals are ingrained to protect patient privacy at all costs, but it begs the question if we are trying to protect the wrong people. Patients absolutely have a right to their information and unfortunately, too many roadblocks have existed in the past. When managing release of information (ROI), I agree it is cleaner and less complex to routinely require a written authorization from the patient before releasing any PHI to anyone. But, in some scenarios, we are doing a disservice to the very patient whose information we are trying to protect.

Patients are more technology savvy; they want their information and they want it now. We have an opportunity to speed up this entire process and in so doing, improve service to our customers. If you haven’t already, it is time to think creatively about ROI. If a patient calls your department asking for their records, figure out a process for verifying their identity over the phone versus requiring the patient to come into your department or submit a written request. Use the technology available to you for delivering records to patients, whether that is through your patient portal, an app, email or another electronic method. Speaking of email, we also need to accept the fact that not all patients will be comfortable handling encrypted emails containing their records. They may not want to make up a password and, in my opinion, it should be their choice. You may need to work with your Information Services Department to ensure you can email records unencrypted, if that is the patients’ preference.

I don’t believe we should charge our patients for copies of their own medical information. They are entitled to the information and I think it is just the right thing to do. As we increase the capabilities of apps, our patient portals and methods of delivering medical information to patients, the task of covering our costs should become easier. We also need to get more efficient at this process – 30 days is a long time to wait for delivery of anything – think how we would feel if our typical Amazon orders took this long to arrive? I applaud the 15 day turnaround requirement in the proposed HIPAA Rules. We cannot ignore requests from our patients – the HHS Enforcement Actions demonstrate examples of frustrated patients not getting what they request in a timely manner, or not getting the information at all.

I am hopeful the use of electronic signatures will be specifically noted as allowable under the Proposed Modifications to the HIPAA Privacy Rule. I have seen health information departments differ in their decisions to allow or disallow their use. The use of electronic signatures is a well- established practice and we should move away from requiring only handwritten signatures from patients.

Another thought about patient portals – we are now pushing much more information to the patient, i.e. test results, notes, pathology reports, discharge instructions, in some cases very quickly after creation. Having test results at your fingertips  as soon as they are available is not intended to replace those critical discussions between provider and patient. We need to reassure our patients that these discussions will still occur, even if they see the results via their portal account before they have spoken to their provider. Informing the patient of this during the office appointment when the tests are being ordered needs to become the norm. Placing a “results disclaimer” on the patient portal is another method to communicate this to patients.

As a compliance officer, I want to ensure we are following the law and exceeding our patient needs at the same time. It is also my job to ensure our policies/procedures minimize risk for my organization. It is very important for HIM leaders to step up controls to make certain that access and disclosure management is a sound and reliable process. With each enforcement announcement, the OCR is sending a strong message – no more barriers for patients to get their own information. If access and disclosure management has not been top-of-mind before, it sure needs to be now. If we consistently and efficiently meet our patients’ needs for access, we can all sleep soundly at night.

Wendy Mangin, MS, RHIA is Director of Corporate Compliance for Good Samaritan, Vincennes, Indiana where she served as Director of Health Information Management for over four decades with responsibilities as Executive Project Director for the health systems EPIC implementation. She served on the Board of Directors of AHIMA and its President in 2008. 

TAKE QUIZ

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

In 2020, The Office of the National Coordinator’s (ONC) and the Centers for Medicare and Medicaid Services’ (CMS) released Regulations for Interoperability and Patient Access as required by the 21st Cures Act. Regulations increase access to medical information through application programing interfaces (API) to empower patients in their health care decisions. The API allows information to be shared and exposed within a consumer’s application-based solution of choice (e.g., wellness app). The information is portable, provides ability to share clinical information with care team, caregiver or other party and better understand healthcare costs and financial obligations. 

The focus has been on the Information Blocking Regulations issued by ONC, but the companion CMS Interoperability and Patient Access Rules also have important implications. ONC information blocking allows consumers health information access from a provider setting. However, health insurers have most of their enrollee’s financial and clinical information across care settings (i.e., provider, hospital, pharmacy, laboratory, or other setting that submits claims to health insurer) to provide a more complete picture of the consumer’s healthcare experience. 

The CMS rules require CMS-regulated plans to provide a patient access API, provider directory API and payer-to payer API by January 1, 2021. However, enforcement has been delayed to July 1, 2021. 

Patient Access API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) and Qualified Health Plan (QHP) on the federal exchanges are required to provide the Patient Access API. This API includes adjudicated claims (including Pharmacy), enrollee cost-sharing, encounter information, provider remittances, select clinical data, including lab results, formularies or preferred drug lists. 

The health insurer provides updates within 24 hours of receiving an encounter or processing a claim containing the cost and services provided to a patient. This financial information will assist consumers in tracking submitted claims, expected and current financial responsibility, in and out-of-network deductible amounts and other financial information for themselves and their dependents.  

The clinical information includes clinical notes that are written to track patient progress, inform other medical staff and explain treatment options. Typically, these notes are written using medical terminology and abbreviations that may not be familiar or understandable. The evolution of documentation narratives toward the inclusion of easy-to-understand layman’s terms and description of the patient and clinician team interaction and decision making will increase the value of the medical information to the consumer. This information needs to be boiled down into brief, understandable and actionable problem lists for the patient that add value, not burden.

Commercial payers may consider voluntarily providing this API to empower their enrolled consumers and assist providers participating in their alternative payment models. Value-based care, including capitation payment shift more of the medical risk to the provider including costs that occur outside of the facility or system. Therefore, providers need costs and clinical information across provider settings for attributed patients. 

Provider Directory API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) fee for service and managed care entities are required to provide the Provider Directory API. This API requires the provider names, addresses, phone numbers and specialties. An effective provider API will inform consumers what providers are in the health insurer’s network and if the provider is in the consumer’s specific health plan. 

Payer to Payer API

Medicare Advantage, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) managed care entities and Qualified Health Plans (QHP) on the federal exchanges are required to provide the Payer to Payer API. This API requires an individual’s past health insurer to transmit their claims and encounter information, and subset of clinical information to their new health insurer. This sharing of history allows a longitudinal medical record to be compiled no matter how many times a consumer changes their health insurance. 

Commercial payers may consider voluntarily providing this API to maintain longitudinal records and ensure new enrollees are in the appropriate wellness programs and receive any gaps in current care.    

ONC and CMS’s information sharing requirements allow vendors and payers to enable a one stop shop that is secure, easy to access, actionable and meet a priority consumer need. This may include promotion of wellness through integration with wearables, reduce redundant paperwork at provider settings, make payments, appeal claim payment, store and share medical records for a chronic patient or their caregiver, provide dashboard with tracking/monitoring of hospital at home activities, maintain current drug list, order medical supplies, access care through telemedicine and more from the comfort of home. 

Expanded access to health information, including insurance-related information, has the potential to be inform and transform. Getting accurate and useful information to securely flow to consumers, across provider organizations, between providers and payers and payer to payer will be the work of healthcare over the next decade. This will be a heavy lift for consumers,  covered entities, vendors and business associates. For decades I have worked on the standards and policies to enable us to realize this vision.  Still, I have no illusion that this will be accomplished without significant challenges and protecting privacy and security will be among the most vexing. It’s an all hands on deck time to learn to use information for the benefit of consumer health and health services. 

Tammy Banks, MBA is a Healthcare Consultant with ImpactQue and previously served as Vice President Interoperability Program Development for Optum and as Director Practice Management Center and Payment Advocacy for the American Medical Association.  Outstanding Leadership and Distinguished Service Awards from WEDI.

TAKE QUIZ