Enabling Patient Access in a Pandemic

Enabling Patient Access in a Pandemic

By Linda Kloss

The tragic surge in coronavirus cases and deaths continues through the long hot summer. Healthcare systems are fully focused on caring for pandemic victims and the health of our communities. We witness heroism every day in lives saved, new treatments, and compassionate attention to peoples’ needs. And we are proud to have health care as our life’s work. While we may not directly treat a person’s illness, we know that managing their health information is an essential element of managing illness and promoting health, including public health.

We are in a time of profound personal and professional uncertainty. Decisions require continually adjusting assessments of risks about how to protect ourselves and our families and in making sound business decisions.  There have been furloughs and layoffs due to shifting patient care services and workloads. Work from home is the new normal for many more in HIM. Workflows and procedures have been redesigned to adapt to physical distancing. Long days and nights of work and uncertainty.

Against this background it is great to learn about an innovation that offers demonstrated benefit now and will also be an important bridge to a new era. That innovation is the Verisma Request App (VRA). Reggie Abadsantos, RHIT, HIM Operations Supervisor, NCH Healthcare System, Naples Florida was guest speaker at the July 15 webinar “App-Based Release of Information Comes of Age.”[i] NCH implemented VRA in 2018 to improve patient satisfaction with a convenient and secure web-based  method to  obtain their health records.

With VRA and a centralized ROI workflow firmly in place, Reggie described how NCH quickly adapted to physical distancing and work from home without missing a beat in patient access. When walk in services were abruptly suspended in March, patients were redirected to the web App.  Patients could use their smart phone, tablet, laptop, or desktop to request their medical records; and like any App, it is available 24/7. VRA enables the request, authorization, and authentication process, creating a complete record that feeds the release of information management software and triggers the release. NCH consistently averages a 24 to 48 hour turnaround in fulfilling patient requests!  This performance level was not disrupted as NCH responded to COVID-19 and the volume of requests via VRA increased sharply.

Serving an elderly population, Reggie reports that having reduced paper and fax processing, team members are freed up to help patients who may need telephone assistance in walking through the use of the App. For people who wish to pick  up a physical copy of their health record or imaging, NCH offers a curb-side delivery service.  These unique ways to serve patients are consistent with NCH’s 2018 service goals for VRA.

We spotlighted NewYork-Presbyterian Hospital’s journey with VRA last October before New York City was the epicenter of the pandemic.[ii] We revisited NYP’s experiences in April in the midst of the surge. Like NCH, NYP was able to send staff home, close walk in service, yet continue to enable timely patient access.[iii] In fact, in the past 2 months, 20+ health systems comprising over 1500 sites of care, are now live with VRA to mitigate the impact of closed request services and work from home.    Further, the rate releasing e-records rather than paper, has significantly increased. VRA fulfills the requirements of HIM for completeness, security, compliance and cost-effectiveness. And when integrated with a comprehensive ROI workflow platform, it creates a seamless record of the request and its fulfillment.

Times of great challenge bring innovation.  Apps are no longer disruptive technology, but their application to Release of Information is! VRA’s value was well demonstrated as a popular adjunct request route prior to the pandemic. The pandemic has shown that VRA is the right technology for the time and for the future.  Health systems report that they will rethink walk up services, paper requests, faxing, and release of paper documents when physical distancing is no longer needed. They have learned we can do a better job in enabling patient access while strengthening business goals such as patient satisfaction, compliance, and cost effectiveness. Release of Information will never be the same…it will be vastly improved.

[i] www.Verisma.com:  July 15, 2020 webinar “App based Release of Information Comes of Age”

[ii] www.Verisma.com:  October 30, 2019 webinar “There’s an App for That! Connecting People with their Health Information”

[iii] www.Verisma.com:  April 29, 2020 webinar “COVID-19 Response:  Emerging Best Practices for Health Information Disclosure Management- Part 2”

HIPAA Privacy Policy – Adapting and Evolving

HIPAA Privacy Policy – Adapting and Evolving

By Linda Kloss

The Verisma disclosure management community was fortunate to be briefed last week by Timothy Noonan, JD, Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR). OCR administers and enforces the Health Insurance Portability and Accountability Act (HIPAA) and compliance with HIPAA’s Privacy Rule is a central focus for release of information professionals. His webinar update covered three very timely and important topics:

  • Recent privacy-related COVID-19 guidance and bulletins
  • OCR’s Right of Access Initiative, and
  • Developments regarding the Right to Direct health records to a third party.

Mr. Noonan had been scheduled to address Verisma’s 4th Annual Disclosure Management Summit in early May, cancelled due to the COVID-19 pandemic. The Webinar provided an opportunity to cover COVID-related guidance and as Noonan noted, it was a first opportunity this year for OCR to address its Right of Access Initiative.  (The webinar archive is available from Davy Simanivanh at DSimanivanh@verisma.com).

 COVID-19 Guidance

We are grateful to Mr. Noonan and the team at the Office for Civil Rights for its rapid fire response to COVID-19 in issuing seven (7) guidance documents in about the same number of weeks. The guidance helps front line care givers, first responders, public health officials, privacy and compliance officers, and health information professionals by clarifying common Privacy Rule questions such as sharing patient information without authorization with family and friends and public health.  Guidance expands flexibility, where needed, to get essential (read ‘minimally necessary’) information to those who need it to care for people in a time of crisis.

Guidance also addresses challenges relating to rapid expansion of telehealth, the ramp up of community-based testing, and media and film crew access to protected health information in a public health emergency.  Guidance outlines limits to enforcement discretion where good faith efforts by covered entities and business associates to fully comply with the Privacy Rule are a barrier to supporting critical public health and health oversight needs. If you haven’t already done so, visit the HIPAA and COVID-19 Web Page and become familiar with the guidance and its cautions.[1]

Right of Access Initiative

OCR is responsible for teaching covered entities and business associates and educating communities about the Privacy Rule (and other areas of civil rights).  It is also responsible for investigating complaints to determine whether they constitute violations.  Often areas of violation can be resolved by education coupled with a corrective action plan. Generally, the agency encourages corrective action and such encouragement produces change. For areas of egregious violation or failed corrective action, OCR has enforcement authority.

Mr. Noonan reported that OCR recieves over 26,000 complaints each year on some aspect of HIPAA and that complaints regarding Right of Access violations are increasingly common. He emphasized that the Right of Access is the “cornerstone of the Privacy Rule.” Accordingly, in February 2019, OCR announced that Right of Access violations would be a priority for HIPAA enforcement and two enforcement actions were announced in late 2019.  (Verisma addressed these in its December 17, 2019 Webinar: Turning Up the Heat! HHS Initiates Access Enforcement)  Mr. Noonan reminded us that the enforcement actions taken represent demonstrated systemic non-compliance. Effective release of information is characterized by policies and procedures that advance an individual’s Right of Access, including the right of individuals to exercise their privacy preferences and assert their information rights.

Right to Direct Health Records to a Third Party

One of these rights is to direct health records to a third party. Mr. Noonan reviewed elements of the January 2020 lawsuit settlement that vacated previous OCR policy limiting fees for authorized provision of health records to third parties—such as law firms and life insurance companies.  Mr. Noonan reiterated that this policy revision does not affect the individual’s right to access their protected health information.

The Health Insurance Portability and Accountability Act (HIPAA) is a multi-part law enacted by Congress in 1996.  Its privacy provisions went into effect over 17 years ago, at a time when health information was largely stored on paper and population health and patient engagement were not yet central strategies for health improvement.  In 2018, OCR issued a Request for Information (RFI) on areas where the Rule might be improved.In 2018, OCR issued a Request for Information (RFI) on areas where the Rule might be improved.  Now, a Notice of Proposed Rulemaking (NPRM) based on feedback obtained through the RFI is under internal review.  Mr. Noonan encouraged our community to read, reflect, and comment on the NPRM when it is published in the Federal Register, most likely later this year.  While privacy rights are enduring, how they are best protected must evolve to be relevant.

[1] https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-covid19/index.html

OCR Update on HIPAA Policy and Enforcement

OCR Update on HIPAA Policy and Enforcement

Date: May 27, 2:00 pm – 3:00 pm EST

Presenters:

Timothy Noonan, JD
Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR)

Michael Salsbury, JD, MBA
Counsel and Privacy Officer, Verisma

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) administers and enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules and federal civil rights laws that prohibit discrimination in the delivery of health and human services based on race, color, national origin, disability, age, sex, religion, and the exercise of conscience. Timothy Noonan, OCR’s Deputy Director for Health Information Privacy, is the featured speaker for this timely Webinar.

Throughout March, April, and May, OCR issued important COVID-19 and HIPAA-related bulletins, notifications of enforcement discretion, and guidance explaining how protected health information may be used and disclosed in response to the COVID-19 public health emergency. Mr. Noonan will discuss OCR’s recent HIPAA materials and answer participants’ questions, which you have the opportunity to submit when you register for this Webinar.

OCR has consistently advanced policies supporting the Individual Right of Access to health information to empower patients to be more in control of their health and health care. In 2019, OCR announced the Right of Access Initiative as an enforcement priority, and resolved two investigations by the end of the year with settlements. In 2020, a court issued a decision affecting the right of individuals to direct copies of their health information to another person. Mr. Noonan’s update will help all attendees understand the changes in the health information privacy legal landscape and move forward with greater confidence.

Webinar objectives:

This webinar will enable Privacy, HIM, compliance, and R-O-I teams to:

  • Review recent COVID-19 actions and the materials available
  • Reinforce the importance of advancing the Individual Right of Access
  • Describe OCR’s Right of Access Initiative

 Approved for 1 AHIMA CEU Credit

REGISTER NOW

Protecting PHI in the Pandemic: Good Faith Compliance (Part 4 of 4)

Protecting PHI in the Pandemic: Good Faith Compliance (Part 4 of 4)

By Linda Kloss

In the midst of the COVID-19 pandemic, HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina taught us powerful lessons about rapid adaptation and change. Over the past month, we shared their insights in two webinars and three blogs. This fourth blog, addresses the privacy and security of protected health information (PHI) as health systems lock down to protect staff, patients, and visitors. This public health emergency requires facilitating the flow of information while preserving essential privacy protections and stepping up security; a difficult balancing act in the best of times.

The Office for Civil Rights (OCR) acted quickly to issue guidance for covered entities and business associates waiving penalties and sanctions and exercising its enforcement discretion regarding certain good faith disclosures of PHI. For covered entities, these focused on helping family members get information on their loved one’s even as they were blocked from in-person visits.  For example, staff involved in the individuals care may speak with an involved family member or friend without the patient’s express agreement; the Notice of Privacy Practices need not be distributed; patient rights regarding opting out of a facility directory and requesting restricted communication of certain PHI may be temporarily set aside.

Under ordinary circumstances, when federal and local public health and public safety officials seek PHI from business associates, the disclosure may be prohibited unless explicitly authorized in the business associate agreement. The OCR enforcement discretion removes this barrier, providing the business associate can show good faith use of the disclosed information for public health or health oversight and informs the covered entity. These OCR actions are relatively narrow in their focus.  They do not, for example, relax other obligations such as breach notification.

Our panel of HIM leaders acknowledge that these temporary relaxations are helpful and are used as a backstop. The default is to fully comply with HIPAA, but when this is not possible, these temporary modifications allow staff to proceed without undue worry. They remove barriers to acting quickly.

Our panelists point to areas not covered by OCR modifications for which workarounds have had to be put in place:

    • The increase in requests by phone and the need for reasonable authentication of the identity of requestors.
    • Accumulating mail in closed medical practices and the potential difficulty to process requests on a timely basis.
    • Up to date and accurate authorization for access to EMR data by new healthcare workers from outside the system who have been quickly pressed into service.

As each health system finds ways to deal with these and other privacy challenges, the watchword continues to be good faith efforts to protect PHI as fully as possible from unauthorized access and disclosure.

An unfortunate truism of life in the digital age is that the bad actors attack when we are most vulnerable. Health care is experiencing a sharp increase in cyberattacks, ransomware, and phishing incidents. Working with PHI, access and disclosure is a high security risk activity. Our panel discussed the following steps:

    • Tighten the security of the work from home platform. The transition may have been made quickly and the platform may not need to be hardened.
    • The environment in the home may not be secure due to space limitations. Each situation should be assessed to ensure that PHI is protected.
    • Keep security front and center in routine communications and staff conferences. Include security staff and examples to underscore the need to check before clicking.

Let me once again thank the HIM leaders who taught us so much during the month of April 2020, a month that none of us will ever forget. They have shown us just how much can get done by seizing the momentum. They have kept information flowing, yet confidential; they kept staff safe, while introducing improvements.

Please continue to share your access and disclosure challenges and breakthroughs so we can continue to learn from one another.

WEBINAR: Release of Patient Information: Increased Focus on Information Integrity

WEBINAR: Release of Patient Information: Increased Focus on Information Integrity

Date: March 19th, 2:00 pm – 3:00 pm EST

Presenters:

Jim Staley, CISSP
Chief Information Security Officer, Chief Compliance Officer   

Linda Kloss, MA, RHIA
Regulatory Policy Leader, Disclosure Management

Marcy Caudill
VP, Client Operations

Information Integrity is the dependability or trustworthiness of information.  Releasing protected health record and other high value information for continuity of care, patient engagement, payment and other purposes carries special obligations to ensure that the information is dependable and trustworthy.  But what do you know about the integrity of the information being released?  What controls are in place to identify integrity issues?  What standards are you using to monitor and manage information integrity?  If your release of information function is outsourced, how do you  really know whether the QA protocols in place are rigorous and reliable?

In this Verisma thought leadership webinar, release of information (R-o-I) integrity challenges are highlighted in the areas of content, process, and system.  The risks associated with these challenges are discussed.  A Release of Information Integrity Framework (ROII) is presented consisting of practical strategies for reducing risks while improving integrity. The ROII Framework lays out risk-based content, process, and system controls that should be in place, and key productivity and quality measures that you can use to apply the Framework.

Whether R-o-I is done in-house, outsourced or a combination, information integrity measures and measurement are essential tools.  Demonstrating the integrity of the R-o-I work performed is as important as its productivity.  This webinar will arm you with the essential concepts and means to check the adequacy of your current approaches.

The learning objectives for the webinar are to:

  1. Lay out the information integrity concerns relating to release of information functions
  2. Identify key monitors, measures, and controls that can help to mitigate integrity problems
  3. Offer a framework for systematic Release of Information Integrity management
  4. Suggest short term actions that participants can take to improve information integrity and reduce risk associated with release of information

Pre-Approved for 1 AHIMA CEU Credit for Management Development

REGISTER NOW

WEBINAR: Turning Up The Heat! HHS Initiates Access Enforcement

WEBINAR: Turning Up The Heat! HHS Initiates Access Enforcement

Date: December 17th, 2019 2:00 pm – 3:00 pm EST

Presenters:

Michael Salsbury, JD, MBA
Counsel and Privacy Officer 

Linda Kloss, MA, RHIA
Regulatory Policy Leader, Disclosure Management

Keri Bay
Director of Client Operations

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced its first monetary enforcement action against a health system for failure to deliver medical records in response to a valid request by a patient.  The health system paid a fine and entered into a corrective action agreement with HHS. The focus of OCR compliance has heretofore been on breaches of protected health information.  Authorized requests and release of information (ROI) is a new area of focus, ushering in a new era for ROI. And it comes at a time when the volume of requests for release of information are increasing as are the risks.

This development should not come as a surprise. Earlier this year, HHS announced its intent to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. This should serve as a wake-up call for health systems that have yet to build robust compliance checks built into their release of information management systems. 

This timely webinar will help participants understand HHS’ intent in using its enforcement authority in matters pertaining to ROI. They will learn about the elements of this first enforcement action and the compliance lessons it offers for all health systems. Participants will probe the elements of robust release of information compliance and how to hardwire compliance through sound practice and use technology to flag and identify cases that represent a compliance risk.    

Webinar objectives:

This webinar is designed to help compliance, HIM, Privacy and ROI teams understand:

  • The federal policy environment concerning enforcement of patient access rights,
  • Elements of a first ROI enforcement action,
  • A systems approach to ROI compliance, and
  • How technology can be used to anticipate and red flag ROI compliance risks.

Approved for 1 AHIMA CEU Credit for Management Development

VIEW RECORDING