HHS Steps Up Access Enforcement: Compliance Implications

By Linda Kloss

On September 9, 2019 the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first monetary enforcement action regarding the rights of patients to receive copies of their medical records.  Sadly, we’re all too familiar with the too long list of actions following breaches of health information.  In fact, OCR levied over $28 million in fines for 2018 breach actions.  Now, Bayfront Health, St. Petersburg, FL became the first covered entity to be fined for failure to comply with medical record access requirements.   

Earlier this year, OCR announced its initiative to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.  Empowering patients is one of four key strategies for HHS and access to information is a key tactic.  HHS is advancing access through its policy, standards, and enforcement levers. Patient access is a right ensured by the HIPAA Privacy Rule.  However, based on evidence of persistent barriers to patient access, HHS released Patient Access Guidance in 2016 that set out limits on what patients could be charged and reiterated process requirements. More recently, HHS is encouraging the use of apps for release of information to streamline the process and improve the flow of information.

The Bayfront case is a wake-up call for all compliance and disclosure management professionals and their business associates. OCR initiated an investigation based on a complaint from a new mother who had requested fetal heart monitor records on her unborn child. Bayfront first claimed that it did not have the requested records and later provided a partial set of records after repeated requests from the mother and her attorney. The requested records were provided twenty-two (22) months after the initial request and only after a complaint was filed with OCR. HIPAA Rules, of course, generally require covered entities to provide medical records within 30 days.

Bayfront agreed to pay a fine of $85,000, modest by comparison to fines paid for breaches, but not modest when one considers that this involves a single patient’s record set.  Bayfront also executed a one-year corrective action agreement that largely focuses on demonstrating that it has updated access policies and procedures, educated its workforce, and has mechanisms in place to monitor performance.  Bayfront is obligated to report instances whereby its employees or those of a business associate fail to comply, along with the results of its review and investigation.   It is also obligated to comply with documentation requirements as spelled out in HIPAA’s accounting for disclosures provisions. 

Enforcement is a powerful lever that only a governing entity can apply.  The fact that HHS is using this lever for patient access should prompt covered entities to evaluate the adequacy of their practices given the very rapid changes in health information disclosure management.  Reasonable disclosure management practices today include the following:

  • Technology-enabled – Managing growing volumes of requests can’t be done without end-to-end disclosure management software that can track and prompt all phases of the request-through-release process, including compliance prompts.
  • Optimized process – Migrating from siloed and fragmented release practices to standardized and even centralized practices across the health system, knit together by use of compliance-based technology.
  • Patient-centered – Proactive patient-facing practices that enable patients to control the request and release processes through use of apps with rigorous authentication.
  • Knowledge work – Release of information personnel who understand guiding regulations and principles and are trained to do the jobs they do.
  • Accountability – Tracking, red flagging and trending the status of all requests and maintaining auditable accounting of disclosure records.

We empathize with Bayfront’s unfortunate experience and that of the mother who experienced anguish and frustration through inexplicable delays.  This should not happen, but I bet many are whispering “there but for the grace….”  This is a learning moment.  Business as usual in release of information is no longer in our patients’ or our employers’ best interests.  Many health care organizations are rapidly moving to a new level of practice – and not a moment too soon.   

There’s an App for That!

By Linda Kloss

It’s a typical weekday for me working from home and stopping to get a few things cleared off my “to do” list.  It’s 2:30 in the afternoon and I have already used 10 apps:  I read my digital newspapers, did online banking, scheduled service on the car, ordered dog food, scheduled an annual dermatology appointment, booked a flight, hotel, and airport transportation, figured out a route from the airport to my hotel, and downloaded a book for next month’s book club.  You get it; this is now a typical day for most connected consumers.  Not long ago, we would have driven to the bank, dog food store, bookstore or library, called the travel agent, auto mechanic, and so on.   Apps have transformed how we get things done.

Now, many consumers use an app to access their medical records, downloading to a mobile device for their own use and to share as they see fit with providers, other caregivers and family.  Release of information, long a back office processing function, is becoming an app-enabled, consumer-driven service.  This transformation is largely driven by consumers.  When so many parts of our life are supported by apps, consumers are not satisfied with having to contact various hospitals and provider offices, complete forms, wait for paper or CD and pay a fee to gain access to their own information. 

Federal emphasis on interoperable EHRs brought the issue of barriers to access to information for patients to the forefront. Fees were identified as a barrier, and in 2016 the Office for Civil Rights addressed this with its patient access guidance. The Office of the National Coordinator for Health IT (ONC) extended the focus on patient access by including functionality in its EHR certification criteria, directly supporting standards-based application programming interfaces (APIs) and apps, and promoting access through public education. Patient access is one of six key planks in implementation of the 21st Century Cures Act designed to unlock the power of digital health information.

Consumer demand, supported by federal policy will transform release of information to an app-enabled function and I believe that this will happen very quickly.  I base this prediction on the experiences of health systems that enable web access for patients and authorized third parties.  Adoption and update has been swift and overwhelmingly positive.  

You can learn from NewYork-Presbyterian’s Susan Tabickman about this world renowned health system’s use of Verisma’s API-based app for release of information in a free webinar on October 30!  Registration information follows.   

There are inherent privacy and security risks for apps involving confidential patient data. Access and disclosure of patient information also require hardened compliance protocols. Trusted release of information app developers must meet a high bar: a developer must have the requisite technical and standards know-how, but must also have compliance, data protection, and accuracy in its DNA.

Against this background, CIOs and HIM professionals should proactively advance access transformation on four fronts:

1.  Transition from fragmented to standardized and centralized disclosure management across the health system.  This requires adoption of enterprise release of information management software and best practices.

2.  Add an app linking EHR and the enterprise release of information software so information can be requested and disclosed via web portal.

3.  Design and implement policies and processes to protect the consumers’ right of access with appropriate privacy and security protections for an app-enabled patient access environment.

4.  Develop an implementation plan that includes consumer and staff outreach and education.

I can’t yet access my EHR via app, but when I can, you can be sure I will keep my medical record securely on my password-protected phone. The days of taking notes, requesting and storing paper reports, and trying to recall when I last did this or that will be over. The timing is right and it just makes sense.

Use this link to register for the free webinar on October 30 at 2-3 pm EDT: https://bit.ly/2peAwoK

WEBINAR: There’s an App for That! Connecting People with their Health Information

Date: Oct 30th, 2019 2:00 pm – 3:00 pm EST

Presenters:

Susan Tabickman, RHIA
HIM Manager, NewYork-Presbyterian Hospital

Anupriyo Chakravarti
CIO & SVP, R&D, Verisma Systems, Inc.  

Linda Kloss, MA, RHIA
Regulatory Policy Leader, Disclosure Management, Verisma Systems, Inc.

Last year the Office of the National Coordinator for Health IT (ONC) announced rules in support of patient access to their health information using standards-based application programming interface technology (APIs).  APIs enable computers to talk to each other and it is the vision of ONC to enable people to access and direct their health information using API-based apps.

In this webinar, participants will learn from the firsthand experience of NewYork-Presbyterian Hospital how the Verisma Request App (VRA) is transforming release of health information (ROI) at NYC’s #1 hospital. NewYork-Presbyterian is proactively advancing the right of the patient to get their electronic health information, and they are using VRA as the application to do so. This webinar will also highlight essential technical and functionality app requirements that HIM, CIO and Compliance managers should assess when considering use of mobile tools.

Webinar objectives:

  • Understand the federal policy environment concerning apps and health information access
  • Learn from health system experiences using apps to enable release of information while improving customer satisfaction
  • Review a technology, standards, privacy and security checklist for sound release of information apps

Approved for 1 AHIMA CEU Credit for Management Development


WEBINAR: Northwell Health Physician Partners: Automating Disclosure Management in an Ambulatory Setting

Date: Jan 16th, 2019 2:00 pm – 3:00 pm EST

Presenters:

Lyndsey Kane, RN-BSN
Project Manager, Northwell Health Physician Partners

Anupriyo Chakravarti
SVP, R&D, Verisma Systems, Inc.  

This webinar will focus on key compliance and business drivers for standardizing release of information practices and procedures across physician practices that are part of an ambulatory or integrated health delivery system. Health systems often begin by ensuring consistency and efficiency of information disclosure management across their acute care facilities. But the job is not done until health information is released in a standard way across all levels of care.

During this presentation, Lyndsey Kane, RN-BSN, Project Manager at Northwell Health Physician Partners and Anupriyo Chakravarti, SVP, R&D at Verisma Systems, Inc. will explore how the ambulatory HIM department is centralizing ROI processes and implementing disclosure management solutions to automate workflows, ensuring accounting for all disclosures while improving overall compliance and efficiency.

Geared towards managers of medical practices, HIM, privacy and release of information teams and compliance managers, this webinar will address the following learning goals:

  • Review current regulations and guidance on patient access and release of information
  • The case for automating compliance and disclosure management in medical practices
  • Review the challenges and solutions used by Northwell to improve ROI automation and compliance
  • Discuss the benefits and rationale for centralizing ROI across ambulatory practices, and the processes needed to move towards technology-supported standardization

Approved for 1 AHIMA CEU Credit: Privacy & Security

WEBINAR: Risk Management of Health Information Access and Disclosure

Date: April 3rd, 2018 | 1:30 pm – 2:30 pm EST

Presenters:

Barbara Beckett, RHIT, CHPS
System Privacy Officer for Saint Luke’s Health System, Kansas City

Jon Neiditz, JD
Cybersecurity, Privacy & Data Governance Co-Leader, Kilpatrick Townsend & Stockton LLP

Linda Kloss, MA, RHIA
President, Kloss Strategic Advisors, Inc.

Compliance is often defined in terms of meeting current regulations. Regulatory compliance is necessary but no longer sufficient. Today’s privacy and security risks are changing too rapidly and regulations don’t cover the range of issues that confront you as a health information steward.    This webinar offers a risk management approach to help you address privacy and security risks inherent in access and disclosure management.

An expert faculty panel will discuss techniques for risk assessment, a critical tool for boosting compliance, using practical case studies. They will suggest key actions you can take now to improve overall trustworthiness of your organization’s information disclosure function.

Learning goals:

  • Understand compliance in terms of risk assessment, risk reduction and mitigation
  • Consider specific disclosure management risk situations and effective ways to manage them
  • Assess skills to boost the risk management capabilities of your release of information team
  • Leverage your risk management results to help educate others

Approved for 1 AHIMA CEU Credit: Privacy and Security

WEBINAR: Improving Patient Access While Transforming ROI: Challenges and Best Practices from Innovative Health Systems

Date: March 8th, 2017, 2:00 pm EST  

Presenters: Linda Kloss, MA, RHIA, FAHIMA, Angela Rose, MHA, RHIA, CHPS, FAHIMA and Jim Moore, JD

It has been one year since the HHS Office for Civil Rights issued new guidance on Individuals’ Right under HIPAA to Access their Health Information. Access to information is an important element in empowering patients and removing barriers to access is a worthy goal. The new guidance, however, had the effect of altering the business case for ROI and ushering new challenges in distinguishing whether certain 3rd party requests are in fact on behalf of patients.

HIM, ROI and compliance leaders embraced the value of the new guidance for patients and stepped up to comply. Many have leveraged the goal of access for individuals to bring about needed innovation in ROI practices. This webinar will review the access guidance and the ground rules for compliance.  It will also describe the other drivers of change for ROI and best practices from health care organizations that have succeeded at leveraging the new guidance to advance their change goals.

In this webinar, Angela Rose, former Privacy Practice Excellence Director for AHIMA, Linda Kloss, President of Kloss Strategic Advisors and Jim Moore, Chief Legal Officer at Verisma will explore the policy, process, technology and business changes that healthcare organizations are making to comply with the access guidance and advance cost-effective, fully compliant ROI across the enterprise. It will provide participants with an assessment tool that they can use in driving change in their organizations.

Attend the webinar to learn:

  • Why HHS stepped up focus on patient access to health information and what the guidance calls for
  • The changing business case for ROI
  • How leading health systems have leveraged a compliance policy change to introduce innovation
  • Elements of ROI innovation for reliable enterprise compliance and cost control

1 AHIMA CEU Credit for Privacy and Security
