The 21st Century Cures Act and Its Impact on Disclosure Management

The 21st Century Cures Act and Its Impact on Disclosure Management

By Linda Kloss

The 21st Century Cures Act was passed by Congress in December 2016 and long awaited final regulations were released earlier this summer.  The Cures Act is a complex multi-part law that will be administered through a number of Federal agencies.  The Verisma sponsored webinar on August 26 focused on the Interoperability, Information Blocking, and the ONC Health IT Certification Program Final Rule that was developed and will be administered by the Office of the National Coordinator for Health IT(ONC).   A special thanks to the ONC team of Elisabeth Myers, Deputy Director, Office of Policy and Michael Lipinski, Division Director, Regulatory & Policy Affairs, Office of Policy for providing a great overview of the Rule and taking audience questions. 

The Rules

We learned that the ONC Rule is really two Rules in one:  regulations designed to advance interoperability and prevent information blocking, key goals of the Cures Act that apply to providers, developers of certified health IT and health information networks and exchanges, and; regulations regarding revised and new criteria for health IT certification.  While our webinar audience primarily represents the provider community, we understand that it is helpful to understand the scope because health systems do operate information networks and exchanges and provider organizations, of course, set specifications for vendors such as their certified EHR vendors. 

From the 30,000 foot perspective, Cures Act represents a third important milestone in advancing a digital health ecosystem with its enormous potential to improve health and health care. The 1996 HIPAA law and associated regulations put in place essential preconditions for digital health – privacy, security, and standards for administrative simplification.  The 2009 HITECH Act accelerated health IT adoption through EHR incentives, certification of health IT, and the development of approaches for health information exchange.  The 2016 Cures is intended to unlock the fullest potential of digital health data to accelerate research into preventing and curing serious illnesses. 

The ONC Final Rule advances interoperability using levers of government, such as its standards setting and enforcement roles, to remove barriers. It underscores the importance of patient access to information, a principle that is foundational to all three of the health information laws.  We also learned that ONC worked closely to align with the Centers for Medicare and Medicaid Services (CMS) Cures Act Rule, the Interoperability and Patient Access final rule.  This is important because aligned concepts, definitions, and standards will bridge clinical and administrative data interoperability, too long siloed. 

The Implications for Disclosure Management

For Release of Information (ROI) professionals and service providers, the Cures Act has four clear implications:

  • We are already seeing an increase in requests from patients for access to their health information.  These Rules will drive further interest by patients and continue this trend.  It is important that ROI modernize patient access through the use of request apps to both support requests and releases.
  • While not directly addressed by the Cures Rules, ROI is today the prominent mechanism for disclosure of a single patient’s data.  The Rules accelerate the urgency of adopting contemporary practices such as standardizing ROI across the enterprise and using smart end-to-end workflow technology that improves turn around and accuracy, while ensuring compliance and accountability.
  • Move away from paper, fax and other outdated ways of handling requests and releases.  If walk up windows and mail in request have slowed due to COVID-19 responses, redesign processes to use technology to improve the efficiency of request and release processes.   
  • Make efficient and accurate patient access a central goal for the ROI team.  Shift from processing paper to helping people get access to their information.  Then, help educate patients about how they can take steps to keep the health records in their possession safe and secure.  

For HIM work generally, the interoperability-focused Final Rules from ONC and CMS include important concepts that will be part of our work in the years ahead. 

  • First, aligning administrative and clinical data standards begins to overcome the artificial separation of patient data for insurance and finance from that used in clinical care.  HIM bridges these worlds and can play an important role in helping to unify them. 
  • As custodians of the health record, HIM maintains EHI and ePHI definitions for designated record sets.  HIM should engage stakeholders in data governance for interoperability including USCDI and defining admission, discharge or transfer (ADT) and other patient event notifications addressed in the CMS Final Rule. Where needed, data capabilities, such as provenance, should be expanded.
  • Working with stakeholders, HIM should step up data quality control for interoperability.
  • The Rules do not change HIPAA privacy and security foundations, but they include a big step forward requiring privacy and security attestation for certified health IT.  Join us for a discussion of the importance of ‘designing in’ privacy and security in a September 23 Webinar.   

The Resources

Elisabeth and Michael described ONC’s commitment to providing education resources for stakeholders.  The ONC Final Rule can be found at www.healthit.gov/curesrule along with fact sheets and previously recorded webinars. 

The CMS Rule and resources can be found at https://www.cms.gov/Regulations-and-Guidance/Guidance/Interoperability/index.  Information on the CMS ADT Notice Provisions can be found at https://chimecentral.org/wp-content/uploads/2020/03/CMS-Interoperability-and-Patient-Access-Final-Rule-summary.final_.pdf

Verisma’s webinar slides and recording are available upon request from DSimanivanh@verisma.com.. 

Enabling Patient Access in a Pandemic

Enabling Patient Access in a Pandemic

By Linda Kloss

The tragic surge in coronavirus cases and deaths continues through the long hot summer. Healthcare systems are fully focused on caring for pandemic victims and the health of our communities. We witness heroism every day in lives saved, new treatments, and compassionate attention to peoples’ needs. And we are proud to have health care as our life’s work. While we may not directly treat a person’s illness, we know that managing their health information is an essential element of managing illness and promoting health, including public health.

We are in a time of profound personal and professional uncertainty. Decisions require continually adjusting assessments of risks about how to protect ourselves and our families and in making sound business decisions.  There have been furloughs and layoffs due to shifting patient care services and workloads. Work from home is the new normal for many more in HIM. Workflows and procedures have been redesigned to adapt to physical distancing. Long days and nights of work and uncertainty.

Against this background it is great to learn about an innovation that offers demonstrated benefit now and will also be an important bridge to a new era. That innovation is the Verisma Request App (VRA). Reggie Abadsantos, RHIT, HIM Operations Supervisor, NCH Healthcare System, Naples Florida was guest speaker at the July 15 webinar “App-Based Release of Information Comes of Age.”[i] NCH implemented VRA in 2018 to improve patient satisfaction with a convenient and secure web-based  method to  obtain their health records.

With VRA and a centralized ROI workflow firmly in place, Reggie described how NCH quickly adapted to physical distancing and work from home without missing a beat in patient access. When walk in services were abruptly suspended in March, patients were redirected to the web App.  Patients could use their smart phone, tablet, laptop, or desktop to request their medical records; and like any App, it is available 24/7. VRA enables the request, authorization, and authentication process, creating a complete record that feeds the release of information management software and triggers the release. NCH consistently averages a 24 to 48 hour turnaround in fulfilling patient requests!  This performance level was not disrupted as NCH responded to COVID-19 and the volume of requests via VRA increased sharply.

Serving an elderly population, Reggie reports that having reduced paper and fax processing, team members are freed up to help patients who may need telephone assistance in walking through the use of the App. For people who wish to pick  up a physical copy of their health record or imaging, NCH offers a curb-side delivery service.  These unique ways to serve patients are consistent with NCH’s 2018 service goals for VRA.

We spotlighted NewYork-Presbyterian Hospital’s journey with VRA last October before New York City was the epicenter of the pandemic.[ii] We revisited NYP’s experiences in April in the midst of the surge. Like NCH, NYP was able to send staff home, close walk in service, yet continue to enable timely patient access.[iii] In fact, in the past 2 months, 20+ health systems comprising over 1500 sites of care, are now live with VRA to mitigate the impact of closed request services and work from home.    Further, the rate releasing e-records rather than paper, has significantly increased. VRA fulfills the requirements of HIM for completeness, security, compliance and cost-effectiveness. And when integrated with a comprehensive ROI workflow platform, it creates a seamless record of the request and its fulfillment.

Times of great challenge bring innovation.  Apps are no longer disruptive technology, but their application to Release of Information is! VRA’s value was well demonstrated as a popular adjunct request route prior to the pandemic. The pandemic has shown that VRA is the right technology for the time and for the future.  Health systems report that they will rethink walk up services, paper requests, faxing, and release of paper documents when physical distancing is no longer needed. They have learned we can do a better job in enabling patient access while strengthening business goals such as patient satisfaction, compliance, and cost effectiveness. Release of Information will never be the same…it will be vastly improved.

[i] www.Verisma.com:  July 15, 2020 webinar “App based Release of Information Comes of Age”

[ii] www.Verisma.com:  October 30, 2019 webinar “There’s an App for That! Connecting People with their Health Information”

[iii] www.Verisma.com:  April 29, 2020 webinar “COVID-19 Response:  Emerging Best Practices for Health Information Disclosure Management- Part 2”

App-Based Release of Information Comes of Age

App-Based Release of Information Comes of Age

Date: July 15, 2:00 pm – 3:00 pm EST

Presenters:

Reginald Abadsantos, RHIT
HIM Operations Supervisor, NCH Healthcare System

Panel of HIM and ROI Leaders

Linda Kloss, RHIA
Kloss Strategic Advisors, Inc. and Regulatory Policy Leader, Disclosure Management, Verisma

NCH Health System, Naples FL is a true pioneer in the use of Web-based App technology to support record request and release processes.  Implemented in 2018, NCH deployed Verisma’s Request App™ (VRA) to improve service to patients. NCH Health System is a large regional health system that also supports an older “snowbird” patient population living part of the year in Florida and often needing access to their health information from afar. It experienced rapid uptake VRA and strongly positive customer satisfaction feedback.

What NCH could not anticipate was the key role VRA would play in a time of COVID-19, enabling paperless request processing and electronic release despite workflow and disruptions due to work from home and other adaptations. This is a lesson that many of our health systems clients have come to appreciate as the use of VRA has now grown to over 1,500 sites of care. While the Office of the National Coordinator for Health IT (ONC) announced rules supporting patient access to their health information, it was pioneers like NCH and others who have built the story of how the right technology at the right time can transform a process long overdue for disruption.

In this Webinar, you will learn from NCH’s firsthand experience with use of VRA for release of information. You will also learn about the goals and experiences of other health systems using VRA. The essential technical, integration, security, and functionality requirements for an ROI app will be discussed as will implementation considerations. Presenters will describe the importance of teamwork among HIM, CIO, compliance and others working together to deploy Web technology to update what is often an outmoded fundamental building block for ROI.

Learning Objectives

  • Learn from health systems’ experiences in implementing and using apps for release of information to patients and third parties,
  • Describe realized benefits and impact of use of apps for release of information on improved customer services, productivity, and cost management,
  • Understand the federal policy environment that encourages the use of apps to improve access and disclosure of protected health information, and
  • Review the technology and privacy and security requirements for release of information apps.

 Approved for 1 AHIMA CEU Credit for Information Protection: Access, Disclosure, Archival, Privacy and Security

VIEW RECORDING

A Future Anchored in Integrity, Access, and Connection

A Future Anchored in Integrity, Access, and Connection

By Linda Kloss

Health information remains a critical part of the current and future healthcare environment and is no less important in the midst of a global pandemic” stated Dr. Wylecia Wiggs Harris in opening remarks on last week’s webinar entitled Integrity, Connection, Access: A Framework for the Future. Dr. Harris, CEO of American Health Information Management Association (AHIMA), shared the principles and assumptions that shape AHIMA’s 2020-2023 Enterprise Strategic Plan via Webinar instead of delivering the keynote address at Verisma’s 4th Annual Disclosure Management Summit cancelled due to COVID-19.[i]

The Strategic Framework bridges HIM’s legacy, today’s crisis, and tomorrow’s imperatives. Dr. Harris emphasized three grounding principles undergirding the Framework: Integrity, Access, and Connection.  These sustaining principles are reimagined for what Dr. Harris described as a time when AHIMA and health information professionals need to “show up as transformational leaders.” She noted that the health information professional may be more important in the pandemic and post pandemic world.

In a world where people are more engaged in their health and health care and where health is finally understood to be broader medical services, Dr. Harris stressed that AHIMA’s Strategy is “People-Centric “ and that health information professionals must always remember that their work is uniquely important because  “Health information Is Human Information.” In fact, we have seen this play out in recent years as health information professionals proactively help people gain access to their health information in portals and health information exchanges. More recently, the use of request Apps is transforming patient access and release of information specialists are stepping into new roles of supporting innovation in access.

Dr. Harris and I discussed how the Framework’s grounding principles of Integrity, Access, and Connection might guide transformational improvement in access and disclosure management. The table shows examples of desired outcomes for some well-known areas of vulnerability and those in need of transformational change.

Principle

Examples of Desired Outcomes

Integrity

·    QA processes confirm that the right information is released and that there is a record for accountability.

·    QA processes confirm that the release complies with minimum necessary rules and there is a record for accountability.

·    Authorizations are complete and valid and they are convenient to execute.

Access

·    People have access to their digital health records through a secure web App with rigorous authentication.

·    Paper request and release processes are replaced by smart technology.

·    Release of Information staff help patients and third party requestors learn to use e-tools.

Connection

·    Release of information processes are standardized across health systems.

·    Centralized access to “complete” record from ambulatory and acute care encounters.

·    Workflow technology with compliance prompts and rigorous security supports end-to-end processes.

AHIMA’s initiatives will be guided by the Framework in the years to come. The guiding principles are also useful in anchoring needed change in access and disclosure management and in other HIM domains such as  coding, revenue cycle, EHR management, privacy, data analytics.

What’s required is a commitment to achieving measurable improvement.  As reported in our recent blogs about HIM leaders’ responses to COVID-19, there is currently momentum for modernizing outmoded processes and a spirit of empowerment for transformational change.  Dr. Harris summed this up so well for us, “When surrounded by uncertainty, we must be crystal clear about what grounds us, what will guide our decisions, what will help us navigate our new norm.”   

Once again, we congratulate Wylecia Wiggs Harris and the AHIMA Board of Directors for its compelling Vision and Framework and we thank Dr. Harris for sharing it so eloquently with the Verisma community.

[i] American Health Information Management Association.  2020-2023 Enterprise Strategic Plan.
http://bok.ahima.org/PdfView?oid=302888

Protecting PHI in the Pandemic: Good Faith Compliance (Part 4 of 4)

Protecting PHI in the Pandemic: Good Faith Compliance (Part 4 of 4)

By Linda Kloss

In the midst of the COVID-19 pandemic, HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina taught us powerful lessons about rapid adaptation and change. Over the past month, we shared their insights in two webinars and three blogs. This fourth blog, addresses the privacy and security of protected health information (PHI) as health systems lock down to protect staff, patients, and visitors. This public health emergency requires facilitating the flow of information while preserving essential privacy protections and stepping up security; a difficult balancing act in the best of times.

The Office for Civil Rights (OCR) acted quickly to issue guidance for covered entities and business associates waiving penalties and sanctions and exercising its enforcement discretion regarding certain good faith disclosures of PHI. For covered entities, these focused on helping family members get information on their loved one’s even as they were blocked from in-person visits.  For example, staff involved in the individuals care may speak with an involved family member or friend without the patient’s express agreement; the Notice of Privacy Practices need not be distributed; patient rights regarding opting out of a facility directory and requesting restricted communication of certain PHI may be temporarily set aside.

Under ordinary circumstances, when federal and local public health and public safety officials seek PHI from business associates, the disclosure may be prohibited unless explicitly authorized in the business associate agreement. The OCR enforcement discretion removes this barrier, providing the business associate can show good faith use of the disclosed information for public health or health oversight and informs the covered entity. These OCR actions are relatively narrow in their focus.  They do not, for example, relax other obligations such as breach notification.

Our panel of HIM leaders acknowledge that these temporary relaxations are helpful and are used as a backstop. The default is to fully comply with HIPAA, but when this is not possible, these temporary modifications allow staff to proceed without undue worry. They remove barriers to acting quickly.

Our panelists point to areas not covered by OCR modifications for which workarounds have had to be put in place:

    • The increase in requests by phone and the need for reasonable authentication of the identity of requestors.
    • Accumulating mail in closed medical practices and the potential difficulty to process requests on a timely basis.
    • Up to date and accurate authorization for access to EMR data by new healthcare workers from outside the system who have been quickly pressed into service.

As each health system finds ways to deal with these and other privacy challenges, the watchword continues to be good faith efforts to protect PHI as fully as possible from unauthorized access and disclosure.

An unfortunate truism of life in the digital age is that the bad actors attack when we are most vulnerable. Health care is experiencing a sharp increase in cyberattacks, ransomware, and phishing incidents. Working with PHI, access and disclosure is a high security risk activity. Our panel discussed the following steps:

    • Tighten the security of the work from home platform. The transition may have been made quickly and the platform may not need to be hardened.
    • The environment in the home may not be secure due to space limitations. Each situation should be assessed to ensure that PHI is protected.
    • Keep security front and center in routine communications and staff conferences. Include security staff and examples to underscore the need to check before clicking.

Let me once again thank the HIM leaders who taught us so much during the month of April 2020, a month that none of us will ever forget. They have shown us just how much can get done by seizing the momentum. They have kept information flowing, yet confidential; they kept staff safe, while introducing improvements.

Please continue to share your access and disclosure challenges and breakthroughs so we can continue to learn from one another.

Integrity, Connection, Access: A Framework for the Future

Integrity, Connection, Access: A Framework for the Future

Date: May 13, 2:00 pm – 3:00 pm EST

Presenters:

Wylecia Wiggs Harris, PhD, CAE
Chief Executive Officer, AHIMA

Linda Kloss, MA, RHIA
Regulatory Policy Leader, Disclosure Management, Verisma

The American Health Information Management Association (AHIMA) enters the new decade ready to execute a strategic Framework with three key impact areas — Integrity, Connection, and Access — to improve the management and value of health information. Wylecia Wiggs Harris, PhD, CAE, AHIMA’s CEO is a special guest for this important thought leadership webinar.

Dr. Harris will discuss how the Framework reflects AHIMA’s Vision of “A world where trusted information impacts health and healthcare by connecting people, systems, and ideas.” She will describe the environmental trends that have informed the impact areas.  She will also highlight some of the plans for 2020/21 and desired outcomes for HIM professionals and AHIMA and the ways in which the direction benefits the health system and those it serves.

Dr. Harris and Linda Kloss will discuss how the impact areas of Integrity, Connection, and Access apply to the access and disclosure management of health information, important HIM and compliance responsibilities. The integrity of release of information practice is being transformed by advanced release management technology and improved quality control; workflows from request through release are being standardized and automated, and; web-based apps are streamlining access to empower people. The impact areas of AHIMA’s plan reflect the future of release of information and this webinar will connect the dots so the industry can embrace and promote AHIMA’s Framework for the future.

Webinar objectives:

This webinar will enable HIM, compliance, and ROI teams to:

  • Describe AHIMA’s Framework for the Future and its intended benefits;
  • Translate AHIMA’s Framework to access and disclosure management, including release of information (ROI) practice,
  • Consider ways in which incorporating the Framework’s direction and impact areas can help to advance transformation of access and disclosure management, and
  • Enlist ROI practitioners in advancing change.

 Approved for 1 AHIMA CEU Credit

REGISTER NOW