What HI Professionals Can Expect in 2024

By Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS
Director of Compliance and Government Affairs

January 2, 2023

Privacy gets (more) complicated

We’ve said it before – the US is overdue for a national conversation on privacy. 2023 only increased the stakes with the increased adoption of AI, stark state-level differences on social policies, and the prevalence of cybersecurity threats.  Navigating these conflicts – in the absence of a national privacy framework – will be increasingly time-consuming and high-stakes for privacy and compliance professionals.

Patients will be the primary focus

Healthcare consumerism and patient-centered care have been hot topics in 2023 and will remain so in 2024. One area that hasn’t received as much attention is the emphasis on individual patient factors – for example, what constitutes a burden for some patients when requesting records is not for others.  Information blocking exceptions specifically prioritize individual factors in the preventing harm and content/manner exceptions. It will no longer be enough to have a black-and-white procedure manual; instead, organizations may want to consider a “playbook” of factors to be considered.

Expect regulatory activity, especially in early 2024

The last Congress will be one of the least productive in memory – and there weren’t high hopes given the ideological polarization and thin margins in both chambers. Expect to see regulatory agencies attempt to step in through rulemaking.  Early 2024 will likely see the most activity – agencies will want to publish or enact any rules prior to 60 days before a potential change in administrations.

and as always …

Executing on fundamentals is key

This one goes across all areas – we can’t stop emphasizing fundamentals while we handle increasing complexities. It’s the little things that get you in the end. Keep on top of cybersecurity by emphasizing employee cyberhygiene, patient privacy and safety by verifying patients with two identifiers, and patient access by improving request processes and adding new delivery options.

Overcoming Staffing Challenges in Healthcare Information Leadership 

By Connie Renda, MA, RHIA, CHDA
In my role as the CHIA President-elect, I had the privilege of addressing our California members on a pressing topic that resonates with healthcare information leaders across the industry. Every day, managers grapple with a multitude of human resource challenges, and this struggle is particularly pronounced in the healthcare information sector. In this article, we’ll delve into these pain points, offer a comprehensive understanding of the challenges faced, and present innovative solutions to help healthcare information leaders reach their goals. 


Challenges in HI Staffing



Understaffing is a perennial issue that plagues healthcare information management. The demand for skilled professionals often surpasses the available talent pool. A report from the Society for Human Resource Management (SHRM) notes that finding suitable candidates and retaining employees will be paramount for organizations in 2023. However, this search for top talent often collides with budget constraints, creating significant challenges, especially in an era marked by concerns over inflation. Many organizations find themselves handcuffed by hiring freezes or grappling with staff shortages due to employees on FMLA leave, compounding the problem further. The critical HIM duties cannot be deferred and require a dependable workforce, which isn’t always readily accessible when needed.

Skill Gaps

In the ever-evolving healthcare landscape, skill gaps are another major headache for healthcare information leaders. As Forbes aptly points out, the industry is grappling with substantial talent shortages as skill sets struggle to keep pace with rapidly advancing technology. This disconnect between the demands of modern healthcare and the available skill sets places additional pressure on organizations striving to maintain efficiency and compliance in their operations.

Fluctuating Workloads

Fluctuating workloads compound the woes of healthcare information leaders. The volume of work can oscillate dramatically, leading to unexpected spikes in demand that strain an already stretched workforce. Coping with these variations efficiently while maintaining a high standard of service becomes an ongoing challenge.

What Can We Do?


Develop a Flexible Workforce Strategy

Maintaining staff agility is one way to ensure operational continuity and peace of mind. My colleagues had many great ideas to achieve this from cross training to assigning multiple job roles. More experienced staff (or outsourced partners) are motivated by new learning experiences and can help address staff shortages, workload surges, and unique projects. In fact, this is such an effective strategy that Verisma launched a team dedicated for this purpose called Verisma bench.  

Consider Efficiency Gains Through Outsourcing

In addition to ROI, many other administrative HIM tasks can frustrate staff who could be spending more time working at the top of their license. Outside partners can alleviate these burdens and improve efficiency, while eliminating the headaches of hiring and training. Verisma, for instance, can manage tasks like prior authorizations, purge projects, inbound document management, and referral management, so staff can focus on what matters most – patient care.

Leverage Technology-Enabled Strategic Partnerships

Strategic partnerships are more than supplemental staff. They’re relationships built on experience, consistency, time, and effort. Better yet, technology-enabled service companies do more than complete tasks – they build for the future. Working with a trusted company like Verisma to help with staffing challenges makes sense and allows you to share the burden of finding a qualified, reliable team to address talent shortages. 

Five Ways an FQHC Can Save on Administrative Costs

Federally Qualified Health Centers (FQHCs) provide critical care for underserved patients nationwide, but on a limited budget supported mostly by donations and grant funding. By focusing on decreasing administrative costs, FQHCs can make their dollars more impactful to patient care initiatives, improving the lives of millions of people across the United States. The following are five ideas FQHCs can consider to reduce their administrative costs to focus their attention on more impactful care within their communities.


In an ever-changing healthcare industry, all organizations are constantly updating process and operations workflows to meet new requirements. FQHCs can implement regular analysis of all workflows to analyze for operational efficiencies. Reviewing patient activities while in the waiting room, as well as what administrative staff may be able to do prior to the patient visit, can ensure that patients are registered, roomed and seen as quickly as possible.

Because of the demand for FQHC visits and services, FQHCs need to make every minute a patient is in the office count. Part of the analysis may include whether offsite staff or partners can provide a more focused, cost-effective way to remove burden and time-consuming administrative tasks from patient-facing personnel. Streamlining staff, provider and patient interaction can create more impactful visit time and allow providers to see more patients in a day.

FQHCs can also find efficiencies by analyzing workflows and refining their tasks and best practices. By optimizing everyday functions and administrative tasks, FQHCs can find areas of savings and eliminate waste. Good examples of common culprits are paper and ink/toner, which can be greatly minimized with smarter filing and scanning workflows.

Information Technology is often seen as an investment and expenditure, but it comes with an upside. In many situations, IT updates can improve and thereby cut administrative costs for the future. Some government incentives like Pay-for-Performance programs also exist to help organizations offset the costs of implementing technologies. Using information technology to capture structured quality data about patient care can be reported to government and commercial entities, in some cases leading to increased reimbursement.

Additionally, as the industry moves from paper to electronic records, converting paper charts to electronic documents stored in the Electronic Health Record (EHR) can reduce administrative spending on chart storage, as well as free up space for FQHCs to pay less rent or utilize space in other ways that support the patient care mission. Ultimately, IT improvements can lead to increased efficiency and functionality and decreased administrative spending in the future.


Compliance doesn’t just mean HIPAA. Other regulatory programs require complying with certain objectives in exchange for funding. As the industry changes, meeting grant requirements and alternative payment model metrics is critical for keeping the doors open. By focusing energy into maintaining compliance protocols, FQHCs can avoid losing invaluable revenue sources. Of course, HIPAA is also important! Ensuring the proper protocols are implemented, staff is periodically trained, and quality assurance is in place in accordance with the HIPAA Privacy and Security rules is critical for preventing threats. Good compliance practices also help FQHCs avoid a costly and unexpected HIPAA breach adding to administrative costs and detracting from the mission.


One of the biggest administrative costs to a FQHC is staffing. These costs not only include payroll, benefits and other overhead expenses but also where the staff expends their time while they are on the clock. As FQHCs have a laundry list of items to achieve throughout the day, many staff members find they have too much on their “to do” list and something has to give.

Ultimately, staff members being tasked with too many duties can cause burnout, distractions and procrastination, all of which lead to costly mistakes, extra expenses and, in some instances, tasks not getting done altogether. Organizations like Verisma can help FQHCs reduce administrative costs by providing focused expertise related to specific administrative functions.

Utilizing a Business Associate can reduce the need for certain admin staff functions, in turn alleviating some payroll costs as well as the management tasks inherent in supervising hourly staff. Where workforce is in short supply, one of the greatest benefits of utilizing a partner for functions like document filing and release of records is the ability to focus or repurpose existing FQHC staff. When a partner is handling the administrative tasks, the FQHC staff can focus on patient needs and care. In an era of patient satisfaction and engagement tying to reimbursement, focusing on patients is of the utmost importance to FQHCs maximizing their dollars and serving the community.


Changing goals means fluctuating costs; by deploying and following a clear mission FQHCs can zero in on their wildly important purpose. Because FQHCs rely heavily on funding sources, planning too far into the future can be challenging. The mission of the organization, though, will remain steadfast and is the ultimate litmus test in financial planning for FQHCs. If an administrative expenditure doesn’t directly support the mission, is it worthy of investment? Administrative costs can often seep out unexpectedly, especially when the goal line is constantly moving. Reviewing the budget with the mission statement in mind can help FQHCs analyze their supportive and detractive administrative spend.

Need help implementing some of these strategies for maximizing your staff and minimizing administrative costs and workloads? Get in touch at verisma.com/contact-sales.

How Leveraging an HIM Partner Helps Decrease Staff Stress

“Everything Everywhere All at Once” isn’t just the title of an award-winning movie that many viewers found quite confusing. It’s how a lot of health information management (HIM) employees feel about their jobs. There aren’t enough hours in the day, and one person can’t do everything at once.

Many providers are exploring HIM support from outside partners to take all or some of the weight off their shoulders. The right Release of Information (ROI) and HIM partner can be a reliable and cost-effective solution for ensuring your quality standards are met without burdening you or your internal staff.

Following our acquisition of ScanSTAT Technologies, Verisma now offers a full suite of outsourced HIM solutions in addition to our industry-leading ROI service:

  • Prior Authorizations
  • Inbound Document Management
  • Chart Abstraction
  • EHR Conversion
  • Forms Completion
  • Document Scanning


Contact us to learn more!

Imagine a world where your team’s health information management responsibilities are supported by industry-leading experts at Verisma. What would that look like?

1. You would spend less time recruiting, hiring, training, retaining and scheduling employees.

Finding and hiring new talent has never been more challenging. HIM partners ensure you have the resources required to meet the demands on your organization. Your employees take time off for vacations, illnesses, and leaves of absence, but Verisma is always ready. We have the people and resources to meet your needs every day.

2. You could finally address your backlog.

When you partner with Verisma, you can breathe. Because Verisma:

  • Allows your in-house staff to focus on patient care
  • Keeps your medical records department current on requests
  • Assumes responsibility for HIPAA compliance
  • Fills the gaps in your department while you still maintain your own processes and standards


A dedicated team of experts can improve turnaround time and thus reduce staff stress while improving patient satisfaction.

3. You would reduce risk and achieve or maintain compliance.

As stewards of data integrity, health information managers understand that Protected Health Information (PHI) responsibilities—from compliance, workflows, training, and coding to document completion—are top priorities. But, realistically, each one of these PHI responsibilities is a full-time job. Recent regulatory changes related to release of information (ROI) are a potentially expensive pitfall as there are steep fines for violations. Verisma has in-house experts dedicated solely to staying on top of compliance and legislative activities. Working with an outsourced team of knowledgeable HIM experts can help you feel confident that your organization meets the new requirements for releasing electronic information. Furthermore, your organization will be compliant with laws regulating strict timeframes under which requests and information must be handled to avoid stiff fines.

4. You would have happier, more focused employees who are more likely to stay with your team.

Additional HIM functions, such as prior authorizations and faxing and scan filing, often fall on staff members with multiple other responsibilities. This necessity to multitask drains staff and contributes to lower job satisfaction.

By working with Verisma, you’ll know dedicated experts are:

  • Completing forms and requests efficiently and accurately
  • Improving your physicians’ satisfaction by eliminating the additional work and stress of tracking down accurate patient information
  • Helping ensure your processes are compliant with current regulations
  • Available to help train internal staff on new technology or processes

Get back to being in one place and thinking about one thing at a time. Reach out to us today to get started.

AHIMA22 Overview and Takeaways

AHIMA22 brought us to Columbus this year, the capital and heart of Ohio. It’s been three years since we’ve all been together and there was so much catching up to do! The American Health Information Management Association (AHIMA) is the leading voice and authority in health information where the associated experts work at the intersection of healthcare, technology, and business. Today more than ever, in an era where technology drives change and efficiencies on one hand and on the other hand increases the risk of interfering with privacy and security, managing the complexity of patients’ information is critical. Healthcare professionals must ensure that sensitive health stories remain accurate, accessible, protected, and complete at all times.

We all know the tremendous effects COVID had on our healthcare and the gaps it highlighted in our systems. It changed the workforce landscape with an increased need for healthcare professionals and the reality that jobs require more technical skills than ever before. AHIMA22 highlighted the emerging changes and responsibilities that healthcare information management professionals face today.

The conference kicked off with sessions on “Design Thinking for Innovation in Healthcare” and “What Does it Take to Become a Revenue Cycle Executive” and a marching band performance! There were over 40 in-person sessions led by health data experts and visionaries, new product tech demos in the exhibit hall, networking opportunities, and social events with over 3,00 attendees. Thinking back on all that I heard and witnessed at this convention, there are a few key takeaways I’d like to share:

Design Thinking for Innovation in Healthcare

This workshop kicked off the conference and set the tone for the rest of the week. Design thinking process is a theory that many startups and innovative companies use to solve real end user problems and it’s one of my favorite methods to use to develop user centric products. Design thinking is taught at top universities like Harvard and is adopted by brand name companies such as Apple, Google, and Samsung. It’s a 5-part problem solving approach you can apply in both your organization and your daily life. It centers around end user challenges and how to put aside limiting beliefs and our own perspectives to solve a problem based on observation and thinking outside the box.

“Healthcare requires continuous innovation to meet the needs of patients and providers,” says Mary Ann Sullivan, MA, CCMP, senior director, professional development and education operations and innovation at AHIMA. But important stakeholders are not always considered when new interventions or processes are designed. This can lead to products and services that do little more than gather dust, while the underlying issues remain unaddressed. “Design thinking,” Sullivan says, “can be used to improve clinician-patient workflows, healthcare spaces, customer service, and community programs.” In a healthcare landscape where there are so many silos, this methodology can be useful to bridge the gap and deliver real solutions that bring back the patient to the center of care.

Privacy and Security

AHIMA22 had top experts on information blocking, electronic health record vendor efforts to protect privacy and achieve interoperability, cyberthreats, and risks associated with the Internet of Medical Things (IoMT). There is an ongoing responsibility to understand and comply with laws that govern the privacy and security of health information. It’s important to learn unique security gaps and how to mitigate the IoMT risk as healthcare increases its use of devices that interact directly with patients. Furthermore, understanding the current drive to achieve an interoperable landscape requires heightened privacy and security.


The last several years were a turning point in healthcare with consumers finally empowered to make more informed decisions about their health. AHIMA22 included a focus on consumerism with sessions that offered incredible insight for health leaders to learn about new and emerging technologies and roles in health information that place the patient at the center of it all. Returning consumers to the center of patient care will impact healthcare for generations to come. Healthcare professionals can be both patient advocates and liaisons to help patients better understand the ever-changing environment. The pandemic has accelerated patients’ usage of health-related digital devices, which can provide more productivity, but also isolates the patient from human care. Healthcare professionals need to understand technology and find ways to humanize the experience.


There were many lectures and vendor demos of products related to data. Because we use the science of collected information to have predictable results in a complex system, more data can lead to more informative decision making. This is vital because health data, including population health information, must be accurate and trusted as many strategic and patient care decisions rely on it. Also, health data and data models have a significant impact on business intelligence and initiatives. It can shed light on gaps in the systems or reasons for failure in the workflows and showcase inefficiencies. Data governance is the yellow brick road to health data integrity and must be followed to ensure the reliability of the data. Organizations seek to improve patient care and outcomes through the collection of Social Determinants of Health data. Health data lies at the center of interoperability and interoperability is the key to getting the right information at the right time to the right person. Here at Verisma, we have a leading data and analytics tool that is easy to use, and all the reports related to Release of Information can be customized in an easy-to-understand format to drive real engagement with the process of providing real and accurate health records.

It was interesting to flow between so many fascinating topics while acknowledging how much the role of Health Information Managers is changing. That’s why Verisma is changing ROI for a changing world. I look forward to showing you the new products and services we’re developing to support you!

If you or your colleagues plan to attend AHIMA’s virtual conference in November, don’t miss Verisma’s session on the top disclosure management trends.


Webinar Recap:  Software Supply Chain Risk – Effective Third-Party, “Nth”-Party Management

On August 10th Verisma hosted a webinar where Verisma’s Chief Information Security Officer, Jim Staley, provided the HIM community with vital information on how to protect Protected Health Information (PHI) from third-party cyberattacks. This topic is not only timely, but something all of us need to be aware of and act on in order to protect our critical PHI.

The top 2 enforcement actions by the Department of Health and Human Services and OCR in 2021 were: 1) Patient Right of Access to their medical information and 2) ransomware attacks. In 2021 there was a 21% increase in cyberattacks in the Healthcare Industry. Supply chain attacks are an emerging kind of threat that targets software developers and suppliers. The goal is to access source code, build processes, or update mechanisms by infecting legitimate apps to distribute malware. The proliferation of third-party, patient-facing technologies makes healthcare organizations more vulnerable. When a single organization has multiple apps or technologies integrated into its systems, any of these technologies could be the weak link and act as a point of entry.

Jim explained that third-party attacks leverage trust between two or more organizations, making them difficult to defend against. Third-party attacks allow attackers to breach multiple targets at once, providing attackers with both scale and efficiency. A traditional cyberattack targets a person, organization, etc. which then gives the attacker access into that one organization’s data or systems. Phishing emails are the most common way used to gain access.

Third-party attacks work a bit differently in that an attacker will try to compromise a vendor. Once the vendor is successfully compromised the attacker then leverages the trust relationship between the vendor and ALL the vendor’s customers to (potentially) compromise all the customers’ systems and data. The initial attack takes the same amount of effort for the attacker, but the payoff is orders of magnitude higher.

Types of third-party attacks:

  • True third-party attacks: one of your vendors is attacked and the attacker then uses that to get to you. (Ex. Target in 2013 where Target’s HVAC vendor was compromised)
  • “Nth”-party attacks: one of your vendor’s vendors is attacked and then the attacker pivots to get to your vendor and then to you. (Ex. The law firm that your vendor uses is attacked, leading to an attack on your vendor, and then from the vendor to you. Law firms are a very popular target right now because of this leverage!)
  • Software supply chain attacks: some piece of commonly used software is attacked, usually by inserting malicious code into the patch cycle (Ex. SolarWinds attack in 2021). When the patch is pushed to all the vendor’s customers, all the customers get infected as soon as they apply the patch.
    • Note: this type of attack is rare and requires a high level of sophistication. DO NOT be hesitant about deploying patches. Unpatched environments create a much higher level of risk!

As a covered entity or business associate who engages a vendor, it is your responsibility to understand the completeness of the vendor’s security control environment. One tool we use to do this is leveraging established and accepted security frameworks that provide either guidance or tools to ensure security. There are many widely accepted security frameworks that describe the controls (“safeguards” under HIPAA) that are applicable to a given type of business or situation. These frameworks are designed to provide “commercially reasonable assurance” that the vendor is meeting the minimum legal requirements for security controls. It is important to understand the different frameworks and the types of assurance they offer.

Before diving into the different frameworks and some of the differences between them, let’s take a look at the three types of controls that are measured by the frameworks:

  • Administrative Controls – these are typically policy (what to do or not to do) and procedure documents (how things are to be done).
  • Technical Controls – firewalls, anti-virus software, and encryption are all examples of technical controls
  • Physical Controls – examples include having designated secure areas for people, data, and systems with locked doors and secure badge entry systems

One way to differentiate between the types of security frameworks is to look at those that are externally certified by an auditor vs. those that may not be. It is important for HIM leaders to be aware of these frameworks so that they can adequately evaluate a vendor and the vendor’s security prior to signing a contract for service from them.

Risk management frameworks that don’t necessarily provide external validation and certification include:

  • NIST – National Institute of Standards and Technology (nist.gov): This is required by law for all Federal agencies and many State agencies and for companies wanting to do business with those agencies. Highly flexible because the same framework has to be applied to agencies as different as NASA and your local Parks & Rec department. Because of this it can be highly complex to implement. Because it is issued by the Federal Government, it is considered the “gold standard” from a legal perspective.
  • CIS Critical Controls – Center for Internet Security (cisecurity.org): Widely used commercially for performing rapid assessments of the most critical controls. Very simple and flexible and is easily customized to any type and size of business. Focuses highly on the technical controls that have been proven to be the most effective in stopping real-world attacks.
  • HIPAA Security Rules: HIPAA is also a type of framework that provides both required and “addressable” safeguards (i.e., controls) that covered entities and business associates must follow. One of HIPAA’s safeguards is that it requires detailed Business Associate Agreements (BAAs) to be in place not only for all contracts between covered entities, but also between a BA and their vendors. But it’s important to note that just having a Business Associate Agreement that requires the vendor to be HIPAA compliant does not in itself necessarily constitute due diligence on the part of the covered entity; additional due diligence is often required. Another important but often overlooked HIPAA safeguard is that all covered entities and business associates are required to perform an annual HIPAA-centric security risk assessment, and these assessments (or the lack of them) are often used by OCR to determine the severity of penalties. Make sure that you and all of your vendors are doing these!

Risk management frameworks that do provide required external auditing, verification, and certification include:

  • SOC 2 – American Institute of Certified Public Accountants (aicpa.org)
    • There are other types of “SOC” audit reports, but “SOC 2” is the one that applies to a company’s security controls
    • Annual audit performed by an accredited CPA firm
    • Can be Type I (“point in time”) or Type II (“over a period of time”)
    • Failing any of the Trust Criteria can result in a “qualified” report, at auditor’s discretion
    • Not as prescriptive as some other frameworks because the company has the flexibility to write its own control statements
    • Should be done every year, but “Bridge Letters” may be issued by the company if they don’t do a SOC 2 within a given year. The Bridge Letter is the company’s official statement that there have been no significant changes in their control environment.
    • Typically, 75 to 150 controls that are audited
  • HITRUST r2 Validated Assessment – (hitrustalliance.net)
    • There are several HITRUST assessments that provide varying levels of assurance; the r2 validated assessment provides the highest
    • Full audit every other year, with “interim” assessments in the off years
    • Failing any of the 19 domains results in failing the certification
    • Very prescriptive, controls are provided based on scoping, and then scored based on the completeness of policy and procedure documentation plus evidence that the control has been implemented.
    • Typically, 300 audited controls, and can be over a thousand depending on the scoping
    • Leverages NIST and provides a report that shows how the company is doing against the relevant NIST standards.
  • ISO-27000 – International Standards Organization (iso.org)
    • An internationally recognized standard that provides an externally audited certification that is accepted around the world, not just in the US. In healthcare this is typically used by medical device manufacturers who sell in multiple countries, and by larger international law firms.

As HIM leaders are charged with protecting PHI, we should be looking for vendors who are leveraging security frameworks that provide some level of externally validated certification. We don’t have to be experts in all the details of cyber security, but we need to understand what these various certifications mean when evaluating a vendor. Understand not just your third-party, but also your “Nth”-party risks, all the way down to your entire vendor supply chain. Require ALL vendors who provide software or who have any kind of direct access to your systems to have at the very least a SOC 2 Type II report that is renewed annually. HITRUST is a high bar for small vendors but is rapidly becoming the standard in healthcare especially for larger technology vendors who deal with large volumes of PHI, such as Verisma. Any certification requirements should be written into your Business Associate Agreements. Ask the vendor to supply a SOC 2 or HITRUST r2 certification report. Read reports and ask questions about findings and corrective action plans. It is possible for your vendor to be certified but still have gaps. Understanding any relevant gaps is key to understanding and managing your risk, so read the reports carefully! Do an annual inventory of your vendors and identify what they have access to and assess whether the access they have is the minimum required for them to do their job.

In conclusion, protecting PHI from cyberattacks is not just the job of the IT Department, but it is also the responsibility of Healthcare Leaders to ensure the many vendors we deal with and who have access to our PHI are certified to protect our most valuable information.