Software Supply Chain Risk – Effective Third Party, “Nth” Party Management

Information Protection; Access, Disclosure, Privacy and Security (for CEU certificate)

Barbara Carr, RHIA, Verisma Advisor, Former AVP of Health Information Management at Einstein Healthcare Network
Jim Staley, CISSP, Verisma’s Chief Information Security Officer

Presentation Content:
As healthcare providers continue to improve their own security, attackers are more frequently targeting third parties, vendors, and suppliers who provide services to healthcare companies. To make matters worse, they are also attacking not only your vendors, but also your vendor’s vendors! The idea that “you’re only as strong as the weakest link in the chain” has never been more true.

In this presentation you will hear from Verisma’s Chief Information Security Officer, who will share his risk management expertise and provide real world examples of third (and even fourth or fifth!) party attacks as well as software “supply chain” attacks. He’ll review what the “standards of care” are for third party management, decipher some of the lingo around third party certifications, and provide some concrete “do’s and don’ts” for managing third-party risk.

Learning Outcomes:

  1. Understand why managing third party risk is more important than ever before.
  2. Understand the differences between third party attacks, “nth” party attacks, and “supply chain” attacks.
  3. Learn what different security frameworks and vendor certifications mean and what level of assurance they provide.
  4. Learn what’s important, what’s not important, and what things can even be counter-productive, when creating or participating in a third-party risk management process.

Managing Patient Requests for Amendments – One Health System’s Story

By Barbara Carr, RHIA

The 21st Century Cures Act’s goal of increasing information sharing and enabling patients to have their healthcare data delivered conveniently to their computers, cell phones, and mobile applications has increased privacy and security worries for many healthcare organizations. Having the right data security and processes in place to enable information sharing is at the forefront as this new era of patient access continues to drive a more educated and engaged patient population demanding governance over their health information. We can expect that the once rare occurrence of record amendment requests will soon be a regular activity that will need to be carefully and accurately managed.

Presently, the Patients’ Right to Access must be granted within 30 days regardless of record location (onsite vs. offsite), and regardless of media type. One 30-day extension applies but must be communicated to the patient and documented. Any denial of access also needs to fit within this 30-day/60-day time frame.

The growing tech-savvy and health-aware public wants access to and control over their health information. This has led to an increase in demand for the release of information to the patient. As we are all aware, the electronic health record is not always neat and tidy and easy to digest. Patient records also have a high degree of “copy and paste” type notes, leading to issues with accuracy of information from visit to visit. With more patients reviewing their records than ever before, perceived interpretations and actual transcription errors require a more robust ability to address the influx of questions, corrections, and possible amendments.

Handling these requests requires a dedicated team to ensure consistency of process and compliance; it should not be left up to each area within the organization to address on its own. Having a streamlined way in which you handle requests for amendments is imperative for HIPAA compliance and overall patient satisfaction.

During our May ROI Roundtable Webinar Series, we were honored to have Mercy del Rey, Assistant Vice President and Chief Privacy Officer for Baptist Health System South Florida, and a Verisma client, speak to us on how their 12-hospital, 200+ outpatient center health system has employed a centralized process to address the significant growth of patient record amendment requests over the past decade.

Baptist Health South Florida began their journey to a centralized process right from the inception of HIPAA, by establishing a corporate privacy office that would also be responsible for handling all patient amendment requests. With the advent of HIPAA and Right to Access, HITECH, Meaningful Use, and the explosion of the electronic medical record, they saw the volume of requests for amendments dramatically increase. The advent of patient portals, the information demand related to a global pandemic, and the government’s increased push for information interoperability and sharing have further increased the volume of requests. In 2003, Baptist Health South Florida received 7 requests to amend healthcare information. That number has steadily grown to well over 300 requests a year at present.

Mercy demonstrated how they carefully evaluate each amendment request with questions that include:

  • Does this error affect the care received?
  • How will this affect future care?
  • Legitimacy of the request such as “I fell at Walmart, not at home”.
  • Where are all the places in the record that we need to have addendums?
  • Will the record need to be re-coded and re-billed once a change has been made?

Having a central, dedicated, trained and knowledgeable team review each request and make these determinations is essential for process consistency and overall amendment accuracy. This requires a detailed review of the request and the medical record in question, as well as the ability to reach out to the clinician(s) involved, who will review the request and the medical record to determine whether the amendment can/will be made.

Some of the many roadblocks/challenges her team faces include a clinician’s willingness to review and amend a record, technical challenges that may affect the ability to capture the associated information across the record set, detangling medical records across multiple platforms, old paper records, complex requests that may require varying degrees of interpretation, and the careful management of unrealistic patient expectations. To help with these challenges, Mercy’s team looks to others in the organization for assistance in removing these roadblocks. They work hand-in-hand with the Patient Experience team to help manage the patient communication process. For clinicians unwilling to cooperate, they have established an escalation process up the chain of command to their Chief Medical Officer. In addition, they work closely with Health Information Management on issues such as the detangling and updating of a medical record. As Mercy relayed, “It takes a Village”.

Key to process compliance and overall success is that all new employees, including the physician staff, are trained on the amendment process as a part of their orientation and onboarding. This ensures that everyone is aware of the process from the beginning of their employment. Baptist Health System South Florida makes their patient amendment request form available online, which automatically routes all new requests directly to Mercy and her Privacy Office. In addition, they receive requests from the Patient Experience team, which sometimes receives the request as a part of their patient complaint filing process.

This centralized and accountable approach to handling patient amendment requests has enabled Baptist Health South Florida to maintain a scalable, highly organized, and compliant approach to handling patient requests for amendments all while keeping the patient’s needs, safety, and overall satisfaction at the forefront of their efforts.

Leveraging Technology to Address Labor Shortages

By Barbara Carr, RHIA

Hospitals are facing a severe labor shortage of both skilled and unskilled workers. COVID stress and burnout, on top of the retirement of the baby boomers, as well as the new vaccine mandates, have all contributed to the shortage of labor.

American economic growth is highly dependent on the quality and quantity of workers. According to a recent Forbes article, “Currently, the United States is facing a severe skilled and unskilled worker shortage that has long and short-term economic implications. In addition to the 9.3 million job openings, various economic indicators strongly support the idea that there aren’t enough workers in the United States:  The number of people voluntarily leaving their jobs rose by 164,000 to 942,000 in June 2021.”

Labor shortages affect both the skilled and unskilled worker categories. Clinicians fall into the skilled worker category. While there is an acute shortage of clinicians, skilled workers with “middle skills”, requiring more experience than just a high school diploma yet less than a four-year college degree, are also contributing to the labor shortage. Middle-skill workers, who need a better-than-average understanding of the tools they use to do their job, technical knowledge, problem solving skills, and the healthcare landscape, are in short supply. Now COVID vaccine requirements have added to the staffing issue that health care institutions need to address to keep operating.

During our December 14th Webinar, “Managing and Maintaining Productivity During a Time of Labor Shortages”, we heard from experts at Verisma on how they leveraged Verisma’s technology to help several hospitals’ Health Information Management (HIM) and Patient Financial Services (PFS)/Business Office Departments that experienced labor shortages related to processing requests for records. PFS departments were faced with the need to keep payments coming in, and any backlog in processing claims requests was going to cause a delay in payments. HIM departments dealing with labor shortages and lack of on-site staff were faced with quickly accumulating backlogs that needed to be addressed. Technology and creative out-of-the-box thinking were urgently needed to address both types of challenges.

The PFS/Business Office Department staff were working remotely and experiencing labor shortages at the same time. The Verisma Release Manager® (VRM) platform, along with Verisma Inbox™, was deployed to allow the remote staff to enter and track claims processing requests for records and respond to denials and ADR requests. The PFS/Business Office Department was provided access so they could see the status of their requests. Confirmation of records receipt by the payors was available to them, an important tool they could then use when on the phone with a payor. In addition, they had the use of Verisma Analytics™ so they could see volume and turnaround time statistics. Prior to implementation of this tool they were just processing record requests without knowing exactly what was received by the payors and without volume information.

In another real-world example, COVID and the subsequent labor shortages in the HIM department required a solution to handle walk-in requestors. The remaining HIM staff on site needed to take care of STAT requests and process the incoming mail requests, and staff were also hesitant regarding in-person engagement with requestors. The time the existing on-site staff spent on walk-ins was taking away from processing of the paper requests received via the mail, and thus a solution was needed.

The Verisma Request App® was installed on the hospital’s website, along with the authorization form for patients to complete with all the required information about what was being requested. Patients were able to upload a copy of their driver’s license for verification. Flyers and announcements went out within the healthcare system regarding the new app that was available for patient requests. Patients walking into HIM were given information for the app as well as access to a kiosk with a PC to complete their request. The request would be sent directly into VRM for processing. This freed up the on-site staff for other duties that needed to be performed.

Another scenario addressed a health system experiencing a large backlog of requests due to high volumes and staffing shortages. Verisma Inbox™ was implemented so that requests from multiple locations were centralized into one location and uploaded by bar code sheets into VRM. Requests were reviewed for duplicates and then sent for processing and distribution by Verisma staff. This relieved the HIM staff of having to process the workload for these requests and freed up time for other priorities.

All the scenarios discussed required thinking outside of the box and creatively using technology to tackle the ever-growing volume of requests coming into the hospital. 

The panelists concluded with a discussion on how to retain talented staff. Ideas such as joining daily staff huddles, keeping work/life balance in mind for your staff, competitive salaries, and showing appreciation for staff were top of mind. Letting staff know they are appreciated and celebrating their achievements goes a long way!

The healthcare labor shortage is not going away anytime soon. Investing in technology that promotes higher staff satisfaction, reduces turnover, and increases retention is a true investment in higher quality healthcare and organizational longevity. Training and technology can improve a worker’s overall experience as well as reduce feelings of stress and burnout. Partner with local educational facilities, find ways to use the technology you already have in place, and think outside the box to create new, more efficient processes. Looking for a vendor partner that has the technology capability you need and is willing to work with you to achieve your goals is vitally important to mitigate labor shortages during these times of uncertainty.

Managing and Maintaining Productivity During a Time of Labor Shortages

Date: December 14, 2:00 pm – 3:00 pm EST

Stephanie Lavoie
VP of Client Operations

Barbara Carr, RHIA
Strategic Advisor

The pandemic has led to labor shortages and challenges in all industries, and in healthcare in particular, due to vaccine mandates and employee refusals to be vaccinated. How are hospitals and the industry in general reacting to these shortages? What creative practices are being put in place to recruit, train, and retain talented staff? What best practices are being implemented to ensure the consistency and effectiveness of ROI processes?

In this webinar you will hear from Verisma’s leading experts in ROI and disclosure management. They will share their expertise and firsthand knowledge regarding the staffing shortages health systems are experiencing and provide real world examples of unique methods being used in the industry to address staffing shortages. Taking the necessary steps to combat these challenges has allowed organizations to maintain productivity, compliance, turnaround times and overall customer satisfaction.

Learning Outcomes:

  • Learn steps that can be taken immediately to address staffing shortages as well as retaining current employees
  • Discover best practices in ensuring effective ROI processes during this time of uncertainty
  • Learn creative ways to recruit and train new staff

Pre-Approved for 1 AHIMA CEU Credit.

HIPAA and Information Blocking: Understanding Regulatory Intent Against the Ever-Changing Environment

By Linda Kloss

HHS officials discussed the nuances of how Right of Access is handled under the HIPAA Privacy and Information Blocking Rules in last week’s Verisma-sponsored Webinar HIPAA Right of Access and Information Blocking.[i]  We are grateful to Elisabeth Myers, Deputy Director, Office of Policy, HHS Office of the National Coordinator and Timothy Noonan, Deputy Director for Health Information Privacy, HHS Office for Civil Rights for customizing a presentation to compare and contrast Right of Access elements of the two Rules, spotlighting areas that have generated questions. I urge everyone to access the Webinar archive as it is a very useful reference. 

The laws giving rise to Right of Access regulations were passed two decades apart (HIPAA in 1996, 21st Century Cures in 2016). Both are complex multi-part laws dealing with health system effectiveness from different perspectives. HIPAA focuses on health insurance and administrative functions while 21st Century Cures focuses on facilitating clinical research and improved therapeutics. How their regulatory frameworks handle Right of Access reflects these different contexts and purposes. The Information Blocking Rule concerns electronic health information, which Myers and Noonan described as “a subset of the protected health information (PHI)” covered by the Privacy Rule.

Myers and Noonan underscored another helpful distinction that can guide compliance. Access to protected health information under the HIPAA Privacy Rule is governed by permissions. Patients, of course, have a right to access, and they or their legal designees grant permission for release to third parties. The Rule grants permission to use protected health information (PHI) for treatment, payment and healthcare operations and specifies other parties who are granted permission under certain circumstances. The Information Blocking Rule picks up where permissible requests leave off and presumes that electronic PHI (ePHI) will be shared unless the request meets one of eight exceptions. This distinction reminds us that we should be advocates for legitimate and customer friendly access. We should focus on eliminating barriers, reducing turnaround times, and shifting to e-release whenever possible.

The Rules differ in their breadth of who must comply. Under the HIPAA Privacy Rule, we deal with covered entities (providers, health plans, and clearinghouses) and their Business Associates. The definitions of providers are aligned under the two Rules. The list of “Actors” who must comply with the Information Blocking Rule includes health information exchange entities and technology developers. This is a welcome expansion that better reflects who is involved in today’s health information ecosystem. EHR vendors, private exchanges, or other entities will no longer be able to block the exchange of health information needed for continuity of care.

Information Blocking aligns with HIPAA regarding timelines for release. Myers and Noonan reinforced that the Rule reads no later than 30 days. We should be doing all we can to reduce turnaround times by putting in place systems and workflows to avoid any “unnecessary delay.” We were reminded that such delays are currently resulting in enforcement action by OCR, the nineteenth such action announced earlier this month. Enforcement of the Information Blocking Rule will be administered by HHS’s Office of the Inspector General, and the rules for this have yet to be released or approved.

Fees for ePHI are handled similarly in both Rules. Reasonable, cost-based fees for labor are allowable. The Information Blocking Rule adds a requirement that they be uniformly applied and not anticompetitive. The trend is that providers are making access available to patients on a no-fee basis, and this is driving adoption of apps such as Verisma’s Request App™ (VRA), a practice very much in line with the intent of both Rules.

Verisma recognized the rapidly changing landscape by sponsoring Health Information Access Week, June 14-18. The OCR-ONC Webinar was a highlight of the week along with guest bloggers covering topics from consumer advocacy to HIM leadership. The Information Blocking Rule and proposed changes to the Privacy Rule underscore once again the need to upgrade ROI practices with technologies, including access and management tools, to stay ahead of the curve.   

We continue to grapple with a patchwork of federal and state laws and regulations concerning health information and privacy. The Information Blocking Rule provides some much needed modernization, particularly in bridging to a broader cast of actors. For ROI, HIM, and Compliance experts, the Right of Access is inviolable. At the same time, we know that when a custodian discloses PHI, today’s protections for individuals fall far short of where they should be. I know we will sort out how to comply with Information Blocking and future modifications to the Privacy Rule. But I also know that our work won’t be done until we can help people have real choice in how they want to handle their confidential health information, in identifiable and deidentified formats, when it moves beyond the protections of current law. 

[i] Please e-mail Davy Simanivanh at to receive a recording of the webinar.

Enterprise Access and Disclosure Management: Your Opportunity to Lead

This first Health Information Access Week has brought together a range of perspectives on serving consumers, mitigating risks and deploying technology. We’ve been privileged to learn from experts who bring a lifetime of experience and insight to the changing challenges of  access and disclosure.  I am closing out this week with some reflections about leadership and management of access and disclosure operations. It is my belief that there is an urgent need for HIM leaders to address the health information access and disclosure disparities within their organizations. This is a key stepping stone to being able to modernize our approaches.  We have the expertise to do this and the time is now.

As an HIM leader, I made it one of my goals to achieve centralized health information access regardless of where the patient may have been treated within the healthcare organization. I view this as having three benefits: improved patient satisfaction, risk reduction and cost savings. It was clear to me several years ago that HIM professionals needed to broaden our thinking beyond the hospital’s four walls and reach out to our physician practice administration, outpatient satellite and other facilities that make up our health system. Ultimately, the entire organization can benefit from centralizing the release of healthcare information.

In leading the charge at Einstein Health in Philadelphia, I first called a meeting of our Hospital Administration staff, Physician Practice administrators, Risk Management and Compliance.

I described a recent scenario where an elderly patient had to go to three separate locations to acquire the healthcare information they needed for an upcoming appointment with a specialist. I then posed questions regarding why we persisted in this approach. All the patient’s information was stored in our Clinical Information System (CIS) regardless of location of treatment. Everyone agreed this was not ideal and agreed to work with me on a solution. 

The physician practices, at the time, were all doing their own individual release of information with various copy vendors, or their own in-house staff. There was no tracking, and very little quality control. At that time, all the HIM Departments were being handled by one vendor and covered by the same policies. Therefore, it was decided that we would tackle the practices first.

We started by bringing our release of healthcare information vendor to the table and putting them to the task of working with us on a solution for the physician practice locations first. Since there are over 200 locations, this was a large change project. A project plan was developed, and a team of key stakeholders was assigned to carry out the project. After 6 months of planning and strategizing, the first group of practices went live, followed by the next group, until all practices were handled by one group of release of information staff. Our vendor staffed the central location.

Once we standardized and centralized the physician practices, we were able to move quickly with outpatient locations. In all, it took about 18 months to accomplish. In the end it was merged into one centralized release of healthcare information site. Now a patient can make one request for their information, which is then processed all at the same time, and delivered to the patient via whatever media and route they have specified. We were able to monitor quality and track all released information. We reduced costs and duplication of effort. Patients were less frustrated and more satisfied with our service. 

Risk and Compliance are less concerned with surprises and have one place to go to check on any issues. We are far less likely to receive a complaint, and if we do, we have protocols to resolve any before they become investigations. Importantly, having a standard way of handling access and disclosure across the enterprise positions the organization to broaden the scope of release of information. For example, it is possible to handle access requests from financial services, case management, utilization review and other health system functions that rely on access to information. When going through our release of information process we are assured of the same quality control and tracking.

This experience not only helped me grow as an HIM leader but helped to expand my role in the organization beyond the HIM borders. I was given more opportunities to work across the organization to streamline other processes. All this really helped fulfill my own goals to grow within my organization.

In the end, I believe it is up to us as HIM leaders to have the vision, and then use our leadership to organize and lead others towards that vision.

Barbara Carr, RHIA, a Verisma Advisor, formerly served as Assistant Vice President of Health Information Management at Albert Einstein Health Network in Philadelphia and as Corporate Director of Health Information Management at ChristianaCare, Wilmington, DE.