What Keeps a Compliance Officer up at Night?  Challenges with Access and Disclosure of PHI

What Keeps a Compliance Officer up at Night? Challenges with Access and Disclosure of PHI

With years of HIM leadership experience under my belt, my current role as Director of Corporate Compliance requires me to step back to see the big picture. As I read about the nineteenth OCR HIPAA settlement, it should give pause as to how we got here. HIM professionals are ingrained to protect patient privacy at all costs, but it begs the question if we are trying to protect the wrong people. Patients absolutely have a right to their information and unfortunately, too many roadblocks have existed in the past. When managing release of information (ROI), I agree it is cleaner and less complex to routinely require a written authorization from the patient before releasing any PHI to anyone. But, in some scenarios, we are doing a disservice to the very patient whose information we are trying to protect.

Patients are more technology savvy; they want their information and they want it now. We have an opportunity to speed up this entire process and in so doing, improve service to our customers. If you haven’t already, it is time to think creatively about ROI. If a patient calls your department asking for their records, figure out a process for verifying their identity over the phone versus requiring the patient to come into your department or submit a written request. Use the technology available to you for delivering records to patients, whether that is through your patient portal, an app, email or another electronic method. Speaking of email, we also need to accept the fact that not all patients will be comfortable handling encrypted emails containing their records. They may not want to make up a password and, in my opinion, it should be their choice. You may need to work with your Information Services Department to ensure you can email records unencrypted, if that is the patients’ preference.

I don’t believe we should charge our patients for copies of their own medical information. They are entitled to the information and I think it is just the right thing to do. As we increase the capabilities of apps, our patient portals and methods of delivering medical information to patients, the task of covering our costs should become easier. We also need to get more efficient at this process – 30 days is a long time to wait for delivery of anything – think how we would feel if our typical Amazon orders took this long to arrive? I applaud the 15 day turnaround requirement in the proposed HIPAA Rules. We cannot ignore requests from our patients – the HHS Enforcement Actions demonstrate examples of frustrated patients not getting what they request in a timely manner, or not getting the information at all.

I am hopeful the use of electronic signatures will be specifically noted as allowable under the Proposed Modifications to the HIPAA Privacy Rule. I have seen health information departments differ in their decisions to allow or disallow their use. The use of electronic signatures is a well- established practice and we should move away from requiring only handwritten signatures from patients.

Another thought about patient portals – we are now pushing much more information to the patient, i.e. test results, notes, pathology reports, discharge instructions, in some cases very quickly after creation. Having test results at your fingertips  as soon as they are available is not intended to replace those critical discussions between provider and patient. We need to reassure our patients that these discussions will still occur, even if they see the results via their portal account before they have spoken to their provider. Informing the patient of this during the office appointment when the tests are being ordered needs to become the norm. Placing a “results disclaimer” on the patient portal is another method to communicate this to patients.

As a compliance officer, I want to ensure we are following the law and exceeding our patient needs at the same time. It is also my job to ensure our policies/procedures minimize risk for my organization. It is very important for HIM leaders to step up controls to make certain that access and disclosure management is a sound and reliable process. With each enforcement announcement, the OCR is sending a strong message – no more barriers for patients to get their own information. If access and disclosure management has not been top-of-mind before, it sure needs to be now. If we consistently and efficiently meet our patients’ needs for access, we can all sleep soundly at night.

Wendy Mangin, MS, RHIA is Director of Corporate Compliance for Good Samaritan, Vincennes, Indiana where she served as Director of Health Information Management for over four decades with responsibilities as Executive Project Director for the health systems EPIC implementation. She served on the Board of Directors of AHIMA and its President in 2008. 

TAKE QUIZ

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

Bridging Access to Clinical and Financial Information – Opportunities and Challenges

In 2020, The Office of the National Coordinator’s (ONC) and the Centers for Medicare and Medicaid Services’ (CMS) released Regulations for Interoperability and Patient Access as required by the 21st Cures Act. Regulations increase access to medical information through application programing interfaces (API) to empower patients in their health care decisions. The API allows information to be shared and exposed within a consumer’s application-based solution of choice (e.g., wellness app). The information is portable, provides ability to share clinical information with care team, caregiver or other party and better understand healthcare costs and financial obligations. 

The focus has been on the Information Blocking Regulations issued by ONC, but the companion CMS Interoperability and Patient Access Rules also have important implications. ONC information blocking allows consumers health information access from a provider setting. However, health insurers have most of their enrollee’s financial and clinical information across care settings (i.e., provider, hospital, pharmacy, laboratory, or other setting that submits claims to health insurer) to provide a more complete picture of the consumer’s healthcare experience. 

The CMS rules require CMS-regulated plans to provide a patient access API, provider directory API and payer-to payer API by January 1, 2021. However, enforcement has been delayed to July 1, 2021. 

Patient Access API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) and Qualified Health Plan (QHP) on the federal exchanges are required to provide the Patient Access API. This API includes adjudicated claims (including Pharmacy), enrollee cost-sharing, encounter information, provider remittances, select clinical data, including lab results, formularies or preferred drug lists. 

The health insurer provides updates within 24 hours of receiving an encounter or processing a claim containing the cost and services provided to a patient. This financial information will assist consumers in tracking submitted claims, expected and current financial responsibility, in and out-of-network deductible amounts and other financial information for themselves and their dependents.  

The clinical information includes clinical notes that are written to track patient progress, inform other medical staff and explain treatment options. Typically, these notes are written using medical terminology and abbreviations that may not be familiar or understandable. The evolution of documentation narratives toward the inclusion of easy-to-understand layman’s terms and description of the patient and clinician team interaction and decision making will increase the value of the medical information to the consumer. This information needs to be boiled down into brief, understandable and actionable problem lists for the patient that add value, not burden.

Commercial payers may consider voluntarily providing this API to empower their enrolled consumers and assist providers participating in their alternative payment models. Value-based care, including capitation payment shift more of the medical risk to the provider including costs that occur outside of the facility or system. Therefore, providers need costs and clinical information across provider settings for attributed patients. 

Provider Directory API

Medicare Advantage, Medicaid, Children’s Health Insurance Program (CHIP) fee for service and managed care entities are required to provide the Provider Directory API. This API requires the provider names, addresses, phone numbers and specialties. An effective provider API will inform consumers what providers are in the health insurer’s network and if the provider is in the consumer’s specific health plan. 

Payer to Payer API

Medicare Advantage, Medicaid managed care plans, Children’s Health Insurance Program (CHIP) managed care entities and Qualified Health Plans (QHP) on the federal exchanges are required to provide the Payer to Payer API. This API requires an individual’s past health insurer to transmit their claims and encounter information, and subset of clinical information to their new health insurer. This sharing of history allows a longitudinal medical record to be compiled no matter how many times a consumer changes their health insurance. 

Commercial payers may consider voluntarily providing this API to maintain longitudinal records and ensure new enrollees are in the appropriate wellness programs and receive any gaps in current care.    

ONC and CMS’s information sharing requirements allow vendors and payers to enable a one stop shop that is secure, easy to access, actionable and meet a priority consumer need. This may include promotion of wellness through integration with wearables, reduce redundant paperwork at provider settings, make payments, appeal claim payment, store and share medical records for a chronic patient or their caregiver, provide dashboard with tracking/monitoring of hospital at home activities, maintain current drug list, order medical supplies, access care through telemedicine and more from the comfort of home. 

Expanded access to health information, including insurance-related information, has the potential to be inform and transform. Getting accurate and useful information to securely flow to consumers, across provider organizations, between providers and payers and payer to payer will be the work of healthcare over the next decade. This will be a heavy lift for consumers,  covered entities, vendors and business associates. For decades I have worked on the standards and policies to enable us to realize this vision.  Still, I have no illusion that this will be accomplished without significant challenges and protecting privacy and security will be among the most vexing. It’s an all hands on deck time to learn to use information for the benefit of consumer health and health services. 

Tammy Banks, MBA is a Healthcare Consultant with ImpactQue and previously served as Vice President Interoperability Program Development for Optum and as Director Practice Management Center and Payment Advocacy for the American Medical Association.  Outstanding Leadership and Distinguished Service Awards from WEDI.

TAKE QUIZ

It’s Block and Tackle:  Are Consumers and Providers Ready for the Heavy Lifting?

It’s Block and Tackle: Are Consumers and Providers Ready for the Heavy Lifting?

It seems not too long ago I was living a completely normal “mom life.” Normal routines, happy family, and happy life. Eight years ago, seems like yesterday. Our world changed with one routine doctor’s visit and with one diagnostic test. I can remember that day very clearly. I can remember every detail. My 11-year-old adopted daughter was diagnosed of Cystic Fibrosis. How could this diagnosis be found so many years after birth? Believe it or not, it is not that uncommon. Since that day, we live a very different kind of normal.  Our lives and routines have changed dramatically. My now 19-year-old daughter is acutely aware of her diagnosis and plays a very active role in her care and the maintenance and review of her electronic health information. She often tells everyone “Personal health information is saving Grace.” She generates and shares quite a bit of data collected by medical equipment, wearables, and other devices. My daughter’s chronic diagnosis requires her to be seen by multiple providers in-state and often across state lines. She is intimately involved in the collection, review, and sharing of her personal and electronic health information.

Our quest for interoperability is ongoing and while many believe interoperability exists, that is not always true or at least not true in every circumstance. It is often a challenge to receive access to every element of electronic health information required for care. APIs exist but are often underutilized placing the burden on the consumer. We have access to electronic health information, but it is often not comprehensive or interoperable. Electronic health information should not be leveraged to hold consumers hostage to a particular provider, service, or location. Recommended lean data sharing solutions are not appropriate for every consumer. In addition, provider utilization of legacy systems can interfere or prevent exchange of electronic health information. These systems may have checked the boxes for meaningful use but lack the capability to provide meaningful exchange of information. The challenges faced by providers and consumers are perplexing. Many times, we continue to rely on paper records to be transferred from provider to provider. Believe it or not, we still maintain scanned and indexed copies of health records to support care and in many cases the provider will request that we share. Technology is invisibly integrated into our daily lives. I am amazed that in 2021 I can electronically unlock the doors of my home and car, track items in my refrigerator, bank, shop, and be seen by a physician digitally but still struggle with electronic access to complete health information.

Information Blocking Final Rule removed intentional obstacles to patient access to electronic health information. The long-awaited rule handed patients greater control over information sharing and use of electronic health data. But will it really live up to consumer expectations? In conversations with providers, I have often been told that “our vendor will accommodate our data sharing needs.”  What does that mean? Will your vendor meet the consumer’s need for electronic health information? Will meeting the providers need, improve the quality of care for patients? I believe it can, but the journey will not be an easy lift. The burden cannot be placed solely on the vendor. It is a heavy lift that will require an ongoing commitment to an interoperable system that supports health information exchange and embraces education. Providers and consumers alike will play an important role in leading change.

For the 21st Century Cures Act to reach its potential as a catalyst for better healthcare and outcomes, advocating for and adoption of a systemic free-flow of electronic health information with a consumer-centric focus will be required. It should be a partnership between provider and consumer. Health Information Management (HIM) professionals can play a key role in accessing organization readiness and ongoing compliance. The HIM professional’s vast knowledge of HIPAA, electronic data access and exchange, as well as privacy and security standards position HIM professionals to be leaders in developing organization policies and educational programs that will benefit providers and consumers. Deliberate attention must be given to the eight exceptions outlined in the Cures Act related to information blocking. Aiding providers and consumers in understanding these exceptions are essential in achieving a successful partnership. Knowledge is key to access innovation and in mitigating future challenges.

Angela Kennedy, EdD, MBA, RHIA is CEO, Commission on Accreditation for Health Informatics and Information Management Education and former Professor and Chair, Health Informatics and Information Management Program, Louisiana Tech University.  She is a Past President of AHIMA and in recent years has become a Consumer Advocate.

TAKE QUIZ

Unifying ROI Across Your Health System:  Your Leadership Priority

Unifying ROI Across Your Health System: Your Leadership Priority

By Linda Kloss

I first wrote about the value of uniform ROI practices throughout a health system in the fall of 2016. At the time, I cited risk mitigation and cost control as key drivers. I described the experiences of health systems who had achieved centralized release processing and argued that when centralization is not possible, at minimum, release should be guided by uniform policies and procedures.

Fast forward five years. The imperative has come into even sharper focus today. First, fines and compliance plans are being regularly levied by the Office for Civil Rights for failure to comply with patient access regulations. In the past 18 months, 18 enforcement actions have been announced. What’s amazing is that in each of these cases, covered entities were notified of the complaint and received technical assistance. They were given a chance to self-correct, but still failed to come into compliance. Reasonable risk management was clearly lacking as was quality control and accountability.

Cost control remains a key driver and this too has become more urgent. Many health systems have decided that they will absorb the cost of patient requests, which comprise 15-20% of all requests. Further, per page reimbursement which helped subsidize ROI operations for decades is eroding with limits on what can be charged for electronic release. The business model for ROI has changed irrevocably. Like any other form of transaction processing, ROI must be fully automated with an emphasis on doing it right the first time. This just isn’t possible when release is handled differently across the health system.

Today there is a third driver and that is the consumer. People have a greater interest and need to access their health information. Health systems now see patient access as a customer service requirement.  Fortunately, technology supports this focus. Patients have responded positively to use of the Verisma Request App™ (VRA). It enables them to submit requests via Web and receive e-records—all with state of the art security. VRA also feeds the ROI system to eliminate data entry, reduce costs, and improve productivity. It is a key tool in the unification toolkit.

The May 19th Verisma Webinar “Unifying ROI Across the Enterprise: Large Health Systems Leading the Way” opened my eyes to how the value of unifying ROI across the enterprise can be further expanded. Lisa Perez, RHIA, Assistant Vice President Health Information Management, NYC Heath + Hospitals (the nation’s largest public health system) and Lloyd Torres, MHA, Senior Director, Health Systems Projects, ColumbiaDoctors (the faculty practice organization for Columbia University Irving Medical Center and NewYork-Presbyterian Hospital) described how their very complex health systems achieved enterprise standardization for ROI.  And then they went further.

They are leveraging  ROI technology and service to meet the access needs of internal customers including revenue cycle, case management, utilization review and others who need access to patient records to carry out their responsibilities, access permitted under the TPO (treatment-payment-operation) definitions of HIPAA. Working with managers of these services, they analyzed needs and workflows and designed new processes for access and disclosure using the ROI system. This really was a very remarkable discussion, casting the imperative for unification in a very important new light.

What Lloyd and Lisa taught me is that unifying ROI across the enterprise is not the end point of transformation, it is the starting point. Once uniform across the system, access and disclosure management processes can be optimized. Traditional ROI services can be optimized by deploying VRA, by organizing work to meet user requirements, by deploying consistent invoicing and collections, and by using smart tools to identify requests that may require closer monitoring. In fact, the proposed modifications to the HIPAA Privacy Rule call for “Covered entities having a policy to prioritize urgent or otherwise high priority requests.” How do you administer that in a fragmented non-automated system?  In a unified technology-supported system, smart tools such as Verisma’s Spotlight ™, a rules engine, can be set up to monitor the status of the types of requests you specify.  It’s automatic, it’s consistent, and managers can stay on top of high-risk requests.

In addition to optimizing ROI, Lloyd and Lisa have tackled  other access and disclosure management challenges. In doing so, they now serve a broader set of customers who require reliable access to patient information to do their jobs. This may be information to demonstrate medical necessity and support a claim. It may be information to enable the case manager to plan care continuity. In broadening the use of the ROI platform and service their investments in ROI technology and service are leveraged reducing the overall cost and amping up benefits. By bolting this on to ROI, they also improve compliance and accountability.

We often consider change from the familiar frame; in this instance, the frame of ROI. We look at how this improvement can avoid untoward events, such as compliance failure. We look at how it can improve the productivity of existing processes. We don’t often look at change from the perspective of the new opportunities it might create for the health system. That’s what Lisa and Lloyd did. They achieved the desired improvements in ROI and then considered what other functions could benefit from this new technology. They went looking for opportunity to bring even greater value to their organizations. We congratulate them for showing us a new frame for ROI managing the access and disclosure needs of a broader set of customers.

Standardization and Partnership: The Baptist Health South Florida Story

Standardization and Partnership: The Baptist Health South Florida Story

By Linda Kloss, RHIA, FAHIMA

We are all eager to put 2020 in the rear view mirror. Even knowing that 2021 will be very challenging at home and around the globe, we see a path forward through vaccinations and a gradual return to stability. As this year without parallel draws to an end, I think it deserves a different thought process. No recriminations about the things you didn’t accomplish. No resolutions for the New Year please.  Instead, focus on the many important ways you helped others throughout the year. Make a list of the best things you did this year–for your family, friends, and yourself. Make another list of how you helped professional colleagues and the people that you serve. The 2020 pandemic tested our resilience, ingenuity, and, oh yes, patience. This is a time to reflect on all you did and take a pause for a little well deserved self-congratulation!

In last week’s Verisma Webinar “Standardization and Partnership: The Baptist Health South Florida Story,” Rosie Hernandez and Karen Marhefka underscored key lessons about adapting Release of Information for not only the pandemic response, but the new realities of access and disclosure management going forward. Part of the New Fundamentals series, this case study illustrated how Health Systems Solutions (HSS), a partnership of  Baptist Health South Florida and Guidehouse, strengthened the patient experience, achieved greater efficiency and  improved compliance by partnering with Verisma. Baptist understood that these goals depended on automating the release of information workflow and selected the Verisma Release Manager™ (VRM) for use by HSS staff.  In addition to end-to- end workflow automation, Hernandez and Markefka described the importance of a uniform or standard process across the Baptist system, inpatient and outpatient. As Hernandez explained, “standardizing is doing it the same way every time and doing it right.”  

The Verisma Request App™ (VRA) was in place across most of the Baptist Health South Florida’s 7 hospitals, 54 ambulatory and associated centers just before COVID preparations began in earnest. Staff went to work from home using the very same work flow platform. HSS accelerated implementation of VRA to provide access without in-person processing or paper requests. Serving an international population made this even more compelling, offering VRA in English, Spanish, and Creole. VRA also made it easier to fulfil requests with e-records. So not only is VRA contributing to the goals of patient experience and compliance, it is bringing about new efficiencies including reduced supply costs. Reflecting from her position as CIO for health systems, Marhefka reminded us that success with this kind of change requires effective advocacy in communicating the need and securing support and collaboration. 

In a year of intense change and in the Miami area, a persistent COVID hot spot, HSS’s release of information services have delivered some pretty amazing results. Turnaround time for processing requests is 3-5 days and in just 3 months, the volume of VRA requests exceeded 600 a month. The release of information team transitioned from a siloed workflow to an end to end process that required upskilling. While some staff were initially reluctant to change, good training, support, and encouragement—and the sudden shock of work from home—paid off with a realized shift from clerical tasks to higher-value knowledge work. VRM and VRA and other technology management and analytical tools, enables HSS to be fully accountable to Baptist for the quality of the work and for evidence of full compliance. Importantly, Hernandez described the team’s overall readiness to adapt more quickly, a New Fundamental for sure.  

Congratulations to the team at HSS. Their foresight proved invaluable to their successes in 2020 and positioning for the future. 

It’s been a year of loss. But it has also been a year of finding. Congratulations for the great work you did and know that it has prepared you for the challenges of 2021 and beyond. 

 

 

Enabling Patient Access in a Pandemic

Enabling Patient Access in a Pandemic

By Linda Kloss

The tragic surge in coronavirus cases and deaths continues through the long hot summer. Healthcare systems are fully focused on caring for pandemic victims and the health of our communities. We witness heroism every day in lives saved, new treatments, and compassionate attention to peoples’ needs. And we are proud to have health care as our life’s work. While we may not directly treat a person’s illness, we know that managing their health information is an essential element of managing illness and promoting health, including public health.

We are in a time of profound personal and professional uncertainty. Decisions require continually adjusting assessments of risks about how to protect ourselves and our families and in making sound business decisions.  There have been furloughs and layoffs due to shifting patient care services and workloads. Work from home is the new normal for many more in HIM. Workflows and procedures have been redesigned to adapt to physical distancing. Long days and nights of work and uncertainty.

Against this background it is great to learn about an innovation that offers demonstrated benefit now and will also be an important bridge to a new era. That innovation is the Verisma Request App (VRA). Reggie Abadsantos, RHIT, HIM Operations Supervisor, NCH Healthcare System, Naples Florida was guest speaker at the July 15 webinar “App-Based Release of Information Comes of Age.”[i] NCH implemented VRA in 2018 to improve patient satisfaction with a convenient and secure web-based  method to  obtain their health records.

With VRA and a centralized ROI workflow firmly in place, Reggie described how NCH quickly adapted to physical distancing and work from home without missing a beat in patient access. When walk in services were abruptly suspended in March, patients were redirected to the web App.  Patients could use their smart phone, tablet, laptop, or desktop to request their medical records; and like any App, it is available 24/7. VRA enables the request, authorization, and authentication process, creating a complete record that feeds the release of information management software and triggers the release. NCH consistently averages a 24 to 48 hour turnaround in fulfilling patient requests!  This performance level was not disrupted as NCH responded to COVID-19 and the volume of requests via VRA increased sharply.

Serving an elderly population, Reggie reports that having reduced paper and fax processing, team members are freed up to help patients who may need telephone assistance in walking through the use of the App. For people who wish to pick  up a physical copy of their health record or imaging, NCH offers a curb-side delivery service.  These unique ways to serve patients are consistent with NCH’s 2018 service goals for VRA.

We spotlighted NewYork-Presbyterian Hospital’s journey with VRA last October before New York City was the epicenter of the pandemic.[ii] We revisited NYP’s experiences in April in the midst of the surge. Like NCH, NYP was able to send staff home, close walk in service, yet continue to enable timely patient access.[iii] In fact, in the past 2 months, 20+ health systems comprising over 1500 sites of care, are now live with VRA to mitigate the impact of closed request services and work from home.    Further, the rate releasing e-records rather than paper, has significantly increased. VRA fulfills the requirements of HIM for completeness, security, compliance and cost-effectiveness. And when integrated with a comprehensive ROI workflow platform, it creates a seamless record of the request and its fulfillment.

Times of great challenge bring innovation.  Apps are no longer disruptive technology, but their application to Release of Information is! VRA’s value was well demonstrated as a popular adjunct request route prior to the pandemic. The pandemic has shown that VRA is the right technology for the time and for the future.  Health systems report that they will rethink walk up services, paper requests, faxing, and release of paper documents when physical distancing is no longer needed. They have learned we can do a better job in enabling patient access while strengthening business goals such as patient satisfaction, compliance, and cost effectiveness. Release of Information will never be the same…it will be vastly improved.

[i] www.Verisma.com:  July 15, 2020 webinar “App based Release of Information Comes of Age”

[ii] www.Verisma.com:  October 30, 2019 webinar “There’s an App for That! Connecting People with their Health Information”

[iii] www.Verisma.com:  April 29, 2020 webinar “COVID-19 Response:  Emerging Best Practices for Health Information Disclosure Management- Part 2”