A Future Anchored in Integrity, Access, and Connection

A Future Anchored in Integrity, Access, and Connection

By Linda Kloss

Health information remains a critical part of the current and future healthcare environment and is no less important in the midst of a global pandemic” stated Dr. Wylecia Wiggs Harris in opening remarks on last week’s webinar entitled Integrity, Connection, Access: A Framework for the Future. Dr. Harris, CEO of American Health Information Management Association (AHIMA), shared the principles and assumptions that shape AHIMA’s 2020-2023 Enterprise Strategic Plan via Webinar instead of delivering the keynote address at Verisma’s 4th Annual Disclosure Management Summit cancelled due to COVID-19.[i]

The Strategic Framework bridges HIM’s legacy, today’s crisis, and tomorrow’s imperatives. Dr. Harris emphasized three grounding principles undergirding the Framework: Integrity, Access, and Connection.  These sustaining principles are reimagined for what Dr. Harris described as a time when AHIMA and health information professionals need to “show up as transformational leaders.” She noted that the health information professional may be more important in the pandemic and post pandemic world.

In a world where people are more engaged in their health and health care and where health is finally understood to be broader medical services, Dr. Harris stressed that AHIMA’s Strategy is “People-Centric “ and that health information professionals must always remember that their work is uniquely important because  “Health information Is Human Information.” In fact, we have seen this play out in recent years as health information professionals proactively help people gain access to their health information in portals and health information exchanges. More recently, the use of request Apps is transforming patient access and release of information specialists are stepping into new roles of supporting innovation in access.

Dr. Harris and I discussed how the Framework’s grounding principles of Integrity, Access, and Connection might guide transformational improvement in access and disclosure management. The table shows examples of desired outcomes for some well-known areas of vulnerability and those in need of transformational change.

Principle

Examples of Desired Outcomes

Integrity

·    QA processes confirm that the right information is released and that there is a record for accountability.

·    QA processes confirm that the release complies with minimum necessary rules and there is a record for accountability.

·    Authorizations are complete and valid and they are convenient to execute.

Access

·    People have access to their digital health records through a secure web App with rigorous authentication.

·    Paper request and release processes are replaced by smart technology.

·    Release of Information staff help patients and third party requestors learn to use e-tools.

Connection

·    Release of information processes are standardized across health systems.

·    Centralized access to “complete” record from ambulatory and acute care encounters.

·    Workflow technology with compliance prompts and rigorous security supports end-to-end processes.

AHIMA’s initiatives will be guided by the Framework in the years to come. The guiding principles are also useful in anchoring needed change in access and disclosure management and in other HIM domains such as  coding, revenue cycle, EHR management, privacy, data analytics.

What’s required is a commitment to achieving measurable improvement.  As reported in our recent blogs about HIM leaders’ responses to COVID-19, there is currently momentum for modernizing outmoded processes and a spirit of empowerment for transformational change.  Dr. Harris summed this up so well for us, “When surrounded by uncertainty, we must be crystal clear about what grounds us, what will guide our decisions, what will help us navigate our new norm.”   

Once again, we congratulate Wylecia Wiggs Harris and the AHIMA Board of Directors for its compelling Vision and Framework and we thank Dr. Harris for sharing it so eloquently with the Verisma community.

[i] American Health Information Management Association.  2020-2023 Enterprise Strategic Plan.
http://bok.ahima.org/PdfView?oid=302888

OCR Update on HIPAA Policy and Enforcement

OCR Update on HIPAA Policy and Enforcement

Date: May 27, 2:00 pm – 3:00 pm EST

Presenters:

Timothy Noonan, JD
Deputy Director for Health Information Privacy at the HHS Office for Civil Rights (OCR)

Michael Salsbury, JD, MBA
Counsel and Privacy Officer, Verisma

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) administers and enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules and federal civil rights laws that prohibit discrimination in the delivery of health and human services based on race, color, national origin, disability, age, sex, religion, and the exercise of conscience. Timothy Noonan, OCR’s Deputy Director for Health Information Privacy, is the featured speaker for this timely Webinar.

Throughout March, April, and May, OCR issued important COVID-19 and HIPAA-related bulletins, notifications of enforcement discretion, and guidance explaining how protected health information may be used and disclosed in response to the COVID-19 public health emergency. Mr. Noonan will discuss OCR’s recent HIPAA materials and answer participants’ questions, which you have the opportunity to submit when you register for this Webinar.

OCR has consistently advanced policies supporting the Individual Right of Access to health information to empower patients to be more in control of their health and health care. In 2019, OCR announced the Right of Access Initiative as an enforcement priority, and resolved two investigations by the end of the year with settlements. In 2020, a court issued a decision affecting the right of individuals to direct copies of their health information to another person. Mr. Noonan’s update will help all attendees understand the changes in the health information privacy legal landscape and move forward with greater confidence.

Webinar objectives:

This webinar will enable Privacy, HIM, compliance, and R-O-I teams to:

  • Review recent COVID-19 actions and the materials available
  • Reinforce the importance of advancing the Individual Right of Access
  • Describe OCR’s Right of Access Initiative

 Approved for 1 AHIMA CEU Credit

REGISTER NOW

Protecting PHI in the Pandemic: Good Faith Compliance (Part 4 of 4)

Protecting PHI in the Pandemic: Good Faith Compliance (Part 4 of 4)

By Linda Kloss

In the midst of the COVID-19 pandemic, HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina taught us powerful lessons about rapid adaptation and change. Over the past month, we shared their insights in two webinars and three blogs. This fourth blog, addresses the privacy and security of protected health information (PHI) as health systems lock down to protect staff, patients, and visitors. This public health emergency requires facilitating the flow of information while preserving essential privacy protections and stepping up security; a difficult balancing act in the best of times.

The Office for Civil Rights (OCR) acted quickly to issue guidance for covered entities and business associates waiving penalties and sanctions and exercising its enforcement discretion regarding certain good faith disclosures of PHI. For covered entities, these focused on helping family members get information on their loved one’s even as they were blocked from in-person visits.  For example, staff involved in the individuals care may speak with an involved family member or friend without the patient’s express agreement; the Notice of Privacy Practices need not be distributed; patient rights regarding opting out of a facility directory and requesting restricted communication of certain PHI may be temporarily set aside.

Under ordinary circumstances, when federal and local public health and public safety officials seek PHI from business associates, the disclosure may be prohibited unless explicitly authorized in the business associate agreement. The OCR enforcement discretion removes this barrier, providing the business associate can show good faith use of the disclosed information for public health or health oversight and informs the covered entity. These OCR actions are relatively narrow in their focus.  They do not, for example, relax other obligations such as breach notification.

Our panel of HIM leaders acknowledge that these temporary relaxations are helpful and are used as a backstop. The default is to fully comply with HIPAA, but when this is not possible, these temporary modifications allow staff to proceed without undue worry. They remove barriers to acting quickly.

Our panelists point to areas not covered by OCR modifications for which workarounds have had to be put in place:

    • The increase in requests by phone and the need for reasonable authentication of the identity of requestors.
    • Accumulating mail in closed medical practices and the potential difficulty to process requests on a timely basis.
    • Up to date and accurate authorization for access to EMR data by new healthcare workers from outside the system who have been quickly pressed into service.

As each health system finds ways to deal with these and other privacy challenges, the watchword continues to be good faith efforts to protect PHI as fully as possible from unauthorized access and disclosure.

An unfortunate truism of life in the digital age is that the bad actors attack when we are most vulnerable. Health care is experiencing a sharp increase in cyberattacks, ransomware, and phishing incidents. Working with PHI, access and disclosure is a high security risk activity. Our panel discussed the following steps:

    • Tighten the security of the work from home platform. The transition may have been made quickly and the platform may not need to be hardened.
    • The environment in the home may not be secure due to space limitations. Each situation should be assessed to ensure that PHI is protected.
    • Keep security front and center in routine communications and staff conferences. Include security staff and examples to underscore the need to check before clicking.

Let me once again thank the HIM leaders who taught us so much during the month of April 2020, a month that none of us will ever forget. They have shown us just how much can get done by seizing the momentum. They have kept information flowing, yet confidential; they kept staff safe, while introducing improvements.

Please continue to share your access and disclosure challenges and breakthroughs so we can continue to learn from one another.

HIM and Virtual Health: Emerging Best Practices and Lessons (Part 3 of 4)

HIM and Virtual Health: Emerging Best Practices and Lessons (Part 3 of 4)

By Linda Kloss

This is the third blog highlighting lessons learned by HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina in the midst of the COVID-19 pandemic. Their experiences teach us much about release of information best practices. They also identify broader health information access and disclosure challenges of dealing with this public health emergency. The first blog focused on best practices for protecting the safety of staff through rapid transition to work-from-home and protecting staff that must continue to perform their work on site.

The second blog addressed best practices in adapting release of information practices. By optimizing electronic workflows, health systems are flexing to ensure compliant and accurate work from request through fulfillment. A game changer is use of the Verisma Request App (VRA), which when integrated with the Verisma Release Management, is providing seamless continuity of work regardless of shifting workflows, who is doing the work, and where it is being done.

Our interviews with HIM leaders also described stepped up involvement with patient portals and a new focus on policies and procedures for telemedicine. I might not have anticipated these two areas of best practice as early responses, but it has quickly become clear that this pandemic is accelerating all aspects of virtual health services. In addition to experiences with Verisma’s VRA, interviews highlighted an uptick in use of patient portals. Thus, we identified Support for use of patient portals as a best COVID-19 practice for HIM working in collaboration with IT and others.

Despite years of somewhat sluggish use of patient portals, many health systems are now seeing a marked uptick as patients seek ways to connect and communicate, get test results, and general information. HIM leaders report stepped up involvement in helping patients enroll in patient portals and in supporting them in their use. This has required allocating HIM staff to focus on portal support. An important lesson is to be certain that current portal policies and procedures are documented and capturing changes or special procedures relating to reporting COVID test results and handling questions about those results.

Long standing barriers to broad adoption of telehealth services have been eliminated by recent federal and state regulatory changes. Virtual visits and remote monitoring services have surged for routine primary and specialty care, behavioral, and employee health. In the midst of the pandemic, this is a lifeline. Rapid adoption, however, may strain organizations who may not have robust policies and procedures or a broad understanding of them.

HIM leaders report greater involvement with the ramp up of telehealth and Support for telehealth information needs is another important HIM emerging best practice.  As with portals, they recommend telehealth policies and procedures be reviewed and adjusted as needed. Issues such as enrollment procedures and consents may need sharpening. Identity proofing — provider and patient, handling attachments, coding and health record protocols are cited as areas where HIM expertise is needed.  Telehealth may also increase patient access requests because patients and providers need to review current information to have an effective virtual encounter.

Long after this public health crisis comes under control, virtual health and health information applications will be indispensable elements of care delivery and patient engagement. There are sure to be many important health information best practices associated in this nascent era of virtual health and now is the time to capture these lessons. There is no going back…only going forward.

Once again, I want to thank the HIM leaders who continue to share their experiences as they learn and adapt for business continuity while supporting the needs of their staff, health systems, and the communities that they serve. Please join us on April 29th for our Webinar, COVID-19 Response:  Emerging Best Practices for Health Information Disclosure Management – Part 2

Optimizing Workflows While Decreasing Paper: Emerging Best Practices and Lessons (Part 2 of 4)

Optimizing Workflows While Decreasing Paper: Emerging Best Practices and Lessons (Part 2 of 4)

By Linda Kloss

This is the second blog highlighting lessons learned by HIM leaders at health systems in New York, New Jersey, Boston, Delaware, and North Carolina in the midst of responding to patients ill with the COVID-19 virus.  Once again, I want to thank these leaders for agreeing to be interviewed to share their experiences in the midst of this chaotic and frightening professional and social experience.

Their experiences pointed to 8 emerging best practices based on these leaders first several weeks of COVID-19 response efforts. We label them emerging because they describe adaptive, not static changes. Adjustments will continue to be made as disaster–and recovery–response circumstances evolve. The best practices comprise three key initiatives:

  • physical distancing – staff and patients
  • optimizing electronic workflows, and
  • adapting policies to remove barriers

The first blog described two best practices for protecting staff through work at home and by changing the on-site environment. Today, we share two more important best practices directly relating to release of information practices.

Best practice #3: Close in-person R-O-I request services turned out to be easier than expected. First, health systems were limiting all public traffic in and out of buildings. Interviewees uniformly reported that in-person requests dropped off abruptly simply because traffic was so diminished.  Second, routine and elective referrals were delayed, physician practices closed and this further depressed the volume of routine requests. In closing in-person services, interviewees advised careful attention to posting clear instructions, updating signage, web pages, and automated messaging systems.

Protected health information may be requested in five ways :  1) by completing request/authorizations at an in-person service window, 2) accessing a request/authorization on the health system website and submitting it via mail, 3) accessing a form on the health system website, scanning and e-mailing it, 4) processing verbal requests, and 5) using a request App.

Five routes have rapidly become four.  Routes 2, 3 involve handling and processing residual paper and these routes represent the biggest barriers to work from home. Verbal requests, route 4 may be tolerable alternative in a public health emergency, but shouldn’t become a new routine.  It is labor intensive, does not permit rigorous authentication, and can’t easily be audited.

The need to optimize electronic workflows is thus the key initiative and a key lesson from health systems on the front line. Thus, another best practice is to Use R-O-I workflow technology and the Verisma Request App.  Workflow technology and request apps eliminate paper, permit rigorous authentication, and create records of requests and their fulfillment.

One of the health systems interviewed had fully implemented the Verisma Request App (VRA) and integrated it with its patient portal 18 months ago.  For this large health system at the epicenter of the pandemic,  minimal adjustments were needed in request procedures. The HIM leader noted that the VRA provided “peace of mind” because the request, authentication and release processes were fully automated. Another interviewee was planning to implement VRA to eliminate in-person requests for security reasons.  This health system accelerated implementation, delaying full portal integration, but getting the App in place to ensure an electronic route.

In addition to using request apps, other workflow best practices involve redirecting whatever work you can to your R-O-I vendor. Because health system staff and the vendor staff use the Verisma Release Management (VRM) workflow platform, work distribution can keep pace with changing demands. Health systems that have centralized R-O-I across facilities and practices using VRM are in the best position to respond to the rapid changes in workflow required for these vexing times. One health system that was in process of centralizing R-O-I from hundreds of physician practices at the outset of the crisis. Their current challenges are with the practices that have yet to be centralized and are now closed, with unprocessed requests buried in incoming mail and virtually irretrievable. This health system also implemented a call center operated by Verisma, so all requests are processed uniformly and seamlessly.

In August of 2005, Hurricane Katrina hit the gulf coast and New Orleans leaving millions of people displaced and caregivers without any trustworthy information about their health conditions and medications.  We all remember the photos of people with their pill bottles in paper bags.  We remember photos of wet piles of records, detritus of the flood. Only the Veteran’s Administration hospitals could easily access electronic medical and medication records when people relocated. COVID-19 and the lessons being learned will irrevocably change health information access and disclosure. It is already clear from the experiences of the HIM leaders interviewed that automated ROI systems, including the request application,  is providing R-O-I business continuity and security flexibility.

Next week we will feature lessons learned about the importance of HIM engagement with portal and telemedicine workflows and policies. Our continued wishes for your safety and health in this very sad time. Please jump in and share your experiences and questions, request an archive of the April 1 Webinar by e-mailing Davy Simanivanh (dsimanivanh@verisma.com) and plan to join us on April 29 for a follow-up webinar.

HHS Steps Up Access Enforcement: Compliance Implications

HHS Steps Up Access Enforcement: Compliance Implications

By Linda Kloss

On September 9, 2019 the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced its first monetary enforcement action regarding the rights of patients to receive copies of their medical records.  Sadly, we’re all too familiar with the too long list of actions following breaches of health information.  In fact, OCR levied over $28 million in fines for 2018 breach actions.  Now, Bayfront Health, St. Petersburg, FL became the first covered entity to be fined for failure to comply with medical record access requirements.   

Earlier this year, OCR announced its initiative to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged.  Empowering patients is one of four key strategies for HHS and access to information is a key tactic.  HHS is advancing access through its policy, standards, and enforcement levers. Patient access is a right ensured by the HIPAA Privacy Rule.  However, based on evidence of persistent barriers to patient access, HHS released Patient Access Guidance in 2016 that set out limits on what patients could be charged and reiterated process requirements. More recently, HHS is encouraging the use of apps for release of information to streamline the process and improve the flow of information.

The Bayfront case is a wake up call for all compliance and disclosure management professionals and their business associates.  An investigation was initiated by the OCR based on a complaint from a new mother who had requested fetal heart monitor records on her unborn child.  Bayfront first claimed that it did not have the requested records and later provided a partial set of records after repeated requests from the mother and her attorney.  The requested records were provided twenty-two (22) months after the initial request and only after a complaint was filed with OCR.  HIPAA Rules, of course, generally require covered entities to provide medical records within 30 days.

Bayfront agreed to pay a fine of $85,000, modest by comparison to fines paid for breaches, but not modest when one considers that this involves a single patient’s record set.  Bayfront also executed a one-year corrective action agreement that largely focuses on demonstrating that it has updated access policies and procedures, educated its workforce, and has mechanisms in place to monitor performance.  Bayfront is obligated to report instances whereby its employees or those of a business associate fail to comply, along with the results of its review and investigation.   It is also obligated to comply with documentation requirements as spelled out in HIPAA’s accounting for disclosures provisions. 

Enforcement is a powerful lever that only a governing entity can apply.  The fact that HHS is using this lever for patient access should prompt covered entities to evaluate the adequacy of their practices given the very rapid changes in health information disclosure management.  Reasonable disclosure management practices today include the following:

  • Technology enabled – Managing growing volumes of requests can’t be done without end to end disclosure management software that can track and prompt all phases of the request through release processes which include compliance prompts.
  • Optimized process – Migrating from siloed and fragmented release practices to standardized and even centralized practices across the health system—that are knit together by use of compliance-based technology.
  • Patient-centered – Proactive patient facing practices that enable patients to control the request and release processes through use of apps with rigorous authentication.
  • Knowledge work –Release of information personnel who understand guiding regulations and principles and are trained to do the jobs they do.
  • Accountability – Tracking, red flagging and trending the status of all requests and maintaining auditable accounting of disclosure records. 

We empathize with Bayfront’s unfortunate experience and that of the mother who experienced anguish and frustration through inexplicable delays.  This should not happen, but I bet many are whispering “there but for the grace….”  This is a learning moment.  Business as usual in release of information is no longer in our patients’ or our employers’ best interests.  Many health care organizations are rapidly moving to a new level of practice – and not a moment too soon.