Privacy and Security by Design: A New Fundamental for Release of Information


By Linda Kloss

Release of Information (ROI) functions as a gatekeeper for access and disclosure of confidential health information. ROI advances patient rights, enforces organizational policy, and complies with federal and state law. The gatekeeper role is more complex today because:

  • Health delivery and information systems are more complex 
  • Request volumes are greater from patients and a range of requestors
  • Regulatory ground rules were largely designed for a paper-based health system, and
  • Privacy and security are being deliberately and inadvertently put at risk. 

The first three factors above contribute to privacy and security risks. In our recent webinar, Mike Salsbury, JD, Verisma’s Counsel and Privacy Officer, and Jim Staley, CISSP, Verisma’s Chief Information Security Officer and Chief Compliance Officer, discussed trends giving rise to privacy and security risk and important ways to harden systems to reduce those risks.[1]

By design concepts

Their overarching premise is that the best way to mitigate risk is to avoid it in the first place. Contemporary by design approaches mean that privacy and security are engineered into technology, workflows, and processes, rather than being added after the fact.[2] Examples of foundational principles include:

  • Proactive not reactive; preventive not remedial
  • Privacy and security are embedded into design
  • Privacy as the default
  • End-to-end security

It is not likely that any design can avoid all risk, but Salsbury and Staley urged a by design, anticipatory mindset. They emphasized the importance of up-to-date privacy and security risk assessments.

Privacy by design

Against the background of the industry’s response to COVID-19, Mike Salsbury reviewed the ways in which ROI has been impacted in 2020 and the implications for safeguarding privacy. He described the characteristics of recent enforcement actions relating to non-compliance with federal patient access regulations.

In addition to having an up-to-date privacy risk assessment, Salsbury urges covered entities to:

  • Ensure Business Associate Agreements (BAAs) are up to date
  • Review staff onboarding/departure procedures
  • Ensure up to date personnel training
  • Carefully track ROI request intake to make certain required timeframes are met
  • Review protocols and security for electronic transfer of PHI
  • Review procedures for handling unauthorized disclosures (UADs)

Security by design

Jim Staley noted that attempted cyber intrusions during the first half of 2020 exceeded the total for all of 2019. Healthcare organizations and their technology companies are frequent targets of intrusion attacks, and health information is a high-value target for cybertheft.

Staley emphasized the importance of working with vendors who can demonstrate adherence to stringent security protocols and have earned security certifications. He urged attention to the fundamental practice of encrypting sensitive data at rest and in motion, and the use of multi-factor authentication both in the applications we use at work and in our personal digital practices. Staley also urged an updated security risk assessment and referenced the new tool from OCR and ONC.[3]

ROI by design

ROI is a set of processes or workflows, guided by regulations and explicit policies. It comprises the following four subprocesses, in each of which risks can be identified and mitigated through smart technology, workflow design, training, and accountability:

  • Request – request routes, authorizations, identity verification
  • Retrieve – data sources, minimum necessary, quality checks
  • Release – media-specific safe practices, compliant business operations
  • Retain – accounting for disclosures, audits, process improvement

Verisma’s ROI technologies guide and prompt requestors and ROI staff to do the right things — and they create a record of that work. This is what by design is all about. It is also about taking steps to standardize ROI across the health care enterprise. Whether ROI is done in house, outsourced, or a combination of the two, smart technology, workflow design, training, and accountability are the keys to by design ROI.

We are in the third decade of the 21st century with privacy eroding and security under attack. It’s time to step up proactive vigilance so ROI remains an effective gatekeeper for access and disclosure of confidential health information. 


Endnotes

[1] An archive of the webinar Privacy and Security by Design: A New Imperative is available upon request from DSimanivanh@verisma.com

[2] Cavoukian, Ann.  Privacy by Design: The 7 Foundational Principles, Information & Privacy Commissioner, Ontario, Canada. January 2011.

[3] US Department of Health and Human Services. Security Risk Assessment Tool, v 3.2, User Guide. https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

WEBINAR: Turning Up The Heat! HHS Initiates Access Enforcement


Date: December 17th, 2019 2:00 pm – 3:00 pm EST

Presenters:

Michael Salsbury, JD, MBA
Counsel and Privacy Officer 

Linda Kloss, MA, RHIA
Regulatory Policy Leader, Disclosure Management

Keri Bay
Director of Client Operations

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently announced its first monetary enforcement action against a health system for failure to deliver medical records in response to a valid request by a patient. The health system paid a fine and entered into a corrective action agreement with HHS. The focus of OCR compliance has heretofore been on breaches of protected health information. Authorized requests and release of information (ROI) are a new area of focus, ushering in a new era for ROI. And it comes at a time when the volume of requests for release of information is increasing, as are the risks.

This development should not come as a surprise. Earlier this year, HHS announced its intent to vigorously enforce the rights of patients to receive copies of their medical records promptly and without being overcharged. This should serve as a wake-up call for health systems that have yet to build robust compliance checks into their release of information management systems.

This timely webinar will help participants understand HHS’ intent in using its enforcement authority in matters pertaining to ROI. They will learn about the elements of this first enforcement action and the compliance lessons it offers for all health systems. Participants will probe the elements of robust release of information compliance, how to hardwire compliance through sound practice, and how to use technology to flag and identify cases that represent a compliance risk.

Webinar objectives:

This webinar is designed to help compliance, HIM, Privacy and ROI teams understand:

  • The federal policy environment concerning enforcement of patient access rights,
  • Elements of a first ROI enforcement action,
  • A systems approach to ROI compliance, and
  • How technology can be used to anticipate and red flag ROI compliance risks.

Approved for 1 AHIMA CEU Credit for Management Development


There’s an App for That!


By Linda Kloss

It’s a typical weekday for me working from home and stopping to get a few things cleared off my “to do” list. It’s 2:30 in the afternoon and I have already used 10 apps: I read my digital newspapers, did online banking, scheduled service on the car, ordered dog food, scheduled an annual dermatology appointment, booked a flight, hotel, and airport transportation, figured out a route from the airport to my hotel, and downloaded a book for next month’s book club. You get it; this is now a typical day for most connected consumers. Not long ago, we would have driven to the bank, dog food store, bookstore or library, called the travel agent, auto mechanic, and so on. Apps have transformed how we get things done.

Now, many consumers use an app to access their medical records, downloading them to a mobile device for their own use and to share as they see fit with providers, other caregivers, and family. Release of information, long a back office processing function, is becoming an app-enabled, consumer-driven service. This transformation is largely driven by consumers. When so many parts of our lives are supported by apps, consumers are not satisfied with having to contact various hospitals and provider offices, complete forms, wait for paper or a CD, and pay a fee to gain access to their own information.

Federal emphasis on interoperable EHRs brought the issue of barriers to patient access to information to the forefront. Fees were identified as a barrier, and in 2016 the Office for Civil Rights addressed this with its patient access guidance. The Office of the National Coordinator for Health IT (ONC) extended the focus on patient access by including functionality in its EHR certification criteria, directly supporting standards-based application programming interfaces (APIs) and apps, and promoting access through public education. Patient access is one of six key planks in the implementation of the 21st Century Cures Act, designed to unlock the power of digital health information.

Consumer demand, supported by federal policy, will transform release of information into an app-enabled function, and I believe that this will happen very quickly. I base this prediction on the experiences of health systems that enable web access for patients and authorized third parties. Adoption and uptake have been swift and overwhelmingly positive.

You can learn from NewYork-Presbyterian’s Susan Tabickman about this world-renowned health system’s use of Verisma’s API-based app for release of information in a free webinar on October 30! Registration information follows.

There are inherent privacy and security risks in apps that handle confidential patient data. Access and disclosure of patient information also require hardened compliance protocols. Trusted release of information app developers must meet a high bar: a developer must have the requisite technical and standards know-how, but must also have compliance, data protection, and accuracy in its DNA.

Against this background, CIOs and HIM professionals should proactively advance access transformation on four fronts:

1. Transition from fragmented to standardized and centralized disclosure management across the health system. This requires adoption of enterprise release of information management software and best practices.

2. Add an app linking the EHR and the enterprise release of information software so information can be requested and disclosed via web portal.

3. Design and implement policies and processes to protect the consumer’s right of access, with appropriate privacy and security protections for an app-enabled patient access environment.

4. Develop an implementation plan that includes consumer and staff outreach and education.

I can’t yet access my EHR via app, but when I can, you can be sure I will keep my medical record securely on my password-protected phone. The days of taking notes, requesting and storing paper reports, and trying to recall when I last did this or that will be over. The timing is right and it just makes sense.

Use this link to register for the free webinar on October 30 at 2-3 pm EDT: https://bit.ly/2peAwoK

Patients in the Spotlight

Observations about the changing nature of health information practice

By Linda Kloss

Arriving for her mammogram, she is told that the radiologists will not read her digital mammography without the historical files. In following up, the staff at the “most wired” health system acknowledged that they had received the request, but the fax number didn’t work, and they had called once to follow up but didn’t connect to a live person. The ROI team didn’t know about the digital files because those were handled elsewhere, and they had no information about or responsibility for that aspect of the request. Anxious follow-up calls produced fairly quick responses, and the mammography test results were interpreted and were normal. You have probably also guessed that I was the patient in this story. Ironic, eh?

This simple story is repeated over and over again. In this case, there were no quality-of-care consequences, just a frustrating delay and some worry. In other instances, such errors have real consequences. Getting access and disclosure right in the current environment is a complex systems challenge requiring coordination of three elements of change, technical, political, and cultural:

  • Technical systems include workflow procedures, transaction and analytic technologies, guiding policies, business practices, regulations, and standards.
  • Political systems are the ways that authority and responsibility for administering technical systems are assigned among stakeholders. Today there is a drive toward greater standardization and even centralization of ROI to improve accuracy and efficiency.
  • Cultural issues include the shifting organizational and societal values and pressures for change. The emphasis on patient access, patient-generated health information and use of apps at the same time there is growing concern about personal privacy and breaches demonstrates cultural dilemmas.

The technical systems failed in this example. There was no accountability baked into the processes of either organization. Obviously, their technology did not include any flagging of open requests. For a care coordination issue, they were way outside the range of efficient information sharing. The interpretation and digital records were not handled in a coordinated manner; these were unlinked transactions with no responsible party. While I did all the right things to start the process, I made the assumption that given enough time—5 months—the systems would work on my behalf. I did not follow up. But should I have to? We live in a world where trillions of transactions across all aspects of our lives are handled reliably online, with feedback to the initiator and the ability to track transactions.

This blog, sponsored by Verisma, represents the company’s core commitment to serving patients with game-changing disclosure management technology and innovative management solutions designed for accurate, timely, and compliant disclosure management. At its 4th Disclosure Management Summit held in May, Verisma challenged participants to be working toward a goal of “your records in 5 minutes.” In the coming months, we are going to explore what it will take to meet this challenge. We look forward to your engagement and participation.

WEBINAR: Northwell Health Physician Partners: Automating Disclosure Management in an Ambulatory Setting

Date: Jan 16th, 2019 2:00 pm – 3:00 pm EST

Presenters:

Lyndsey Kane, RN-BSN
Project Manager, Northwell Health Physician Partners

Anupriyo Chakravarti
SVP, R&D, Verisma Systems, Inc.  

This webinar will focus on key compliance and business drivers for standardizing release of information practices and procedures across physician practices that are part of an ambulatory or integrated health delivery system. Health systems often begin by ensuring consistency and efficiency of information disclosure management across their acute care facilities. But the job is not done until health information is released in a standard way across all levels of care.

During this presentation, Lyndsey Kane, RN-BSN, Project Manager at Northwell Health Physician Partners and Anupriyo Chakravarti, SVP, R&D at Verisma Systems, Inc. will explore how the ambulatory HIM department is centralizing ROI processes and implementing disclosure management solutions to automate workflows, ensuring accounting for all disclosures while improving overall compliance and efficiency.

Geared towards managers of medical practices, HIM, privacy and release of information teams and compliance managers, this webinar will address the following learning goals:

  • Review current regulations and guidance on patient access and release of information
  • The case for automating compliance and disclosure management in medical practices
  • Review the challenges and solutions used by Northwell to improve ROI automation and compliance
  • Discuss the benefits and rationale for centralizing ROI across ambulatory practices, and the processes needed to move towards technology-supported standardization

Approved for 1 AHIMA CEU Credit: Privacy & Security


No More ‘Business as Usual’

By: Linda Kloss

The professional discipline of ROI has changed in the past two decades. Your job has changed. And, without a doubt, expectations around your performance have changed.

Once, ROI was a narrow hospital-centric workflow that could be outsourced and forgotten. No more. Now we are called upon to manage access and disclosure across and beyond an entire healthcare enterprise – and in support of a mission-critical imperative of improving the patient experience.

3 major drivers

What is shaping the new HIM ecosystem?

  1. The rise of complex and community-wide health systems like Sutter Health in San Francisco, Partners Health in Boston and UPMC in Pittsburgh.
  2. Health information is no longer “at rest,” safely tucked away in the archives. Because it is now digitized, health information is in motion and in use, being reused, recombined, and redisclosed.
  3. Patient-centeredness is no longer a concept limited to direct patient care; it extends to all points where patients interact with a health system.

4 keys to transformation

You’ve heard the old inspirational saying, “The bend in the road is not the end of the road…unless you fail to make the turn.” Fortunately, the past few years have seen the emergence of new tools and workflows that help you and your colleagues make this turn.

  1. Request apps help healthcare organizations increase convenience for patients, accelerate the speed of request processing, and lower the cost for both patient and organization. New technologies empower patients – as well as other authorized requestors – to submit requests from their computer or smart phone.
  2. Automation allows healthcare organizations to centralize and standardize disclosure management processes. The old playbook – where processes across ambulatory, acute care, home care and the ED were fragmented – increased cost and compliance risk.
  3. Auditing and analytics are now valued as critical to effective and efficient access and disclosure management processes. New tools streamline workflows, quality assurance and reporting so leaders can monitor compliance and performance issues.
  4. Accountability is a critical component. Workflow technology should help people do the right thing at the right time. And it should produce a record of the work performed, for accountability and as a teaching tool to improve the productivity and skill of access and disclosure staff.

Of course, any transformative effort requires more than can be contained in a simple 400-word blog. If you are going to AHIMA next week, look me up for a deeper conversation. I will be at the Verisma booth #403 and will deliver a presentation on this topic at 2:30 p.m. – 3 p.m. on Tuesday, Sept. 25.