By Barbara Carr, RHIA
On our January 26th Webinar we learned what disclosure management trends would be forefront for the upcoming year. Verisma’s Director of Compliance and Privacy, Debbie Lobb and Verisma’s SVP of Operations, Julia Applegate, shared first-hand knowledge and steps being taken operationally to prepare for these challenges and helping health system clients navigate through these changes.
COVID-19 continues to challenge our healthcare operations. The trend of a hybrid workforce and seeing increases in both digital requests for healthcare information along with increasing payor audits will continue to put an increased burden on the Health Information Management Departments disclosure management operations.
In addition to the ongoing COVID-19 challenges, the deadline has passed for comments on the proposed changes to HIPAA and we are all waiting on OCR to let us know if there will be any further changes and revisions based on the comments. While the proposed changes are to modernize the regulations, the new rules present new challenges for organizations to ensure compliance. For now, I believe it is important for all of us to prepare for these changes and educate our organizations. How will organizations ensure compliance? Will additional staffing be required? How will you train your organization on the changes? On the Webinar we explored what each of these changes mean to your HIM Department operations and how having the right vendor partner and technology can help you manage the changes and ensure compliance.
Debbie Lobb, Verisma’s Director of Compliance and Privacy reviewed the upcoming changes as well as the rationale behind the changes. The overall goal of the upcoming HIPAA changes is to move further toward a more patient centered process and delivering PHI efficiently and accurately to the requestor. Julia Applegate, SVP of Operations at Verisma, reviewed the operational challenges related to the proposed changes as well as demonstrated how having the right technology can help HIM Departments meet these challenges and remain compliant.
Proposed HIPAA changes and the challenges that were discussed:
Reduction in turnaround time from 30 days to 15 days
The clock starts when the request is received by the organization. The request must be fulfilled, with all authorized information to the requestor within 15 days.
Julia explained that the challenge to this requirement is many. Information being requested can be stored in multiple locations. Sometimes requests can float throughout several departments before reaching the release of information professional’s desk to be processed. Sometimes records with statutorily protected PHI require an additional level of review before being released, based on health system protocols.
Providing on-line access through your website, such as the Verisma Request App®, to request and receive records can reduce many of these challenges and ensure fast and accurate receipt and delivery of the records. In addition, Verisma Spotlight™ reports (our rule-based workflow engine) automatically alert you and your team when sensitive or high-risk requests are entered into the system. This too can cut down on any delays in processing the requests.
Patients Right to Access PHI in-person and allow taking of notes and/or photographs of their PHI
Both Julia and Debbie explained that this will require an additional layer of staff needed to queue up the electronic record, a secure/private area for the review and the presence of a HIM person will need to there in person throughout the onsite review. Many times, the record is not all neatly in one place on the system for review and this may require either signing onto different systems, printing, or actual paper chart or microfilm review. None of this is ideal.
Julia noted that one way to solve the in-person review is to make it easy to request and retrieve the records for the patient. Currently at Verisma, we partner with our clients to integrate with their patient portals and allow the patient to easily request records not available in the portal and once the records are retrieved, we then push the records back into the portal. If an organization does not have a well-functioning portal that can handle this, we then provide direct access for the patient through our Verisma Request App®.
Improved Information Sharing
Allowing for good faith disclosures to avert a threat to health or safety. The definition of healthcare operations has been broadened to cover care coordination and case management. This will ensure a pathway for individuals to direct sharing of ePHI amongst covered entities. An individual will be permitted to direct a covered entity to send their ePHI to a personal health application if requested by the individual.
Operationally, as Julia mentioned in the Webinar, not much would probably change with the current process of allowing “good faith” type of disclosures. Julia presented some operational challenges with these new proposed changes to information sharing. Again, one challenge is multiple sources for the information being requested, records that require special attention, per HIM policy for additional review around sensitive information. Some records being requested aren’t stored in a manner that will allow them to be uploaded to personal health applications. Keeping track of the requests pending review for good faith disclosures or records to be uploaded to personal health application present a challenge to ensure they are reviewed and processed timely, especially given that the turnaround time will be changing to 15 days. Some of the ways to meet these challenges are to have a centralized process, if possible, of ingesting requests from various sources such as fax, snail mail, email, hand delivery and more, and have it all gone into one system for one group of qualified people to account for each request and process for distribution. Having the technology to provide reports and alerts on pending urgent requests and those reaching the timely processing limit. Create protocols specifically detailing, where to go for what records is very important and should be clearly available to all ROI staff processing requests.
Reduced ID Verification Requirements
The proposed changes also reduce the ID verification requirement. For instance, a covered entity cannot require that a patient show up in person and present their ID. Other means of verification can be two factor identification for digital requests. Each covered entity will need to determine their procedures around ID Verification should this change go into effect. They should work with a ROI vendor that has the technology to assist them with this.
Posting Fee Schedules and Notice of Privacy Practices (NPP)
Covered entities will be required to post fee schedules on their websites for PHI access and disclosures. In addition, an estimate of the fees for providing an individual with a copy of their own PHI and if applicable when ePHI may be provided without charge. Some healthcare organizations already post this on their websites. If yours does not, now is the time to work with your IT Department to prepare to post the fees. A patient acknowledgement of receipt of the NPP will no longer be required, which will eliminate the administrative burden of having to require a signature of the patient’s receipt be kept on file. However, the following changes to the NPP will be required:
- Changes to the header to provide instructions to the individual how to access their medical records
- Information on how to file a HIPAA compliant
- Right to receive a copy of the NPP
- Right to discuss the NPP with a designated person
- Provide information regarding the designated contact person. Is the designated person on-site and include their phone number and e-mail address?
Debbie reviewed information blocking as it relates to HIM and release of information. While most of the information blocking regulation is technical in nature and relates to technical barriers such as hardware and software, there are administrative barriers such as fees, forms, policies, and authorizations that HIM should be aware of and be prepared to address.
If a request is not fulfilled for a requestor when it would be allowed under HIPAA, that is considered information blocking. Having stricter security for access than what is required by HIPAA would be considered information blocking. Requiring more information than is needed to fulfill a request would be considered information blocking.
HIM leaders should be reviewing their policies and procedures as well as their authorizations and ID requirements to ensure they are incompliance with the information blocking rules.
Julia strongly recommends reviewing the rejection letter policies to ensure your best practices align with the new rules. Rejecting requests for reasons such as electronic signatures, original signatures, stricter rules around expiration dates, requests for any and all, etc. may represent information blocking concerns.
Continued Disclosure Management Trends Aside from HIPAA and Information Blocking
Digital requests are expected to continue to increase. Having the technology to intake these requests and manage them in a timely and accurate manner is of utmost importance. Working to centralize those requests to a group of individuals for managing, processing, and accountability is something to strive for in ensuring you can meet these demands. This is where it is vitally important to have the right vendor partner who has the technology to support your organization.
Hybrid workforces and staffing challenges will be a continuing trend. Verisma has workforce training and support centers located throughout the country with a main distribution center located in Syracuse, NY. Verisma can also supply on-site support as well. Again, having the right vendor who can be flexible and work with you to meet your needs will help your organization through these continuing workforce challenges.
In conclusion, it is not too soon to prepare your department and your organization for these proposed changes and ongoing disclosure management trends. Prepare your organization by educating your administration, legal, risk, and other department leaders on the proposed changes and what they will mean for your organization. Review your current policies, procedures, and authorizations and make the changes now. Seek out technology that can help you and work closely with an ROI vendor who can support you to achieve your goals. HIM leaders should be the ones to lead the way to their organization’s compliance and success!