Vol. 12 •Issue 7 • Page 24
Timeliness of Release of Information Requests Counts with HIPAA
Satisfying release of information (ROI) requests in a timely fashion is more important than ever because the Health Insurance Portability and Accountability Act’s (HIPAA) final privacy rules mandate strict time limits of 60 days for covered entities to respond to requests for amendments, as well as ROI requests. There is one 30-day extension possible for good cause (with documentation) and then the covered entity must produce the medical records to the requestor. Period. If you have ever been in a backlog situation with your paper-based ROI function, this mandatory response time can be a bit frightening. The presence of a business associate relationship with an ROI vendor, where you lose some control to an outside company, can make this federal requirement a bit unnerving.
Document Imaging Systems Can Help
Most organizations that have a document imaging system can turnaround ROI requests for completed records in 48 hours or less. And, that’s great for customer satisfaction, as well as HIPAA compliance.
Document imaging systems can help facilitate the ROI process in several ways. First, workflow will expedite the process of readying the record for physician completion. The document imaging application automatically places medical record documents in their correct chart order, eliminating the process formerly known as record assembly in the paper world. Because this step is eliminated, analysts are able to review the record for deficiencies and mark them for the physicians. Workflow then makes the incomplete records immediately available for physician completion.
Because document-imaging solutions can normally be accessed via fat client, thin client and through Internet portals, physicians have the flexibility to complete their records quickly and conveniently through any of these options. Within the ROI module, some document imaging systems even have a flag to let staff know if a record is complete or not, which can link to workflow threads to further simplify the process.
Make sure you can add additional documents to a patient record after the encounter is committed to permanent storage. Examples of documents that may need to be added after the period of hospitalization is complete include consents to release protected health information (PHI), request letters asking for health records, and potentially, requests to amend the record. All of these documents, and perhaps others, may need to be captured into the imaging system retrospectively.
Ensure that your imaging solution has the capability to change billing amounts to comply with the HIPAA rules, as well as state statutes. Remember that state statutes that are stricter than HIPAA rules will prevail. So, flexibility in the collection of ROI revenues software is important.
What About the Audit Trail?
Now that HIPAA requires covered entities to disclose audit trail information to patients who request it, ROI software will need to handle this new “document type.” If audit trails are not presently released through the health information management (HIM) department, your organization may need to revisit its audit trail strategy to insure HIPAA compliance. Releases of audit trail information will impact the billing function as well. According to the privacy rules, the first patient request of an audit trail is free each calendar year. Subsequent requests may be fulfilled at a reasonable charge unless state statute has specific requirements.
Many organizations currently maintain policies against releasing incomplete records. Because records must soon be released in 60 days or less in order for your facility to be in compliance with HIPAA rules, there is another reason to get medical records complete as soon as possible following discharge. Perhaps at the point where a record is incomplete for slightly less than 60 days, your organization will send a 30-day extension letter to the patient and require the physician to complete the record. Sanctions against covered entities if they exceed the 90-day HIPAA mandate may make an attempt at amending the bylaws worth pursuing. As technology, regulatory pressures and policies intertwine, HIM professionals, administrators and medical staff leadership are likely to ask, “Is a physician who knowingly places our organization out of HIPAA compliance really worth keeping on staff?”
The ROI function will continue to receive focused attention as April 14, 2003 approaches. As managers of PHI, you will need to keep a close eye on your ROI practices and the technology that is used, as “HIPAA midnight” for privacy gets closer.
Carrie Bauman currently serves as McKesson Information Solutions’ director of product marketing for the Enterprise Imaging Group and HIPAA in Alpharetta, GA.
NOTE: The entire amendment rule can be found on pages 82824 and 82825 of the Federal Register, Volume 65, Number 250, dated Dec. 28, 2000.
Some HIPAA Facts, Before You Fax
Horror stories are meant to scare people. But Gwen Hughes, RHIA, professional practice manager for the American Health Information Management Association (AHIMA), thinks that shocking, egregious release of information (ROI) tales can help demonstrate the importance of taking precautions when faxing protected health information (PHI) in light of the Health Insurance Portability and Accountability Act (HIPAA) privacy rules.
Preaching caution in ROI can feel like another sermon to the choirs of health information management (HIM) professionals, but they aren’t the only ones who release information, according to Hughes. She emphasized spreading the word to all personnel who deal with PHI via employee orientations, newsletters and even sharing the occasional horror story of the fax that landed on the local newspaper editor’s desk.
“It’s not a bad idea to use examples and teach people about the penalties for inappropriate disclosures,” Hughs said. But before the sermon, she thinks it’s important to get the facts out on faxing.
“HIPAA, for the most part, is technology neutral, so it doesn’t speak to faxing directly,” Hughes pointed out. “However, if we’re not already doing the right things, by all means, we need to make sure we do so now.” Some of the “right things” involve:
•.Getting the fax out of the hall: Jill Callahan Dennis writes in Privacy and Confidentiality, “A hallway where the public has access to documents sitting in the output tray is not the best location.” From hospital departments (HIM, nursing stations, transcription areas, etc.) to physician practices, fax machines belong in private offices or monitored areas.
•.Emptying the tray: Callahan Dennis also advises departments to designate someone to monitor the fax machine, so that PHI doesn’t sit unattended or routed in interoffice mail.
•.Brushing up on state authorization and consent laws: Remember that more stringent state laws preempt HIPAA regulations. Some states forbid faxing and/or photocopying psychotherapy notes, HIV test results, substance abuse treatment or sexual assault treatment records, without specific written patient consent.
•Updating the cover sheet: AHIMA’s updated practice brief on fax transmission has a sample “Confidentiality Notice” that includes instructions to an unauthorized recipient.
•Preventing wrong numbers: According to Hughes, the practice of preprogramming phone numbers is common, but numbers can change. “We should be checking our preprogrammed numbers. For non-programmed numbers, it doesn’t hurt to double check the number before you hit ‘send,'” she said. In addition, “We might want to include a reminder in our newsletters to physicians to contact us if a number changes, so we’re not auto faxing their dictated reports to an incorrect number.”
•Training all staff: “In the proposed security rule, the phrase ‘awareness training’ is used,” Hughes pointed out. She thinks awareness training should include fax policies and procedures in an organization. And, she added, “This doesn’t just mean hitting the subject briefly in employment orientation and never mentioning it again.”
The updated AHIMA practice brief, online at www.ahima.org/journal/pb/01.06.2.html, addresses these and other points. It has been updated to address the HIPAA regulations, but as Hughes pointed out, it’s hardly a brand new model for HIM professionals. “Many of us are already doing the right thing in terms of faxing,” she noted. “We have polices and procedures, we double check phone numbers and we test our software before we fax transcriptions. But with HIPAA, we’ve got to make sure we’ve dotted our ‘I’s and crossed our ‘T’s.”
And if the occasional juicy news byte about the clerk who faxed a chart to the local news station drives the point home, we’re all ears.
—By Linda Gross