Tips on how to successfully manage protected health information disclosure
In today’s quality- and performance-driven healthcare environment, staying on top of the complex regulatory, privacy and technology issues required for successful PHI disclosure management can be a daunting task.
To help hospital and health system executives address these challenges, the Association of Health Information Outsourcing Services (AHIOS) has developed the following top 10 list of release-of-information (ROI) best practices based on the collective experience of its members who are executives from the leading ROI companies.
1. Centralize ROI.
With many hospitals and health systems acquiring smaller hospitals, physician practices and other facilities to better serve their communities, it’s not unusual these days for growing healthcare enterprises to have more than 20 points of PHI disclosure, managed by staff with varying levels of skill and training on complex regulations. It is a best practice to centralize ROI to ensure consistent implementation of procedures and to eliminate the significant risks associated with having multiple points of disclosure throughout the healthcare enterprise.
2. Ensure ROI staff has real-time access to regulatory experts.
When complex record requests are submitted such as those from attorneys working on workers compensation or malpractice cases, ROI staff need immediate access to the organization’s compliance experts or legal counsel. If your organization is unable to ensure immediate access to regulatory expertise, then it should consider outsourcing ROI to an organization that does, as one misstep here can result in your institution’s violation of state and federal laws which can lead to financial penalties and even litigation.
3. Establish an independent quality assurance (QA) review team.
Most HIM departments understand the importance of QA and train their staff to incorporate it into their standard operating procedures. However, it is a best practice to have QA performed by an independent QA specialist who is not distracted by the high volume of daily tasks that inundate most busy ROI departments. A pre-disclosure QA process is critical to identifying potential breaches and serious quality issues before the information is released.
4. Utilize specialized disclosure management technologies.
The complexities of ROI require specialized systems with tools, comprehensive workflow and quality checks that support the governance of enterprise-wide disclosure management. This includes the ability to manage the disclosure rights for each component of PHI and for each constituency, i.e., other hospitals, physician groups, imaging/radiology centers, labs, and third-party requestors. ROI modules that are built into EHRs simply don’t have the robust capabilities of a disclosure management platform built specifically for ROI. Using specialized disclosure management technologies is a best practice which provides powerful tracking and reporting systems that put institutions in control, optimize financial returns, and mitigate risk.
5. Move to electronic submission of Medical Documentation (esMD).
The Centers for Medicare and Medicaid Services (CMS) has provided a way to electronically submit records via the esMD program which provides a gateway to securely transfer PHI between a sender and a receiver. Employing the esMD gateway for submission of CMS audit requests is a best practice that helps reduce provider costs and cycle time by minimizing paper processing and mailing of medical documentation to review contractors. esMD is a ROI best practice that helps providers meet audit deadlines and reduces the risk of technical denials.
6. Go direct.
It’s time to put those fax machines out to pasture and move on to Direct Secure Messaging. It provides a secure, compliant and efficient way to exchange PHI electronically between healthcare providers. Provider organizations should look for Direct Secure Messaging tools that adhere to federal HIT standards, can integrate with third-party EMR platforms, and that include features such as patient restriction filters that warn when sending PHI if a patient has limited sharing of their health information.
7. Create a continuing education program.
The scope, sheer volume and rate of change of regulations presents significant challenges to HIM departments as they try to keep abreast of new federal and state regulations and related guidance, as well as HITECH and HIPAA privacy and security regulations. It’s a best practice to ensure HIM staff have access to both on-demand and scheduled training on new federal and state regulations, as well as on best practices in customer service. Consider analyzing the trends from your QA process so that you can develop customized training programs based on the needs of your workforce.
8. Ensure ROI workforce competency.
Hand in hand with creating a continuing education program is the best practice of testing staff competencies with a tool like AHIOS’ Certified Release of Information Specialist (CRIS) test. The CRIS exam covers the contents of a medical record, the components of a valid authorization for a record’s release and asks test takers what they would do when presented with a wide variety of hypothetical situations; for example, a sheriff asking for a patient’s medical records as part of a criminal investigation. Testing for ROI workforce competency is a best practice that helps ensure institutions have access to staff with the requisite quality control, technology and healthcare expertise.
9. Consider an ROI patient advocate.
Many HIM departments spend countless hours and significant emotional energy responding to patient complaints about record requests. A best practice here is to establish a patient advocate in the requestor services call center. This can help reduce patient complaints and the time to resolve them, while inspiring staff to be part of a patient centered culture.
10. Ensure ROI technology integrates with your EHRs.
Given the rapid rate of mergers and acquisitions, hospitals and health systems need to ensure they have the capability to integrate their EHR systems from newly acquired facilities and practices with their ROI systems. Ensuring your specialty disclosure management systems integrate with organizational EHRs is a best practice that drives ROI efficiency and improves quality.
Now that we’ve reviewed the top 10 ROI best practices, how do hospitals and health system executives begin to implement them? Often provider organizations find that they can fast-track implementation of these best practices by working with a disclosure management outsourcing organization. These outsourcing firms typically embed these best practices into their service offering and have the regulatory expertise, proven disclosure management processes and specialty technologies to streamline the ROI process, reduce administrative burdens and expenses, and mitigate compliance risks while enhancing protection of patient privacy.
In today’s performance-driven health environment, the most effective path to adopting ROI best practices is by outsourcing to an organization that lives and breathes those best practices.