Enterprise-wide PHI disclosure management: Closing the compliance gaps

by Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB

Rita Bowen (rbowen@mrocorp.com) is Vice President, Privacy, Compliance and HIM Policy at MRO Corporation in Norristown, PA.

Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits, and reputational damage, healthcare organizations are seeking ways to mitigate risk by implementing new technology and Health Insurance Portability and Accountability Act (HIPAA)-compliant policies and procedures to ensure proper disclosure of protected health information (PHI). Many are embracing the benefits of enterprise-wide PHI disclosure management to close the compliance gaps.

Increased focus on small healthcare breaches

Although the primary focus has been on large cyberattacks, small breaches affecting fewer than 500 patients at a time are actually more frequent. These breaches are often the result of improper disclosure of PHI during the release of information (ROI) process. Since the Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted in 2009, the Health and Human Services (HHS) Office for Civil Rights (OCR) has received a total of 347,090 reports on breaches of patient data as of March 31, 2018, according to reporting by Health Information Privacy/Security Alert. Roughly 344,823 of those breaches affected fewer than 500 patients each.[1]

With increased frequency and impact on patient privacy, small breaches are getting more attention from the OCR. In 2016, OCR increased investigations of small breaches to identify the root causes, improve efforts to measure HIPAA compliance, and address compliance gaps across the industry. Small breaches can be just as costly as large ones in terms of penalties and reputational damage.

Trends leading to the rising tide of small breaches include a greater demand for PHI among third-party requesters and patients, expanding points of PHI disclosure across health systems, and quality assurance gaps in the ROI process. The risks involved with multiple disclosure points and the lack of standardized processes make PHI disclosure difficult to govern and track, making breaches more likely. An enterprise-wide approach to PHI disclosure management is the recommended solution to the challenges faced by healthcare organizations.

PHI disclosure across the enterprise

Although HIM departments still hold primary responsibility for handling PHI disclosures, other areas, including Radiology, business offices, and physician practices, increasingly receive requests to release patient information. The issues around this trend pose risks that can lead to privacy breaches. Here’s why:

  • ROI is not a core responsibility of non-HIM staff — and it is not a top priority.

  • Other departments lack sufficient knowledge of rules and regulations governing the compliant release of patient information.

  • Specialized training and multi-tiered quality assurance are required to properly disclose PHI.

To assess potential risks, the next logical step is to conduct an enterprise-wide audit of all disclosure points. For example, a recent audit of a large health system’s PHI disclosure compliance revealed 40 different disclosure points — 39 other than HIM. That is a lot to handle for HIM and compliance leaders concerned about mitigating risk.

Risk due to multiple disclosure points

In Radiology, business offices, and physician practices, the core competence is not centered on proper disclosure of PHI. For example, business office personnel release millions of medical records annually to commercial health plans and government payers to expedite payment of claims, appeal denials, or fulfill auditor requests. This is not their area of expertise — they should be focused on reimbursement. Their core competence is to maintain cash flow for the business office, working with payers to collect bills. ROI is not a primary objective. HIPAA risks are a concern when ancillary departments or practices release PHI versus having HIM professionals manage that task. In each department or practice, it is critical that staff know when an authorization is required and how to handle compliant PHI disclosure.

Here are common PHI requests received by the three areas:

Radiology – Reports, digitized images, and films are requested by:

  • Other providers for continuing care

  • Attorneys to support injury claims

  • Patients for specialists and referrals

Business offices – High volumes of PHI are sent by billers and collectors, including:

  • Unsolicited releases during initial claims submission and claims processing to expedite payment

  • Disclosures for government and commercial payer audits and reviews

  • Attorney requests for itemized bills

Physician practices – In an attempt to fulfill their responsibilities, office managers sometimes give information without proper authorizations in situations such as when:

  • Patient requests a copy of their chart following an office visit

  • Family requests a copy of chart

  • Other providers request information

Other disclosure points do occur, such as in the Emergency department, but the greatest liability — and where quality assurance methods help the most — is in physician practices. Overall, their record-keeping methods are less accurate than those of larger organizations.

The two most common concerns in physician practices are comingled records and misfiled documents. Comingled records occur when patient information is placed in another patient’s chart or electronic file (i.e., mixed patient records within a single chart). Misfiled documents are another frequent issue in physician practice settings. Practice staff need specific training to prevent comingled records, avoid misfiles, ensure access to the right records, and release of the right information to the right requester.

Due to inadequate staffing and training to support HIM practices, centralizing ROI would result in significant benefits, including meeting regulatory compliance and managing the increased ROI request volume. HIM and other disclosing parties can then focus on their core competencies to help the healthcare organization avoid breach and deliver higher quality care.

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings