[BreachExchange] The future of PHI disclosure management

Audrey McNeil audrey at riskbasedsecurity.com
Mon Mar 6 19:46:13 EST 2017


http://www.beckershospitalreview.com/healthcare-information-technology/the-future-of-phi-disclosure-management.html

Staying on top of today's complex and ever-changing regulatory, privacy and
technology issues required for successful Protected Health Information
(PHI) disclosure management can be a daunting task for hospitals and health
systems.

That said, there are several trends and emerging market drivers that will
impact disclosure management in even more significant and profound ways in
the future. This article will identify these seminal issues and describe
how hospital and health system executives can position their organizations
for future success.

Let's start by looking at the macro trends. First, there is the increasing
need to provide more health information (primary and specialty care, PT/OT,
lab, imaging, medications, demographic and other data) to more constituents
(patients, providers, attorneys, payers and other third party requesters).
Second, there is an evolving need for effective control and oversight over
health information as record request volumes continue to soar. Third, as
value-based care, at-risk contracts, and other collaborative arrangements
expand across the healthcare ecosystem, there will be an escalating need to
provide accurate and timely health information to manage quality and
payment initiatives.

In addition to these macro trends, there are also a number of market
drivers impacting PHI disclosure management, Release of Information (ROI)
and other related services in some very concrete ways, including:

• Payer-Provider Collaborations – Accountable Care Organizations (ACOs) and
a growing number of provider-payer partnerships are gaining traction across
the country as over 24 million Americans are part of approximately 750 ACOs
that exist in all 50 states. As these and other collaborations continue to
expand, they will create new disclosure management challenges for providers
including the need to determine appropriate rates for payer requests for
health information and the establishment of secure connections with high
volume payer requesters.

• Expanding Number of Breaches – Since 2009, there have been more than
1,700 large breaches impacting over 500 people and over 180,000 small
breaches impacting fewer than 500 people, often resulting from human errors
such as those in the ROI process. The Office for Civil Rights (OCR) is
taking an increasingly active stance in enforcement of HIPAA regulations
and investigations into small breach violations by all providers. Over the
next few years, providers will face the challenge of managing risk during
what may well be a breach investigation epidemic. The stakes are high, as
even HIPAA violations unknown to the covered entity have serious
consequences, i.e., a maximum penalty of $50,000 per violation with an
annual maximum of $1.5 million, and offenses committed with the
intent to sell, transfer or use individually identifiable health
information for commercial advantage, personal gain or malicious harm
permit fines of $250,000 and imprisonment up to 10 years.

• Growing Number of Disclosure Points – As more health systems acquire
hospitals, and hospitals acquire physician practices, they will experience
an increase in the number of PHI disclosure points. In addition, healthcare
enterprises are accelerating their use of smart phones, mobile applications
and remote monitoring devices – and are expanding record sharing via HIEs
as well as increasing deployment of electronic health records (EHRs),
patient portals, and secure messaging. As the industry continues to provide
innovative ways to connect patients and providers, the number of PHI
disclosure points and the associated liabilities will continue to grow.

• Increasing Patient-Generated Health Data (PGHD) and Telemedicine – The
rise of PGHD and telemedicine continues to impact disclosure management and
present ongoing challenges including how to address the increased use of
patient portals and unencrypted personal devices. Deciding how to
incorporate these new data types into health records, along with developing
a plan for managing and releasing patient-generated data will need to be an
integral part of PHI disclosure management and information governance
strategies moving forward.

Keeping Pace with the Disclosure Management Trends

Here's a checklist of seven key initiatives that hospital and health system
executives should consider as they prepare their institutions for the
future of PHI disclosure management:

1. Deploy enterprise-wide disclosure management systems and ROI processes
to provide better control over the growing number of disclosure points.

2. Ensure you have access to the expertise to help you capitalize on
payer/provider collaborations including the capabilities to determine
appropriate rates and the use of new technologies to handle large volume
requesters.

3. Ratchet up your efforts to incorporate best practices to minimize
breaches. This includes having access to a highly trained workforce
specialized in disclosure management that understands the complexities of
federal, state and facility regulations to ensure the proper handling of
complex record requests. In addition, make sure you provide multiple layers
of quality assurance on authorizations and PHI disclosures and utilize
record integrity checks to enhance your breach prevention initiatives.

4. Re-assess your HIPAA compliance program in light of the increased
scrutiny coming from OCR and amend any policies or procedures that could
cause a finding of noncompliance.

5. Evaluate if you have the expertise to drive system integration with
hospital IT systems and government agencies like CMS and SSA. In addition,
fast track deployment of record integrity technologies and electronic
delivery methods including direct secure messaging, portals, etc. These
initiatives will both enhance compliance and improve productivity.

6. Begin now to evaluate whether and what type of PGHD and telemedicine
information to include in the patient record, as well as how to ensure data
integrity and address the increased liability and accountability issues.

7. Make sure you are able to support various requesters of health
information, especially patients who will want a personal touch/customer
service even in this age of self-service technology.

Don't Go It Alone

According to the Association of Health Information Outsourcing Services
(AHIOS), nearly 80 percent of hospitals nationwide have already outsourced
some or all of their disclosure management functions to alleviate the
administrative burden of fulfilling medical record requests. Given the
industry trends and the complexities that lie ahead, healthcare providers
should consider expanding their outsourcing to organizations that
specialize in disclosure management and who have the expertise and
technologies to ensure compliance with federal, state and facility
regulations. These organizations employ industry best practices and utilize
innovative disclosure management systems that can effectively manage
skyrocketing record request volumes while mitigating the associated risks.

Outsourcing disclosure management should be a key consideration as you look
to "future-proof" your institution and gain peace of mind in what is
fast becoming an incredibly complex and high-risk world of disclosure
management.