January 2016

Digitization Complicates the ROI Process
By Susan Chapman
For The Record
Vol. 28 No. 1 P. 14

With health care organizations becoming more electronic, AHIOS has revamped its concept of the ideal ROI process by adding 13 steps to the recommended formula.

Recently, the Association of Health Information Outsourcing Services (AHIOS) released the latest version of its "The Release of Information (ROI) Process" report. What once was a 32-step affair has been increased to 45 to better reflect the complexities of the ROI process in an EMR environment. The report's goal is to educate those requesting medical information on the many steps involved in meeting state and federal ROI regulations.

Background
Amy Derlink, privacy and compliance officer at IOD Incorporated, an AHIOS-member company, notes that the 32-step process helped organizations comply when information was requested from a paper-based system. The arrival of new technology spurred AHIOS to reexamine ROI workflow. "As we've moved to an EMR, the new AHIOS graphic illustrates all the training and steps that must happen in order to release a record in accordance with all state and federal laws to protect patient privacy," Derlink says.

"Ironically, some thought that EMRs would simplify the ROI process to the point where with one keystroke you could run a report that would generate a legal health record," says Jim Bailey, an AHIOS member and the president of BACTES Imaging Solutions. "In fact, the process is so complicated in retrieving PHI [protected health information] from a multitude of systems that AHIOS has created an educational video on its website just to explain the misconceptions about the process."

The 45-step graphic was developed primarily for members' clients, such as hospitals and clinics, to help them better understand there is more to the process than meets the eye. The report also can benefit requesters who may not understand ROI's complexities.

Because third parties such as attorneys and insurance companies can request access to PHI, there are tight regulations regarding the release of general medical information. There are even tighter restrictions for obtaining data pertaining to mental health; HIV status; and drug, alcohol, and genetic status. These requests require additional paperwork beyond the standard HIPAA authorization form.

Given that ROI is highly regulated, industry experts say there must be a careful accounting of every request, which means organizations must manage record keeping while also reporting on the process, activities that require investments in both staff and technology. Staff at large health care organizations must correctly record and research potentially thousands of monthly requests, many of which may be complicated. For example, an attorney may request specific information that is embedded in a much larger record, requiring staff to conduct time-consuming research. Any mishaps along the way could result in fines, Derlink says.

The EMR Effect
Steve Socha, chief operating officer of AHIOS member BACTES Imaging Solutions, believes the advent and proliferation of EMRs has been a game-changer in terms of ROI. "A lot of facilities have more than one electronic system—some for some parts of the record, and other systems for others," he says. "Or the institution may not have liked its first system, purchased another one, and the two are not compatible. Consequently, you may have to get the record from various sources. Our productivity has actually gone down since the advent of electronic records."

Providers store records in both EMR and legacy systems, and the ability to search through all of them takes time. With such an administratively burdensome process, the likelihood of missteps increases. In fact, according to the "Release of Information Process," only 3.4% of hospitals are on totally electronic systems. "For those institutions that are electronic, their systems were designed for ease of use, but not for the ROI process," says Karen Gallagher Grant, RHIA, CHP, chief operating officer of MRA Health Information Services, an AHIOS member organization. In order for most hospitals to provide the requested information, they often have to move from module to module to provide a full patient picture, she adds.

While the challenges that accompany complicated EMR systems pose issues for ROI, Socha says that at present, there is a security benefit to having incompatible systems. "While the use of electronic medical records is a great concept in theory, it's not in principle for ROI. However, in terms of security, the wide variety of systems offers a measure of safety. If you're a hacker and can access every medical record by just hacking into one system, that also would not be a good thing for patients and organizations. I believe the day will come when all systems will at least be able to communicate, which will benefit the ROI process," he says.

What Stands Out
Experts identify the report's key points to be understanding and determining request types, being diligent about accurate logging, securing proper authorizations for the correct types of information, verifying patient identification, conducting quality assurance checks, invoicing billable requests properly, and utilizing designated delivery methods. Overall, they agree that nearly every step of the report is essential to the ROI process.

Once records are captured, there are multiple steps to follow. Then, beyond accuracy, organizations must address proper invoicing and ensure that bills are paid and collected. There also is the secondary review process in which HIM staff double check to be certain there are no privacy issues or inadvertent disclosures. In addition, because requesters often telephone organizations in an attempt to expedite the ROI process, a staff member should be tasked with answering those calls.

Not a Propaganda Piece
While it may be thought that AHIOS created the report to encourage outsourcing, Diane Ferry, MS, RHIA, president and CEO of Star-Med, which is not an AHIOS member, doesn't see the connection. "This is merely a process outlined by AHIOS. It does not mention any particular vendor or whether the process should be provided in-house or outsourced. It's simply a resource that can be utilized by HIM directors or hospital leaders if needed," she says.

AHIOS members hope the report, available at www.ahios.org, will be used to analyze internal release processes. "This tool is very helpful for someone in a hospital environment. Whether they use a vendor or are doing it themselves, they still have to go through all these steps," Gallagher Grant says.

"I think hospitals understand the report can serve as an educational tool," says MRA President and CEO Charlie Saponaro. "When the question arises regarding outsourcing, it generally has to do with pricing and regulations in different states. Often attorneys don't want to pay the fees for records and will frequently push for legislation to reduce fees because they think ROI only involves the click of a button. They don't always appreciate the steps and labor involved in the process. Providers and the American Medical Association, along with vendors, work to educate legislators as to what is truly involved in this process, which is yet another way the AHIOS report can be beneficial."

Areas of Greatest Risk
Valid authorizations, step 3 in the AHIOS model, can be one of the trickiest for organizations to master. The Notice of Privacy Practices for Protected Health Information, 45 CFR 164.508 (c), makes it imperative that individuals who review authorizations ensure the information satisfies the rule's six core elements:

• a specific and meaningful description of the information to be used or disclosed;
• the name or other specific identification of the person(s) or class of persons authorized to use or disclose the information;
• the name or other specific identification of the person(s) or class of persons to whom the covered entity may make the use or disclosure;
• a description of each purpose of the requested use or disclosure;
• an expiration date or event that relates to the individual or the purpose of the use or disclosure; and
• the signature of the individual and date, or the signature of the individual's personal representative with a description of the representative's authority to act for that person.

The provision also demands the following required statements:
• a statement of the individual's right to revoke the authorization, which is subject to some exception;
• a statement about the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the authorization; and
• a statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and may no longer be protected by the rule.

Authorizations that do not contain this information are invalid, and the requester must then be notified to resubmit a HIPAA-compliant version. That notification process should be included in the ROI tracking system. This is one area that requesters can misunderstand, leading to delays in the ROI process. "You have to send the requester a letter, letting them know the form is deficient," Socha says. "People get frustrated when you tell them that something is missing. They want you to run it through anyway, but we can't. It adds a lot of expense to the ROI process."

Saponaro says the human element is critical when trying to verify whether an authorization is valid, a point echoed by Gallagher Grant. "If the organization is not investing in quality checks, then the information can go to the wrong place, which can result in such issues as identity theft," Gallagher Grant says. "And while hospitals have HIPAA-compliant authorization forms, there can be human error. For instance, there is a different authorization required for HIV information release, and someone could release such information by mistake without the necessary form."

Also, organizations may offer information to someone not listed on the form, which can be a challenge if the person on the form is not the same individual requesting the record. For example, a record request may be made on behalf of a minor or a deceased person. Verifying the veracity of such requests necessitates additional resources.

Perhaps the greatest risk during the release of information process is the potential for any type of PHI breach. To create a hedge against such issues, health care providers must ensure that all requests are HIPAA-compliant and in line with HITECH rules. It is crucial that facilities meet the privacy rule's minimum necessary standard, correctly identify patients and dates of service, provide complete information, and abide by all state and federal laws.

Mariela Twiggs, MS, RHIA, CHP, FAHIMA, CDIA+, national director of training and compliance for MRO, an AHIOS member, points out the risks inherent in patient identification—in particular at large organizations where there can be multiple patients with the same name and date of birth. "Also, commingled records are an issue," she says. "You may have a data feed coming from the lab, or it was scanned to the wrong record. Now, someone's lab results are in a different patient's record. While it can be challenging and time-consuming to check on these mistakes, you have to verify that everything is valid. If the patient is now deceased, for example, you could have a signed authorization, but the person has since died. If you're in a small town, you may know about relationships—mother vs stepmother—but the latter claims to be the former. Or, if there is correction fluid on the authorization form, we can't accept it. All this makes verifying authorizations a really complex step."

There's also the risk that those requesting information for specific purposes will not receive complete records, an area addressed in steps five and six of the AHIOS model. For example, patient care can be compromised if the provider receives incomplete health information, or a legal case may be affected if an attorney does not receive a timely response. "It is, therefore, critical for health care providers to have an inventory of the locations of all PHI so it can be retrieved," Ferry says.

Step 19 of the AHIOS report addresses sensitive PHI, such as HIV status and drug history, which requires organizations to be knowledgeable about state and federal laws regarding sensitive health information and ROI. In these instances, the first step is to review the authorization to determine whether the patient, or the patient's representative, has authorized the release of the sensitive information. Health care providers must ensure their authorizations and ROI policies and procedures define the types of sensitive information and the corresponding state and federal laws. In some cases, court orders may be required if the request has not been signed by the patient or the patient's representative.

Next, the health care organization must conduct a quality review of the entire health record to ensure only authorized sensitive information is released. If there is sensitive information that has not been authorized for release, the request must be rejected and the requester notified to submit a valid HIPAA authorization. The rejection notice also must be entered into the ROI tracking system.

According to Socha, timing is a large part of the ROI equation, noting that individuals request a record for a specific reason, which usually carries with it an element of urgency. "It could impact treatment, life insurance, or disability, so timing is a crucial factor," he explains. "Still, even in light of time constraints, we need to be accurate and in compliance."

Socha sums up what he views as the greatest challenge in the ROI process: Getting the right records to the right people at the right time. "You only want to get what's required. Only the records for that one patient," he says. "You also want to get all the pertinent records. You want to give the truth, the whole truth, and nothing but the truth, and you want to make sure you're delivering it to the appropriate parties."

— Susan Chapman is a freelance writer based in Los Angeles.