January 28, 2013
Key Trends Shaping PHI Disclosure Management
By Richard C. Logan, MBA, RHIA
For The Record
Vol. 25 No. 2 P. 14
When it comes to release-of-information issues, indications point to this being an eventful year for HIM professionals.
Under ARRA and the HITECH Act, significant agents of change are transforming the traditional release-of-information (ROI) function into a far more complex process. Healthcare organizations will need enterprisewide disclosure management of protected health information (PHI) to avoid liability, quality assurance, and revenue optimization concerns.
With the stakes so high, the Association of Health Information Outsourcing Services (AHIOS), an organization composed of executives from HIM outsourcing companies, has identified several factors that will affect ROI functions in 2013.
The Regs Keep Coming
This will be the year when the rubber meets the road for both existing and new regulations. For example, many hospitals will still need to comply with stage 1 meaningful use objectives that require healthcare organizations to produce patient information discharge instructions electronically on request. In addition, hospitals will need to address the stage 2 mandate that providers allow more online access to electronic records that can be downloaded, transmitted, or viewed via patient portals.
On top of those regulations, the recent release of the final HIPAA Omnibus Rule promises to be one of the most significant changes to the HIPAA regulations, one that will have far-reaching implications for PHI disclosure management in 2013 and beyond. The final Omnibus rule includes the following changes:
• modification of HIPAA’s privacy, security, and enforcement rules to implement statutory amendments under the HITECH Act that strengthen the privacy and security of patient health information;
• the replacement of the original and subjective "risk of harm" threshold, used to determine whether a breach has caused or could cause significant harm and must be reported, with a more objective standard to determine if PHI has been compromised;
• an increase in penalties per violation to a maximum of $1.5 million within a calendar year; and
• stronger privacy protections for genetic information.
Complying with existing and new privacy and security regulations will be a major challenge for hospitals and their HIM departments this year.
In 2013, hospitals are likely to be in audit overload as Medicare clamps down on alleged fraud and abuse, ICD-10 coding discrepancies provide fertile ground for transition-related audits, and payers expand their own auditing initiatives.
With the passage of new fraud and abuse laws, the federal government has launched a multitude of new audits focused on overpayment that require healthcare providers to release large numbers of medical records to third parties. In addition to Comprehensive Error Rate Testing audits that have been around for years, providers now may need to comply with rules for recovery audit contractors (RACs), zone program integrity contractors, and Medicare administrative contractors. The record volumes for these audits can be daunting, sometimes requiring facilities to send several thousand records to an auditor within a short, specified timeframe. To further complicate matters, HIM departments also must manage associated issues surrounding authorizations and record charges.
Bolstered by the success of Medicare RACs, which recouped more than $1 billion in improper payments, other payer organizations are initiating their own audits to eliminate fraud and abuse.
The transition to ICD-10 also opens the door to more scrutiny of medical documentation and increasing audits. With an 800% increase in the number of codes from ICD-9 to ICD-10, there is the potential for more coding disputes and a wealth of additional audits. The already increasing volumes of audits are forcing healthcare organizations to establish new processes to properly manage audit requests, track audit limits, and ensure proper billing according to each payer contract.
PHI Points of Disclosure: Here, There, Everywhere
Traditionally, collecting and handling the release of PHI has been a challenging process but one that could be managed within the walls of the HIM department. However, in this new regulatory environment and with rapidly evolving health information exchange (HIE) technologies, there are more PHI disclosure points throughout the health enterprise.
With the rapid digitization of health records, PHI requestors are asking for transactions to be performed via online platforms such as portals. Third-party requestors want to request, check the status of, pay for, and receive electronic copies of PHI through the Internet as opposed to using old-fashioned tools such as faxes, paper, CDs, and other portable electronic devices that can be managed within the HIM department.
Additionally, provider-to-provider communication is moving online, creating new challenges for managing disclosures. For example, the Centers for Medicare & Medicaid Services (CMS) and the Office of the National Coordinator for Health Information Technology are using a gateway to the Nationwide Health Information Network for electronic submission of medical documentation to provide a more efficient way to deliver medical records to payer audit contractors. Similarly, the federal government’s Direct Project, which is pushing to establish a means for healthcare providers to exchange information via direct e-mail message, will reduce the volume of paper that enters and exits facilities. The emergence of HIEs, both public and private, is creating more disclosure points and requiring healthcare organizations to control access and manage authorizations accordingly.
This year, the challenges for hospitals and health systems in managing PHI disclosure across the enterprise while utilizing new technology and complying with regulations will start to grow beyond the capabilities and bandwidth of most organizations.
Accounting of Disclosures Rule
The proposed Accounting of Disclosures Rule that further promotes patient privacy and the secure exchange of PHI has led hospital and IT leaders to examine how disclosures are handled both from within and outside a healthcare organization.
The final disclosure rule, which is likely to be announced this year, may require healthcare organizations to provide patients with details concerning not only which individuals within an organization accessed their records but also any disclosures to unauthorized requesters. It also may stipulate that those instances are properly documented for the purpose of the disclosure. Additionally, tracking the access to records and disclosures made for the purposes of treatment, payment, and operations will be demanded. Previously, it was unnecessary to track and report such instances of PHI access or disclosure.
If implemented, the rule will require time to interpret as hospitals and HIM functions try to fully understand the implications for compliance. The announcement of the final rule is likely to occur during the frenzy to meet meaningful use requirements and during the height of ICD-10 transitions. Beyond the major resource crunch that will occur, the rule also will underscore the importance of managing disclosures across a healthcare enterprise to ensure that all access and disclosures are compliant and properly tracked and reported.
Soaring Record and Documentation Volumes
With more than 30 million newly insured Americans entering the healthcare system and Medicare/Medicaid scrutiny around reimbursements, the volume of medical records and data will increase throughout 2013. For example, the CMS is intensifying its efforts to withhold payment to providers in cases where the services rendered are not deemed reasonable and necessary for the diagnosis or treatment of illness. Even though a treatment may be considered within accepted medical practice, it does not mean the service will be covered. If the service is considered necessary, coverage still may be denied if the service is provided more frequently than allowed by policy, or the treatment may not be covered because it may be limited to certain diagnoses.
In short, Medicare will require significant, new documentation to prove the level of care provided is reasonable, necessary, and within policy before reimbursement is approved.
Training ROI Staff for a New Era
From the constant stream of new privacy and security regulations and the accounting of disclosures to compliance with meaningful use requirements to the rapid deployment of HIEs, the rate of change in the HIM industry is reaching epic proportions. These changes will affect core ROI processes and require a massive investment in education and training of HIM staff to keep pace and ensure breach prevention and risk mitigation.
How will hospitals justify the cost of continual ROI staff training and quality improvement in an era of EHRs, HIEs, and accountable care? How will HIM departments carefully balance patient service with the time needed for HIPAA compliance education? How will ROI professionals learn how to effectively manage an information breach should one occur while they can hardly find the time to support basic operational needs?
Given the continual rollout of new regulations and guidelines, HIM departments will be hard pressed to develop and implement in-house training and quality improvement programs that keep patient information safe. A major area of concern will be the lack of HIPAA-compliance training outside HIM. These uncontrolled points of disclosure are where healthcare organizations are most at risk of improper disclosure and breach. However, it would be daunting to train personnel at all points of disclosure.
This makes communicating the concept of enterprisewide disclosure management to various departments within healthcare organizations imperative. Centralized disclosure policies and procedures will help prevent improprieties and ensure that best practices are in place.
In today’s complex technological, regulatory, and legislative landscape, C-level executives must be more involved with developing PHI disclosure management strategies and processes across the enterprise. Issues related to disclosure management will play a major role in keeping up to speed throughout 2013. For example, CEOs, chief financial officers, chief operating officers, and chief information officers will be paying close attention to earning their meaningful use stripes to ensure they receive incentive money for implementing certified EHRs. This includes delivering discharge instructions and using patient portals to provide secure access to PHI within specified deadlines.
Ensuring adherence to state and federal privacy regulations is paramount. With Health and Human Services documenting more than 400 PHI breaches affecting 20 million individual records, executives are cognizant that a security breach can result in not only monetary penalties but also severe damage to an organization’s reputation.
The increase in EHR adoption rates and the advent of multiple reform initiatives have compounded PHI concerns for hospital and health system executives, requiring them to work more closely with HIM in an effort to better manage the disclosure management process. For years, HIM directors have been trying to get C-level executives more engaged in information management issues. This year, the industry will reach a tipping point where hospital leadership is focused on the strategic HIM issues related to managing compliance and liability while optimizing reimbursement.
The Year of HIM
This may well be the year when HIM professionals are acknowledged as disclosure management experts whom the C-suite relies on to help develop solutions and resource plans to be used throughout an entire hospital or health system. HIM leaders can standardize disclosure processes and ensure enterprisewide policy enforcement to minimize liability and financial risk.
HIM will be called on to provide leadership as changes occur to PHI disclosure management. In addition to lending their expertise on ROI solutions, HIM staff will focus more time on audit compliance, meaningful use initiatives, accounting of disclosures solutions, and other regulatory and technology initiatives that affect the dissemination of PHI.
HIM directors need to move beyond their day-to-day responsibilities and become more engaged with the C-suite to address critical regulatory, compliance, and technology issues. At the same time, they will need to identify outsourced disclosure management vendors who can partner with them to develop a centralized system that supports interdepartmental communication, policy enforcement, level of oversight, quality assurance, and transparency.
In 2013, hospitals and health system executives will look to their HIM directors to provide leadership as they develop and execute enterprisewide disclosure management strategies. As hospitals tackle complex reform-driven issues, HIM directors must understand the key trends shaping the industry and identify outsourcing companies with the core competencies, solutions, and certified staff that can deliver compliance-based, high-quality, cost-effective service.
As the industry evolves to a more technology-based process, someone needs to be the gatekeeper to do the work. That someone needs to have the ongoing training and expertise to manage in a complex regulatory environment and ensure operational excellence in PHI disclosure management.
— Richard C. Logan, MBA, RHIA, is executive director of the Association of Health Information Outsourcing Services.