Disclosure Management — More Complicated Than Ever
By Elizabeth S. Roop
For The Record
Vol. 26 No. 4 P. 12
An already-complicated process is becoming more convoluted thanks to the increase in collaborative care models.
Stricter oversight, an evolving regulatory environment, and rapidly escalating volumes of medical records and release of information (ROI) requests have combined to intensify the complexity of disclosure management for US hospitals and other health care organizations. Further complicating the process is a heavy reliance on the exchange of protected health information (PHI) under emerging collaborative care models and the expanding number of disclosure points within a typical hospital. All these factors place greater demands on facilities’ already-limited resources dedicated to ROI processes.
“A lot of providers aren’t necessarily aware of all the variables out there because they are not focused on disclosure management,” says Charlie Saponaro, president and CEO of MRA Health Information Services, a full-service health information firm. “Keeping up with the different mediums and regulations [pertaining to ROI] on top of everything else that’s going on with ICD-10 and meaningful use can be difficult, so getting providers to understand the importance of all these variables can be a challenge.”
However, staying on top of ROI must be a priority because the price of failed disclosure management policies is high—and getting higher. In addition to reputational damage, hospitals now face HIPAA penalties of up to $1.5 million per incident per calendar year. Criminal penalties range from $50,000 to $250,000 in fines and up to 10 years in prison.
Don Hardwick, vice president of client relations and compliance at MRO Corp, which provides disclosure management and health information exchange (HIE) services and solutions, points to an American National Standards Institute survey of hospitals that found breaches cost between $8,000 and $300,000. “Even at the low end of the spectrum, each time PHI is improperly disclosed, there is a potential financial impact to the organization,” he notes.
The best way to mitigate the potential for breaches is to carefully evaluate disclosure management processes to eliminate any gaps or areas of weakness. Doing so also will help a facility prepare for looming regulatory changes, such as the Accounting of Disclosures rule, that are expected to increase complexity levels.
Driving Greater Complexity
According to Benjamin Souede, an attorney with the Angeli Ungar Law Group, the transition to electronic records, the opportunity to exchange PHI, and the need to make that information accessible to all of a patient’s providers are the chief reasons why those in charge of managing PHI disclosure are facing severe challenges.
Most of the complications stem from the federal push for widespread EMR adoption, which is based on the belief that the technology will improve the efficiency and accuracy of information and, as a result, drive down care costs. At the same time, health care providers and technology vendors must protect PHI pursuant to federal and state privacy laws such as HIPAA and the HITECH Act.
“Providers must make the electronic information available to those who need and have permission to receive it while protecting against both inadvertent disclosures of this information and against malicious attempts to breach the protections and access this information,” Souede says. “As with any other industry that is turning to electronic recordkeeping, American health care providers have to find the balance between adequate protection and sufficient accessibility.”
Hardwick points to the multiple steps involved in managing disclosure, such as logging, verifying, and tracking requests; retrieving information from disparate systems in various formats; and authenticating the requestor’s identity as contributing to the complexity of disclosure management. However, there are several other factors that make ROI “a very complex endeavor that involves high levels of risk,” he says.
For example, the growing prevalence of EMRs under meaningful use and the need to deliver these records electronically have increased the volume of requests and the number of disclosure points in a typical hospital. In the current digital environment, an organization may contain more than 40 PHI disclosure points, including HIM, risk management, billing, lab, radiology, and hospital-owned clinics and physician practices. As a result, PHI often is accessed or disclosed by employees who haven’t been fully trained on guidelines.
And that’s just inside the hospital. HIEs add to the complexity by requiring hospitals to change their approach to disclosure management and adding to the channels across which information can flow, including direct secure messaging, patient portals, and interfaces.
“The migration from paper to electronic documentation and systems is making it easier to improve patient care and access to PHI while simultaneously making it harder for hospitals to control access and manage patient privacy,” Hardwick says. “Bottom line: Whenever there are multiple points of disclosure combined with multiple mechanisms for disclosure, managing PHI disclosure gets more complex.”
MRA Chief Operating Officer Karen Grant agrees that the plethora of options for releasing PHI makes managing the process complicated, but regulatory issues can be just as bothersome. For example, penalties for a HIPAA breach continue to climb, while state laws remain a constant consideration. “One complexity is that there isn’t one way to send information,” she says. “Another is that we have various laws in the states as well as HIPAA. Between the legal issues and the electronic variations, we’re seeing complexity in the space.”
This especially is true when the requested information will be shared across state lines, a situation that is becoming prevalent thanks to the growth of regional health information organizations (HIOs) and the build-out of the Nationwide Health Information Network. For example, if a hospital in Massachusetts is participating in an HIO with a hospital in New York, it must find a way to balance variances in disclosure requirements and technical capabilities between the two states. Part of that entails identifying and adhering to whichever set of regulations offers the greatest patient protection. It also involves addressing any differences in what is considered sensitive information and even adhering to different patient consent requirements.
“Layer on top of that the different patient consent laws enacted by different jurisdictions and the rapid changes visited upon the American health care system overall, and the challenges become significant,” Souede says.
The Collaborative Care Conundrum
In fact, HIOs, accountable care organizations (ACOs), and other collaborative care models present several unique challenges to disclosure management. These initiatives attempt to improve health care delivery by building networks through which patient information and/or care can be disseminated among providers, according to Souede. “The idea is to create a more holistic model of care by providing all of a consumer’s providers with a more complete picture of the consumer’s health history,” he explains. “When HIEs and ACOs reach across jurisdictions, however, they may encounter differing laws with regard to the levels and types of consent they must acquire from the consumer to share that PHI.”
For example, HIPAA establishes the national legal requirements for consents. Individual states are prohibited from establishing consent standards that fall below HIPAA’s bottom-line protections. However, a state may—and many do—exceed HIPAA’s basic protections and provide patients with greater consent rights. When they do, the state’s standards preempt HIPAA. “For an interstate HIE or ACO, this means different member entities may need to be playing by different rules, which is bound to create challenges,” Souede says.
Jan McDavid, general counsel and compliance officer for HealthPort, which provides ROI services and audit management and tracking technology, points out that there’s no single law in place that guides what should be done when a specific inquiry is made to just one participating provider or when the inquiry is submitted to a class of providers. “If addressed to the HIO/ACO generally, every participating provider must see the request and authorization in order to see if they maintain such records, leading to the potential for breaches,” she says.
Use Centralization to Ease Complexity
It may not be possible to truly simplify disclosure management, but it’s possible to minimize the headaches it may cause. Industry experts suggest that centralizing the process into a single system overseen by a single department can eliminate many of disclosure management’s challenges. According to Hardwick, centralization enables hospitals to utilize software and services that can be deployed as a common tracking platform.
“By processing all disclosures through one system, all hospital departments that disclose PHI receive the benefits of secure technology, comprehensive workflow, and quality assurance checks on the information sent through the system,” he says. “Centralizing ROI also helps organizations standardize policies and procedures by obtaining the interdepartmental communication, policy enforcement, and level of oversight that they need to comply with the increasingly complex regulatory environment, and provide a consistent experience for patients and requesters.”
As for who should oversee the process, the general consensus is that HIM is best suited for the responsibility. McDavid says that while engagement levels vary across hospitals, HIM in particular should be actively involved in the disclosure management process “because the ‘buck stops here’ when breaches occur and/or [the Office for Civil Rights] performs an audit.”
Grant seconds that notion. “HIM understands the health information component and is the subject matter expert on data integrity,” she says.
Hardwick adds that HIM’s expertise in PHI disclosure gives it the unique ability to develop solutions and resource plans for managing ROI processes, compliance, liability, and financial risk. HIM also should be given greater responsibility for audit compliance, meaningful use initiatives, accounting of disclosure solutions, and other regulatory and technology initiatives that impact PHI delivery.
“To that end, HIM needs to be educated about the emerging technologies and be involved in the decision-making and planning processes,” he says. “It’s crucial that all these departments are working together to implement best practices for PHI disclosure and HIPAA compliance throughout the organization.”
— Elizabeth S. Roop is a Tampa, Florida-based freelance writer specializing in health care and HIT.
DURSA and Breach Notification
When the topic of disclosure management comes up, the conversation typically centers on compliance approaches to fulfilling release of information requests. However, it’s also important to understand the role of the Data Use and Reciprocal Support Agreement (DURSA).
“It is sort of like an enforceable treaty for health care providers and health care agencies. It provides a standardized ‘rules of the road’ for the organizations that join it and identifies the responsibilities and obligations of participating entities,” says Benjamin Souede, an attorney with the Angeli Ungar Law Group.
Based on existing privacy and security laws, the DURSA is intended to instill confidence within members that information provided by one DURSA participant to another will be treated appropriately. By entering a DURSA, the private companies and federal agencies involved in the transaction are agreeing to use a set of national standards, services, and policies developed by Health and Human Services.
According to Jan McDavid, general counsel and compliance officer for HealthPort, the agreement creates a framework for the exchange of protected health information, including privacy and security obligations, the use of data received from other participants, authorizations, breach notifications, and several other issues.
At its core, the DURSA is a chain-of-trust agreement between the two parties involved in the actual act of sharing the information, says Karen Grant, chief operating officer of MRA Health Information Services. “It doesn’t take away any of the responsibilities you have when releasing the information. Rather, it’s giving permission for the technologies to talk,” she says.