May 11, 2009
Navigate ROI Nuances
By Elizabeth S. Roop
For The Record
Vol. 21 No. 10 P. 12
The intricacies of the release-of-information process can leave HIM departments befuddled, bemused, and beside themselves.
How difficult can the release of information (ROI) really be? A request for a patient’s medical records is submitted, logged, and authorization verified. The records are pulled, copies made, and the documents are mailed to the requester along with an invoice, if applicable.
But don’t be fooled by the seemingly straightforward, linear nature of ROI. From the moment a request is received, fulfillment is a process guided by a series of conditional statements. An error made at any point puts a facility and a patient at risk.
“It could be a breach of security issue or a HIPAA violation, and the ramifications could be severe,” says Colleen Goethals, MS, RHIA, an HIM consultant with Midwest Medical Record Association, Inc, an ROI outsourcing provider. “If you think about the big scheme of things, when you’re releasing many records on a daily basis, one may be released inappropriately in error; nobody is perfect. But it actually is a huge issue and a very big deal.”
Key ROI Trouble Spots
Authorization is one of the most complex aspects of ROI. Failure to identify improper or expired authorizations can taint the entire process if not caught at the point a request is received. Part of the complexity comes from differing state and federal regulations that govern who can and cannot give consent to release medical information.
“In most facilities, there is a lot of hands-on work connected with completing a request for information. Anywhere along the way, there is the potential for something to go awry,” says James Lantis, director of HIM for UAB Health System in Birmingham, Ala. “At initial receipt, that’s the first point where people can get tripped up. Depending upon the volume of requests, you may be in a hurry. But it’s important to take the time to verify that the person giving the request is who they say they are and that they do, in fact, have the legal authority to authorize you to release that information.”
Authorization pertaining to minors can be especially tricky. The facility must validate that the individual granting authorization is the child’s parent or guardian or has power of attorney to make care and other legal decisions. The question of who has the rights to a minor’s information also comes into play.
For example, noncustodial parents do have the right to their children’s records, unless their parental rights have been removed. However, the parents of a minor who is legally married do not have rights to that child’s information unless the child provides consent.
Other problematic ROI areas include ensuring that signatures and other details match between the request and the authorization, and ensuring that only what was authorized is released from the record, such as information pertaining to specific dates of service. A third is tracking patient record disclosures to ensure authorizations haven’t expired.
“Under HIPAA, you can do a certain number of disclosures within a given year without going back to the patient to get additional permission,” says Fig Gungor, CEO of OneSource Document Management, an ROI outsourcing provider, and a member of the Association of Health Information Outsourcing Services (AHIOS). “You have to have a ton of accountability and safeguards in place to ensure that the process is being handled as thoroughly and carefully as possible.”
Lantis notes that another problem area arises when the language used on the ROI request or authorization is too general or if it’s unclear whether the request is actually coming from the source it claims to be. For example, when a request comes in from an insurance company or law firm, UAB requires it to be printed on the requesting organization’s official letterhead.
Additionally, if the language of the request is too vague or too specific, a facility can inadvertently run afoul of the law. For example, if the authorization specifies one address to which records can be mailed, that address must match the mailing address specified on the request itself—even in the case of multiple offices for the same insurance company or law firm.
“You want to make sure you comply with the letter of the request. You don’t want to provide information beyond what is requested because it would be a violation of privacy and can have legal implications,” says Lantis. “If it’s a legal request, you need to be sure to satisfy it, so you need to scrutinize very carefully what you’re releasing. The thing that becomes tricky is when the language is very general. If it’s a form someone has put together themselves and not the [facility’s] own form, they may be using very general language that requires clarification.”
In fact, dealing with ROI requests from law enforcement and the courts presents its own unique challenges. Christine Rys, RHIA, an HIM consultant with Midwest Medical Record Association, notes that laws differ from state to state, and state law can differ from federal regulations.
Particularly problematic are laws governing requests for information for workers’ compensation claims, as well as requests involving mental health and alcohol and drug abuse issues. States often have different definitions of these conditions and different requirements for handling ROI. There can also be a sense of urgency from the requester when the information is needed as part of a criminal investigation.
“You have to really know and understand the law very clearly to make sure you don’t give out wrongful disclosure or [fail to] allow appropriate disclosures,” says Rys. “Grand jury subpoenas can be complicated, and law enforcement officials often think they can have everything they want when they want it. But based on the state you live in, [laws] are different. ... You can’t be intimidated by law enforcement, but many people are. You have to make sure you understand what specific state statutes are because we are here to protect the patient.”
The Human Element
Given the complex nature of ROI and the fine line separating valid release and wrongful disclosure, the professionals managing the process are critical. Not only must they be well versed in medical records but also in HIPAA and other regulations that govern release.
“One of the major challenges is finding and training qualified, HIPAA-educated staff,” says Gungor. “What we often see is that HIM departments think there are qualified people to handle ROI when, in reality, they’re not qualified or educated enough on compliance issues as they relate to HIPAA. You have to know who is touching the process.”
Even when qualified staff are in place, the ability to keep them current on the rapidly changing regulatory environment presents yet another challenge. Part of the problem is where ROI falls on the priority list of busy HIM departments that are already stretched too thin, making it difficult to dedicate resources to ongoing training, especially when that means taking someone away from their other responsibilities for any length of time.
Beyond that, ROI is tedious and often handled by hourly employees whose primary training was obtained on the job (see certification sidebar).
“It’s not a very glamorous sort of work; it’s very labor intensive. Just the nature of it makes [ROI] very prone to error. If you’re someone sitting in a chair eight hours a day, five days a week, going through these documents, it’s easy to see how someone can make a mistake,” says Lantis.
Those on the ROI front lines are also expected to handle what can be delicate customer service responsibilities.
A deceased patient’s family standing in front of the ROI clerk demanding to receive a copy of every single page of every single record immediately doesn’t understand or probably care about the impossible, complex nature of their request. The lawyer asking for a client’s records to be mailed to a post office box rather than the address listed on the authorization form often won’t appreciate being asked to resubmit the request with the correct information.
In both cases, however, if not handled properly, the result can be a public relations nightmare.
A big part of the job is “knowing how to deal with requesters who try to bully their way into getting something,” says Mariela Twiggs, RHIA, CHP, FAHIMA, an AHIOS member and the CEO of MTT Enterprises, an outsourced service provider. “Basically, we say that if it’s something we’ve never heard of before, we insist that they provide us with the law. That goes for law enforcement as well.”
Twiggs knows firsthand just how wrenching it can be to turn patients away without their records. In the aftermath of Hurricane Katrina, her employees dealt with a stream of angry and frustrated New Orleans residents whose medical records and x-ray films were destroyed.
“That is why we provide sensitivity training for our employees, because the whole customer service aspect and dealing with angry patients is something that takes finesse,” she says.
Mitigating the Risks
The ramifications of wrongful disclosure, overburdened HIM departments, and the difficulty in finding and keeping qualified staff are the primary reasons why the majority of hospitals currently outsource ROI tasks (see outsourcing sidebar).
However, there are steps that can be taken to keep the ROI process in house and manage it in a way that ensures compliance. The first is to provide staff members with adequate education and training.
“We have a very savvy correspondence secretary who is well versed in all the state and federal regulations and laws, and we are always educating the clinical staff because they often help us with the ROI process. You can’t just have an employee completing an authorization form without any knowledge; education is key,” says Elisa R. Gorton, RHIA, MAHSM, director of revenue cycle and a privacy officer at St. Vincent’s Medical Center Behavioral Health Service in Westport, Conn. “Every day is a different scenario, and it is not just the person who does the correspondence. Any staff member who answers the phone needs to be educated so they can answer those frontline questions.”
She notes that there are several companies offering ROI education programs. Professional associations such as the AHIMA and state hospital associations are also good sources of ROI material. Several state associations also publish legal manuals detailing the laws governing ROI in a particular state.
But education can’t stop with the staff. Gorton advises facilities to also reach out to those organizations that frequently submit requests to educate them about the various regulations governing the process. She also recommends providing them with the healthcare facility’s HIPAA-compliant authorization forms.
“Education is really the key when dealing with [ROI],” she says, adding that it is particularly important for facilities that deal with behavioral health and substance abuse. “It’s not only education, it is also goodwill, good public relations, and it helps their clients in obtaining the necessary PHI [protected health information] for continued care, disability, etc.”
Beyond that, the best way to avoid wrongful disclosure is to have a clearly defined process spelling out the proper protocol for managing requests, including assigning priority levels. For example, Gorton says St. Vincent’s will deal with ROI for treatment purposes first, as those are typically most urgent. It will then prioritize by deadlines and also respond to patients who walk in with immediate needs, such as documentation to support a return to work or school.
Particularly in extremely busy HIM departments, a well-defined process is the best way to prevent the mistakes that can happen when someone becomes distracted by other priorities. That is why Lantis recommends a proactive approach that includes careful monitoring of critical steps in real time.
He suggests starting by documenting the workflow using any number of modeling tools, such as flowcharting or critical pathways. The workflow should include any variations in the process that are particular to specific types of requests.
From there, identify the critical steps and develop criteria and a process for conducting concurrent monitoring of timeliness and accuracy at each of those points.
“In some places, it might make sense to pull a few requests at each stage on a daily basis and examine them against your criteria list. In other places, you can do it weekly,” Lantis says. “But you have to have some kind of process for keeping a handle on it.”
— Elizabeth S. Roop is a Tampa, Fla.-based freelance writer specializing in healthcare and HIT.
The Benefits of Outsourcing
The Association of Health Information Outsourcing Services (AHIOS) reports that nearly 80% of all hospitals outsource release of information (ROI) to vendors that specialize in managing the process—and for good reason. ROI fulfillment is a complex, labor-intensive process that carries significant penalties if managed incorrectly. It also typically falls on busy HIM departments that are already overburdened and understaffed.
“The HIM department is juggling seven different priorities, while the vendor is handling just one,” says Fig Gungor, an AHIOS member and CEO of OneSource Document Management. “We’re not pulling records or billing. We’re focusing on the receipt and release of health information requests. As a result, we’re able to put in safeguards and quality control measures to reduce or eliminate any looming legal issues.”
Vendors are also able to attract and retain specialists who are well versed in regulatory issues governing ROI. Because ROI is their sole focus, vendors also invest in the ongoing education and training of their staffs to ensure that, no matter how odd the request may be, they know how to handle it compliantly and expediently.
For example, MTT Enterprises looks for professionals with a deep understanding of ROI and HIPAA and preferably with HIT credentials. It will then provide any additional training necessary to ensure they are proficient in all the nuances of ROI.
“The ability to know that someone is competent and knows what they are doing is the biggest plus for outsourcing ROI,” says AHIOS member and MTT Enterprises’ CEO Mariela Twiggs, RHIA, CHP, FAHIMA. “We take on the liability, so it’s a win-win situation. Our employees really become part of the organization.”
Extensive training is especially important when it comes to dealing with the customer service issues that can arise when ROI requests require clarification or cannot be fulfilled for any reason. Experienced ROI specialists are also comfortable with collaborating with in-house counsel, which is important when particularly tricky situations arise.
“It’s all about training, understanding, and being confident. You do have everyone trying to circumvent the system and test you, whether it’s an attorney or law enforcement,” says Christine Rys, RHIA, an HIM consultant with Midwest Medical Records Association, Inc. “So if you outsource to a vendor, that vendor needs to partner with legal to make sure they’re on the same page.”
When it comes to selecting an ROI vendor, the primary qualifications to look for are experience and proficiency in handling the types of requests a facility receives most frequently. Also important is a proven track record of working within an environment similar to the client facility.
“For the most part, vendors are offering the same kinds of solutions. The things that vary are the kinds of service the facility can expect,” says Gungor. “Some are looking for a lot of leadership, while others are looking for the vendor to be invisible. The vendor should also be able to demonstrate that their staff is trained, has HIPAA compliance knowledge, and has the experience to process requests with confidence for the hospitals.”
The Need for Certification Standards
Unlike other professionals who fall under the HIM umbrella, there are no industrywide certification standards for release-of-information (ROI) professionals—an oversight some would like to see corrected sooner rather than later.
“There is a crying need in the industry to improve the state of practice when it comes to ROI. … Many who are the front-line people are often trained on the job, and there really is no standard,” says James Lantis, administrative director of HIM for UAB Health System in Birmingham, Ala.
There are clearly defined educational tracks for HIM and certification exams that demonstrate qualifications and competency. However, nothing similar exists for facility-based ROI professionals, who must possess an understanding of regulations governing authorized release and the basic contents of a medical record.
The Association of Health Information Outsourcing Services (AHIOS) does offer certification of its members’ employees. The certified release of information specialist (CRIS) designation is only available to AHIOS member employees who score 80% or higher on an exam that includes a broad range of questions covering the contents of a medical record to the components of a valid authorization for a record’s release. The largest section of the exam tests candidates on what they would do when presented with a variety of hypothetical situations.
Beyond that, most hospitals and vendors do offer their own training, often on the job but also through specialized programs. However, they are not standardized, so the information may not translate from one organization to the next. Further, because ROI positions tend to be hourly and not highly paid, there is little incentive for someone to pursue an education program.
“So the burden really needs to be on the industry,” says Lantis. “We’re the ones who need to perform this function. There really has to be some level of standardization, which would really improve the state of the practice.”