
September 2019

Eight ROI Missteps to Avoid
By Lisa A. Eramo, MA
For The Record
Vol. 31 No. 8 P. 10

Release of information requires nimble moves. Does your team have fancy footwork or two left feet?

The story is the same—only the characters change. Someone wants a copy of a medical record, and they want it as soon as possible. That “someone” could be a patient using the information to improve their health, a payer using it to measure quality, an attorney using it to support an argument for litigation, or a whole host of other entities using it to glean insights or even drive profits.

As HIPAA regulations continue to evolve, the release of information (ROI) process is more complex than ever before. ROI staff must retrieve records from multiple systems within specified timeframes all while keeping track of what information they disclose and to whom they disclose it.

“What used to be a very straightforward copy service has become something far more sophisticated,” says Andrew L. McManus, founder and executive vice president of Verisma. “You need subject matter experts who can really scrub through information to find the correct data points for each request.”

Experts agree that given the complexity of ROI, it’s easy to make mistakes. This article addresses eight common missteps and how to avoid them.

1. Exceeding the Requisite 30-Day Turnaround Time
Under the HIPAA Privacy Rule as amended by the Omnibus Rule, covered entities must act on an individual’s request for access to his or her protected health information (PHI) within 30 days of receiving it. One extension of up to 30 days is permitted, but only if the covered entity tells the requester in writing, within the original 30 days, why it needs more time and when it expects to act. Where state law sets a shorter deadline, the shorter deadline applies.

Hiring sufficient staff—or outsourcing the ROI process to a vendor—is critical because organizations must act quickly as requests come in, says Lesia Peck, MS, RHIA, PMP, CHDA, CHPS, CPHIMS, HIM manager at Grand View Hospital in Sellersville, Pennsylvania. “This was one of the reasons we opted to outsource,” she says. “With the tight regulations in the new rule, we wanted to get our records out in a timely manner.”

Working with a vendor allows organizations to consistently meet the 30-day turnaround time, even when there’s a sudden spike in requests, Peck says.

2. Releasing More Than the ‘Minimum Necessary’
HIPAA’s minimum necessary standard requires covered entities to make reasonable efforts to limit PHI to the amount needed to accomplish the intended purpose of a particular use, disclosure, or request. The standard does not apply to disclosures to the patient, disclosures to a provider for treatment, or disclosures made under the patient’s authorization, which is one reason ROI staff must know which category a request falls into before deciding how much to release.

Organizations continue to struggle with this requirement because they overlook the basics, such as giving requesters the option to identify specific dates rather than the entire record, Peck says. “You need to look at what the requester wants and then provide only what they’re requesting,” she notes.

Payer audits, in particular, can be tricky, says Zachary Perry, CEO of Record Reproduction Services. “The data we’re talking about are some of the most highly regulated data in our country,” he says. “We spend massive amounts of money on building a perimeter around that data to secure it.”

Providing payers with the minimum information necessary to perform the audit—and nothing more—is critical, he adds.

“The challenge is not having the right level of control over this process—not knowing exactly what patient information you’re sending out in response to these audits or not having an effective audit approval process,” McManus says. “When a request comes in, what checks and balances are in place to ensure proper use of patient information?”

Barry S. Herrin, CHPS, FAHIMA, FHIMSS, FACHE, Esq, an attorney at Herrin Health Law, PC, in Atlanta, agrees, adding that some organizations automatically release information to payers for the purposes of quality improvement, even though payers may not be entitled to that information without explicit patient authorization.

“If you’re not getting money as a result of meeting certain quality initiatives, then releasing additional information to an insurer may not technically fall under TPO [treatment, payment, and operations],” Herrin says. Best practice is to obtain the patient’s permission in the Notice of Privacy Practices or put the onus on payers to obtain it as part of their enrollment process, he notes.

3. Having a Decentralized ROI Process
“A centralized approach to ROI supports greater accountability and transparency, both of which are important as more entities seek access to PHI,” McManus says. Centralization could mean using an external vendor to handle all requests or establishing one internal department that handles all requests systemwide. Either way, organizations must be able to answer the following five questions:

• To whom or what entity was PHI disclosed?
• Why was the PHI disclosed?
• When was the PHI disclosed?
• What specific PHI was disclosed?
• Who disclosed the PHI?

Perry says having a centralized ROI process is important as hospitals continue to acquire physician practices. “In physician practices, staff are balancing a variety of tasks,” he says. “They may not have had the latest compliance training, and they are likely not credentialed release of information professionals who understand all of the rules and nuances to those rules. This can potentially present risk to the organization.”

ROI requests for outpatient records are unique in that they may span multiple dates, multiple providers, and multiple EHRs, while requests for inpatient records generally require access to a defined single admission (with clear start and end dates) within a single EHR, Perry says.

Another reason for centralization? It helps ensure consistency across the entire health system in terms of what the organization charges for copies, Peck says.

4. Limiting the Accounting of Disclosures to Patients
Under the HIPAA Privacy Rule, covered entities must, on request, give a patient an accounting of the disclosures of his or her PHI made in the six years before the request. Disclosures of the following types are excluded from the accounting:

• for the purposes of TPO;
• to the patient and to the patient’s personal representative, friends, or family members;
• pursuant to the patient’s authorization;
• as part of a limited data set or facility directory, or as part of incidental disclosure; and
• to law enforcement, correctional institutions (in certain circumstances), or for national security purposes.

The accounting must include disclosures such as the following:

• government-mandated reporting (eg, birth and death, communicable diseases, cancer and other registries, domestic violence and abuse, incident reporting, government discharge, and other planning databases);

• research conducted under an institutional review board or privacy board waiver (for example, if the individual did not sign an authorization); and

• disclosures by business associates that are not for treatment, payment, and health care operations.

Some organizations accidentally omit disclosures that should be part of the accounting—particularly those for subpoenas, court orders, and Joint Commission requests, Peck says.

Even though covered entities are not required to track disclosures for TPO, they may want to start thinking about how they would handle this task, especially in an age of greater ROI accountability, McManus says. “That would be a massive responsibility for providers to capture this activity across their enterprise,” he says.

5. Overlooking Restrictions Set Forth by Patients Who Pay in Full Out-of-Pocket
Under the HIPAA Omnibus Rule, a covered entity must honor a patient’s request to restrict disclosures to his or her health plan, for payment or health care operations, of PHI that pertains solely to an item or service the patient (or someone on the patient’s behalf) has paid for in full out of pocket. (The restriction does not apply where the law requires the disclosure.) This includes scenarios where payers request records for audits, says Herrin, who adds that organizations must be able to flag records in the EHR as ‘privacy protected, paid in full’ so these records are excluded from disclosures.
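The five accountability questions in misstep 3, the accounting rules in misstep 4, and the paid-in-full restriction in misstep 5 describe the same thing from different angles: a disclosure log that records every release and can be queried afterward. The following Python sketch is an added example, not code from the article or from any vendor named in it. Its purpose codes, the patient, the disclosures, and the six-year date arithmetic are constructed for illustration; it leaves out the law enforcement and correctional exceptions, which depend on circumstances the article does not spell out; and in practice the log would live in a database with the audit and integrity controls any PHI store needs.

```python
"""Illustrative ROI disclosure log (added example, not the article's code).
Each entry answers: to whom, why, when, what, by whom. The log blocks payer
disclosures of paid-in-full restricted items and builds the six-year accounting."""
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Dict, List, Set, Tuple


class Purpose(Enum):
    """Constructed purpose codes for this example."""
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"                  # a payer quality audit lands here
    TO_PATIENT = "to_patient"
    PATIENT_AUTHORIZATION = "authorization"
    LIMITED_DATA_SET = "limited_data_set"
    NATIONAL_SECURITY = "national_security"
    MANDATED_REPORTING = "mandated_reporting"  # registries, communicable disease
    RESEARCH_WAIVER = "research_waiver"        # IRB/privacy board waiver
    SUBPOENA = "subpoena"
    ACCREDITATION = "accreditation"            # eg, a Joint Commission request


# Exempt from the accounting of disclosures (the article's exception list).
# Law enforcement/correctional disclosures are exempt only in some
# circumstances, so this example leaves them out.
EXEMPT_FROM_ACCOUNTING: Set[Purpose] = {
    Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS, Purpose.TO_PATIENT,
    Purpose.PATIENT_AUTHORIZATION, Purpose.LIMITED_DATA_SET, Purpose.NATIONAL_SECURITY,
}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    recipient: str          # to whom
    purpose: Purpose        # why
    disclosed_on: date      # when
    items: Tuple[str, ...]  # what, by document or encounter
    disclosed_by: str       # who


@dataclass
class PatientRecord:
    patient_id: str
    # Items the patient paid for in full and restricted from the health plan
    # (the article's "privacy protected, paid in full" flag), tracked per item
    # so unrestricted encounters still flow to the payer.
    restricted_paid_in_full: Set[str] = field(default_factory=set)


class RestrictionViolation(Exception):
    """A disclosure would breach a paid-in-full restriction."""


def years_before(d: date, years: int) -> date:
    """Same calendar day `years` earlier; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


class DisclosureLog:
    def __init__(self) -> None:
        self.entries: List[Disclosure] = []

    def disclose(self, record: PatientRecord, d: Disclosure, to_health_plan: bool) -> None:
        """Log a disclosure; refuse payer payment/operations disclosures of
        restricted items (a payer audit is operations). Treatment is unaffected.
        TPO disclosures are still logged even though the accounting omits them."""
        if to_health_plan and d.purpose in (Purpose.PAYMENT, Purpose.OPERATIONS):
            blocked = record.restricted_paid_in_full.intersection(d.items)
            if blocked:
                raise RestrictionViolation(f"{sorted(blocked)} restricted from {d.recipient}")
        self.entries.append(d)

    def accounting(self, patient_id: str, as_of: date) -> List[Disclosure]:
        """Non-exempt disclosures for one patient in the six years before as_of."""
        start = years_before(as_of, 6)
        return [d for d in self.entries if d.patient_id == patient_id
                and start <= d.disclosed_on <= as_of
                and d.purpose not in EXEMPT_FROM_ACCOUNTING]


def demo() -> Dict[str, object]:
    """Constructed walk-through for one patient; returns values a test can check."""
    log, today = DisclosureLog(), date(2019, 9, 1)
    pt = PatientRecord("P-1001", restricted_paid_in_full={"visit 2019-02-14"})

    def send(recipient, purpose, on, items, to_health_plan=False):
        log.disclose(pt, Disclosure("P-1001", recipient, purpose, on, items, "roi.user1"), to_health_plan)

    send("Dr. Example (PCP)", Purpose.TREATMENT, date(2019, 3, 1), ("discharge summary 2019-02-28",))
    send("County Court", Purpose.SUBPOENA, date(2018, 6, 10), ("ED record 2018-01-05",))  # often omitted
    send("State cancer registry", Purpose.MANDATED_REPORTING, date(2012, 5, 1), ("pathology 2012-04-30",))
    try:  # payer audit that asks for the restricted visit is refused before anything is sent
        send("ExamplePlan", Purpose.OPERATIONS, today, ("visit 2019-02-14", "visit 2019-03-20"), True)
        blocked = ""
    except RestrictionViolation as exc:
        blocked = str(exc)
    return {"logged": len(log.entries),
            "accounting_recipients": [d.recipient for d in log.accounting("P-1001", today)],
            "blocked": blocked,
            "window_start": years_before(today, 6).isoformat()}
```

Two design points carry over to a real system. The restriction check runs before the entry is written, so a refused payer audit never produces a disclosure to account for; and treatment, payment, and operations releases are logged even though they are filtered out of the accounting, which is what makes the “should we start tracking TPO?” question in misstep 4 a reporting change rather than a new data-collection effort.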

6. Not Distinguishing Between Patient and Third-Party Requests
Making this distinction determines what the organization may charge. For a patient’s own access request, HIPAA limits the fee to a reasonable, cost-based amount covering only the labor for copying, the supplies (eg, paper or portable media), and the postage involved in fulfilling the request. An organization that does not want to calculate its actual cost may instead charge a flat fee of no more than $6.50 for an electronic copy of electronically maintained PHI. Requests that third parties make on their own behalf are not subject to this access fee limit, and organizations may charge them the maximum fee allowed by state law.

OCR’s 2016 guidance on individuals’ right of access muddies the waters because it states that the reasonable cost-based fee limitation applies “regardless of whether the individual has requested that the copy of PHI be sent to herself or has directed that the covered entity send the copy directly to a third party designated by the individual (and it doesn’t matter who the third party is).”

However, the guidance goes on to state, “Where the third party is initiating a request for PHI on its own behalf, with the individual’s HIPAA authorization (or pursuant to another permissible disclosure provision in the Privacy Rule), the access fee limitations do not apply.”

“The guidance continues to cause confusion throughout the industry,” McManus says. “Many third-party entities, especially those that represent patients, have interpreted this guidance to mean that any request, regardless of purpose, [will] be treated as a patient access request. This includes standard third-party requests with an accompanying patient-signed HIPAA-compliant authorization form.”

This likely wasn’t OCR’s intent, he says, citing several examples in the guidance that point toward health care–related scenarios (eg, a patient requesting a copy of her discharge summary be sent to her primary care physician or a patient asking her OB/GYN to digitally transmit records of her latest prenatal visit to a new pregnancy self-care app that she has on her mobile phone).

“The issue is that this all leads to serious inconsistency on how record requests are handled across the country, resulting in an economic disparity where certain requesting third parties get access to patient records at a different financial scale than others,” McManus says.

Danielle Wesley, Esq, vice president and general counsel at MRO, agrees. “Attorneys argue that they represent the patient, but that was never the intent behind patient access,” she says. “ROI companies are doing their best to combat this, but the problem lies with the retrieval companies and attorneys that are dead set on getting records for commercial purposes. They want the records at a discounted rate, and they’re manipulating the system and OCR guidance in order to do that.”

Attorneys aren’t the only ones making third-party requests, Wesley says, citing data aggregators and record retrieval companies that obtain records at one price and then resell the information at a higher price as others that are using the practice.

Wesley says it’s not uncommon for record retrieval companies to bypass the HIM department altogether and go straight to the compliance and legal departments. The hope is that these other departments will put pressure on HIM staff to produce the records.

“People who are manipulating the system are being trained on how to do this,” Wesley says. “Training needs to be provided to the HIM world and everyone in the health system to combat this.”

She says it’s not uncommon for third-party entities to threaten organizations with an OCR complaint before anyone has an opportunity to respond to the request. “Rather than let an attorney or record retrieval company call and harass your staff weeks on end about this, the best thing to do is contact the OCR and ask them to deal with it. That’s the only thing that will get this issue before the OCR,” Wesley says.

The industry needs the OCR to provide an explicit definition of a third-party entity, Perry says. Is the definition truly limitless, or does it include only health care–related entities?

In the meantime, if there is a question as to the authenticity of the request, ROI staff may contact the patient and ask several questions for clarification, says Rita Bowen, MA, RHIA, CHPS, CHPC, SSGB, vice president of privacy, compliance, and HIM policy at MRO. For example, consider the following:

• Did you authorize this request?

• Do you understand that we will release our designated record set that includes clinical and financial information?

• Do you understand how the third-party entity will use your data?

• Do you know whether the third-party entity will protect your data? Under HIPAA, they are not required to do so.

“Covered entities and business associates are subject to HIPAA, but anyone who falls outside of this umbrella isn’t subject to HIPAA, and rules start to change,” Perry says. “They don’t have the same obligations and responsibilities. I don’t think all patients understand this.”

7. Neglecting the Patient Portal
Experts agree that portals provide a path to quickly release information to patients. However, when using a portal, organizations should follow these best practices:

• Encrypt the portal. In practice this means TLS on every connection to the portal and encryption of the portal’s own data stores, not only the EHR database behind it; a portal hosted separately from the EHR inherits none of the EHR’s protections. This may seem obvious, but Herrin says some organizations forget or incorrectly assume that because the EHR is encrypted, the portal is automatically receiving the same protection.

• Consolidate portals. As organizations become more integrated, multiple portals could exist (eg, one for the hospital, one for the urgent care center, and one for the physician practice network). Moving to a single portal with robust functionality (eg, the ability to order and receive records virtually) reduces complexity from a security standpoint and adds to an improved self-service patient experience, McManus says. “It all goes back to control management and ease of use for the patient,” he says.

• Obtain and retain proxy forms. “This allows you to validate authorization for access to an individual’s record,” Peck says.

8. Ignoring Key Performance Indicators
Peck says that establishing KPIs helps organizations stay on track in terms of HIPAA compliance and turnaround time. They also provide insight in terms of ROI staffing and budgeting, she adds.

Peck recommends implementing the following KPIs:

• total number of monthly requests systemwide and by setting (eg, hospitals vs physician practices);

• total number of monthly requests from patients vs third-party entities;

• total number of monthly requests from Medicare vs commercial payers (including a breakdown by specific payers); and

• turnaround time by request type (eg, for patient personal use vs continuity of care vs legal requests vs insurance requests).

Avoiding these eight ROI missteps helps organizations ensure compliance while also meeting patient demands, Perry says. “Everyone in the ecosystem should do their part to make sure information is flowing as freely as possible but that it flows in a compliant and secure way,” he says.

— Lisa A. Eramo, MA, is a freelance writer and editor in Cranston, Rhode Island, who specializes in HIM, medical coding, and health care regulatory topics.