September 26, 2011
By Lisa A. Eramo
For The Record
Vol. 23 No. 17 P. 14
Set your sail in the right direction to stay afloat amid a sea of changing requirements.
Stricter timelines, electronic requests for information, and an increased number of requesters (including auditors) are just a handful of the challenges that HIM professionals face in today’s rapidly changing release-of-information (ROI) environment.
Amid these changes, the ever-present question is: What’s the best way to manage the intricacies of releasing information while also meeting state, federal, and HITECH Act requirements?
Experts agree that these days, ROI management essentially requires some type of software solution to track requesters, timelines, and other specifics. As more patients and third parties request information—particularly when the requests demand information in an electronic format—hospitals better have a plan in place to respond quickly.
“Hospitals that don’t place trained staff with automated technology in the ROI roles are potentially setting themselves up for failure,” says Chad Tillman, vice president of client services at ScanSTAT Technologies.
The timeliness of the release process related to electronic information, in particular, has placed added pressure on hospitals to manage ROI—and manage it well—says Amy Derlink, RHIA, privacy and compliance officer at IOD Incorporated. This is, of course, in addition to ensuring accuracy and protecting patient confidentiality—both of which have always been essential ingredients to a successful ROI process, she adds.
Experts say hospitals should reevaluate ROI management in terms of new regulatory requirements. Consider the following steps that reflect today’s audit-intensive and electronic environment.
Step 1: Enhance Logging and Tracking Processes
Even before HITECH, logging and tracking requests for ROI were of the utmost importance. Now that hospitals are trying to meet meaningful use criteria and recovery audit contractors (RACs) and others are vying for information under strict timelines, it’s imperative that ROI specialists log requests the moment they come in, says Matt Rohs, vice president and general manager of ROI services at HealthPort Technologies, LLC.
“The facility must have an immediate ability to log and start tracking that request so that if there’s any follow-up from the requester, you know when you received the request, what the status is, and if there’s any complications related to it,” he says. “The tracking system should allow you to see the request throughout its stages of evolution until it’s actually fulfilled and then on the back end, allow you to report on the transactions.”
A basic manual tracking system simply won’t suffice, says Derlink. “Tracking systems really need to be much more advanced now, and the technology really needs to be at a higher level that meets the meaningful use, accounting of disclosure reporting capabilities, as well as breach reporting requirements,” she says.
At a minimum, experts say all hospitals should log and track the following information for each request:
• The date the request was received.
• Who or what entity made the request for information. Consider general categories such as compliance (eg, RACs), payment related (eg, commercial insurers and government payers), legal (eg, subpoenas), and patients, says Rohs.
• In what format the information is being requested (eg, paper vs. electronic). Note that if a patient requests electronic copies of his or her own diagnostic tests, problem lists, medication lists, allergies, or procedures list—and this information is stored electronically—hospitals must provide the information within three business days to meet meaningful use criteria.
• The type of information requested. In particular, flag requests for diagnostic tests, problem lists, medication lists, allergies, or procedures list, as these could potentially relate to meaningful use when the information is stored electronically and patients request electronic copies.
• Whether there are any restrictions on the requested information. For example, per HITECH, patients who pay out of pocket for treatment and services have the ability to restrict disclosures to third parties regarding those treatments and services.
• Where the information is stored (eg, on microfilm, off site, on paper, or electronically). Electronically stored information may have implications for meaningful use, depending on the type and format of the information requested.
• The date the request must be fulfilled per state, federal, or HITECH requirements.
• The date the request was completed.
There are many reasons it’s important to log and track requests. For example, tracking the information listed above allows hospitals to generate reports that demonstrate they’ve met meaningful use criteria, says Derlink.
Managing and tracking restrictions, in particular, helps ensure HITECH requirements are met, says Angela K. Dinh, MHA, RHIA, CHPS, manager of professional practice resources at AHIMA. For example, if a patient pays out of pocket for an HIV test, he or she has the right to restrict that information from employers, health insurers, and other third parties.
“Systematically and operationally, this will be challenging. You have to make sure that on every release that you give, this is a restricted item,” Dinh says, adding that the restriction does not apply to continuity of care. Dinh is part of a team of HIM professionals charged with the task of creating a new AHIMA ROI practice brief that will be released later this year. The practice brief will explore ROI in an electronic environment, including productivity, turnaround time, and other operational challenges.
Restricting information poses operational challenges because facilities must implement a mechanism to trigger the restriction, Derlink says. The accounting and/or registration departments will likely need to flag self-pay patients who have specified certain restrictions and ensure that ROI specialists and others understand the patient’s wishes, she adds.
Step 2: Determine the Turnaround Time Requirement
With so many different requesters, keeping track of turnaround time requirements can be a nightmare if not properly managed. Consider the following pointers:
RAC Requests for Information
Hospitals must respond within 45 days of the date on the request letter.
Patient Requests for Information
Per HIPAA, hospitals have 30 days to respond; however, this time frame doesn’t usually promote customer service satisfaction, says Rohs. Instead, a three- to five-day turnaround time for mailed requests is average, and walk-in requests are typically fulfilled that same day while the patient waits, he says.
Tillman agrees. “If a patient or requester perceives that a hospital cannot efficiently manage a simple request for PHI [protected health information], they begin begin to question other aspects of the care they’ve received,” he says.
Accounting of Disclosures
Per HIPAA, hospitals have 60 days to respond to a request for an accounting of disclosures with a 30-day extension, if needed. However, per the proposed accounting of disclosures under HITECH regulation dated May 31, 2011, hospitals will have only 30 days to respond to this type of request with a 30-day extension, if needed, says Dinh.
Requests Related to Meaningful Use
If hospitals are trying to meet meaningful use criteria, they must provide electronic copies of diagnostic tests, problem lists, medication lists, allergies, and procedures list within three business days, assuming this information is stored electronically, says Derlink. If a patient requests other types of information (not pertaining to meaningful use), hospitals technically have 30 days to respond (per HIPAA) or fewer if the state regulation is more stringent.
Because of the abbreviated turnaround time, consider separating requests related to meaningful use from other types of requests, says Derlink. This not only helps ensure efficiency, but it can also help in terms of tracking meaningful use criteria. “If your system is not able to track [the information] the way you need it to, you’re going to be doing a much more cumbersome calculation,” she says.
“We’re going to make every attempt to provide the complete request even if part of the request falls out of the [meaningful use requirements],” says Don Hardwick, director of compliance and field operations at MRO Corp. “We, as a company, are trying to keep the patient’s best interests in mind as well.”
Other Requests and Timelines
Attorney-issued subpoenas will also include specific turnaround times, as will commercial insurers and others, making it important to pay attention to each request’s requirements, says Rohs.
ROI specialists should generate a “pending” report at the end of each day to ensure they didn’t inadvertently overlook any requests that should have been fulfilled that particular day per the turnaround time requirements, says Tillman.
Step 3: Validate Authorization and Retrieve Information
“I don’t really see anything changing in light of HITECH. HIPAA really defined what is required of a valid authorization, and the HITECH rule just simply put in place the breach notification process and the electronic delivery piece. It didn’t change what’s required to gain access,” says Derlink.
However, what will change is that patients and others may start requesting electronic copies of information. Per HITECH, patients are entitled to a copy of their medical record in an electronic format, if requested, when the hospital uses an EMR regardless of whether the hospital is trying to meet meaningful use criteria. If the hospital is not trying to meet meaningful use criteria, the three-business-day turnaround time won’t apply; however, the 30-day time frame per HIPAA (or fewer days if the state regulation is more stringent) will be applicable, says Derlink.
Hardwick says the demand for electronic copies hasn’t yet caught on. Of the thousands of requests that MRO processes per month, few have asked for electronic delivery.
Experts say the bottom line is that hospitals need to devise a way to provide electronic copies of information. Consider the following options:
• encrypted CD, DVD, or thumb drive;
• encrypted e-mail;
• patient portal;
• health information exchange; and
• an e-delivery model in which recipients receive an alert when the information is available to download, print, or burn to a CD. The recipient receives a separate confidential e-mail regarding the password to gain access to the information.
As part of the validation process, ROI specialists need to verify that the recipient has the electronic capability to receive the information, says Dinh. For example, if a hospital chooses to send an encrypted e-mail, someone must call to verify that the recipient has the technological capability to receive the e-mail. Likewise, if a patient requests that information be sent on a CD or flash drive to another provider, an ROI specialist will need to verify whether the provider has the capability to view the information.
Because information can be stored in various media, it’s important that ROI specialists can easily identify the source of the information in a timely manner, says Rohs. The master patient index should include a comprehensive record of the types of patient visits and dates so the ROI specialist can identify where the information likely resides, he adds.
Step 4: Devise a Plan to Handle Accounting of Disclosures
In addition to requesting information electronically, patients may also want to know who accessed their information and why. The accounting of disclosures proposed rule allows patients to request one or both of the following, says Derlink.
An Accounting of Disclosures Report
As proposed, hospitals should be able to generate an accounting of disclosures report for these specific reasons: public health activities, judicial and administrative proceedings, law enforcement activities, military and veterans activities, in order to avert a serious threat to health or safety, workers compensation, government programs providing public benefits, and impermissible disclosures of which a covered entity had not already informed the individual in accordance with the HITECH breach notification rule.
Accounting of disclosures excludes treatment, payment, and operations (TPO) as well as disclosures concerning victims of abuse, neglect, or domestic violence; health oversight activities; research purposes; decedents to coroners, medical examiners, and funeral directors; cadaveric organ, eye, or tissue donation purposes; disclosures for protective services for the President and others; and disclosures required by law.
As proposed, the accounting for each disclosure must include the following:
• the date of the disclosure (or approximate date or period of time for each disclosure, including a minimum of the month and year) or a descriptive date (eg, within 15 days of discharge);
• the name (and address, if known) of the entity or person who received the protected health information;
• a brief description of the type of information disclosed; and
• a brief statement of the purpose of the disclosure (or a copy of the written request for the disclosure).
An Access Report
As proposed, hospitals should be able to generate an access report that identifies each individual who has accessed the electronic designated record set regardless of whether the individual is a member of the covered entity’s workforce or an outside third party. The access report should identify the date, time, and name of the person or entity accessing the information. It should also provide a description of the information that was accessed and the user’s action to the extent that the information is available.
According to the proposed rule, “The right to an access report would provide information on who has accessed electronic protected health information in a designated record set (including access for purposes of treatment, payment, and healthcare operations), while the right to an accounting would provide additional information about the disclosure of designated record set information (whether hard-copy or electronic) to persons outside the covered entity and its business associates for certain purposes. … The intent of the access report is to allow individuals to learn if specific persons have accessed their electronic designated record set information (it will not provide information about the purposes of the person’s access). In contrast, the intent of the accounting of disclosures is to provide more detailed information (a ‘full accounting’) for certain disclosures that are most likely to impact the individual.”
The good news is that most EHRs already track access for TPO through their audit logs, so this shouldn’t be an operational burden for hospitals, says Derlink. However, hospitals may need to update their Notice of Privacy Practices and educate employees that patients can request an accounting of disclosures or an access report, she adds.
“If a patient requests an accounting of disclosures, they’re only going to get access to information that they did not already authorize to be disclosed,” says Derlink, adding that disclosures for TPO are specifically excluded from the accounting of disclosures requirement.
Although most patients don’t yet realize they can request an accounting of disclosures—and potentially an access report for TPO—it’s only a matter of time before the public becomes more aware, says Hardwick. “My guess is that for the first six months to a year, it will be fairly limited, and then it will evolve,” he says.
“Here’s the writing on the wall: These regulations are not going to get less stringent, so it behooves the facilities to get on board with making sure they have all of their T’s crossed and I’s dotted when it comes to disclosures,” Hardwick adds. “If they don’t, they’re going to create a liability issue for themselves.”
Step 5: Charge for Copies
Most states have regulations that govern what hospitals can charge for copies of medical records made for third-party requests, says Rohs.
“What HIPAA requires is that if a patient requests a copy of their medical record, you can require that they compensate you for the costs associated with producing it, but you can’t charge a search-and-retrieval fee. You can only charge a per-page fee that’s consistent with the cost associated with producing the request,” he says. “So you must essentially have some documentation in place that shows that you have evaluated what the costs are associated with producing a request and, if you’re going to charge patients for their copies, have a basis to support that.”
However, under proposed modifications under HITECH, when a facility uses and maintains an EHR and the patient requests a copy of the record in an electronic format, the hospital is able to charge labor costs.
The phrase “labor cost” has yet to be defined; however, hospitals can get an idea of what this might entail by using a simple mathematical formula, says Derlink. Divide the average number of requests processed within an hour by the actual labor costs, ie, the average employee’s hourly rate to process the request as well as a percentage of their benefits and overhead costs, she says.
“As an ROI vendor, we know that the labor cost involved in providing release-of-information services is great as far as the steps involved,” says Derlink. “Very generally speaking, you’re looking at the logging and tracking, the verifying of the request, releasing only authorized information, safeguarding your sensitive information, as well as retrieving the pertinent info from the EHR, and then completing that information and releasing it in the most confidential and efficient format.”
Hospitals may require prepayment before providing copies of information; however, most hospitals choose to release a copy of the information along with an invoice, says Rohs. When invoices remain unpaid, follow-up is necessary to ensure payment. This can be both time consuming and expensive, he says.
“The average invoice for ROI is about $40, which isn’t a significant amount for a large healthcare facility, but you’ve got to set up a relatively intense collection process for low-dollar invoices. That’s truly one of the best reasons to outsource. An outsourcer is going to have a tremendous incentive to collect $40 whereas a healthcare facility may not be able to expend the time and resources to follow up,” Rohs says.
— Lisa A. Eramo is a freelance writer and editor in Cranston, R.I., who specializes in healthcare regulatory topics, HIM, and medical coding.