Home  |   Subscribe  |   Resources  |   Reprints  |   Writers' Guidelines

January-February 2021

ROI Report: Get Compliance Efforts in Line
By Diane E. Ferry, MS, RHIA
For The Record
Vol. 33 No. 1 P. 8

To the public and other parties who wish to obtain copies of health records, release of information (ROI) seems simple. However, as HIM professionals are well aware, the process is actually quite complex. There are federal, state, and local legal requirements, plus hospital policies and procedures. In addition, there are multiple IT systems to navigate and what can seem like an infinite number of detailed aspects such as EMR interoperability and information blocking.

Ultimately, each individual request must be completed in a secure, timely, and accurate manner. Easily said. However, the process of releasing protected health information (PHI) is constantly being challenged by security threats, processing delays, and inaccuracies. Failure to meet those challenges can adversely impact a patient’s treatment, violate HIPAA standards for release of PHI, and lead to legal proceedings.

HIM professionals are the gatekeepers of health information. However, HIM must also be the enablers of secure, timely, and accurate ROI. To achieve that goal, technology and collaboration can help improve ROI processes.

There should be no reason for delays in releasing health information and yet we hear stories every day of patients who experience extraordinarily long waits to receive their information or who go for a second opinion and are not able to be seen because their medical records have not yet been received. Also, there are instances when a provider of continuing care is unable to read a CD and the patient is sent home untreated. There are also instances of careless ROI that discloses PHI to unauthorized persons or organizations and of ROI comingled with records. These stories are all too common.

The Cures Act
We are the gate keepers of the information. However, we must be the enablers of information flows when needed. We cannot block information. Under the Cures Act, due to take effect April 5, entities will be fined for information blocking, which is defined as a practice that is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.

For an HIT developer, exchange, or network, it is information blocking if it knows or should know that a practice is likely to interfere with, prevent, or materially discourage the access, exchange, or use of electronic health information. For a health care provider, it is information blocking if it knows that such practice is unreasonable and is likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.

The Cures Act defines interoperability as HIT that does the following:

• enables the secure exchange of electronic health information with, and use of electronic health information from, other HIT without special effort on the part of the user;

• allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable state or federal law; and

•does not constitute information blocking.

Information blocking has become a real issue in ROI. HIM professionals must ensure that correct health information flows to where it is needed without holding it up and thereby being responsible for information blocking. The “Open Notes” rule requires that patients be provided access to all the health information in their EMR without charge by their health care provider.

Accurate release is essential, too. Accuracy covers a number of things, but most importantly the focus is on the accuracy of releasing the correct patient documents to fulfill the request. This includes a correct authorized requestor, the correct patient, the correct records, the correct dates of care, the correct recipient address, and the correct release medium.

Components of Authorized Requests
Adhering to the basics helps ensure secure, timely, and accurate ROI. First, the authorization form must be HIPAA compliant. Most hospitals have HIPAA-compliant authorization forms, but many physician offices do not. Some industry experts believe this disparity could be remedied by the adoption of a universal HIPAA-compliant authorization form. This would alleviate many issues that cause delays in the ROI process. It would also provide faster access to requestors.

Many insurance companies have asked for a universal authorization form. Inasmuch as they request health information from just about all health care facilities, they find that each facility has its own authorization form and ROI requirements. This causes delays, confusion, and errors.

Is it possible to agree on one authorization form to be used by all health care facilities/providers? Although past efforts have not gone well, it may be worthwhile to take another look at possible solutions.

To satisfy those health care facilities that insist that their own wording be on the authorization form, perhaps space could be allocated on a universal form to accommodate their wishes. If every care provider and authorized requestor can be assured of compliance with legal requirements and protection from liability through use of a universal form, acceptance will likely follow.

HIPAA-Compliant Authorization
Each HIPAA-compliant authorization for ROI should contain the following:

• the name of the facility that is releasing the information;

• the health care provider’s address;

• the name of the individual/facility/organization to receive the information;

• enough information to accurately identify the patient;

• the purpose for which the information is to be used (The statement “at the request of the individual” is sufficient.);

• specificity of the information to be released, including dates of care and any exclusions;

• the signature of the patient or his/her legal representative;

• the date of signature (The date must be later than the dates for which the information is to be released.);

• the expiration date or statement of expiration of the authorization;

• a statement of the individuals’ right to revoke the authorization; and

• identification of the format/medium (such as paper, CD, or flash drive) that the records are to be released in.

Another aspect is “sensitive” information. What does your facility consider to be sensitive diagnostics? Most hospitals consider the following to fall into that category:

• HIV/AIDS testing, results, and diagnostics;

• drug and alcohol testing, results, and diagnostics; and

• mental/behavioral health assessment and treatment.

Some hospitals also include the following:

• genetic testing;

• domestic violence;

• sexual assault; and

• sexually transmitted disease.

The question has been raised about whether additional diagnostics should be included. For example, should another category be created in which patients can identify specific information they do not want shared, such as sexual orientation? Universal standards can be valuable in these matters.

It’s a good idea to place the following statement on an authorization to cover the facility in the event of a sensitive diagnostic slipping through: “This authorization may include disclosure of information related to alcohol, drug abuse, mental health treatment, and HIV/AIDS results.”

The designation of the delivery method is also important. According to HIPAA, patients have the right to choose how they would like to have their information delivered. This includes the following:

• mailed paper;

• mailed encrypted CD;

• pick up;

• encrypted e-mail;

• encrypted CD/DVD;

• encrypted USB or flash drive;

• patient or web portal; and

• fax.

Whatever the delivery method, all health information must be encrypted or sent securely. Some authorization forms include an indication that the information may be sent unencrypted or via nonsecure e-mail, but that strategy is overwhelmingly frowned upon—all PHI should be sent securely.

In terms of patient identification, the following elements are essential:

• name;

• date of birth;

• Social Security number (Only the last four digits are necessary.);
• address;

• telephone number;

• cell phone number; and

• e-mail address.

— Diane E. Ferry, MS, RHIA, is president and CEO of Star-Med.

Do you have questions about ROI processes? How about interoperability? What are your thoughts on a universal authorization for ROI processes? Feel free to send questions and comments to edit@gvpub.com and a Star-Med expert will answer selected inquiries in an upcoming column.

We look forward to hearing from you.