E-News Exclusive

Where EHRs Hit a Wall in the HIM World
By G. Michael Bellenghi

As healthcare begins adjusting to all the changes created by ongoing healthcare reform, new sets of HIM-related issues arise. One of these issues involves the release-of-information (ROI) process. The perception may be that fulfilling an ROI request is made significantly easier by the existence and usage of both EHRs and legal health records (LHRs). The reality is that the addition of technology and related regulations complicates the ROI process.

One reason healthcare organizations maintain an LHR—also known as the business health record or postdischarge health record—is to adhere to ROI requests made by authorized requestors. However, there are very complex processes that must be followed to legally provide any portion of an LHR, which requires significant human oversight. Few outside the HIM arena know the full levels of intricacy and risk involved in providing medical records. There are critical, time-sensitive, and strictly regulated steps by which well-trained HIM specialists must abide to ensure that both patient information is protected and healthcare organization liability is minimized.

The Five Roadblocks in the ROI Process

Roadblock 1: Multiple Databases
An EHR is composed of data from multiple databases, including clinical documentation, laboratory, radiology, and e-prescribing. This presents a paper-chase challenge that most ROI specialists tackle using a variety of well-established procedures.

All protected health information must be assembled into a specific format to create an LHR. When an ROI request is made, a trained specialist first verifies the request to ensure it is legitimate. Then the specialist works to gather all patient information from all databases, compile it, and track it into one record. This is a manual process and would be difficult, if not impossible, to do electronically.

Roadblock 2: Federal Regulations
When an ROI request is processed, each documentation page must be carefully reviewed to ensure that no legally protected information is released without the patient’s authorization. Steps must also be taken to quality review the documentation, making sure there are no misfiled reports belonging to other patients. These steps are the most critical and time-consuming part of the ROI process.

To protect patient privacy, there are many state and federal laws and regulations that govern exactly how, what, when, and to whom protected health information can be released, the most important of which is the HIPAA Privacy Rule, which ensures the utmost level of patient confidentiality. Other rules that HIM professionals handling ROI requests must know include the following:

• The Red Flag Rule: This federal regulation specifically focuses on an organization’s ability to prevent identity theft and medical identity theft. HIM professionals must comply with this at all times to avoid heavy monetary fines and/or other legal action taken against the healthcare organization. In some settings, Social Security numbers are redacted by the ROI professional to prevent identity theft.
• Privacy regulations: Not all conditions are treated equally when it comes to privacy. Without human oversight, it would be impossible to differentiate how medical records that contain sensitive information, such as an HIV diagnosis, should be handled.

Roadblock 3: State Regulations
There are many variations as to what subset of an LHR can be reproduced, depending on the purpose of the request and the statutory and contractual regulations that apply to a specific ROI request. ROI professionals are trained to recognize and act according to the specific state laws and regulations to avoid lawsuits or penalties. As there is no standard uniform state privacy law used by all 50 states, healthcare organizations must develop, implement, and maintain thorough policies and procedures around ROI to ensure that all employees specializing in the ROI process are educated about their state’s specific laws.

Roadblock 4: Third-Party Requestors
Third-party requestors, including authorized parties such as private and commercial payers and attorneys, add another roadblock in the ROI world. These requestors must be logged, verified, and tracked by the ROI professional. The person or entity requesting information must have legal reason to receive the requested information. Evidence of legal authority may require a witness signature or notary public seal on the paperwork submitted with the request. For requests considered routine (rather than an emergency), this may require direct contact with the patient only, and therefore the requesting entity may not be known to the healthcare organization processing the request.

Roadblock 5: Adhering to HIM
HIM professionals must always ensure they are complying with their hospital’s or health organization’s own HIM policies, procedures, and processes. Some of these procedures and policies include redacting Social Security numbers on the pages of the printed or copied medical records and accepting authorizations specifically naming the provider rather than the generic “any healthcare provider.”

Though EHRs are an important clinical tool that significantly enhances the quality of patient care, they do create some difficult situations once they become LHRs in the HIM world. HIM departments need to be staffed with highly trained specialists who possess the necessary knowledge and expertise to complete each request correctly and in a timely manner. One way to guarantee this is to consider outsourcing the ROI function to an HIM outsourcing-specialty company with trained, certified professionals who can handle the entire ROI process for your organization.

— G. Michael Bellenghi is executive vice president of the Association of Health Information Outsourcing Services.