By Mariela Twiggs, MS, RHIA, CHP, FAHIMA
Release of information (ROI) is a complex job in HIM. There are numerous competencies that need to be mastered amid various regulations, facility protocols, EHR systems, document management systems, billing systems, picture archiving and communication systems, protected health information (PHI) disclosure management platforms, and more. Having well-trained ROI staff is critical to protecting patient privacy and avoiding missteps that can put provider organizations out of compliance, facing fines, reputational damage, and even imprisonment.
That said, it takes time to adequately train ROI staff. A typical training profile will include the following:
• HIPAA, including privacy, security, breach notification, patient rights, and federal vs state law decision-making and authorization requirements;
• federal drug and alcohol abuse regulations;
• state laws addressing sensitive records such as adoptions, genetic information, HIV/AIDS, mental health, sexually transmitted diseases, and substance abuse, as well as special situations such as decedents, minors, and powers of attorney;
• other laws such as the Genetic Information Nondiscrimination Act, the Family Educational Rights and Privacy Act, and now the General Data Protection Regulation;
• HIM department functions;
• health records covering common documents, encounters, and media types;
• facility systems such as master patient indexes, EHRs, paper records, and other systems storing PHI;
• designated record set and legal health record;
• types of requests including court orders, disability, government agencies, insurance, internal, law enforcement, legal, patient, postpayment audits, research, subpoenas, and treatment; and
• customer service and professional communications.
For many years, the industry lacked an effective methodology to evaluate ROI competencies. However, when the Association of Health Information Outsourcing Services (AHIOS) was formed in 1996, one of its first initiatives was to create a Certified Release of Information Specialist (CRIS) certificate. The CRIS exam is a rigorous test that evaluates ROI staff knowledge on how to protect the confidentiality of patient health information when that data are released to requesters. Employees or clients of AHIOS member companies may take the CRIS test if they have worked in ROI for at least six months prior to taking the test, although the waiting period is waived for AHIMA-credentialed members.
The CRIS test, which consists of 100 questions, is divided into the following sections: medical records theory, ROI theory, HIPAA, standard definitions, and application. It includes a broad range of questions covering everything from the contents of a medical record to the components of a valid authorization for a record’s release. The largest section of the exam asks test takers what they would do when presented with a wide variety of hypothetical situations. The following is a sample question:
A female patient has expired in your hospital. Your state law specifies that in the case of a deceased patient, all the following individuals may have equal access to the patient’s records: executor of the estate, administrator of the will, surviving spouse, surviving parents, and surviving children. She was a widow with two daughters, Sally and Beth. Both daughters admitted their mother into the hospital and are listed in the record as next of kin. Beth is the executor of the will. Sally calls you, explaining that the sisters are amid an argument concerning their mother’s will. She asks you to copy the records for her (she offers to come in to sign the release) and asks that you deny disclosure to her sister, Beth. You should tell Sally:
a) To write a letter stating why Beth should not have access to the information.
b) To bring proof of her identity for the records before she picks them up.
c) That Beth has a right to receive a copy of the records as executor and as a surviving child.
d) B and C.
The correct answer is “d.”
The CRIS test is not easy. Those receiving a passing grade of 80% or higher will receive the designation of a CRIS, which indicates mastery of ROI core competencies. The test is updated every two to three years; a new version is expected to be released this summer. There is an accompanying handbook, which outlines the material covered on the test with sample test questions. The CRIS certificate program is the gold standard in the ROI industry, with more than 2,500 individuals participating in the program over the last 10 years.
Because the ROI process is complicated and the liability threats so significant, it’s vital that provider organizations evaluate the ROI competencies of their staff. The CRIS test is a powerful tool that HIM departments can use if they are a client of an AHIOS member to ensure that staff are able to think through the complex situations in a complex job. Using the CRIS test to evaluate ROI competencies is a best practice that every provider organization should consider to protect patient privacy and mitigate risk. More information about the AHIOS Institute and the CRIS test are available at www.ahios.org/ahios-institute.
— Mariela Twiggs, MS, RHIA, CHP, FAHIMA, is education chair at the Association of Health Information Outsourcing Services and director of motivation and development at MRO Corporation.
The views and opinions expressed in this article are those of the author and do not necessarily reflect or represent the views, opinions, or policies of MRO Corporation.