By Angela Rose, MHA, RHIA, CHPS, FAHIMA, and Don Hardwick
As demands to share patient information continue to evolve, health information management (HIM) leaders face multiple challenges related to the complexities of release of information (ROI). This article focuses on common mistakes that slow down the ROI process and provides best practices for HIM directors managing internal ROI teams. Priorities include staff efficiency, workflow optimization, and process control.
Deficiencies in the ROI Process
Deficiencies such as missing signatures, invalid dates, and inaccurate demographic data lead to a series of communications with the requesting party. This requires additional time, work, and resources to get the request out the door effectively. Incomplete or inadequate ROI requests like this occur frequently, causing processing delays that prevent the compliant and timely release of information.
Technology can help or hurt depending on how records are set up within a system and where information is located. Some electronic health records (EHRs) expedite the ability to release information if records are electronically aggregated via templates that enable automatic extraction of data.
Without that capability, EHRs can slow the process and delay turnaround time. This can occur with physician practices that still rely on a fax request or phone to request information from the hospital.
Policies and Procedures
Given the rapid pace of change in federal and state rules and regulations, healthcare organizations are challenged to develop and update ROI policies and procedures accordingly. Consider these questions:
- When was the last time you looked at your ROI policies and procedures?
- When was the last time you looked at workflow of your ROI processes?
- Are your technologies, workflows, policies, and procedures current with federal and state laws?
- Can your EHR process ROI requests accurately and efficiently?
- What are your policies around managed care?
- Does your managed care contract language specifically address charges for record copies?
- When was the last time your education and training materials were reviewed and updated?
If policies and procedures are not current and complete, organizations are at risk of increased payer audits, noncompliance, lost revenue, and breach, among many other concerns.
Staff Education and Training
In a constantly changing regulatory environment, ongoing training and education for ROI staff is critical. How often do you provide training and retraining to keep up with changes? Internal HIM departments may have a limited number of employees and insufficient resources for training on new laws and regulations.
ROI can be extremely complex. What is the escalation pathway for difficult ROI questions or decisions that need to be made? With mounting pressure to ensure compliant disclosure of protected health information (PHI) as efficiently and securely as possible, creating sufficient time for education and training can be a challenge. Here are several recommendations:
- Map out a training schedule for each employee based on roles or employment level. For example, management might need general training annually to provide education on the basics, whereas a frontline employee would require thorough and detailed training more frequently.
- Provide a timetable and set expectations so employees can plan ahead to build training into their schedules.
- Incorporate multiple training methods that offer flexibility for employees and accommodate individual learning styles. Virtual training allows employees to complete training at their convenience. In-person training offers a more human touch with real-time interactions.
Top HIM Concerns
A nationwide survey of senior HIM professionals affirms that increased requests for access to and exchange of health information, compounded by stringent compliance regulations, present multiple challenges for HIM leaders.
Large volumes of government and commercial payer audits. There has been a steady increase in DRG post-payment audits and Health Effectiveness Data and Information Set (HEDIS) and Risk Adjustment reviews. This rising volume of requests from payers heightens the burden on HIM to handle the associated ROI demands.
Enterprise-wide compliance and breach prevention. Privacy and security within a healthcare enterprise are top of mind in an era of regulatory reform and breach. With risks including financial penalties, lawsuits, and reputational damage, HIM leaders are seeking ways to mitigate risk and close compliance gaps.
Patient satisfaction. New privacy rules aim to give patients control over how their information is used and ease their ability to access their records. Situations involving patients’ privacy rights are difficult to navigate. Healthcare organizations must be sensitive and proactive regarding privacy rights and disclosure of PHI.
Privacy, Security, and Compliance Concerns
HIM departments must have competent, reliable resources to mitigate privacy, security, and compliance risk. It is important to follow all requirements by requester type, such as for the patient/patient representative versus an audit, attorney request, subpoena, or court order. Determine the type of information being requested and provide timely and accurate information.
It could be a request for sensitive PHI related to behavioral health or a request for routine lab results. It is important that internal HIM departments have the compliance and legal support required to manage the outcomes of complex requests.
Furthermore, disclosure of PHI from other departments, particularly radiology and the business office, poses significant risk and liability. Those departments typically are not well informed about the ROI process as it is not their core responsibility. With risks including financial penalties and lawsuits, centralized management by HIM is essential to compliant, efficient disclosure of PHI.
Quality Assurance—Any and All Policy
Quality assurance requires verifying that each authorization is valid. For example, make sure that a subpoena or court order comes from your jurisdiction, with the right date and the right signatures.
Also, know your “any and all” policy. Many facilities are choosing to implement a ten-year release policy by which they only release for the past ten years, even though they may have retained all records since their doors opened.
Responding to requests for any and all information is a labor-intensive challenge. There is an increase in any and all requests due to some industry confusion around patient-directed requests (PDRs).
Regardless of requester or request type, always seek guidance from legal counsel, compliance, or the organization’s privacy officer to ensure compliance is met.
As HIM professionals navigate the complexities of the rapidly evolving ROI industry, valuable perspectives are needed to manage multiple challenges. Here are several recommended practices to consider:
Staff efficiency—Know your volumes and appropriate staffing needs. Specialization breeds success—proficiency, productivity, and quality. Allowing staff to focus on one or two functions improves efficiency and accuracy.
Workflow optimization—Establish a system to avoid taking extra steps in the ROI process. Going directly to the source to fulfill the request removes any middlemen. Centralize workflow in one place based on a common set of standards for PHI disclosure.
Process control/quality assurance—Implement enterprise-wide PHI disclosure management. Use technical tools including optical character recognition (OCR) technology to check for quality issues such as comingled records and improper dates of service. Conduct ongoing training and education. Consider a vendor partnership to support a centralized approach.
The views and opinions expressed in this article are those of the author and do not necessarily reflect or represent the views, opinions, or policies of MRO Corporation.
Leave a comment