This article is published in sponsorship with Ciox.

Compliance is always a critical component of medical record release, but the importance of a best-in-class compliance program is highlighted in environments like the COVID-19 pandemic when providers are faced with rapidly changing regulatory policies. Take for example the recent Centers for Medicare and Medicaid Services (CMS) policies to allow providers flexibility so they can focus attention on COVID-19 care delivery. One policy was the waiver of a Condition of Participation related to Patient Rights, that “the patient has the right to access information contained in his or her clinical records within a reasonable time frame…” While there may be temporary policies enacted, it’s important to understand that the HIPAA Privacy Rule, the HIPAA Security Rule, and the confidentiality provisions of the Patient Safety Rule are still in effect. A solid compliance framework is critical in these situations to ensure compliance with all applicable rules and regulations.

Compliance in health information management (HIM) serves several functions—it is critical in supporting patient rights, building trusted relationships with patients, and protecting providers from potential corrective actions by regulatory bodies. A best-in-class program is built on five critical components that ensure success in achieving HIM compliance.


Unfortunately, given the complexity in policies and processes for HIM and release of information (ROI), compliance incidents or errors are a reality for healthcare organizations. However, not all incidents may rise to the level of an Office for Civil Rights (OCR) reportable breach. That distinction depends on the probability that protected health information (PHI) has been compromised. See the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, for more details.

Providers should expect full transparency into any potential unauthorized disclosures, not just ones that must be reported to OCR. In fact, HIM departments or business associates that report no incidents should attract more scrutiny rather than less. Even as we move to a more automated world, the reality is that human interaction is present in all components of HIM, such as ROI, transcription, and coding. Therefore, the probability of human error will always be present and must be evaluated.

Full and timely transparency into HIM performance provides early indicators of potential complaints in addition to identifying potential areas for performance improvement.


As with most functions, talent and the enabling structure for that talent are critically important for compliance. This importance is heightened given the nuance in processing medical record requests and ensuring adherence to overlapping state and federal requirements.

A centrally accountable compliance team that engages and partners with the rest of the organization is necessary for success. It is not effective for compliance to operate in a silo or be perceived as independent of daily operations. Instead, compliance should be positioned as an integral component of operations and proactively and consistently engage the organization. For example, hosting regular, less formal Q&A sessions with the compliance team helps to reinforce that compliance deserves ongoing attention and makes compliance experts easily accessible for issues as they arise.

In addition to structural enablers, it is important for compliance to have the talent needed, which starts with effective hiring and onboarding. It is unlikely that newly hired medical record request specialists will have the deep subject familiarity needed. This elevates the importance of a thorough onboarding that includes a grounding in policies coupled with on-the-job training and feedback. Knowledge development doesn’t stop with onboarding. Medical record request specialists benefit from daily reinforcement about the importance of compliance as well as ongoing opportunities to both refresh and extend compliance knowledge.

When it comes to refreshing compliance knowledge, best-in-class programs will analyze performance, categorize common challenges, and assign targeted training based on that performance. These types of ongoing, targeted training programs can reduce error rates by over 70 percent.[1] ROI specialists should also be fully aware of their performance and areas where they may need additional knowledge support.

These considerations for compliance talent are relevant regardless of whether a provider chooses to operate HIM in-house or partner with a business associate.


The complexity associated with HIM compliance means that rather than building a one-size-fits-all approach, it is likely more effective to build a compliance program based on thresholding of performance. Like an ongoing training program that continuously assesses team members and offers targeted training, your compliance program should include a baseline assessment of the program's performance to identify the areas in need of greater attention, followed by targeted actions to improve the performance and effectiveness of your compliance initiatives.

As performance improvements are implemented, regular assessments should be conducted, without losing sight of your baseline, to measure the success of your program over time and to continuously identify further improvements that allow for continued refinement of the compliance program. If you work with a specialized HIM compliance vendor, you have the benefit of their ability to conduct this thresholding across a wide portfolio of providers. Understanding how a provider’s performance compares to peers helps to further refine and improve the compliance program and overall performance.

In addition to comparing performance against prior performance and peers, best-in-class compliance programs should regularly conduct in-depth privacy assessments through both on-site and desk audits that utilize the methodology OCR developed as oversight for HIPAA Privacy regulations. Beyond just identifying issues, privacy assessments should also provide a detailed action plan so the organization can ensure it is continuously improving its overall compliance.


Compliance programs must stay abreast of federal and state regulations governing access to clinical information. It has become more important for best-in-class compliance programs to be topical, staying ahead of relevant policy discussions. This is in part due to the recent focus on patient access to medical records, particularly through third-party apps, as well as concerns about privacy as parties that are not covered entities gain increasing access to sensitive health information.

In March 2020, the Office of the National Coordinator for Health IT (ONC) and CMS finalized rules to support patient access to health data and health data system interoperability. These rules increase the complexity of compliance for HIM by detailing information blocking requirements that layer on top of HIPAA requirements. While final enforcement dates are uncertain in the midst of a focus on COVID-19 response, compliance departments should be proactively educating and planning within their organizations and defining a path to ensure compliance.

In addition to these rules, with their December 2018 request for information (RFI) on potential revisions, OCR has set the stage for an update to HIPAA. Privacy legislation has also been a frequent topic of discussion. In the wake of the California Consumer Protection Act, there have been calls for comprehensive legislation to avoid another complicated patchwork of state regulations. Since January 2019, thirty-seven (37) bills have been introduced in Congress that address privacy. Seven (7) of these bills deal explicitly with health data though many others have health data implications. While there may not be imminent action on privacy legislation, it will likely remain a popular topic and any action would have meaningful implications for HIM.


Historically, HIM has been primarily paper-based, but as records have been digitized and consumers are also increasing their desire to interact with health data digitally, HIM must evolve as well. A foundational enabler for a best-in-class compliance program is a technology platform that provides robust support for elements like transparency and thresholding. An additional benefit of a technology platform is the ability to integrate compliance and security.

While exchange of health information via application programming interfaces (APIs) is still developing and certified EHR technology will not need to include that capability until at least 2022, forward-thinking compliance programs should be building the foundational elements now. A technology platform that allows HIM to continue to manage paper-based needs while also building the path for digital data requests is a marker of best-in-class compliance programs that will remain relevant.

Compliance will remain a critical challenge for HIM, and complexity is only increasing as expectations for HIM and interest in health information intensify. Establishing a compliance program framework with these five components will help providers deliver excellence in health information management.

[1] Based upon Ciox tracking of results from a proprietary ROI training program over eight months with over 1,500 participants.

Ciox Health, a leading health technology company, is improving patient health by transforming clinical data into actionable insights. Combined with an unmatched network offering ubiquitous access to healthcare data, Ciox’s expertise, relationships, technology and scale make a difference for healthcare stakeholders and empower greater health for patients. To learn more:
