WHILE MANY WITHIN the healthcare industry are focused on
preventing large, massive data breaches (such as those involving a missing laptop or stolen hard drive), a major component
of HIM practice is safeguarding patients’ personal medical information one chart at a time.
The release of information (ROI) function, the responsibility of
HIM professionals, facilitates treatment, payment, and healthcare operations as well as fulfills legitimate record requests from
patients, auditors, lawyers, and a multitude of quality and research entities. ROI requests have grown in number, and this
increase in requests brings with it increased opportunity for inadvertent privacy breaches from human error, system error, or
Eliminating errors in the ROI process is a key HIM opportunity to protect patients and help covered entities avoid breaches,
fines, penalties, and reputational harm. Doing so requires ongoing assessment and training.
Requests—and Risks—on the Rise
Requests for medical records and protected health information
(PHI) are fueled by increases in the number and types of audits and auditing bodies, the movement to wellness and patient
awareness, and an ever-increasing litigious society.
Beyond these drivers, there are further changes in healthcare
that promote information exchange and increase the inherent
risk of breach such as EHRs, health information exchanges, and
accountable care organizations.
Physical law states that a body in motion tends to stay in motion. Physics applies to electronic information as well. Once PHI
leaves its initial resting spot it tends to remain in motion, and
the risks of human error and wrongful disclosure expand.
At the same time that this large increase in information movement occurs, the regulations around this process have become
more restrictive, the costs to remedy a breach are now higher,
and the fines for information leaks are more onerous. HIPAA
enforcement finally has teeth.
In 2010 alone (the most recent data available), the Office for
Civil Rights investigated 4,229 reports of information breach,
and 64 percent of these, or 2,703 events, required corrective action. 1 One incident involving a nonprofit corporation resulted in
a total cost to the organization of $288,808 in legal fees, credit-monitoring services, staff time, and more. 2
Audits on the Way
Further, the age of “voluntary” compliance with HIPAA is ending. OCR contracted with KPMG to conduct up to 150 audits of
covered entities and business associates at random. These audits started in November 2011 and will continue through this
year and likely into the future. They are expected to produce corrective action plans for facilities regarding HIPAA compliance.
HITECH’s meaningful use incentives under ARRA also require
that organizations attest to a risk analysis and risk management
program. As providers start vouching for their organizations’ se-
curity they are becoming more aware of their deficiencies and
compliance risk is making it to the executive dashboard, further
reinforcing the need for HIM professionals to get proactive and
HIM’s Role: Policy, Training, Workflow, Action
HIM professionals must tighten ROI workflow to mitigate risk
of human error and breach. Every organization is at risk for
breach, but the differences between entities will be reflected in
how they implement policies, procedures, and corrective actions.
Policy and Procedures
All providers have a policies and procedures manual and conduct initial HIPAA training. Risk arises when training is done
only once and policy manuals remain on the shelf collecting
ROI policies and processes should be adaptive. That is, the
process should change to meet new regulatory requirements
and technology implementations. For example, changes to the
HIPAA rules regarding the accounting of health information
disclosures expected this year have the potential to dramatically expand HIM and ROI responsibilities and pose operational
challenges. Similarly, EHRs and health information exchanges
are pushing the frequency and scope of information transfer.
HIM professionals must remain aware and on top of all changes
to ensure HIPAA compliance and change processes accordingly.
Training is a living process requiring continual attention. If this
is not the responsibility of a chief compliance, privacy, or security officer, then HIM must fill these shoes.
Training is best delivered using a multitiered approach that
builds on each preceding course. Every step within the ROI
process should be addressed through training, with particular
focus on three areas: front desk personnel, document identification, and pre-shipment validation.
Front desk personnel should always validate the requester by
the photo ID contained with the patient’s medical or business
record (if applicable). Document identification staff should be
trained to always narrow the search for specific documents from
the EHR or paper chart. Particularly, they should use as many
known identification factors as possible to ensure the correct,
but minimally necessary, documents are pulled. Identification
factors include such things as patient’s full name, date of birth,
Social Security number and visit date, if possible.
Finally, just prior to submission to the requester, ROI staff
should always validate that only the uniquely authorized information has been included and that the information imported
into the ROI process for disclosure belongs exclusively to that
patient. Many facilities scan patient information from paper