Disclosure of the Personal Health Information (PHI) of patients is one of the biggest threats, as those affected are more vulnerable to both medical and financial identity theft. Unfortunately, health care organizations are popular victims of data breaches. Criminal attacks now make up the majority of these breaches: in March 2018, for example, a hacker accessed the workstation of a Med Associates employee and had access to 270,000 patient records, and later in 2018 HealthEquity data for about 190,000 customers was exposed for about a month after a hack on two employee email accounts.
Considering the high percentage of organizations that have been victims of data breaches, it is important to know how to address privacy and security threats. The first line of defense against a PHI breach is having strong procedures surrounding the disclosure of patient information. With the large volume of requests for information, some organizations outsource the Release of Information (ROI).
Whether handled internally or externally, technology and information governance practices should be effective in making sure PHI is complete and timely for its intended purpose and available only to parties that have a legitimate need for the information. Here are some key management principles for ROI in areas of quality control, productivity management, and turnaround times.
Quality Control Practices address the monitoring, tracking, processing, and completion of requests for information.
- Monitoring receipt of the request: At a minimum, organizations should record the date and time the request was received (e.g. stamp or write the date/time on each receipt), identify who requested it and when it was needed, and confirm the request was authorized.
- Tracking the request: Involves some type of log (e.g. simple binder, specialized software, etc.) that is used to monitor the activity of the request. Requests should be prioritized.
ROI software facilitates the tracking of requests throughout their lifecycle. Software can aid management by analyzing data easily for monitoring purposes (e.g. staff performance and turnaround times by type of request).
- Processing the request: Includes verifying the completeness of the request, ensuring the requestor has a right to request the information, verifying the identity of the patient, and assessing the appropriateness of the information requested. In short, processing the request means making sure the right data is given to the right people.
- Completing the request: Requires an evaluation of how the request was completed. This is essentially looking back and verifying that all the procedures were carried out properly. If the request was not complete, was it returned? Was the information released recorded for internal auditing and record-keeping?
Productivity management is an area where technology offers significant value. ROI software or other technology provides various tools for data manipulation, and can provide individual production statistics, request volumes, and information about turnaround times.
Even without technology, it is important to accurately record volumes of incoming requests by request type, track staff who complete requests, collect date/time of key processes and turnaround times, record date/time that information was provided to requestors, and record the method used to deliver the information (e.g. fax, mail, or in-person).
Turnaround time goals and standards should be established internally based on the type of request (e.g. a patient in an emergency room requires a shorter turnaround time than a scheduled appointment).
After establishing turnaround time expectations, organizations should staff to these requirements and then monitor compliance with them. Organizations should be able to identify request types for which the expectations are regularly not met, and periodic evaluation of processes, request volumes, and staff performance can help recognize where adjustments need to be made.
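As an added example that is not part of the article, the following Python sketch models the request log described above: each request is stamped on receipt, released only after the authorization and patient-identity checks pass, recorded for audit either way, and then summarized by request type against turnaround goals. The request types, the goal values in TURNAROUND_GOALS, the 25% miss-rate threshold, and the sample requests are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

TURNAROUND_GOALS = {"emergency": timedelta(hours=1), "scheduled": timedelta(days=3)}  # assumed goals

@dataclass
class RoiRequest:
    request_id: str
    request_type: str
    received_at: datetime      # date/time stamped on receipt
    requester: str
    authorized: bool           # authorization confirmed on receipt
    patient_verified: bool     # patient identity verified during processing
    released_at: Optional[datetime] = None

def release(req, released_at, method, audit_log):
    """Complete a request: refuse unless authorized and identity-verified; log either way."""
    if not (req.authorized and req.patient_verified):
        audit_log.append((req.request_id, "RETURNED", released_at.isoformat(), req.requester))
        return False
    req.released_at = released_at
    audit_log.append((req.request_id, "RELEASED", released_at.isoformat(), req.requester, method))
    return True

def turnaround_report(requests, goals, miss_rate_threshold=0.25):
    """Per request type: volume and the share of released requests that missed the goal."""
    by_type = {}
    for r in requests:
        if r.released_at is not None:
            by_type.setdefault(r.request_type, []).append(r.released_at - r.received_at)
    report = {}
    for rtype, durations in by_type.items():
        missed = sum(1 for d in durations if d > goals[rtype])
        report[rtype] = {"count": len(durations), "miss_rate": round(missed / len(durations), 2),
                         "needs_review": missed / len(durations) > miss_rate_threshold}
    return report

def demo():
    """Constructed sample log: four requests, one from an unauthorized requester."""
    audit, t0 = [], datetime(2024, 1, 8, 9, 0)
    reqs = [RoiRequest("R1", "emergency", t0, "ER physician", True, True),
            RoiRequest("R2", "emergency", t0, "ER physician", True, True),
            RoiRequest("R3", "scheduled", t0, "patient", True, True),
            RoiRequest("R4", "scheduled", t0, "unverified caller", False, True)]
    release(reqs[0], t0 + timedelta(minutes=40), "in-person", audit)
    release(reqs[1], t0 + timedelta(hours=3), "fax", audit)  # 3 h against a 1 h goal
    release(reqs[2], t0 + timedelta(days=2), "mail", audit)
    release(reqs[3], t0 + timedelta(days=1), "mail", audit)  # refused, logged as returned
    return audit, turnaround_report(reqs, TURNAROUND_GOALS)
```

Running demo() flags the emergency type for review because half of its released requests exceeded the goal, while the refused request never appears in the turnaround figures but is still in the audit log.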
These general principles can help set an organization up for success in managing PHI. Organizations that implement sound procedures addressing the points above are ahead of the game; however, best-laid plans often go awry. Breaches can, and likely will, occur. In addition to these practices, healthcare organizations should consider implementing the following strategies to mitigate data breach risks:
- Create a team that periodically assesses risks and controls to identify privacy and security issues; set priorities; update policies, procedures, and technology accordingly; and standardize access and disclosure practices (i.e. specify who may access what PHI and what to do if a breach has occurred).
- Encrypt all electronic information using the National Institute of Standards and Technology (NIST) standard for data. Stolen unencrypted devices are presumed a HIPAA breach; but if the device is encrypted, breach notification is not required.
- Use technology to detect and prevent the unauthorized use of electronic data. Some applications can continually monitor software and system hardware for outside threats and security risks.
- Invest in cyber insurance to help mitigate the financial risks of a breach. Be sure to determine both the extent of coverage and the cost.
- Provide ongoing training to promote understanding of organizational policies, procedures, and relevant laws and regulations governing disclosure of PHI. Follow each training program with an assessment to measure effectiveness.
Many health care organizations are focusing more on privacy and security, but rapidly changing cyber threats continue to outpace investments in technologies and processes to protect PHI. Healthcare management professionals have to find a balance between guarding privacy, maintaining legal compliance, and facilitating quality patient care through information sharing, and organizations need to be proactive. Implementing the principles and strategies above should give your practice an effective enterprise-wide approach to the ROI process.
For more information about this topic, please contact:
Shari Diamond, CIA
Shari has been with Cerini & Associates, LLP since 2008 where she works primarily with the firm’s school district clients providing internal audit and claims audit services. She has over twenty years’ experience performing internal audits, risk assessments, and compliance reviews, as well as recommending processes to strengthen the internal controls environment while increasing efficiencies. Her prior experience at PWC and Northrop Grumman included performing Information Technology audits.