The following is a HIM Scene guest blog post by Mariela Twiggs, MS, RHIA, CHIP, FAHIMA, National Director of Motivation & Development at MRO. This is the third blog in a three-part sponsored blog post series focused on the relationship between HIM departments and third-party payers. Each month, a different MRO expert will share insights on how to reduce payer-provider abrasion, protect information privacy and streamline the medical record release process during health plan or third-party commercial payer audits and reviews.
Millions of payer requests for medical records are sent to hospital business offices every day. Business office staff are often tasked with pulling, compiling and sending Protected Health Information (PHI) to meet these requests.
Many payer requests are part of treatment, payment and operations (TPO) according to HIPAA. Payer requests are the “P” in TPO. However, others such as Medicaid assistance applications and disability requests are not covered under TPO. Knowing the difference and managing each request with the utmost regard for patient privacy is the focus of this month’s HIM Scene post.
Business Office Disclosures: Haste Makes Breach
Time is of the essence in the business office. Staff are focused on submitting claims, appealing denials or responding to audits and reviews as covered in last month’s HIM Scene. During the rush to get claims paid, key steps in the Release of Information (ROI) process may be skipped, compromised or mistakenly omitted. It’s during these situations that privacy concerns arise and PHI breaches may occur.
To ensure business office disclosures are kept safe and secure, organizations should train their financial staff using the same information, curriculum and courses presented to Health Information Management (HIM) teams. The ROI steps are the same. And disclosure management processes must be consistent to reduce breach risk. Here are five key areas of disclosure management to cover with your business office employees.
1. ROI and HIPAA Basics
Ensure employees understand the definition of HIPAA, the privacy rule, ARRA HITECH Omnibus, PHI and the differences between federal and state law. Each state is different, and the law that applies is that of the state where the care was given, not where the organization is headquartered. This is an important distinction for central business offices processing requests for care locations across several states.
Also emphasize which types of payer requests fall under HIPAA’s TPO exemption and which don’t. For those that aren’t considered disclosures for TPO, a patient authorization is required.
Another important topic to cover is the Health and Human Services (HHS) minimum necessary guidance under the HIPAA privacy rule. This guidance helps organizations determine what information can be used, disclosed or requested by payers for a particular purpose. Payers don’t need entire copies of records. They only need specific documents depending on the type of request. By helping business office staff thoroughly understand and apply the minimum necessary guidance, organizations tighten privacy compliance and mitigate breach risk.
2. The Medical Record
Define the various components of the medical record to business office staff. These include common documents, various types of encounters, and properly documented corrections and amendments.
3. Confidentiality and Legal Issues
Outline the legal health record concept and what it includes for your organization. All the various confidentiality and legal issues should also be fully explained. For example, with regard to state subpoena laws, one needs to know quash periods and whether special documentation must be provided. Louisiana requires affidavits while Virginia requires certifications from attorneys saying a notice of patient objection was not received.
4. Types of Requests
List all the various types of requests that might be received in the business office. For each category, differentiate which are part of TPO and which are not. Those that fall outside of TPO require a patient authorization and should be forwarded to HIM for processing. The types of requests to discuss with the business office include:
- Treatment requests
- Internal requests
- Patient requests
- Government agency requests
- Disability requests
- Insurance requests
- Post-payment audit requests
- Attorney requests
- Law enforcement requests
- Court orders
- Research requests
5. Sensitive Records and Other Special Situations
Identify and describe specific disclosure management practices related to sensitive records. These cases can include information on genetics, HIV/AIDS, STDs, mental/behavioral health, substance abuse and other sensitive issues. There are also special situations surrounding disclosures for deceased patients and minors. Sensitive records require special handling. Complex federal and state legal issues may be involved with these cases and business office personnel should be aware of them.
With so many details to know, many hospitals and health systems are opting to centralize all disclosures within the HIM department or with a single outsourced ROI vendor.
Make the Case for Centralized ROI
There is a national trend toward centralized disclosure management versus each department handling information requests internally. Beyond the business office, requests are also frequently received in the radiology department, clinical locations, human resources, physician practices, nursing units and HIM.
Maintaining oversight and privacy compliance for all these areas is an arduous task—and opens the door for breach risk. If you are in doubt about the ability of business office or other staff to properly and securely process requests, a centralized ROI model may be your organization’s safest approach.
About Mariela Twiggs
In her role as Director of Motivation and Development, Twiggs leads MRO’s internal motivational efforts and manages MRO Academy, a rigorous and required online educational and testing platform for all employees, which is comprehensive and current with external developments and regulations. Prior to joining MRO, she was CEO of MTT Enterprises, LLC, a Release of Information business. Previously, she worked as a Health Information Management (HIM) Director. Twiggs is the past president of the Association of Health Information Outsourcing Services (AHIOS), Louisiana Health Information Management Association (LHIMA) and Greater New Orleans Health Information Management (GNOHIMA); a fellow of the American Health Information Management Association (AHIMA); recipient of LHIMA’s Distinguished Member & Career Achievement Awards; past treasurer of LHIMA and GNOHIMA; and serves on the advisory board of the Delgado Community College Health Information Technology Program. Twiggs holds a B.S. in Medical Record Administration and a Master’s Degree in Health Care Administration. She is also certified in healthcare privacy (CHP) and is a Certified Document Imaging Architect (CDIA+) with expertise in electronic document management.