MITIGATING BREACH RISK IN AN ERA OF EXPANDING PHI DISCLOSURE POINTS AND REQUESTS FOR HEALTH INFORMATION

Transcription

1 MITIGATING BREACH RISK IN AN ERA OF EXPANDING PHI DISCLOSURE POINTS AND REQUESTS FOR HEALTH INFORMATION Authors: Mariela Twiggs, MS, RHIA, CHP, FAHIMA National Director, Training and Compliance for MRO Sara Goldstein, Esquire Privacy and Compliance Counsel for MRO

2 MITIGATING BREACH RISK IN AN ERA OF EXPANDING PHI DISCLOSURE POINTS AND REQUESTS FOR HEALTH INFORMATION News media attention surrounding a breach of Protected Health Information (PHI) usually involves a cyberattack where a hacker infiltrates a healthcare organization s network and steals data, or a physician has their laptop stolen. While cyberattacks and device theft are major security issues, a PHI breach is much more likely to occur during one or more of the tens of thousands of Release of Information (ROI) requests a healthcare organization receives each year. With more than 100 error types found across ROI authorizations, each request has the potential to result in a PHI breach. Although these breaches do not grab headlines as often as a cyberattack, they are damaging to healthcare organizations. Each breach can cost $8,000 to $300,000, not including HIPAA violation civil penalties, according to the results of an American National Standards Institute (ANSI) survey of organizations that had been affected by a PHI breach. 1 These costs included credit or identity theft monitoring for breach victims, forensic and legal fees, and reputational harm, including loss of goodwill and of business, according to survey respondents. 2 In addition, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR s) larger HIPAA violation civil penalties became effective in 2013, rising to as much as $50,000 per breach with a maximum of $1.5 million annually for repeated occurrences PHI breaches that occur during the ROI process will likely rise as PHI disclosure points and requests for health information increase across organizations due to several factors. One is the increase of healthcare merger and acquisition activity. These consolidating healthcare organizations may face differing electronic medical record (EMR) systems and PHI disclosure policies and procedures, depending on the facility. The lack of standardized processes and expanding disclosure points make PHI disclosure challenging to govern and track, making a breach more likely. Another factor driving the increase in PHI breach risk is a growing volume of ROI requests due to the changing healthcare market. With payment shifting to value and outcomes, care coordination is essential, which requires more health information exchange with providers across the care continuum. Emphasis on value and quality of care also includes more audits from government and commercial payers requesting PHI to ensure care gaps are addressed and payments were accurate. Patients, who are increasingly more engaged in their care for a variety of reasons including the expansion of personal health and fitness monitoring technologies, are requesting health information more often to share with specialists and other providers to manage their health. Patient access criteria within the Centers for Medicare and Medicaid Services (CMS s) Meaningful Use incentive program add a level of complexity by requiring strict turnaround times for patient requests. This more frequent and faster PHI exchange poses increased risks for provider organizations, regardless of their involvement in emerging healthcare delivery or payment models. The OCR plans to issue new guidance on patient access in the fall of Standardizing disclosure policies and procedures across their enterprise can help organizations comply with these regulations and manage the increased ROI request volume. Transitioning to a standardized process may include partnering with a technology-driven disclosure management partner with highly trained and knowledgeable staff that can bring consistency to the organization and further mitigate risk with additional safeguards against breach. Partnering with a knowledgeable technology and services partner can relieve the PHI disclosure management burden from organizations, ensure compliance with federal and state regulations, all the while delivering complete transparency and control to departmental managers. Mariela Twiggs, MS, RHIA, CHP, FAHIMA, National Director, Training and Compliance for MRO Sara Goldstein, Esquire Privacy and Compliance Counsel for MRO Copyright 2015 MRO Corporation Page 2

3 Improper disclosure of PHI common cause of breach Criminal attacks and lost or stolen devices were the root cause of most PHI data breaches last year, but almost as many, 40 percent, were due to unintentional employee action, according to 2015 survey results from the Ponemon Institute. 5 These unintentional employee actions, namely employee negligence, are also the top security concern among healthcare organization leaders, above cyberattacks, according to the survey. Unintentional employee actions include more than using the wrong fax number or mailing address when disclosing PHI. With traditional ROI workflows, 20 to 30 percent of all submitted authorizations are initially found to be invalid. 6 Many invalid authorizations are caught and corrected at the facility during the initial evaluation and tracking phase. However, with a wide variety of errors found across authorizations, the importance of a secondary review is critical to accuracy and avoiding improper disclosure. PHI breaches are not isolated incidents. Ninety-one percent of healthcare organizations surveyed by Ponemon reported a PHI breach in the last year, while 40 percent reported more than five. Also of concern is that 69 percent of organizations did not discover the breach until an audit, so the improper disclosure may have occurred weeks or months earlier. With standardized, enterprise-wide PHI disclosure policies, procedures and oversight, many of these errors could be detected through a quality assurance process at the proper stage, preventing any unauthorized disclosure. Breaches costly Although PHI breaches are common, federal regulators have become even more stringent when it comes to financial penalties for non-compliance. Since the HIPAA breach notification requirement took effect in 2009 as part of the Health Information Technology for Economic and Clinical Health (HITECH) Act, the OCR has assessed approximately $27.25 million in settlement agreement fines or civil money penalties as of September In addition, the HIPAA Final Omnibus Rule, which went into effect in 2013 and raised violation penalties to their current levels, included breach-reporting requirements that were changed to a policy of guilty until proven innocent. This means in cases of improper disclosure, a breach is always assumed unless the provider can demonstrate that there is a low probability that the PHI has been compromised. When news media learns of a breach, such as when it receives a HIPAA-mandated notification from the organization because the breach impacted 500 or more individuals, the reputational damage causes an incalculable financial impact. 7 For example, if the breach diminishes the hospital s brand in the community, it can contribute to the loss of current and/or new patients, as well as physicians or business partners who leave the organization due to reputational damage. 8 While cyberattacks or device thefts make for sensational headlines, breaches due to employee or organizational errors are also reported in the news. For example, one news outlet reported that a clerical error at St. Vincent Breast Center in Indianapolis in 2014 resulted in 63,325 patients receiving a mailing containing incorrect information, including the names, addresses and appointment times of other patients. 9 Even much smaller PHI breaches may end up in the news. In 2013, Oakland, Calif.-based WestCoast Children s Clinic notified patients of a PHI breach after it faxed just one patient s information to an incorrect fax number. 10 As the clinic explained to news outlets in a written statement and to patients in a letter, a number of PHI disclosure protocol steps were not followed, including checking the fax number and notifying the recipient that the fax was sent. A qualified PHI disclosure management partner has technology and knowledgeable, trained staff to minimize errors like those described above, regardless of the size of the institution or PHI disclosure. Apart from potential reputational damage, a troubling new trend for healthcare providers could also make PHI breaches more costly. As many as 10 states now consider HIPAA to be the relevant standard of care for state privacy violation claims brought by individuals. 11 This means even if providers are penalized by the OCR for a PHI breach, they could still be sued by the individuals for negligence. One of the most well known of these cases is Byrne v. Avery Center for Obstetrics and Gynecology in Connecticut, which in 2014 was ruled on by the state s Supreme Court in favor of the plaintiff. The practice was sued for negligent infliction of emotional distress and negligence for failing to use proper and reasonable care in protecting the plaintiff s medical records, which she had forbidden from being released. The practice released the plaintiff s medical records after receiving a subpoena, but did not notify the plaintiff or object to the subpoena, as required by HIPAA. The Connecticut Supreme Court ruled that HIPAA does not preempt the state s laws surrounding the plaintiff s negligence claims, but rather HIPAA represents the standard of care that the providers should have followed. The higher court remanded the case back to the trial court to rule on the negligence claims. Copyright 2015 MRO Corporation Page 3

4 Hospital departments other than Health Information Management (HIM), as well as ambulatory practices, such as in this case, may not be as knowledgeable about PHI disclosure regulations and inadvertently fulfill an unauthorized ROI request, resulting in a breach. A highly trained and knowledgeable PHI disclosure management partner would have informed the practice that a subpoena does not always require the records to be released and would have ensured that the compliant PHI disclosure process was followed. 12 Factors driving breach risks While it is clear that PHI disclosure breaches are common and costly, numerous factors are driving an increase in breach risks, especially with the consolidation of the healthcare industry through mergers and acquisitions and more information being shared electronically. Healthcare merger and acquisition activity increased 16.3 percent in 2014 compared to 2013, and is expected to continue at that pace in As large health systems acquire more hospitals and physician practices, PHI disclosure policies and procedures and technology may vary greatly between facilities. For example, some newly acquired facilities may have varied timelines for fulfilling ROI requests or use multiple disclosure management vendors. Standardizing and centralizing disclosure policies and procedures can establish consistency and compliance across the enterprise, thus increasing the accuracy of all disclosures both within hospital and ambulatory settings. Another factor driving breach risk disclosing PHI electronically, or ephi has emerged as more organizations recognize electronic disclosure s efficiencies over paper. EMRs allow more people to access PHI from within a healthcare enterprise, including those who are not specially trained in the ROI function. Due to this expanded access, some organizations may have as many as 40 disclosure points across their enterprise, 14 which increases the risk of serious breach when patient records are released outside of the HIM process where the same level of procedural scrutiny does not occur. Some healthcare organizations may be exchanging ephi through unsecured , which is not HIPAA compliant and could result in a breach. There are, however, compliant and secure methods for electronically exchanging PHI, including patient and requester portals, secure , Direct Secure Messaging, the Social Security Administration s MEGAHIT program for Disability Determination, and esmd for CMS audits. Many healthcare organizations may not be aware these resources are available through a knowledgeable, technology-driven PHI disclosure management partner. When used properly, these electronic PHI disclosure methods can decrease days in accounts receivable and improve ROI fee collections with more accurate and timely billing, while decreasing labor and costs through eliminated paper-based processes. As a result, electronic PHI disclosure processes can safeguard hospitals from financial risk associated with breach, while also enhancing revenue through improved efficiencies. Choosing the right partner for PHI disclosure management In this changing environment, many healthcare organizations have discovered the value of partnering with a technologydriven PHI disclosure management vendor. Partnering with a vendor for PHI disclosure management processes like ROI is seen as valuable because the traditional ROI process is resource intensive requiring answering requester calls, providing phone support and issue resolutions, retrieving records, invoicing, collections, producing copies, delivery of PHI and tracking requests. Due to limited resources and escalating ROI requests, increased errors and inefficiencies can occur throughout the process. Just the request logging and tracking process can often lend itself to typos and/or improper entry that may result in records being distributed to the wrong place, especially in the case where institutions receive a large volume of requests. A PHI disclosure management partner can alleviate most of these duties from HIM departments, while ensuring compliance with all PHI privacy and security regulations of HIPAA and HITECH, as well as unique state and facility regulations. Disclosure management partners, however, vary greatly in quality and capabilities. Healthcare organizations should seek a technology-driven partner who can help improve not only the compliance of PHI disclosure and exchange, but also the efficiency. Ideal partners are at the forefront of electronic exchange of PHI, such as offering online portals for requesters; Direct Secure Messaging; interfaces with the Social Security Administration for Disability Determination requests; and esmd for CMS. These advanced technology capabilities may also include optical character recognition (OCR) scanning so that every document prior to disclosure is electronically examined to prevent co-mingled records, which, while infrequent, poses a significant breach risk. For a 300-bed hospital, which will typically have approximately 33,000 ROI requests per year, 0.7 percent of those records are likely to be co-mingled, resulting in 231 potential breaches that could be avoided by partnering with a knowledgeable and technology-driven disclosure management vendor. Copyright 2015 MRO Corporation Page 4

5 In addition, ensuring a secure and compliant ROI process and avoiding PHI breaches begins with hiring, training and managing qualified staff. Organizations should seek out PHI disclosure management partners who invest in rigorous hiring and training processes and who have reputations for delivering high-quality client and requester service. KLAS, a firm that helps healthcare providers make informed technology decisions by reporting accurate, honest and impartial vendor performance data, is a credible resource for providers in evaluating ROI partners. Taking the chance out of risk Protecting your organization from a criminal attack is important, but organizations should consider how much more likely a PHI breach could occur just due to an error in its ROI procedures. Consider again a 300-bed hospital with 33,000 ROI requests per year. In that year, the hospital likely received 6,600 invalid requests, of which as many as 3,300 would be fulfilled despite the invalid authorizations. The OCR levies a fine 18 percent of the time a PHI breach complaint is lodged. If a complaint was raised just half of one percent of the time, an OCR average fine of $25,000 per breach would have exposed this hospital to potential settlement agreement fines of $74,250 just that year. If this hospital partnered with a technology-driven PHI disclosure management vendor as described above, the number of fulfilled invalid requests would have decreased to just one with a potential $30 fine. As in this example, potential PHI breaches can occur at organizations thousands of times per year without the proper disclosure policies and procedures, and technology. Rather than attempting to manage this growing volume of requests on their own, healthcare organizations should consider partnering with an experienced, proven and technology-driven PHI disclosure management vendor. This partner can help establish standardized procedures and technology, alleviating the ROI request and compliance burden across the enterprise and mitigating risk. The HIM department and other disclosing parties can then concentrate on their core competencies to help the healthcare organization deliver higher quality, cost-effective care. Copyright 2015 MRO Corporation Page 5

6 Footnotes 1 The American National Standards Institute (ANSI), The Financial Impact of Breached Protected Health Information. Report. March ANSI, et al. 3 American Medical Association. HIPAA Violations and Enforcement. Solutions for Managing Your Practice. Web page. hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page? 4 National Institute of Standards and Technology and the U.S. Department of Health and Human Services, Office for Civil Rights. Safeguarding Health Information: Building Assurance through HIPAA Security. Annual Conference. September Washington, DC. 5 Ponemon Institute. Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Research Report. May MRO research based on client data 7 Diaz, Luis J. and Crapo, David N. The Cost Of A Data Breach: The Health Care Perspective. Metropolitan Corporate Counsel. November 18, ANSI, et al. 9 Auslen, Michael. St. Vincent Breast Center mails 63,000 letters to wrong patients. The Indianapolis Star. July 4, McCann, Erin. Fax mishap leads to HIPAA breach. Healthcare IT News. April 25, com/news/fax-mishap-leads-hipaa-breach 11 Thompson Hine LLP. De Facto Private Right of Action Under HIPAA: Is Ohio Next? Health Care Law Update The U.S. Department of Health and Human Services. Court Orders and Subpoenas. HHS.gov web site. Accessed August 18, Morse, Susan. Healthcare M&A activity to persist in 2015, report states. Healthcare Finance News. March 18, Roop, Elizabeth S. Disclosure Management More Complicated Than Ever. For The Record. April fortherecordmag.com/archives/0414p12.shtml Copyright 2015 MRO Corporation Page 6