Breach Risk in Release of Information: Don't Leave Risk to Chance
Key trends impacting healthcare providers
INTRODUCTION
Privacy and security within a healthcare enterprise are topics often on the minds of many stakeholders. As of February 2016, the U.S. Department of Health and Human Services (HHS) reported that over 250 million patients have been affected by a breach since 2009. 1 Approximately 1,400 large breaches have been reported to the Office for Civil Rights (OCR), and during the same period over 180,000 small breaches, each affecting fewer than 500 patients, have been reported as well. 2 Although a small breach can be a one-off incident, such as sending one patient's records to the wrong person, it can be just as damaging to a healthcare organization. Key trends behind the rising tide of small breaches include:
- Expanding points of Protected Health Information (PHI) disclosure and a growing volume of requests for health information
- Increasingly complex regulations governing the sharing of health information
- Quality assurance gaps in the Release of Information (ROI) process
- Steepening penalties and financial impact for provider organizations
Don't leave risk to chance. In this ebook, you'll learn more about mitigating risk with a strategic, enterprise-wide approach to PHI disclosure management.
Small is Big, and Costly
Although small breaches affecting fewer than 500 patients per incident are not usually broadcast as widely as a large cyberattack, the financial impact is real. Each breach can cost $8,000 to $300,000, not including HIPAA civil penalties. 3 Penalties have risen to as much as $50,000 per violation, with an annual maximum of $1.5 million for repeated violations of the same provision. 4 As many as 10 states now treat HIPAA as the relevant standard of care in state-law privacy claims brought by individuals, even though HIPAA itself provides no private right of action. 5
Bad News Travels Fast
While cyberattacks and device thefts make for sensational headlines, breaches caused by employee or organizational error are reported in the news as well. One news outlet reported that a 2014 clerical error at St. Vincent Breast Center in Indianapolis resulted in 63,325 patients receiving a mailing containing incorrect information, including the names, addresses and appointment times of other patients. 6 In 2013, Oakland, Calif.-based West Coast Children's Clinic notified patients of a PHI breach after it faxed a single patient's information to an incorrect fax number. 7 As the clinic explained to news outlets in a written statement and to patients in a letter, several PHI disclosure protocol steps were not followed, including verifying the fax number and notifying the recipient that the fax had been sent. According to Deloitte's 2014 global survey on reputation risk, a negative reputation event such as a data breach can erode brand value for healthcare providers. 8 Word of a breach also spreads online: through social media platforms such as Facebook and Twitter, through consumer rating sites such as Yelp, and even through Google results when someone searches for the hospital.
Risky Business
As large health systems acquire more hospitals and physician practices, PHI disclosure policies, procedures and technology may vary greatly from facility to facility, adding to the overall risk. Another factor driving breach risk, the electronic disclosure of PHI (ePHI), has emerged as more organizations recognize that electronic disclosure is more efficient than paper. Electronic Medical Record (EMR) systems allow more people within a healthcare enterprise to access PHI, including staff who are not specifically trained in the ROI function. When onboarding one Pennsylvania-based health system, MRO discovered 40 points of disclosure in the system, not counting physician practices. Most of those disclosure points were managed outside the Health Information Management (HIM) department by individuals who were not trained in ROI and PHI disclosure compliance. Talk about risky.
Release of Information - The Ticking Time Bomb
Criminal attacks and lost or stolen devices were the root cause of most PHI data breaches in the year covered by the Ponemon Institute's 2015 benchmark study, but almost as many, 40 percent, were due to unintentional employee action. 9 Unintentional employee action covers more than using the wrong fax number or mailing address when disclosing PHI: there are multiple points in the ROI process where a single misstep can result in a breach.
20-30%: invalid authorizations | 10%: invalid authorizations processed | 5%: data integrity issues | 0.7%: releases including mixed patient records
With typical ROI workflows, 20 to 30 percent of all submitted authorizations are initially found to be invalid. 10 With over 100 possible combinations of errors or omissions across a wide variety of request types, as many as 10 percent of authorizations are processed despite errors when the only line of defense is the person onsite logging the request. Five percent or more of the patient data in EMRs has integrity issues, including commingling of one patient's records with another's. Well-trained ROI specialists will catch the majority of mixed records; however, with only one level of quality control, 0.7 percent of releases will still contain mixed patient data. PHI breaches are not isolated incidents. Ninety-one percent of healthcare organizations surveyed by Ponemon reported a PHI breach in the last year, and 40 percent reported more than five. Also of concern, 69 percent of organizations did not discover the breach until an audit, so the improper disclosure may have occurred weeks or months earlier.
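The two failure points above, an invalid authorization that gets processed anyway and a release bundle that commingles another patient's pages, are both things a second, automated check can catch before anything leaves the building. The following is an added example written for this page; it is not MRO's software or any EMR vendor's format. The required core elements and statements it checks come from 45 CFR 164.508(c); the field names, the record layout, the medical record numbers and the sample authorizations are constructed assumptions for the example.

```python
"""Added example (not MRO's code): two independent pre-release checks for a
Release of Information (ROI) request.

  authorization_errors()  validates the core elements and statements a HIPAA
                          authorization must contain under 45 CFR 164.508(c)
  commingling_errors()    verifies every page in a release bundle carries the
                          authorized patient's medical record number (MRN)

Field names, the record layout and all sample data are assumptions made for
this example only.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Core elements required by 45 CFR 164.508(c)(1), keyed by the field name
# assumed for this example.
REQUIRED_ELEMENTS = {
    "description": "description of the information to be disclosed",
    "disclosing_party": "person or class authorized to make the disclosure",
    "recipient": "person or class to whom disclosure may be made",
    "purpose": "purpose of the disclosure",
    "signature": "signature of the individual or representative",
    "signed_on": "date of signature",
}
# Required statements under 45 CFR 164.508(c)(2), modelled as booleans.
REQUIRED_STATEMENTS = ("right_to_revoke", "conditioning_statement", "redisclosure_notice")


@dataclass
class Authorization:
    patient_mrn: str
    fields: dict = field(default_factory=dict)
    statements: dict = field(default_factory=dict)
    expires_on: date | None = None       # expiration date ...
    expiration_event: str | None = None  # ... or expiration event; one is required


@dataclass
class Page:
    mrn: str      # MRN printed on the page, assumed already extracted (e.g. by OCR)
    content: str


def authorization_errors(auth: Authorization, today: date) -> list[str]:
    """Return every defect found; an empty list means the authorization is valid."""
    errors: list[str] = []
    for key, label in REQUIRED_ELEMENTS.items():
        if not str(auth.fields.get(key, "")).strip():
            errors.append(f"missing {label}")
    for stmt in REQUIRED_STATEMENTS:
        if not auth.statements.get(stmt):
            errors.append(f"missing required statement: {stmt}")
    if auth.expires_on is None and not auth.expiration_event:
        errors.append("missing expiration date or event")
    elif auth.expires_on is not None and auth.expires_on < today:
        errors.append(f"authorization expired on {auth.expires_on.isoformat()}")
    signed = auth.fields.get("signed_on")
    if isinstance(signed, date) and signed > today:
        errors.append("signature date is in the future")
    return errors


def commingling_errors(auth: Authorization, pages: list[Page]) -> list[str]:
    """Flag any page whose MRN differs from the authorized patient's MRN."""
    return [
        f"page {i}: MRN {p.mrn} does not match authorized MRN {auth.patient_mrn}"
        for i, p in enumerate(pages, start=1)
        if p.mrn != auth.patient_mrn
    ]


def release_decision(auth: Authorization, pages: list[Page], today: date) -> tuple[bool, list[str]]:
    """Release only when both checks pass; returns (ok, reasons_to_hold)."""
    reasons = authorization_errors(auth, today) + commingling_errors(auth, pages)
    return (not reasons, reasons)


# Constructed sample data for this example.
TODAY = date(2016, 3, 1)
VALID_AUTH = Authorization(
    patient_mrn="MRN-1001",
    fields={
        "description": "discharge summary and lab results, 2015-01-01 to 2015-12-31",
        "disclosing_party": "General Hospital HIM department",
        "recipient": "Dr. A. Smith, 1 Main St",
        "purpose": "continuity of care",
        "signature": "J. Doe",
        "signed_on": date(2016, 2, 10),
    },
    statements={"right_to_revoke": True, "conditioning_statement": True, "redisclosure_notice": True},
    expires_on=date(2017, 2, 10),
)
# Same request with the purpose blank, one statement missing and an expired date.
INVALID_AUTH = Authorization(
    patient_mrn="MRN-1001",
    fields={**VALID_AUTH.fields, "purpose": ""},
    statements={"right_to_revoke": True, "conditioning_statement": True, "redisclosure_notice": False},
    expires_on=date(2015, 12, 31),
)
CLEAN_BUNDLE = [Page("MRN-1001", "Discharge summary ..."), Page("MRN-1001", "Lab results ...")]
MIXED_BUNDLE = CLEAN_BUNDLE + [Page("MRN-2002", "Lab results belonging to another patient")]

if __name__ == "__main__":
    for name, auth, pages in [("clean", VALID_AUTH, CLEAN_BUNDLE),
                              ("invalid authorization", INVALID_AUTH, CLEAN_BUNDLE),
                              ("mixed bundle", VALID_AUTH, MIXED_BUNDLE)]:
        ok, reasons = release_decision(auth, pages, TODAY)
        print(f"{name}: {'RELEASE' if ok else 'HOLD'} {reasons}")
```

The point of keeping the two checks as separate functions is the one the page makes about a single line of defense: an operator who logs a request under time pressure and a page-level MRN comparison fail in different ways, so neither is allowed to override the other, and the release is held whenever either returns a reason.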
Gaps in the Typical Release of Information Workflow
In the typical ROI workflow, requests for health information come into a facility and are logged by onsite ROI staff who also handle many other responsibilities. There is no second set of eyes for quality assurance. This approach produces inefficiencies, distractions and more errors. Responsibilities competing for the same staff's attention in that workflow: support and issue resolution, requester calls, record retrieval, invoicing and collections, producing copies, and delivering the records.
Don't Leave Risk to Chance
At MRO, we focus on two things: service and quality. With MRO's industry-leading Quality Assurance program, our clients can have full confidence they are HIPAA compliant. Not one, but two teams check each ROI authorization for accuracy, and then a combination of our optical character recognition (OCR) validation technology and human review checks for commingled records. An additional quality check is performed through a barcoding system to maintain shipping integrity. The result is a 99.99% accuracy rate. MRO's technology and people can manage PHI disclosure across multiple departments and locations to standardize policies and procedures and safeguard your organization against the risk of breach.
THE MRO DIFFERENCE
MRO, headquartered in Valley Forge, PA, was founded in 2002 on the premise that a better ROI service could be built on better workflow, stronger quality assurance and innovative technology. Because of our focus on service and quality, we have been recognized by KLAS as the leader in ROI services multiple times. 20% growth. Second-largest ROI provider. Clients large and small. More than 3,700 implementations.
FOOTNOTES
1 U.S. Department of Health & Human Services. Breach Notification Rule web page. HHS.gov. https://ocrportal.hhs.gov/ocr/breach
2 Ornstein, Charles. Small Violations Of Medical Privacy Can Hurt Patients And Erode Trust. Shots: Health News from NPR. Blog post. December 11, 2015. http://www.npr.org/sections/health-shots/2015/12/10/459091273/small-violations-of-medical-privacy-can-hurt-patients-and-corrode-trust
3 The American National Standards Institute (ANSI). The Financial Impact of Breached Protected Health Information. Report. March 2012. https://webstore.ansi.org/phi/
4 American Medical Association. HIPAA Violations and Enforcement. Solutions for Managing Your Practice. Web page. http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
5 Thompson Hine LLP. De Facto Private Right of Action Under HIPAA: Is Ohio Next? Health Care Law Update. http://www.thompsonhine.com/publications/de-facto-private-right-of-action-under-hipaa-is-ohio-next
6 Auslen, Michael. St. Vincent Breast Center mails 63,000 letters to wrong patients. The Indianapolis Star. July 4, 2014. http://www.indystar.com/story/news/2014/07/04/st-vincent-mails-letters-wrong-patients/12234059/
7 McCann, Erin. Fax mishap leads to HIPAA breach. Healthcare IT News. April 25, 2013. http://www.healthcareitnews.com/news/fax-mishap-leads-hipaa-breach
8 Deloitte. 2014 global survey on reputation risk. October 2014. https://www2.deloitte.com/content/dam/deloitte/global/documents/governance-risk-compliance/gx_grc_reputation@risk%20survey%20report_final.pdf
9 Ponemon Institute. Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Research Report. May 2015. http://www.ponemon.org/blog/criminal-attacks-the-new-leading-cause-of-data-breach-in-healthcare
10 MRO research based on client data.
888.252.4146 www.mrocorp.com
Don't leave risk to chance. Cover your assets with MRO.