Breach Risk in Release of Information. Don't Leave Risk to Chance. Key trends impacting healthcare providers


INTRODUCTION

Privacy and security within a healthcare enterprise are topics often on the minds of many stakeholders. As of February 2016, the U.S. Department of Health and Human Services (HHS) reported that over 250 million patients have been impacted by breaches since 2009. 1 Approximately 1,400 large breaches have been reported to the Office for Civil Rights (OCR), and during the same period over 180,000 small breaches, each affecting fewer than 500 patients, have been reported as well. 2 While a small breach can be a one-off incident such as sending one patient's records to the wrong person, small breaches can be just as damaging to a healthcare organization. Key trending factors behind the rising tide of small breaches include:
- Expanding points of Protected Health Information (PHI) disclosure and requests for health information
- Increasingly complex regulations for sharing health information
- Quality assurance gaps in the Release of Information (ROI) process
- Steepening penalties and financial impact to provider organizations
Don't leave risk to chance. In this ebook, you'll learn more about mitigating risk with a strategic, enterprise-wide approach to PHI disclosure management.

Small Is Big, and Costly

Although small breaches affecting fewer than 500 patients per incident are not usually broadcast as widely as a large cyberattack, the financial impact is real. Each breach can cost $8,000 to $300,000, not including HIPAA civil penalties. 3 Civil penalties now reach $50,000 per violation, with an annual maximum of $1.5 million for repeated violations of the same provision. 4 Although HIPAA itself provides no private right of action, courts in as many as 10 states now treat HIPAA as the relevant standard of care in privacy claims brought by individuals under state law. 5

Bad News Travels Fast

While cyberattacks or device thefts make for sensational headlines, breaches due to employee or organizational errors are also reported in the news. One news outlet reported that a 2014 clerical error at St. Vincent Breast Center in Indianapolis resulted in 63,325 patients receiving a mailing containing incorrect information, including the names, addresses and appointment times of other patients. 6 In 2013, Oakland, Calif.-based West Coast Children's Clinic notified patients of a PHI breach after it faxed a single patient's information to an incorrect fax number. 7 As the clinic explained to news outlets in a written statement and to patients in a letter, several PHI disclosure protocol steps were not followed, including verifying the fax number and notifying the recipient that the fax had been sent. According to Deloitte's 2014 global survey on reputational risk, a negative reputation event, such as a data breach, can cause a loss of brand value for healthcare providers. 8 Word of a breach can also spread online through social media platforms such as Facebook and Twitter, through consumer rating sites such as Yelp, and even through Google results when someone searches for the hospital.

Risky Business

As large health systems acquire more hospitals and physician practices, PHI disclosure policies, procedures and technology may vary greatly between facilities and add to risk levels. Another factor driving breach risk has emerged as more organizations recognize the efficiencies of disclosing PHI electronically (ePHI) over paper. Electronic Medical Record (EMR) systems allow more people across a healthcare enterprise to access PHI, including people who are not specially trained in the ROI function. When onboarding one Pennsylvania-based health system, MRO discovered 40 points of disclosure in the system, not counting physician practices. Most of those disclosure points were managed outside the Health Information Management (HIM) department by individuals who were not specially trained in ROI and PHI disclosure compliance. Talk about risky.

Release of Information: The Ticking Time Bomb

Criminal attacks and lost or stolen devices were the root cause of most PHI data breaches last year, but almost as many (40 percent) were due to unintentional employee action, according to 2015 survey results from the Ponemon Institute. 9 Unintentional employee action covers more than using the wrong fax number or mailing address when disclosing PHI. There are multiple points in the ROI process where a misstep can result in a breach.

Error rates in a typical ROI workflow:
- 20-30% of submitted authorizations are invalid on first review
- 10% of authorizations are processed with errors when the onsite logger is the only check
- 5% of patient data in EMRs has integrity issues
- 0.7% of releases include mixed patient records

With typical ROI workflows, 20 to 30 percent of all submitted authorizations are initially found to be invalid. 10 However, with over 100 possible combinations of errors or omission points across a wide variety of request types, as many as 10 percent are processed with errors if the only line of defense is the person onsite logging the request. Five percent or more of patient data in EMRs has integrity issues, including commingling of patient records. Well-trained ROI specialists will catch the majority of mixed records; however, with just one level of quality control, 0.7 percent of releases will contain mixed patient data. PHI breaches are not isolated incidents. Ninety-one percent of healthcare organizations surveyed by Ponemon reported a PHI breach in the last year, while 40 percent reported more than five. Also of concern is that 69 percent of organizations did not discover the breach until an audit; therefore, the improper disclosure may have occurred weeks or months earlier.

Gaps in the Typical Release of Information Workflow

In the typical ROI workflow, requests for health information come into a facility and are logged by onsite ROI staff who also handle many other responsibilities: support and issue resolution, requester calls, record retrieval, invoicing and collections, producing copies, and delivering the records. There is no second set of eyes for quality assurance. This approach results in inefficiencies, distractions and increased errors.

Don't Leave Risk to Chance

At MRO, we focus on two things: service and quality. With MRO's industry-leading Quality Assurance program, our clients can have full confidence that their disclosures are HIPAA compliant. Not one but two teams check each ROI authorization for accuracy, and then a combination of our optical character recognition (OCR) validation technology and human review checks for commingled records. An additional quality check is done through a barcoding system to maintain shipping integrity. All of this results in a 99.99% accuracy rate. MRO's technology and people can manage PHI disclosure across multiple departments and locations to standardize policies and procedures and safeguard your organization against the risk of breach.
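The three checks described above (a valid authorization, no commingled pages, and a shipment addressed to the authorized recipient) can be expressed as a single fail-closed gate that runs before anything leaves the building. The following is an added example written for this page, not MRO's software or a description of its OCR or barcode systems. The request, page and shipment structures, the identifiers and the sample data are constructed for illustration; the required authorization elements it checks for are the core elements of a valid HIPAA authorization (45 CFR 164.508(c)(1)).

```python
"""Pre-release gate for a Release of Information (ROI) request.

Added example, not MRO's code. Every check returns a list of findings and
the gate releases only when the combined list is empty, so a missing check
result can never be mistaken for a pass. Data formats are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Authorization:
    patient_name: str
    patient_mrn: str            # medical record number (assumed identifier)
    information_described: str  # what may be released, e.g. "discharge summary"
    recipient: str              # who may receive it
    purpose: str
    expiration: Optional[date]  # None = missing, which invalidates the form
    signed_on: Optional[date]   # signature date; None = unsigned


@dataclass
class RecordPage:
    page_no: int
    mrn: str            # identifier read from the page (stands in for an OCR result)
    patient_name: str


@dataclass
class Shipment:
    label_recipient: str
    pages: List[RecordPage] = field(default_factory=list)


def check_authorization(auth: Authorization, today: date) -> List[str]:
    """One finding per missing or invalid core element of the authorization."""
    findings = []
    for name in ("patient_name", "patient_mrn", "information_described",
                 "recipient", "purpose"):
        if not getattr(auth, name).strip():
            findings.append(f"authorization: missing {name}")
    if auth.signed_on is None:
        findings.append("authorization: not signed")
    if auth.expiration is None:
        findings.append("authorization: no expiration date or event")
    elif auth.expiration < today:
        findings.append(f"authorization: expired on {auth.expiration.isoformat()}")
    return findings


def check_commingling(auth: Authorization, pages: List[RecordPage]) -> List[str]:
    """Flag every page whose identifier does not match the authorized patient."""
    findings = []
    if not pages:
        findings.append("no pages compiled for release")
    for p in pages:
        if p.mrn != auth.patient_mrn:
            findings.append(f"page {p.page_no}: identifier {p.mrn} belongs to another patient")
        elif p.patient_name.casefold() != auth.patient_name.casefold():
            findings.append(f"page {p.page_no}: name mismatch ({p.patient_name!r})")
    return findings


def check_shipping(auth: Authorization, shipment: Shipment) -> List[str]:
    """The label must name the recipient the patient authorized, nobody else."""
    if shipment.label_recipient.casefold() != auth.recipient.casefold():
        return [f"shipping: label addressed to {shipment.label_recipient!r}, "
                f"authorized recipient is {auth.recipient!r}"]
    return []


def release_gate(auth: Authorization, shipment: Shipment,
                 today: date) -> Tuple[bool, List[str]]:
    """Return (may_release, findings). Any finding blocks the release."""
    findings = check_authorization(auth, today)
    findings += check_commingling(auth, shipment.pages)
    findings += check_shipping(auth, shipment)
    return (not findings, findings)


# Constructed sample data (not real patients or requesters).
TODAY = date(2016, 3, 1)
AUTH = Authorization("Jane Doe", "MRN-1001", "discharge summary", "Acme Insurance",
                     "claims review", expiration=date(2016, 12, 31),
                     signed_on=date(2016, 2, 1))
CLEAN = Shipment("Acme Insurance", [RecordPage(1, "MRN-1001", "Jane Doe"),
                                    RecordPage(2, "MRN-1001", "Jane Doe")])
# Page 2 was pulled from a different chart: the commingled-record case.
MIXED = Shipment("Acme Insurance", [RecordPage(1, "MRN-1001", "Jane Doe"),
                                    RecordPage(2, "MRN-2002", "John Roe")])
MISADDRESSED = Shipment("Beta Health Plan", list(CLEAN.pages))

if __name__ == "__main__":
    for label, shipment in (("clean", CLEAN), ("mixed", MIXED),
                            ("misaddressed", MISADDRESSED)):
        ok, findings = release_gate(AUTH, shipment, TODAY)
        print(label, "RELEASE" if ok else "HOLD", findings)
```

The page-level identifier comparison is what catches the 0.7 percent case: a reviewer reading a stack of pages sees names, but a per-page identifier match does not tire and does not skip a page. Running the shipping check against the authorization rather than against the request letter closes the fax and mailing errors cited earlier, because the address is checked against what the patient signed, not against what the requester typed.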

THE MRO DIFFERENCE

MRO, headquartered in Valley Forge, PA, was founded in 2002 on the premise that a better ROI service could be created with better workflow, improved quality assurance, and use of innovative technology. Because of our focus on service and quality, we have been recognized by KLAS as the leader in ROI services multiple times. 20% growth. 2nd largest ROI provider. Clients large and small. More than 3,700 implementations. Follow the latest trends with us on social media.

FOOTNOTES
1 U.S. Department of Health & Human Services. Breach Notification Rule web page. HHS.gov. https://ocrportal.hhs.gov/ocr/breach
2 Ornstein, Charles. Small Violations Of Medical Privacy Can Hurt Patients And Erode Trust. Shots: Health News from NPR. Blog post. December 11, 2015. http://www.npr.org/sections/health-shots/2015/12/10/459091273/small-violations-of-medical-privacy-can-hurt-patients-and-corrode-trust
3 The American National Standards Institute (ANSI). The Financial Impact of Breached Protected Health Information. Report. March 2012. https://webstore.ansi.org/phi/
4 American Medical Association. HIPAA Violations and Enforcement. Solutions for Managing Your Practice. Web page. http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page
5 Thompson Hine LLP. De Facto Private Right of Action Under HIPAA: Is Ohio Next? Health Care Law Update. http://www.thompsonhine.com/publications/de-facto-private-right-of-action-under-hipaa-is-ohio-next
6 Auslen, Michael. St. Vincent Breast Center mails 63,000 letters to wrong patients. The Indianapolis Star. July 4, 2014. http://www.indystar.com/story/news/2014/07/04/st-vincent-mails-letters-wrong-patients/12234059/
7 McCann, Erin. Fax mishap leads to HIPAA breach. Healthcare IT News. April 25, 2013. http://www.healthcareitnews.com/news/fax-mishap-leads-hipaa-breach
8 Deloitte. 2014 global survey on reputation risk. October 2014. https://www2.deloitte.com/content/dam/deloitte/global/documents/governance-risk-compliance/gx_grc_reputation@risk%20survey%20report_final.pdf
9 Ponemon Institute. Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Research Report. May 2015. http://www.ponemon.org/blog/criminal-attacks-the-new-leading-cause-of-data-breach-in-healthcare
10 MRO research based on client data.

888.252.4146 www.mrocorp.com Don't leave risk to chance. Cover your assets with MRO.