5 Steps for Safeguarding PHI in the New Healthcare Environment

Rapid changes in technology and regulation are creating an increased flow of protected health information among providers, patients and other stakeholders.

In the rush to figure out how to exchange patient information, less attention has been paid to ensuring that the proper controls have not been overlooked to mitigate disclosure risks to hospitals and health systems. Those risks can be significant.

For healthcare organizations, a breach of PHI can result in reputational damage, the potential loss of patients and steep financial penalties. An American National Standards Institute hospital survey, for example, found the costs associated with a breach ranged from $8,000 to $300,000. This illustrates that even at the low end of the spectrum, there is a potentially hefty financial impact each time PHI is improperly disclosed.

The migration from paper to electronic processes is quickly altering the way healthcare organizations deliver, track and manage the disclosure of PHI. Further compounding these technology challenges is the ongoing tightening of state and federal regulations, such as HIPAA and HITECH. Stricter guidelines with steeper penalties for a breach — combined with the public's increasing awareness of patient privacy rights — are forcing hospitals to look for more efficient ways to manage PHI.

During this time of industry transformation, it is critical for hospitals to ensure proper management and security of PHI for the long-term health of their organizations. Here are five immediate steps hospitals can take to help avoid a breach:

1. Investigate all disclosure points. You can't manage what you can't track and quantify. A hospital that doesn't know all potential sources of information breach may risk damage to its community image and its financial well-being. A typical hospital might expect to have more than 40 PHI disclosure points.

The first step to a solid disclosure management strategy, therefore, is to identify points of risk. A few of the areas to investigate outside of health information management include risk management, billing, lab, radiology, hospital-owned clinics and physician practices. Once those sources have been identified, a hospital can then develop policies and procedures that dictate the appropriate circumstances under which disclosures are made, to whom disclosures can be made and the proper steps to follow.

2. Create an enterprise-wide strategy. Release of information involves a multitude of high-risk moving parts. Proper ROI requires organizations to authenticate and track requests, retrieve the right information from disparate systems and document all along the way. The sheer volume of disclosures, paired with increased scrutiny on security of PHI, has created an environment in which it is difficult to control documentation electronically — and nearly impossible to do so manually. For these reasons, centralizing the ROI process is an optimum solution to the challenges of accessing, exchanging, tracking and reporting PHI.

An enterprise-wide approach enables hospitals to deploy software and services for use as a common tracking platform. By processing disclosures through one comprehensive solution, all hospital departments that disclose PHI receive the benefits of better information security, workflow efficiencies and quality assurance checks on the information sent through the system. Providers can coordinate workflow, capture all process documentation in one location and benefit from centralized database tracking and reporting for all departments.

Centralizing ROI also helps organizations standardize policies and procedures. It allows for more consistent interdepartmental communication, policy enforcement and level of oversight — all key elements necessary for compliance within the increasingly complex regulatory environment. With this level of standardization also comes greater opportunity to provide a consistent experience for patients and other requesters. 

3. Recruit your physician practices. Hospitals are increasingly responsible for managing the disclosure of PHI across acquired physician practices, with the volume of records in a physician's office adding to the hospital's liability. Physician practices not only house their own records, but they also, in many cases, maintain records they have received from various hospitals for the continuation of care.

To recruit and help physician practices reduce the risk of improper disclosures, hospitals can adopt one of two methods:

  • Deploy the standards used in the hospital — in HIM, typically — to the physicians' offices. That may entail training and including the methodologies of any ROI companies the hospital has selected. The benefit of this approach is that everybody follows the same guidelines and the same rules.
  • Provide the physician practices with the same tools used in the hospital, whether they are tools embedded in an electronic health record or some other kind of disclosure tool.

Best practices call for applying the same disclosure management policies and technologies for hospitals and physician practices, whether they're owned or managed. 

4. Leverage technology. Technologies such as EHRs, health information exchange solutions, patient portals and direct secure messaging are advancing at a challenging pace. Hospitals must make sure all their information technology is secure to protect against unauthorized access to PHI on a large scale, such as when a laptop or data system is improperly accessed. There are a number of ways to secure electronic health information, including user authentication, encryption, remote wiping/disabling of data and firewalls.

Just as evolving technologies are adding complexity to protecting patient privacy, new technology solutions can also be used to better manage the exchange of PHI and guard against improper disclosure. As the exchange of health information continues to move online, utilizing sophisticated disclosure management solutions designed by technology leaders will be vital to the success of healthcare organizations.

For example, providers can strengthen policies and procedures through the use of accounting of disclosures solutions that lead staff through the disclosure process and enable organizations to track, manage and report disclosures across the enterprise should they occur. Staff members who access and/or disclose PHI are not necessarily disclosure experts who are fully trained to follow the latest guidelines; AOD technology is one way to minimize the risk of improper disclosure and breach.

The most technically advanced disclosure management firms have experience in system integrations and electronic delivery and have begun to build their own health information exchange solutions that can be easily integrated with EHRs and PHI disclosure platforms. Their embedded compliance tools and breach assessment capabilities often can help organizations properly manage their disclosure of PHI and determine when a breach has occurred so they can respond quickly and effectively when necessary. 

Integrating disclosure management tools with EHRs and other IT solutions can also improve reporting quality and turnaround time. Synchronizing with master patient indexes, for example, allows for easier data capture and restriction monitoring. Disclosures can automatically be captured (i.e., print routines) and advanced reports provided for a range of disclosure types including paper, thumb drives, film, CDs, patient portals, electronic submission of medical documentation delivery and direct secure messaging.

5. Partner with a disclosure management firm. The changing regulatory and technical landscape demands that hospitals ensure the privacy and security of patient information. Experienced PHI disclosure management firms have the knowledge of privacy laws and disclosure policies needed to help hospitals successfully navigate these complex issues. In addition, because these firms work under business associates agreements, they carry the same responsibility as the hospital to follow security and privacy guidelines, and they share that liability.

New pressures, new ways to navigate disclosure rules

Disclosure management is not a simple process anymore. The rapid adoption of new technology holds the promise of numerous clinical and financial benefits, as well as the chance for healthcare organizations to gain competitive advantages. At the same time, however, it also introduces new risks that healthcare providers must manage properly.

With stricter regulations and the threat of steep penalties on the line, hospital leaders must focus more time and attention on securely, properly and efficiently handling PHI. Organizations that take steps to centralize and standardize disclosure policies and procedures will mitigate risk and lead the charge in the new healthcare environment, ensuring the future health of their businesses.

Don Hardwick is vice president of client relations and compliance at MRO Corporation.

More Articles on PHI:
4 Top Vulnerabilities Affecting PHI Security  
8 Top Motivations Behind Intentionally Compromised PHI 
Top 6 Features of Mobile Device Policies 

© Copyright ASC COMMUNICATIONS 2018. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months