Vol. 13 •Issue 20 • Page 37
Release of Information Services: More than just Copying
Compliance with the privacy regulations of HIPAA will be a significant legal and financial burden on hospitals, health care providers, release of information (ROI) providers and other constituents in the health care industry. Indeed, the federal government estimates that implementing and complying with the privacy regulations, which affect every aspect of the industry, will cost a minimum of $100 million over 10 years—by many accounts a conservative figure.
However, no corresponding revenue sources exist to fund this implementation and compliance. For example, HIPAA limits the amount that health care organizations can charge for providing patients with copies of their medical information to a “reasonable, cost-based fee” and narrowly defines what costs can be included in that fee. At the same time, it substantially raises the bar on the requirements for fulfilling ROI requests.
Assessment of what constitutes “reasonable” has become a subject of great debate in the industry. Without a clear understanding of the complexity of the ROI process and the risks and associated liabilities of improper information release, information requestors often expect to be charged 10 cents per page, or what their local copy center would charge. By contrast, charges for ROI services may vary substantially by state but can run as high as $1.18 per page plus retrieval and handling fees.
What distinguishes the ROI process from what goes on at the local copy center? Photocopying is only one small step in a multi-step ROI process closely governed by internal, state and federal regulations. Logging, verifying and tracking a request, retrieving patient information from multiple locations in multiple formats, selecting only relevant documents, reviewing every page for sensitive information, and finally reproducing, invoicing for and mailing the documents are labor-intensive tasks that require the skill and expertise of trained ROI specialists. Each step of the way, these specialists take painstaking care to protect the patient’s privacy and the health care organization’s liability in information release.
Log, Track, Verify
As soon as the request for patient information comes in, the ROI specialist creates a log to track each action. The log gives patients a record of who has looked at their medical record and details the efforts made to meet ROI turnaround goals. Under HIPAA, patient requests must be fulfilled within 30 days for records kept on site and 60 days for those stored off site.
Next, the patient in question must be located in the health care organization’s master patient index (MPI). Did the patient actually receive care at the hospital at the time specified?
The request is then verified to ensure it meets the minimum requirements under the HIPAA guidelines. Among other elements, HIPAA requires a proper signature and date, identification of the specific information to be released, an expiration date for the authorization, identification of the party who is authorized to receive it and restrictions on redisclosure by that party. If any of these elements are missing, the requestor must be contacted to fill in the blanks, which consumes financial resources in the form of staff time, postage and supplies before a single copy is produced.
Some questions are not easily resolved. Who is authorized to represent the patient if he or she is a minor, incompetent, deceased or the child of divorced parents? To make the right decision, the ROI specialist must be highly trained in both federal and state regulatory requirements and even then may have to consult experts such as the hospital’s legal counsel.
Where Is the Medical Record?
One of the most time-consuming steps in the ROI process is locating the requested information. Patient information may be stored on site or off site, on paper, microfilm or microfiche, or in a number of information systems—in any combination.
Although many organizations strive to achieve a true unit record for a patient—a complete set of information about that patient’s care, which the move to electronic health records will greatly facilitate—many factors challenge this goal. Often, information must be tracked down in the emergency room, physical therapy or other hospital departments. Records may be batch filed, or stored by date of service, making their retrieval a multi-step process. Thousands of loose paper reports reach the health information management (HIM) department each day and must be identified and properly filed; those pieces of information may not have found their way into a patient’s folder by the time an ROI request is received. The entire patient file may be in use elsewhere in the facility or awaiting analysis, transcription, coding or completion.
Information stored off site presents its own set of challenges. If the hospital owns the storage facility, it may not be climate controlled or well organized, while records stored in a vendor facility may require additional retrieval costs.
All in all, the paper chase can add up to significant phone time, legwork and detective work before the ROI specialist can retrieve all the pieces of the record needed to fulfill a request.
What’s Really Needed?
Armed with a complete record, the ROI specialist next must authenticate the request by matching the signature in the file with that on the request form. Then comes a question of judgment: What is the minimum amount of information (a restraint urged by HIPAA) required to meet the requestor’s needs? Training and mature judgment play vital roles in this process.
The ROI specialist may need to consult requestors, patients themselves, HIM management or legal counsel to determine what is appropriate.
Is It the Right Patient?
Once the ROI specialist has accumulated the patient’s medical information, he or she has another important step to perform: making sure another patient’s privacy is not violated in the ROI process.
Because of filing errors, which occur due to similar patient names, pages stuck together or myriad other reasons, a medical record may contain information that does not indeed belong to the patient whose name is on the folder. Therefore, each page must be individually checked for the proper name and identification number.
Safeguarding Sensitive Information
The final step before reproducing or scanning the information may be the most time-consuming of all: reviewing each page for sensitive personal details that, if released, could damage the patient’s employment status, personal relationships, reputation or more.
HIPAA, as well as many state regulations, specify that the health care organization and its associated service vendors can be liable for a breach of confidentiality by releasing information on treatment for mental health disorders, drug or alcohol abuse, HIV and other sexually transmitted diseases, and other personal information. Reports on behavioral health may be too sensitive to release even to the patient.
The trained and experienced ROI specialist will err on the side of caution as well as consult treating physicians, other experts or the patient before releasing sensitive information, even if it results in further delay and cost.
Reproduce, Invoice, Mail
Reproducing the authorized information is always more challenging than feeding paper into a copying machine. Legible copies must be made from reports that are hard to read or larger or smaller than standard paper sizes. Reports may need to be generated from a computer, microfilm or microfiche. Color images, if required, must be reproduced on a color copier or through a photo processor.
The information must then be collated, checked again to ensure it meets the request, logged and packaged with an invoice. Generally, health care organizations may charge attorneys, insurers, certain state agencies and Social Security for the cost of record search and retrieval, reproduction and mailing expenses. Under HIPAA, however, patients may be charged only for the cost of supplies, the labor of copying, and postage—all of which constitutes less than half of the full cost of the ROI function. Then, the information is mailed or transmitted electronically if scanning technologies are used.
Finally, the original medical record components are carefully replaced in their proper sequence and returned to the HIM department. Then begins the formidable task of collecting payment on thousands of $15 to $50 invoices.
The Attractions of Outsourcing
Clearly, the complexity and risk associated with the ROI process make it very different than the activities performed at the local copy center, which simply takes the documents it is given and makes photocopies. Then, consider the sheer volume of requests, each of which is quite unique: A suburban community hospital typically receives 20 to 50 requests each day, while a tertiary care facility may receive hundreds.
HIM leadership often finds that fulfilling and billing for ROI requests distract from the HIM department’s core mission of facilitating the flow of information throughout the organization itself, which assists with patient care and expedites reimbursement for services. Nonetheless, noncompliance with ROI regulations carries the risk of fines and even jail sentences.
With a workload this demanding and the stakes this high, a majority of hospital HIM departments not surprisingly choose to outsource some or all of the ROI process to outside vendors. These ROI specialists handle thousands of medical records requests per day with built-in processes for ensuring quality, security, confidentiality and efficiency. By outsourcing this labor-intensive, critical function, HIM departments can breathe more easily knowing that ROI requests are being managed by well-trained ROI specialists who view safeguarding confidential patient information as not just a job but a mission.
G. Michael Bellenghi is executive vice president of AHIOS, the Association of Health Information Outsourcing Services.