DOCUMENT SERVICES RECORDS MANAGEMENT & IMAGING SERVICES WHITE PAPER
Why Health Information Managers Must Absolutely Sweat the Small Stuff
CONTENTS
Implications of Regulatory and Compliance Mandates
The Value Chain in Information Lifecycles
Organizational Best Practices
How Canon Business Process Services Improves Business Performance
Implications of Regulatory and Compliance Mandates
Today's news headlines about records and recordkeeping systems are often uncomplimentary regarding the organization's role in records destruction. The losses suffered by many organizations due to improper attention to sloppy recordkeeping, accounting irregularities and other executive misdeeds have focused both public and governmental attention on the need for excellence in recordkeeping. This heightened news media focus and the resulting public attention mean that organizations and their leading executives must introduce unimpeachable records management programs with consistently well-implemented policies and procedures. For its part, the Office of Civil Rights (OCR) has stepped up enforcement of Health Insurance Portability and Accountability Act (HIPAA) provisions. Massachusetts General Hospital was the subject of an OCR investigation related to the impermissible exposure of the protected health information (PHI) of close to 200 patients receiving treatment for infectious diseases including HIV and AIDS. (1) The unintended disclosure happened because an employee inadvertently left the files in a subway car. As a result, Mass Gen agreed to pay a penalty of $1 million and to initiate a corrective action plan to align its records-handling procedures with HIPAA guidelines in February 2011. A somewhat similar data breach resulted in the OCR's investigation of Blue Cross Blue Shield of Tennessee's (BCBST) records management practices. In this case, the theft of 57 hard drives that held PHI data of more than 1 million BCBST members compromised the privacy of the information and the individuals involved.
As a result, BCBST agreed to pay a fine of $1.5 million and engage in a corrective action plan in March 2012. This case is notable for being the first enforcement action for cases reported under the breach provisions of the Health Information Technology for Economic and Clinical Health Act (HITECH). Another HITECH breach notification case involved the theft of a laptop containing the PHI of 3,600 Massachusetts Eye and Ear Infirmary patients and research participants. The electronic files containing sensitive information were unencrypted. The resolution agreement was reached in September 2012. It involved a civil penalty of $1.5 million, a corrective action plan and the retention of an external monitor to ensure compliance with HIPAA guidelines. A major outcome of these cases has been increased public scrutiny of records management practices and healthcare executives' accountability when it comes to safeguarding PHI. For organizations that have demonstrably supported and enforced existing records management programs, this level of visibility and management practices review does not pose a problem. However, companies that have failed to invest any significant resources to ensure health records are created and managed with the requisite attention and priority risk serious consequences should records become suspect during customary audits, regulatory review or legal actions. The most impactful factor increasing the consequences has been the legislative and regulatory responses to high-profile cases and other similar events. HIPAA guidelines stipulate that sharing PHI is permissible even without release of information (ROI) within the community of treating physicians and other providers who need access to medical records for treatment, payment and operations purposes. As defined, treatment covers provision, coordination and overall management of care, including peer consultations and referrals, regardless of the network status of clinicians. The overriding guideline for determining access to PHI for treatment purposes is that the provider is part of the treatment plan or has agreed to be part of the care plan. Access to PHI beyond the HIPAA definitions requires a valid authorization from the patient concerned. A different set of rules applies to behavioral health records, as state privacy laws govern access to these records. The HIPAA Privacy Rule does not define specific guidelines for retention of medical records.
However, the Privacy Rule requires all providers and payers included as covered entities to have procedures and processes in place to safeguard the privacy of PHI and medical records for as long as such information is retained. Administrative, technical and physical processes extend to storage, retrieval and disposal of paper and electronic files. Medical records retention guidelines will vary from state to state. When HIPAA and state laws both recommend a timeline for records retention, the longer timeline becomes the prevailing guideline for healthcare organizations in that state to maintain medical information. ROI guidelines are a different matter altogether, as HIPAA is more specific on turnaround times. To be sure, ROI is a complicated process that invariably takes up time. Human and technology resources are needed to document and validate requests, track the process and fulfill the records request in a timely manner and within HIPAA-compliant guidelines, especially the rules related to meaningful use and minimum necessary information. Per HIPAA rules, patient requests for PHI must be fulfilled within 30 days. However, health organizations are finding that pushing the ROI limits on these requests does not bode well for patient satisfaction. When the request is immediately verifiable, as with patients requesting their own records using acceptable forms, the turnaround time should be no more than a few days, an entirely doable process with electronic health records (EHR). Requests for PHI that meet meaningful use criteria, including diagnostic tests, symptom checklists, lists of medications, allergies and procedures, should be fulfilled within three business days, assuming that records are stored in electronic format. HIPAA rules allow for a 30-day response period for requests outside of meaningful use, but some states may have more stringent ROI fulfillment regulations. For this reason, health organizations may need to have a system in place that recognizes and prioritizes meaningful use requests to ensure ROI efficiency and improve quality of care standards. The turnaround time for ROI requests by recovery audit contractors examining improper Medicare and Medicaid payments is 45 days from the date of the written request. HIPAA guidelines provide for a 60-day response time for requests for an accounting of disclosures and an access report.
Under the 2011 HITECH regulations, this means that hospitals have 30 days from the original date of request, with a 30-day extension if needed, to generate a report on who has accessed the patient's report, what type of information was released and the reasons for the disclosure or access. Another area of growing concern for the health sector is the stringent attention paid by courts to the preservation of records when the prospect of litigation arises. HIPAA and individual state guidelines address storage, retrieval and destruction of health records, and it is important for courts to see high-quality, fully disclosed documentation as well. Spoliation is the destruction or alteration of evidence by actively destroying information or simply failing to preserve it. When records are destroyed at a defendant's site or while under management control, the courts generally will find in favor of the plaintiffs, even when ill intent on the part of the defendant may not be present. Courts have awarded fines and sanctions against organizations that failed to preserve records on digital storage devices when the data could not be read or used. In addition, the costs of electronic records discovery are often paid by the defendant, creating significant incentive to settle cases quickly. Influence by regulatory agencies in the recordkeeping processes of healthcare entities is growing. There is increasing need to assure records creation and retrieval occur accurately and quickly, subject to professional oversight and customary audits. Some examples of the scope and complexity of the regulations include:
+ The HIPAA Privacy Rule, alternatively referred to as the Standards for Privacy of Individually Identifiable Health Information, defines standards to protect the privacy and integrity of health information. Covered entities, as defined by HIPAA provisions, should ensure that policies and procedures are compliant with these regulations or risk investigations and hefty penalties.
+ The HITECH Act forms part of the American Recovery and Reinvestment Act of 2009 (ARRA), which sought to incentivize healthcare information technology and hasten the adoption of electronic health records among providers. At the same time, HITECH expands the scope of privacy protections under HIPAA, increases enforcement and escalates the legal liabilities for non-compliance. HITECH also imposes notification requirements for health organizations that experience an unsecured data breach. When unencrypted data faces impermissible disclosure, whether due to internal missteps or external factors, the organization needs to notify affected patients. If the number of patients involved exceeds 500, notification will extend to the Health and Human Services (HHS), triggering publication of the organization's name on the HHS website.
+ The Patient Protection and Privacy Affordable Care Act, popularly referred to as the Affordable Care Act (ACA), is a sweeping overhaul of the nation's healthcare system. ACA reforms are phased in over a 10-year period that began in 2010. The successful integration of healthcare exchanges as a key component of this legislation will be influenced in part by the ways that the integrity, privacy and security of PHI will be managed as EHR systems become a fundamental part of healthcare delivery.
+ State governments may have record retention laws that outlast HIPAA requirements. If a state has a retention period that is longer than HIPAA's requirement, the state regulation must be followed.
HIPAA RETENTION AND RELEASE OF INFORMATION
HIPAA was passed in 1996 to provide federal protections for personally identifiable health information collected, maintained and archived by health organizations and their associates who qualify as covered entities under the definition of this statute. It aims to enhance patient access to health records while permitting disclosure to qualified entities for patient care and other purposes as defined by the Privacy Rule. The Security Rule defines measures that health organizations and other covered entities need to implement to ensure integrity of the data, assure patient confidentiality and facilitate timely access by qualified entities.
KEY ISSUES
+ The burden of safeguarding PHI lies with health organizations and third-party associates who generate, update, access, archive and dispose of individually identifiable information in written, electronic and digital formats.
+ Covered entities must establish and implement records management policies defining which class of workers can access and use PHI, the type of information that can be accessed to carry out their functions and conditions under which information may be released.
+ Healthcare providers and other covered entities must make reasonable effort to request and disclose only the minimum necessary health information to meet the records requirement. Proper authorizations must be obtained and validated prior to releasing the information.
+ Policies regarding disposition of identifiable health data must comply with both HIPAA and state guidelines. HIPAA does not specify disposition procedures for files on paper and electronic media, stating only that reasonable measures must be taken to ensure that impermissible disclosure does not happen during the final disposition of PHI.
The impact on healthcare organizations of more stringent regulations and broader enforcement of mandates has already been demonstrated by OCR investigations and the consequences for entities involved. For example, one general hospital released to local media copies of X-rays and intake sheets of a patient injured in an uncommon sporting accident. The media did one better by publishing the information together with details of the accident, a description of the patient's condition, the patient's gender and quotes from hospital personnel about the accident. The hospital disclosed the information without proper authorization from the patient because of its belief that doing so would avert serious threats to health or safety. The OCR investigation found that the disclosures did not meet established standards of the Privacy Rule. In addition, the disclosures failed to sufficiently de-identify the data, so that individual authorization would have been required.
As a result, the hospital was required to initiate and implement specific policies to address disclosures linked to public health and safety reasons. Staff training on these new policies was required among other penalties.
The OCR published details of investigations and rulings pertaining to data breach under HIPAA/HITECH guidelines in 2012. The record number of cases and the number of health entities involved suggest that the HHS through OCR is serious about enforcing data privacy benchmarks. Included among these cases is one where the data breach affected fewer than 500 individuals. The threshold for publication of an organization's name as being subject to sanctions based on HITECH breach notification guidelines is typically 500 and up. This action by the OCR denotes a zero-tolerance policy for data breach among those entrusted to collect and protect health records. To drive the point home even further, federal regulators have shown that they are not above going after healthcare executives for actions of the organizations they represent. Making C-suite executives personally liable for fraud, abuse and egregious cases of noncompliance with mandated standards of care is a big deterrent to fraud and misuse of resources. A 2012 medical misbranding investigation involving The Purdue Frederick Company, Inc., a pharmaceutical company, led to guilty pleas for top executives, including the vice president for medical affairs. Under the Responsible Corporate Officer doctrine, proof of intent is not required but does act as evidence of failure to prevent the violations. Exclusion from involvement in the healthcare sector was also part of the penalty dealt to these executives. In two other cases with similar penalties, the president of GSK's North American Pharma Division and the chief executive officer of Abbott Pharmaceuticals were asked by the Department of Justice to personally vouch that their companies had complied with requirements of their respective plea agreements. Personal certifications like this have to be taken seriously or face perjury charges.
Clearly, healthcare executives need to be fully engaged in their company's compliance programs or face the prospect of being held personally liable for violations. Moreover, the HIPAA Omnibus Rule that went into effect on September 23, 2013, clarifies that a vendor or contractor that creates, receives, transmits or maintains PHI is a business associate of the covered entity and will be held to the same accountability for compliance with applicable rules. Healthcare organizations, or covered entities, are required to obtain satisfactory assurances that their PHI will be protected as required by the rules: Breach Notification Rule, HIPAA Security Rule, HIPAA Privacy Rule, etc. Healthcare reforms under ACA have accelerated the passage of legislation and regulations pertaining to information disclosures between and among providers, payers and other entities. For instance, the Physician Payment Sunshine Act's Final Rule requires mandatory disclosures of any compensation between manufacturers and physicians, making it necessary to have systematic records open to unscheduled audits. Furthermore, the federal government has embarked on a more aggressive pursuit of noncompliant providers, calling for substantial financial penalties as part of settlement agreements. HHS believes that waste and abuse account for 20 to 30% of all healthcare spending, justifying the commitment of federal resources to Medicare and Medicaid enforcement. Individual states, through their attorneys general, have pursued their own fraud recovery programs, generating significant revenues for the state. In this environment, judicious recordkeeping starting at the initial encounter is the best defense for healthcare organizations. It is necessary for physicians and health organizations to have a defensible program in place that specifically addresses compliance with federal and state healthcare laws, regulations and procedures. The risk areas include HIPAA/HITECH compliance, physician self-referral laws, and billing and coding compliance.
In this highly regulated and strictly monitored environment, physicians and health entities may need to work with professional organizations with compliance expertise in the health sector.
The Value Chain in Information Lifecycles
Health information has a lifecycle that begins with creation and ends with a final disposition of paper and electronic files that will be archived or slated for destruction following HIPAA-compliant and state government procedures. Information on paper files is handled differently from electronic files. It is common for organizations to produce both paper and electronic records materials during each encounter with the patient, especially in an emergency or urgent care environment. In many cases, records may initially be produced on computers and then merged with data gleaned from paper documents. The paper-based records would be filed in records centers and eventually scanned or stored as paper off-site. It is obvious that not all organizations are properly staffed and equipped to perform records tracking in an integrated manner for both paper and electronic files across multiple departments and locations within the prescribed time frames. Similarly, many organizations are not staffed or trained to capture and manage the records generated from complex medical processes if the documents must be scanned into images for multiuser access from many different locations within the health system or hospital. In these cases, it may be more cost-effective to contract for outside assistance with these integration issues so that internal personnel can focus their attention on the organization's line of business, delegating records management services to more highly skilled, trained specialists. Contemporary concerns about technology obsolescence and digital preservation are sources of other information lifecycle issues. All computer systems run on hardware and software platforms that begin to become obsolete from the moment they are installed and configured. Further, hardware systems such as disk drives and portable digital devices degrade over time.
As a result, the information recorded with those devices may become inaccessible at some point. As desktop computer software versions change yearly, the various data formats being created may not be reusable in the future, depending on the backward compatibility of each vendor's software offering. Medical records are by no means confined to the patient-physician encounter. Computer-based patient assessment systems, EEGs, MRIs and X-ray results pose additional access and preservation issues. These records may be saved digitally and transmitted to users through an organization's EHR, a physician's practice EHR via an HL7 interface, or to the patient directly via a patient portal. Many organizations are creating digital document preservation strategies that include a migration of electronic records over time from the original native file formats within the electronic health record system to a permanent digital record repository that enables the transfer and preservation of structured data. Without a sound data migration strategy, organizations may, in the future, try to retrieve electronic files that are not readable on the then-contemporary computer equipment. This will greatly impact organizational success in addressing records retrieval needs and could negatively impact the overall success of the organization. Defining the information lifecycle within the operating framework of business processes and value chain is vital to the identification of critical records needing long-term retention. Each business process that generates revenue must have the critical records for that process defined in a records retention schedule, retention periods assigned, and applicable policies and procedures developed to address them. In addition, appropriately trained personnel must be assigned to assure that those records are captured and preserved. In the healthcare setting, medical records governance is a crucial component of the information exchange that drives the interaction among providers and between providers, payers and patients.
Regulations are in place to govern how and why patients' PHI can be collected and stored and who can access, retrieve and use these records. Unfortunately, state laws may not always align with federal regulations. The diversity of cases in healthcare makes it difficult to define uniform standards for records management and creates a difficult balancing act for healthcare organizations that have to ensure timely delivery of health records while respecting patient privacy at the same time. Now that hospitals have migrated to EHR systems, information should become more accessible and usable for providers. However, healthcare organizations should have a system of ROI procedures in place to ensure privacy and security of PHI while ensuring compliance with federal and state guidelines. This process can prove difficult if the information requested lies partly within paper files currently stored off-site and partly within the EHR in a digital format. Healthcare information management (HIM) employees must be conscious of delays with turnaround times and issues of locating files in storage with off-site vendors. It is important to have a procedure in place that is, ideally, a closed-loop release of information process that demonstrates, and audits, chain of custody from request to delivery. Figure 1 demonstrates the best practices process for the release of information.
Fig. 1 Closing the Loop on Chain of Custody (figure; process steps shown: On-Site Management in Accordance with Facility's Processes; Capture, Collect & Sort On-Site Paper Charts/EMR Content; Capture, Collect & Sort Off-Site Digital Images/Paper Charts; Create Invoice Package & Verify Information with On-Site Staff; Release of Information Process Improvement; Coordinate Validation of Requester with Hospital Compliance and Quality Management; Collect Fees; Deliver Content; Send Fulfillment Notification; Authenticate & Track Adherence to Retention Schedules; Improved Customer Service and Communication)
Organizations should log the details of every information request, validating information such as date and time received, name, designation and purpose of the requesting party, type of format and a valid authorization if needed. Any number of logs can be used to track the request as it moves through the processing cycle. Tracking logs can be as simple as database or spreadsheet programs or more advanced ROI software where the output can be used to gauge fulfillment efficiency and turnaround times. Verification of authority is central to efficient ROI turnaround. ROI processing will also include verifying the patient's identity and validating the requester's need-to-know status. It is also important for health records managers to verify the content of records being released to ensure that only the minimum necessary data is disclosed, that the data being released meets the requester's needs and that authorizations, if needed, are in place. In completing the records request, it is equally important to verify that it goes only to the entity specified in the authorization and that the data is delivered in the format requested. Organizations should establish reasonable turnaround times linked to the type of request. An ROI request for a patient receiving treatment in the emergency department should have a quicker turnaround time than a request for records by a patient needing them for an appointment within the week. These turnaround benchmarks must be HIPAA and state law compliant and should be consistently monitored and measured.
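The closed-loop ROI process described above, as an added illustration (this is not code from the white paper or from Canon Business Process Services): a small Python tracker that assigns each request the turnaround window the paper states (three business days for meaningful-use requests held electronically, 30 calendar days for other patient requests, 45 days for recovery audit contractors, 60 days for an accounting of disclosures), keeps a chain-of-custody log, checks the release prerequisites the paper lists (patient identity, requester need-to-know, authorization on file and matching the delivery target, minimum necessary review) and flags requests past their due date. The request types, the set of roles that need no patient authorization, and all sample requests are constructed assumptions; public holidays are ignored in the business-day count.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from enum import Enum
from typing import Optional


class RequestType(Enum):
    PATIENT_MEANINGFUL_USE = "patient_meaningful_use"
    PATIENT_OTHER = "patient_other"
    RAC_AUDIT = "rac_audit"
    ACCOUNTING_OF_DISCLOSURES = "accounting_of_disclosures"


# Turnaround windows as stated in the paper: (days, count business days only?)
TURNAROUND = {
    RequestType.PATIENT_MEANINGFUL_USE: (3, True),
    RequestType.PATIENT_OTHER: (30, False),
    RequestType.RAC_AUDIT: (45, False),
    RequestType.ACCOUNTING_OF_DISCLOSURES: (60, False),
}

# Assumed roles that receive PHI for treatment, payment, operations or audit
# without a patient authorization; any other requester needs one on file.
NO_AUTHORIZATION_ROLES = {"patient", "treating_provider", "payer", "rac"}


def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday days (public holidays are ignored here)."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            remaining -= 1
    return current


def due_date(received: date, kind: RequestType) -> date:
    days, business_only = TURNAROUND[kind]
    return add_business_days(received, days) if business_only else received + timedelta(days=days)


def due_date_iso(received_iso: str, kind_name: str) -> str:
    return due_date(date.fromisoformat(received_iso), RequestType(kind_name)).isoformat()


@dataclass
class RoiRequest:
    request_id: str
    received: datetime
    kind: RequestType
    patient_id: str
    requester: str
    requester_role: str
    purpose: str
    delivery_format: str
    deliver_to: str
    authorization_recipient: Optional[str] = None  # name on the signed authorization, if any
    patient_identity_verified: bool = False
    need_to_know_validated: bool = False
    minimum_necessary_reviewed: bool = False
    custody_log: list = field(default_factory=list)  # (timestamp, actor, action) entries

    def log(self, when: datetime, actor: str, action: str) -> None:
        self.custody_log.append((when, actor, action))

    @property
    def due(self) -> date:
        return due_date(self.received.date(), self.kind)

    @property
    def fulfilled(self) -> bool:
        return any(action == "delivered" for _, _, action in self.custody_log)


def release_blockers(req: RoiRequest) -> list:
    """Unmet prerequisites for release; an empty list means the release may proceed."""
    blockers = []
    if not req.patient_identity_verified:
        blockers.append("patient identity not verified")
    if not req.need_to_know_validated:
        blockers.append("requester need-to-know not validated")
    if req.requester_role not in NO_AUTHORIZATION_ROLES:
        if req.authorization_recipient is None:
            blockers.append("patient authorization required but not on file")
        elif req.authorization_recipient != req.deliver_to:
            blockers.append("delivery target does not match authorized recipient")
    if not req.minimum_necessary_reviewed:
        blockers.append("minimum necessary review not completed")
    return blockers


def overdue_ids(requests, today_iso: str) -> list:
    today = date.fromisoformat(today_iso)
    return sorted(r.request_id for r in requests if not r.fulfilled and today > r.due)


def sample_requests() -> list:
    """Constructed sample request log (no real patients, requesters or cases)."""
    r1 = RoiRequest("ROI-0001", datetime(2013, 10, 3, 9, 15), RequestType.PATIENT_MEANINGFUL_USE,
                    "P-100", "patient (self)", "patient", "copy of own lab results", "portal PDF",
                    "patient portal account P-100", patient_identity_verified=True,
                    need_to_know_validated=True, minimum_necessary_reviewed=True)
    r1.log(datetime(2013, 10, 3, 9, 15), "front desk", "received")
    r1.log(datetime(2013, 10, 7, 11, 0), "HIM clerk", "delivered")
    r2 = RoiRequest("ROI-0002", datetime(2013, 10, 1, 14, 0), RequestType.PATIENT_OTHER,
                    "P-100", "Example Law LLP", "attorney", "personal injury claim", "paper",
                    "Example Law LLP", authorization_recipient="Example Law LLP",
                    patient_identity_verified=True, need_to_know_validated=True)
    r2.log(datetime(2013, 10, 1, 14, 0), "front desk", "received")
    r3 = RoiRequest("ROI-0003", datetime(2013, 8, 1, 10, 0), RequestType.RAC_AUDIT,
                    "P-200", "RAC (constructed)", "rac", "Medicare payment audit", "paper",
                    "RAC (constructed)", patient_identity_verified=True,
                    need_to_know_validated=True, minimum_necessary_reviewed=True)
    r3.log(datetime(2013, 8, 1, 10, 0), "front desk", "received")
    return [r1, r2, r3]


if __name__ == "__main__":
    for r in sample_requests():
        print(r.request_id, "due", r.due, "blockers:", release_blockers(r) or "none")
    print("overdue on 2013-10-10:", overdue_ids(sample_requests(), "2013-10-10"))
```

Run stand-alone, the sample shows the pattern the paper asks for: a meaningful-use request received on a Thursday falls due the following Tuesday, the attorney request cannot be released until the minimum-necessary review is recorded, and the audit request that was never marked delivered surfaces on the overdue list.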
Organizational Best Practices
Health organizations focused on best practices recognize and act on the growing need for formally defined and consistently administered records management programs. This program should meet government requirements for records compliance as well as deliver substantial cost savings and productivity gains associated with the ability to quickly find and access health information. Although programs may vary widely in size and scope, they share common elements. These elements are global policies, specific procedures, IT support systems, ongoing records management training, and personnel dedicated to assuring that this organization-wide responsibility is wholly addressed. The primary components of a high-quality records management program are listed below:
1. Policies and procedures for creating and storing records in both paper and electronic format that are demonstrably supported by an organization's executives, including the chief executive officer, chief financial officer, chief information officer, general counsel and, increasingly often, the chief medical officer or other executive responsible for information governance
2. A thoroughly documented records retention schedule that lists records series (categories) and the expected retention time periods (based on legal, regulatory and best practices research)
3. An organizational file plan that lists primary records types by functional unit so that information can be located without dependence on any one employee
4. A vital records program that identifies and protects those records that are critical for immediate restart of an organization's business processes following a disaster or other interruption of the organization's business continuity
5. A records management implementation and training program that works with identified HIM staff in primary functional units to train them in the policies, procedures, workflows and systems required to assure quality recordkeeping occurs
6. Increasingly, a dedicated electronic records system repository, along with the requisite hardware/software platforms, that enables employees to search for records that are not currently stored within the EHR but either in a digital repository or off-site, based on a formally defined records retention schedule and other business rules
7. Periodic audits that provide an enforcement vehicle, assess the clarity of procedures and the effectiveness of training, and drive continuous improvement
8. Outsourced business services relationships that provide expert knowledge and operational support for well-planned records management programs
9. A closed-loop ROI process in which records, either physical or digital, are retrieved, redacted of information and supplied to the requestor with full HIPAA compliance, with greater efficiency and lower cost than the current procedure
Increasingly, records management program activities are outsourced to full-service document process management firms with specialized expertise in records management. These outsourcing firms can provide some or all of these managed services. Since records management is not the core competency of most healthcare organizations, outsourcing can free internal resources and investment to focus on core operational issues. In addition, depending on whether the record can be digitized or not, a contractual relationship with a cloud-based records repository vendor or an off-site commercial records storage center is also recommended. Digitized or not, having a partner for storage enables inexpensive and secure long-term retention of paper documents, electronic media or computer system backup devices in a disaster-resistant environment. Cloud-based repositories can store business records that would not be appropriate to store in the hospital's own EHR. It is also imperative to note that cloud-based systems have double redundancy, which means backup and disaster recovery are built into the overall cost.
Regardless of physical or cloud-based storage, having a storage partner also assures that expensive office space is not consumed by local storage of older low-value records. However, keep in mind the business associate rule associated with HIPAA, especially as organizations move to the cloud: if the business associate uses a third-party tool such as Google to maintain protected health information related to its compliance initiative, then Google would be a business associate and a contract is required. It is highly unlikely that a company such as Google would enter into a contract such as this, and doing so would prove to be an arduous task. Thus, hospitals need to be mindful of this provision relating to storage vendors. Today, it is increasingly common to see record management staff working more closely with legal counsel, auditors, compliance officers and IT personnel to assure that records are preemptively identified, located, organized and preserved before a crisis occurs. Organizations that anticipate impending litigation now are considered responsible for preserving records, even before receiving pending litigation hold orders from courts. Destruction of evidence in advance of court appearances can be considered a federal crime. For example, a patient's medical records are absolutely required to support a claim for medical malpractice. If a physician or the health organization deliberately misplaces, alters or destroys this evidence, the courts will hand down sanctions for spoliation. The concept of adverse inference typically favors the plaintiff in that spoliation of key evidence assumes that such evidence is not favorable to the defense. Aside from court sanctions, the health entity can also expect to face investigations and sanctions from the OCR. Records management is both a professional discipline and a vital organizational process within healthcare organizations. Adherence to its policies and procedures demonstrates management's commitment to operational excellence. The goals of a records management program include ensuring that high-quality recordkeeping activities and systems have integrity and reliability as well as establishing that the records being managed are authentic and accurate over the prescribed preservation time frames.
Historically, records management has promoted economies and efficiencies in operations. As healthcare organizations increasingly rely on informational data and documents, records management programs have become strategically and tactically critical to their ongoing operation and prosperity. Advanced strategic planning that addresses recordkeeping issues adds credibility and professionalism to organizational management. Tactically, high-quality recordkeeping systems and programs enable organizations to survive audit requirements, regulatory compliance investigations, aggressive litigation and environmental disasters and, most importantly, protect valuable patient information. In addition, the strategic long-range benefits of a comprehensive records management program include better patient outcomes, satisfied regulators, more productive employees and a reputation for credibility and professionalism in the community. A thoroughly implemented records management program is visible proof that management expects and supports accurate, accountable internal workflow compliance. In addition, a well-run and consistently enforced records management program clearly demonstrates that executives intend for their organization to provide exceptional patient care and create viable health records, as well as manage those records to high professional standards, wholly in compliance with laws and regulations.
FOOTNOTE
(1) Source: www.hhs.gov/ocr/privacy/hipaa/enforcement/example/manageralra.html
Advancing Business Performance to a Higher Level
460 West 34th Street, New York, NY 10001-2320
1 888 623 2668
Canon Business Process Services, Inc. is a leading provider of managed services and technology that enable organizations to improve operational efficiency while reducing risk and cost. Experts apply quality management principles and tools such as Six Sigma to advance performance to a higher level. The company offers services including BPO, imaging, records management, print, mail and ediscovery, and is an IAOP Global Outsourcing 100 Leader in 2013 for the seventh consecutive year. Based in New York City, Canon Business Process Services is a wholly owned subsidiary of Canon U.S.A., Inc. Parent company Canon Inc. (NYSE:CAJ) ranks third overall in U.S. patents registered in 2012 and is one of Fortune magazine's World's Most Admired Companies in 2012. Learn more at www.cbps.canon.com
CANON, MAXbasic and MAXadvanced are registered trademarks of Canon Inc. in the United States and may also be a registered trademark or trademarks in other countries. All other referenced product, company or service names and marks are trademarks or service marks of their respective owners and are hereby acknowledged. 2013 Canon Business Process Services, Inc. All rights reserved.
Canon Business Process Services, Inc. Document Services 10.2013.v1