MRB asked HIM and release of information (ROI) professionals about their ROI practices for its first quarterly benchmarking survey of 2015. (The survey was completed in October 2014.) Half of survey respondents are HIM directors or managers (52%). Other respondents identified themselves as non-managerial HIM staff members (18%) or ROI directors or managers (4%). The majority of respondents (65%) work in hospitals.
RC.01.01.01, Content of the Medical Record, did not top the list of the survey findings for hospitals in the first half of 2014, according to the September 2014 issue of Joint Commission Perspectives. Nor was it on the list for critical access hospitals at all! However, 49% of hospitals surveyed received a requirement for improvement for this standard, primarily in the EPs related to timing and dating entries. This indicates hospitals are still using a lot of paper records. That said, the downward swing is encouraging as more and more hospitals fully implement the EMR.
In September 2014, CMS and the Office for the National Coordinator (ONC) released a final rule that offers enhanced flexibility for eligible professionals, eligible hospitals, and critical access hospitals using certified EHR technology (CEHRT) and working toward meaningful use attestation (https://s3.amazonaws.com/public-inspection.federalregister.gov/2014-21021.pdf). The final rule regulations became effective October 1, 2014.
Q: I was recently hired for a position at a long-term care facility. Upon getting acclimated, I learned that the facility has completed handwritten logs for every fax that was sent out since 2003. This document is referred to as the HIPAA fax log and contains the date the fax was sent, to whom it was sent, by whom it was sent, the number of pages, and whether a cover sheet with confidentiality statement was included. I would like to do away with this form since fax machines can generate their own logs. However, if this is a necessary process then I would like to follow official guidelines and update the facility's policies and procedures accordingly. Does the HIPAA Privacy or Security Rule require these logs? If so, what information must we include?
While organizations should focus on performing regular risk assessments and analyses, there are also other ways in which they must review their systems for compliance. Often, these other evaluations are overlooked despite their value, says Kevin Beaver, CISSP, an information security consultant in Atlanta. In particular, organizations should be careful not to forget about performing vulnerability assessments and penetration tests, which are components of an overall risk assessment or analysis, says Beaver, who is a BOH editorial advisory board member.