HIM Briefings (formerly Medical Records Briefing) asked HIM and release of information (ROI) professionals about their ROI practices for its first quarterly benchmarking survey of 2016. (The survey was completed in October 2015.) We introduced several new questions this year about the medical record itself as well as ROI practices.
As we embark on our 30th year of delivering you the latest in HIM, we would like to invite you to celebrate the HIM profession with us. Each month this year, HIM Briefings (formerly Medical Records Briefing) will include a special feature that highlights the changes to our publication and the HIM profession over the years.
The Joint Commission's September 2015 Perspectives encourages "hospitals to design systems to ensure accurate and complete medical records." Although this is not a new concept, it becomes more important as more hospitals' medical records become electronic while still maintaining a certain amount of paper documentation.
When President Barack Obama issued Executive Order 13636 February 12, 2013, Dena Boggan, CPC, CMC, CHPC, took notice. Boggan is the HIPAA privacy and security officer for St. Dominic Hospital, a 535-bed, 27-clinic facility headquartered in Jackson, Mississippi.
Engaging the board
An August 2014 American Hospital Association (AHA) article, "Cybersecurity and Hospitals: What Hospital Trustees Need to Know About Managing Cybersecurity Risk and Response" (www.aha.org/content/14/14cybersecuritytrustees.pdf), reported that hospitals and healthcare are part of the United States' "critical infrastructure," meaning "their systems and assets are considered so vital to the country that their impairment as a result of a cyber attack would pose a threat to the nation's public health and safety."
That's why Boggan and St. Dominic found it critical to ensure they have a robust cybersecurity program. A major part of that program was to get the hospital's board of directors and board of trustees in the know about cybersecurity. Boggan notes that at some of the organizations that suffered major breaches of PHI, investigators found that board members were generally unaware that cybersecurity programs even existed.
"They had that deer caught in the headlights look when asked about their program," she recalls of her research.
The AHA recommended, Boggan says, that organizations get their board of directors in the know. She started by developing a cybersecurity overview for her board. She reports up to St. Dominic's compliance committee, which includes some board members.
"We gave them a good definition of what cybersecurity is and identified that board of directors and trustees need to be responsible for understanding, at a high level, their organization's cybersecurity risks and vulnerabilities," Boggan says. "They need to understand the security response plan that is in place, who in management is responsible for delivering that plan, and when it's appropriate for board insight over that plan."
Providers often struggle with modifiers‑even those they've had available to report for many years‑due to the unique scenarios they face at their facilities, staffing changes, and/or unclear or lacking authoritative guidance.
