MRB asked HIM and release of information (ROI) professionals about their ROI practices for its first quarterly benchmarking survey of 2015. (The survey was completed in October 2014.) Half of survey respondents are HIM directors or managers (52%). Other respondents identified themselves as non-managerial HIM staff members (18%) or ROI directors or managers (4%). The majority of respondents (65%) work in hospitals.
Preventing readmissions is a hot topic these days. CMS has imposed new financial penalties for organizations that don't successfully prevent 30-day readmissions for patients with certain medical conditions, and organizations are always looking for new strategies to ensure patients are successfully able to move to the next level of care.
At this point, there are no federally recognized HIPAA certification standards for covered entities (CE) and business associates (BA). However, that doesn't mean there are no good assessment tools out there to gauge information security and regulatory compliance. The Health Information Trust Alliance (HITRUST) published its first common security framework (CSF) in March 2009 with the goal of focusing on information security as a core pillar of the broad adoption of health information systems and exchanges.
As the new year kicks off, many opt to make resolutions for the months ahead. BOH asked some privacy and security professionals to share their best tips for a productive 2015. What advice would they offer others in the industry to ensure the year ahead is a success?
Q: My facility no longer registers patients under aliases, but will allow them to opt out of the patient directory. However, opting out of the registry will not exclude our patients from the operating room (OR) list. At one time, the facility's CEO received the daily OR list with full patient names so he could visit board members, donors, or others whom he knows at our facility. HIM changed this practice so that patients' names would not be on the OR schedule provided to the CEO. The CEO took this matter to the hospital attorney, who said the names could be included because the use of PHI by the CEO to determine whether and when a patient visit is appropriate is permitted by HIPAA as it is part of healthcare operations. Is it a violation of HIPAA for the CEO to use PHI to track patients in this manner?
