Racing Pulse

© Nyul | Dreamstime.com

Realizing a revenue-generating business opportunity exists in providing medical release of information (ROI) services, more records centers are offering this additional line of service. Because records centers already have access to medical records, it seems natural to provide this service to current clients seeking to outsource ROI. However, a records center should acknowledge some important factors if it is considering entering this line of business.

This article will address the current state of the ROI industry, describe the evolving regulations and technology that are making the ROI process more complex, spell out the unique challenges of the ROI industry and outline a strategic approach to breaking into this business.

Release of Information Overview
The ROI process includes distributing copies of a health care providers’ patient medical records to a variety of requesting entities, such as attorneys, auditors, insurance companies, patients, record retrieval services, other health care providers, research institutes and various government agencies. Requesting entities require copies of medical documentation for a variety of reasons spanning from litigation support and postpayment audit purposes to follow-up care and Social Security disability claims adjudication. While the number of ROI requests a hospital receives varies according to the size of the institution, it is estimated that the average hospital processes more than 1,000 requests per month. ROI services are typically offered on site through the hospital’s health information management (HIM, or medical records) department; however, depending on a facility’s needs and capabilities, the model may change from one organization to the next.

In the past, ROI involved photocopying and distributing paper copies of medical documentation. Those activities have been left in the dust with the onset of rapidly evolving technology requirements in addition to state and federal privacy regulations. Photocopying still may be a part of ROI; however, it is only one step in a multistep process. The Association of Health Information Outsourcing Services (AHIOS) has identified 32 steps in properly releasing health information. (See diagram at www.SDBmagazine.com/sdb0713-serving-health-care-industry.aspx.) Some of the steps include logging, verifying and tracking a request; retrieving patient information from multiple locations; authenticating the requester; determining the minimum information needed to meet the request; safeguarding sensitive information; and reproducing, packaging and distributing the documents with an invoice—in either paper or a variety of electronic formats.

Privacy Law
The AHIOS multistep diagram illustrates that the ROI process is more complex than meets the eye. Further complicating the process of disclosing PHI (personal health information), the government has upped the ante with stricter privacy and security regulations that are accompanied by steeper penalties for noncompliance.

The Health Information Technology for Economic and Clinical Health

(HITECH) Act of 2009 introduced rigorous privacy and security regulations, stricter penalties for breaches, the Meaningful Use EHR (Electronic Health Record) incentive program and talk about maintaining better documentation for accounting of disclosures (AOD). Additionally, HITECH requires the U.S. Department of Health and Human Services (HHS) to formally investigate any complaint of a violation if willful neglect is indicated. If a violation is deemed a result of “willful neglect,” HHS is required to impose a penalty.

In January 2013, HHS published its Final Omnibus Rule for the Health Insurance Portability and Accountability Act (HIPAA). The final rule enhances patient privacy protections, provides individuals new rights to their health information, strengthens the government’s ability to enforce the law and increases penalties for noncompliance. It is within this final rule that many of the requirements placed on providers are expanded to their contractors and subcontractors.

The final rule also removes the harm standard and modifies risk assessment to focus on more objective standards to determine whether the privacy or the security of PHI has been compromised. Covered entities (CEs) and business associates (BAs) now have the burden of proof to demonstrate that all breach notifications were provided or that an impermissible use or disclosure did not constitute a breach. It also requires that disclosing entities maintain documentation sufficient to meet this burden of proof. Health care organizations and their business associates have until Sept. 23, 2013, to comply with the final rule.

In addition to the stipulations of the final rule, providers will soon be challenged to meet impending AOD requirements. Once the AOD rules are finalized, health care organizations will be called to further examine how disclosures are handled, both from within and outside their organizations. AOD rules may require that health care organizations provide patients with details concerning not only which individuals within an organization accessed their records, but also the circumstances and purposes for which PHI was provided to outside sources. Additionally, tracking access to records and disclosures made for purposes of treatment, payment and operations (TPO) may be demanded of health care organizations. These probable changes will add evident complications to the way health care providers and their ROI partners manage, track and report PHI disclosure.

All in all, health care organizations are operating in a highly regulated environment and are challenged to comply with evolving requirements. And, as the industry becomes laser-focused on compliance, hospitals have begun to look for outsourced ROI vendors to assume liability for improper disclosure of PHI. (Recall that federal privacy law applies not only to providers but to BAs as well.) This opens a door for outsourcing vendors to provide disclosure management services; however, such firms should be prepared to comply with the new variety of federal regulations.

Payer Audits
In addition to complying with the aforementioned federal policies, health care organizations also are faced with the government’s implementation of audits for fraud and overpayment. Buoyed by the success of Medicare recovery audit contractors (RACs) recouping more than $1 billion in improper payments in recent years, other payer organizations have jumped on the bandwagon and initiated their own audits to ferret out possible fraud or overpayment. The increasing volumes of audits are forcing health care organizations to establish defense mechanisms to properly manage audit requests, track audit limits and ensure proper billing according to each payer’s contract. And, to add to the complexity of the audit process, the upcoming transition to the 10th revision of International Statistical Classification of Diseases and Related Health Problems (ICD-10) coding—that includes an 800 percent increase in the number of available codes—may bring about more coding disputes and a surge of additional audits.

Evolving Technology Requirements
Along with tightening regulations to secure PHI, steepening penalties for breach and implementing fraud and overpayment audit programs, the government is simultaneously pushing the health care industry toward an electronic health information exchange that will consequentially increase the amount of access to and the disclosure of PHI (and also increase a hospital’s exposure to risk). As a result, health care organizations and their ROI partners are challenged to balance the two contradictory demands of stricter regulations and more exchange of PHI.

Meaningful Use. May 22, 2013, HHS Secretary Kathleen Sebelius announced that more than half of all doctors and other eligible providers have received Medicare or Medicaid payments from The Centers for Medicare and Medicaid Services’ (CMS) Meaningful Use EHR incentive program. And, as providers continue to implement Meaningful Use certified technologies, the ROI process is further complicated. First, with more health information stored and managed electronically, it is easier for multiple departments within a hospital to access PHI—imposing an obvious risk for improper disclosure from unmanaged disclosure points. Additionally, some of the core objectives outlined in stages one and two of the Meaningful Use program require health care organizations to produce patient information electronically—specifically through patient portals and secure email messaging—and set the stage for more electronic exchanges of PHI between providers, patients and payers.

Electronic Health Information Exchange. This electronic exchange of health information is taking place across the industry through a number of methods. CMS and the Office of the National Coordinator for Health Information Technology (ONC) are using a gateway to the Nationwide Health Information Network (NwHIN) through electronic submission of medical documentation (esMD) to provide a more efficient way to deliver medical records to payer audit contractors. Also, the federal government’s Direct Project, which is pushing to establish a means for health care providers to exchange information through direct email messages, is gaining momentum and will one day eliminate the need for faxes between providers and reduce the volume of paper that enters and exits their facilities. Health care organizations must be equipped with the capabilities to disseminate health information through new electronic formats while appropriately managing, tracking and reporting the disclosures. Additional challenges are bound to emerge from the development of HIEs, both public and private, and will inevitably create more disclosure points and require health care organizations to control access and manage authorizations accordingly.

Managing Roi Fees
In addition to reviewing the privacy- and technology-related challenges of ROI, it is also important to point out that managing fees adds complexity to the ROI process.

ROI is a transaction-oriented business with recurring revenue traditionally generated from third-party (nonpatient) requesters. With the exception of requesting providers, third-party requesters are charged fees for records. While outsourcing vendors have an opportunity to generate a profit from collecting fees, the task of managing a variety of fees is challenging.

CEs and BAs must abide by strict pricing regulations. The fees vary by state and are typically regulated by state legislation, except requests from CMS, Social Security Administration (SSA) and patients. While average transactions typically generate $35, that figure differs based on several factors, which include:

• The state’s fee regulations;
• The type of health care organization releasing the information; and
• The class of requester.

Moreover, managing the variety of fees is further complicated by a need to prebill to avoid issues in the accounts receivable department. A hospital or ROI vendor must track which requesters are eligible for prebilling, e.g. insurance companies for claims substantiation.

The chart on page 29 illustrates the variety of fees that HIM professionals and their ROI partners need to manage. This pricing grid applies to the state of North Carolina as an example, though each state has its own set of guidelines to which CEs and BAs must adhere.

Success Strategies For Outsourced Vendors
All in all, ROI is a highly regulated, complex and multistep process that requires sophisticated systems for managing, tracking and reporting the disclosure of PHI. From the constant stream of new privacy and security regulations and the impending AOD requirement to compliance with meaningful use criteria to the rapid deployment of HIEs, the rate of change in how medical information is disseminated is reaching epic proportions.

In upcoming years, the challenges for hospitals and health systems in managing PHI disclosure across the enterprise while using new technology and complying with regulations will start to grow beyond the capabilities and bandwidth of most organizations. Within this dilemma for providers lies an opportunity for outsourcing companies to step in with their expertise, refined disclosure systems, technology and services to meet the needs of clients and requesters alike.

Breaking from the past stigma of offering a “free service,” successful ROI vendors increasingly will become focused on positioning themselves as compliance-based service providers with an enterprise value.

Records centers wishing to provide such outsourced ROI services to their clients may want to consider partnering with a vendor that already operates in the disclosure management space and is equipped to handle the complexities of new regulatory and technological requirements. Through a strategic partnership with an ROI company, a records center may have a greater chance of successfully deploying a disclosure management system that standardizes a health care organization’s ROI process across the enterprise while minimizing liability and financial risk and driving compliance.

Steve Hynes is president of MRO Corp., a provider of disclosure management solutions, and president-elect of the Association of Health Information Outsourcing Services (AHIOS).