Confidentiality, Privacy and Security

HEDIS Audits

Loritta M. Black, Health Information Management,RHIA,CCS,CHTS-IM22 days ago

Loritta M. Black, Health Information Management,RHIA,CCS,CHTS-IM16 days ago

  • 1.  HEDIS Audits

    Posted 28 days ago

    We have been approached by a few companies to consider allowing them full access to their requested patients EMR records.  We are on Epic so this would be via Link.  We have not allowed this in the past but our Privacy officer is asking for feedback from others on how they are managing these.  Are you allowing full access to patient records for these audits or are you limiting the information they receive through normal ROI practices?  Appreciate any feedback anyone is willing to share.  



    ------------------------------
    LeAnne Bouma
    Enterprise Director, Release of Information
    Sanford Health
    ------------------------------


  • 2.  RE: HEDIS Audits

    Posted 28 days ago

    LeAnne, we have been approached as well and denied them full access. However, we will review this in the coming days with Information Blocking in mind. 



    ------------------------------
    Deborah Gagne
    Him Director and Privacy Officer
    Garrett Regional Medical Centerdsgagne@gcmh.com
    ------------------------------



  • 3.  RE: HEDIS Audits

    Posted 25 days ago

    Hi LeAnne,

    We just went through this with an insurance company as well. They were "incentivizing" us to participate of course. That made our CEO determined to accomplish their request. I was vehemently opposed to it at first, but we were able to find a compromise. We have Meditech so we don't have a link/portal etc. for non-patients. We will allow two users from their company to have access to our system, and we require them to sign a computer security agreement just like everyone else who is allowed access to our system. They must provide a list of all patients and all accounts/visits that they are reviewing, they will not be given full access to the patient records. They will only get access to the accounts for which they were the payer.  The HIM Team will build a worklist that contains each requested visit. We have set up the access so that they are completely limited to the accounts that are on their worklist. I think it's a super slippery slope to allow the payers access to the full medical record. It's getting harder and harder to ensure patient privacy. If patients only knew where their results, visit history, etc. went who all had access, they would be shocked.



    ------------------------------
    Kathryn Wood, RHIA
    Assist Dir of Information Systems/Privacy Officer
    War Memorial Hospital
    ------------------------------



  • 4.  RE: HEDIS Audits

    Posted 24 days ago

    I hate to say that this is a slippery slope, from what I've seen and heard we can expect more and more of these requests for access, not just from auditors, payers will want access to all billing items and records too, that'll come. We are afraid that they may try to call information blocking on our providers if these other parties are not allowed access (in a fast manner ,10 days). So I'd think over the next couple of years as Cures Act implements and exchanges become more customary we'll find privacy is going to be impossible to maintain outside our entities. The information blocking rules already expand PHI into EHI and relate having EHI to entities outside of HIPAA. Our records PHI will move outside HIPAAs controls, that is going to happen regularly. The government, rightly or wrongly, is moving towards much more openness with the patient information, patients and then others being able to automatically get information, at least what's in the USCDI data set for the next 2 years. My best advice is to begin planning, these Engage discussions are very good and we need to keep informing each other how these requests and the policies being put in place to manage them are progressing. Also prepare to rebut claims of our providers having HIPAA breaches when the info really came from an outside entity, we'll see instances of our providers or BAs getting the blame for these. 



    ------------------------------
    Kelly McLendon, RHIA, CHPS
    Managing Director
    CompliancePro Solutions
    kmclendon@complianceprosolutions.com
    321-268-0320
    ------------------------------



  • 5.  RE: HEDIS Audits

    Posted 24 days ago

    We had one insurance company request access; however, our contract with our release of information company had a clause in there. At this time, we are not allowing access. 



    ------------------------------
    Susan Borden
    Director Health Information Management
    Cullman Regional Medical Center
    ------------------------------



  • 6.  RE: HEDIS Audits

    Posted 22 days ago

    Well, best laid plans................ I was just contacted by the company to begin working out the logistics of getting them access. When I requested that they provide the visit dates for the patients they need to review, they are telling me that it would be labor intensive for them to provide that information and they don't often know which dates of service they need to review, they need all of 2020 and some of 2019 in the case of pregnancies. Am I correct that if they are doing a HEDIS review for themselves, they are not entitled to any records that may have been paid for by workman's comp or another payer? Sometimes we have local businesses contract specific testing for their employees (like Covid for example) and they pay for it. The claim does not go to an insurance company, we work out a payment arrangement with the company. Also, if they are the insurer, why don't their records reflect the covered services to determine whether or not a patient had a specific service to meet their measures?

    Thanks for any insight anyone can provide.



    ------------------------------
    Kathryn Wood, RHIA
    Assist Dir of Information Systems/Privacy Officer
    War Memorial Hospital
    ------------------------------



  • 7.  RE: HEDIS Audits

    Posted 22 days ago
    Found this:
    "the HIPAA Privacy Rule permits a provider to disclose protected health information to a health plan for the quality-related health care operations of the health plan, provided that the health plan has or had a relationship with the individual who is the subject of the information, and the protected health information requested pertains to the relationship. See 45 CFR 164.506(c)(4). Thus, a provider may disclose protected health information to a health plan for the plan's Health Plan Employer Data and Information Set (HEDIS) purposes, so long as the period for which information is needed overlaps with the period for which the individual is or was enrolled in the health plan.

    https://www.hhs.gov/hipaa/for-professionals/faq/265/may-a-health-care-provider-disclose-protected-health-information-to-a-health-plan/index.html

    ------------------------------
    Lori Black, RHIA, CCS, CHTS-IM
    HIM Director
    INTEGRIS Health
    ------------------------------



  • 8.  RE: HEDIS Audits

    Posted 22 days ago

    Thank you very much! I don't know why I couldn't find this. I have spent quite a bit of time, but must have overlooked this somehow.

    Katie

     

    Katie Wood, RHIA

    Assistant Director of Information Systems/Privacy Officer

    War Memorial Hospital

    500 Osborn Blvd

    Sault Ste. Marie, MI  47983

    p: 906-635-4663   khwood@wmhos.org

     


    Confidentiality Notice: This is a transmission from The Chippewa County War Memorial Hospital, Inc. This message and any attached documents are confidential and may be protected by legal privilege, furthermore this communication may contain information protected by state and federal medical privacy statutes. They are intended only for the use of the addressee. If you are not the intended recipient, any disclosure, copying, or distribution of this information is strictly prohibited. If you received this transmission in error, please notify the sender and delete/destroy this copy from your system. Thank you.   ­­  





  • 9.  RE: HEDIS Audits

    Posted 22 days ago
    I am also interested in this topic.





  • 10.  RE: HEDIS Audits

    Posted 22 days ago
    We are also on Epic and only allow access to the specific encounters relevant to the audit.  We do this via EpicCare Link.

    ------------------------------
    Carrie Lindberg RHIA
    Analyst, Epic
    ------------------------------



  • 11.  RE: HEDIS Audits

    Posted 22 days ago
    If you have Epic, you can either perform release to Link where the release is performed as usual but the output is Link - a web-based platform where the payer can access information. Another Link option is allowing payers to have open-ish access to charts of patients on their plans. Advantage of release to Link is that the covered entity has more control of what is disclosed. Disadvantage is this requires more manual intervention on the part of the CE and the payer as a request still needs to be submitted and processed.

    ------------------------------
    Lori Black, RHIA, CCS, CHTS-IM
    HIM Director
    INTEGRIS Health
    ------------------------------



  • 12.  RE: HEDIS Audits

    Posted 16 days ago
    Thank you everyone for your comments so far.  We release quite a bit utilizing Link (Epic) and are able to limit what we share to specific patients versus just encounters in some circumstances. It's a slippery slope but I also agree with Kelly's comments. Our ROI world is evolving very quickly and we need to be prepared to manage it.

    ------------------------------
    LeAnne Bouma
    Enterprise Director, Release of Information
    Sanford Health
    ------------------------------



  • 13.  RE: HEDIS Audits

    Posted 16 days ago
    I couldn't agree more! We will need to be innovative and prepared to reexamine how we do things and WHY. We'll need to challenge the "status quo" of traditional processes and ramp up our current understanding of privacy, right of access, and interoperability rules; and learn to balance across domains.

    ------------------------------
    Lori Black, RHIA, CCS, CHTS-IM
    HIM Director
    INTEGRIS Health
    ------------------------------