Release of Information: The Cost of Compliance

For years, healthcare entities have been legally required to release medical records and have often received up to thousands of requests per day. The process is called release of information (ROI), and it is no longer a simple function housed solely in the medical record department. Today ROI requires 32 specific steps, each warranting its own complexities and compliance risks.

In 2010 new, more stringent HIPAA privacy and security rules under the American Recovery and Reinvestment Act (ARRA) elevated the importance of ROI even further and increased its cost. Recovery audit contractors (RAC) and other recovery audits are taking their toll as contractors request greater volumes of records. Even meaningful use requirements hold compliance ramifications for this complex function.

Here, we’ll explore the impact of the changing world of healthcare on the ROI function, and present viable alternatives for addressing these issues while minimizing compliance risk and enhancing revenue.

Growing Demand in an Evolving Industry
ROI is influenced by a variety of market drivers, which seem to be increasing exponentially and are pushing the limits of operating budgets. One driver is time-sensitive requests related to patient care, payment, insurance and litigation. Healthcare providers must rapidly respond to record requests from a growing number of recovery audit contractors and other commercial payers. All audits require the release of immense amounts of information, and technical denials due to missed deadlines are common. Finally, the “chase” for meaningful use dollars is fully underway, exacerbating the frenzy of records release with its core objectives for electronic copies and electronic access.

All three of these drivers directly impact the ROI process in terms of quantity of requested information and the timeline in which it must be delivered. Together they create an operating environment that may adversely affect revenue (through fines for noncompliance) while also raising the expense base. And the costs of people, supplies and postage are just the beginning.

HIPAA Compliance & ROI
The expansion and enforcement of HIPAA regulations adds expense to your record release operation. And there are pending HIPAA regulations that will make it even more costly.

HIPAA requires legal oversight, a privacy/compliance office, well-defined policy and procedure manuals, HIPAA-compliant forms and updated “business associate agreements.” Significant costs are incurred to retain a fully trained ROI department, legal counsel and the technology necessary to manage these high volumes of requests, meet the time constraints and comply with privacy demands. Worse, failure to do so will result in lost revenue due to fines for wrongful disclosures.

Compliance is Quick Money
Compliance with recovery audit deadlines is another important responsibility for release teams. This includes the RACs, Medicare Administrative Contractors (MACs), zone program integrity contractors (ZPICs) and the entire alphabet soup of third parties trying to recoup reimbursements through retrospective and prospective reviews. All such audits require the release of immense amounts of information, and technical denials due to missed deadlines are common.

ROI is the first step in the audit process. While meeting a deadline to produce and deliver medical records may sound simple, it is not. Missed deadlines for records submission or appeal letter processing are a leading cause of lost revenue. Staffing and logistical problems present the biggest challenge and financial risk in responding to RAC requests, especially for providers with hospitals in multiple states. Future changes in the recovery audit process will enable electronic transmission of records, but at this point, paper is the primary method of information sharing.

The following simple process and workflow adjustments ensure that your release staff meet deadlines and mitigate unnecessary risk:

  • Ensure that audit contractors have correct name and contact information for your audit coordinator.
  • Use technology to document and track all cases with alerts and reminders for record delivery deadlines.
  • When multiple cases are sent to the auditor, include a cover sheet with a detailed list of each case. Document what is enclosed.
  • Send all correspondence through a service that allows you to track the receipt of data and signature.

Meaningful Use’s Impact on Record Release
One objective within the meaningful use program directly affects an organization’s ROI process: the delivery of an electronic copy of medical records to patients. Under HIPAA, patients already have a right to receive an electronic copy of their health information. The meaningful use program includes a similar measure with different requirements for compliance and is part of the core, mandatory requirements for both hospitals and eligible professionals.

Under the objective, patients must be provided with an electronic copy of the health record, if requested in an electronic format, at least 50 percent of the time and within 3 business days. Providers can send the information electronically in the medium of the provider’s choice.

EHR Relieves Release Cost, May Heighten Breach Risk
HIM departments receive hundreds, even thousands, of record requests per day depending on the facility’s size. The response time for each varies, ranging anywhere from half an hour to several days. An EHR automates only 20 percent of the release process.

The most critical and labor-intensive part of the ROI process involves a thorough review of each piece of documentation to make sure that no protected health information (PHI) is released without proper patient authorization. Many of the human checks and balances inherent in the process are eliminated in completely electronic environments. It is much faster to click on the entire chart and hit “send” versus taking the time to select specific pages of a record and ensure that only the correct dates of service are released.

The logical inference with electronic records is that they afford greater user access to information, and they do. Increased access helps expedite processes and improve patient care. However, an unintended consequence of electronic record sharing is a greater risk of information breach. Providers must implement stronger disclosure practices to safeguard personal information.

Whether release is done in paper or electronic format, ROI professionals handling requests must be knowledgeable about the privacy regulations of each medical condition, as the rules for all diagnoses are not the same. Furthermore, they must have extensive knowledge of regulatory requirements which vary from state to state. In the case of state vs. federal regulations, the most stringent wins.

Record Release Compliance Requires Proactive Approach
The key to dealing with all these issues is to adopt a proactive approach. When evaluating critical factors — staffing, processes, technology, and outsourced services — it is important to balance compliance needs with heightened operational costs. For many provider organizations, outsourcing the ROI function provides a secure and cost-effective solution. For others, maintaining in-house staff and systems is the best route. Recent research indicates that cost effectiveness is the top consideration impacting the decision to outsource or in-house ROI. Other factors influencing this decision include:

  • Increased record requests due to audits
  • Staff expertise in ROI (regulations vary from state-to-state)
  • Insufficient funds to hire and train in-house ROI staff
  • Outsourced agency shares responsibility for HIPAA breaches

Provider organizations that maintain the release process in-house do so for three key reasons: more control over the release process, to manage customer service internally, and to generate revenue. The latest solution to balancing ROI compliance with cost is to partner with an outsourced vendor using a “shared” approach to release services. Florida Hospital is a provider organization that has embraced the partnership approach with demonstrable results. (see Sidebar below).

Faced with rising costs, decreased revenue and reduced access to capital, hospital executives and HIM directors are being forced to weigh the advantages of ROI staffing expense against the benefits of outsourcing. ROI service providers can reduce immediate backlog, handle specific tasks of the ROI process, or manage the entire process. Whether or not to outsource should be an informed decision based on careful evaluation of costs and resources available to comply with new regulations and industry demands.

Jan McDavid has served as the compliance officer and general counsel for HealthPort since 1998. She also served as legislative chair for the Association of Health Information Outsourcing Services, lobbying for increased awareness of the value of health information management service providers.

Florida Hospital Realizes Revenue, Maintains HIPAA Compliance with Blended Service Approach

Florida Hospital is a 2,188 bed system with eight locations across Central Florida. When it went live with an EHR in 2007, it centralized the entire health information management (HIM) function. With the use of an EHR and centralized HIM, the idea of bringing the ROI process in-house and becoming a revenue-generating department as a result was very appealing. However, upon closer investigation, a blended, hybrid approach was their best choice.

With the blended approach, HealthPort ROI Partner Florida Hospital handles the front end of the ROI process. Hospital staff provides the customer services and processes the requests; HealthPort handles the back end and provides quality control, secure and confidential fulfillment of the request via mail or electronically, invoicing, collections services and delivery tracking.

With over 80,000 medical records requests per month, Florida Hospital has the added benefit of earning revenue from billable medical record requests. “Even though the revenue is not a huge amount, it’s able to supplement our efforts, making the ROI Partner solution with HealthPort a perfect fit for our needs,” states Margaret Verity, Administrative Director of HIM, Florida Hospital.

About The Author