Healthcare in the digital age is evolving rapidly, and it’s up to HIM professionals to keep up with the latest laws, threats, and technologies. Unfortunately, it can be difficult finding the time to stay up-to-date while prioritizing the patient experience and providing high-quality care. That’s why health information management technology exists.
In this article, I will cover the legislation that shapes the release of information today, the threats that drive further improvements, and what ChartRequest does to ensure the secure transmission of protected health information.
Health Information Management Technology Regulations
Laws exist at the federal, state, and local levels to regulate the handling and transmission of protected health information, but this wasn’t always the case. Before the Health Insurance Portability and Accountability Act in 1996, there were no federal privacy regulations limiting medical record sharing.
This freedom, however, was potentially harmful to patient privacy. With no federal regulations, some doctors shared sensitive information with people not involved in the patient’s care. For example, employers could request medical documentation to help determine whether they would hire an applicant.
The potential for medical record misuse grew substantially as better methods of release grew prominent. The first modern fax machine, invented in 1964, predates the first email and EMR systems by less than a decade. In 1996, the first faxes were sent using the internet instead of telephone lines. Now, health information management technology helps providers move PHI even faster.
It’s easier than ever to share information, so it’s important to secure patient data with health information management best practices. This section will cover the federal regulations that enforce the baseline health data storage and transmission requirements.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 was the first federal medical privacy law. Since then, the U.S. Department of Health and Human Services has enhanced HIPAA with additional rules and other acts.
Compliance with every aspect of HIPAA is mandatory for healthcare providers and their business associates, but health information management technology can make it easier. Failure to adhere to the requirements and best practices outlined by HHS can result in steep fines from the Office for Civil Rights.
The Privacy Rule
Passed in 2000, the Privacy Rule was the first major expansion of HIPAA regulations. This rule protects patients’ right to privacy and their right to access their medical records.
Many of the common causes of HIPAA violation stem from noncompliance with the Privacy Rule. Generally speaking, Privacy Rule violations are directly attributable to employee action or inaction.
For example, the 2019 Right of Access Initiative enforces the 30-day release of information deadline outlined in the Privacy Rule. The financial penalties from this initiative are severe, reaching 6 figures in multiple cases. Preventing these avoidable ROI delays is one of the major benefits of using reputable health information management technology.
How does the Privacy Rule protect patients?
The Privacy Rule prohibits using or disclosing PHI for reasons unrelated to patient care. There have been several instances, however, of medical workers snooping on the records of friends, family, and celebrities.
This rule also requires covered entities to acquire a signed authorization form from a patient before releasing their medical records in most, but not all, situations. This form must include the required core elements to clearly communicate patients’ rights and identify the specific records needed.
Even with a compliant, signed authorization form, not all requests for records can be fulfilled. For example, doctors may withhold certain medical records like psychotherapy notes to prevent potential harm to the patient or others.
Secure health information management requires a firm understanding of the factors that determine whether a release of information is lawful.
Finally, the Privacy Rule enables healthcare organizations to charge a reasonable, cost-based fee for the release of information. State and local statutes may further limit this pricing outline.
The Security Rule
The Security Rule, passed in 2003, lays out the administrative, technical, and physical safeguards covered entities must meet for compliance. These safeguards protect PHI from unauthorized access, use, and disclosure.
Maintaining compliance with these safeguards is crucial, as they lay out the groundwork for how PHI must be handled both at rest and in transit. The Security Rule provides a baseline structure designed to make medical records harder to breach.
Health information management technology companies like ChartRequest must adhere to the same regulatory standards as healthcare providers. Thorough knowledge of the Security Rule is crucial to protect the reputation of our partner organizations and the privacy of the patients they serve.
You can read our in-depth breakdown of the Security Rule safeguards here, but I’ll summarize the basics.
The Administrative Safeguards
The Administrative Safeguards mitigate the chance of PHI breaches caused by human error. The administrative safeguards are split into 2 major parts: part A and part B.
Part A outlines the key administrative requirements of this rule. This includes:
- Workforce training and permissions,
- Security management and authorization policies,
- Response plans for security incidents and ePHI system damage, and
- Periodic technical and nontechnical evaluations.
Part B is significant because it allows covered entities to disclose records to business associates once they sign a Business Associate Agreement (BAA). This enables healthcare organizations to seek help from other companies or professionals, such as lawyers, practice management services, and release of information software.
Health information management technology companies like ChartRequest must perform regular internal audits to ensure there are no gaps in compliance.
The Technical Safeguards
The technical safeguards for storing PHI are split into five sections: access controls, audit controls, integrity controls, authentication controls, and transmission security.
To comply, entities must implement policies and procedures to prevent unauthorized access, log activity, ensure integrity, authenticate requestors, and encrypt PHI during transmission. While these are the baseline standards, organizations should continually improve their security to protect against evolving threats.
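The five technical safeguards map onto concrete mechanisms. The following is an added illustration written for this article, not ChartRequest's code: it models role-based access control, an audit log of every attempt, HMAC-based integrity checks on stored records, and password-based authentication with salted PBKDF2 hashes. Transmission security is assumed to come from TLS on the transport and is not modelled. Every user, role, record and key in it is constructed for the example.

```python
"""Added example, not ChartRequest's code: a minimal model of four of the HIPAA
technical safeguards (access control, audit controls, integrity, authentication).
Transmission security is assumed to be handled by TLS and is not shown."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed integrity key; a real deployment would pull this from a KMS or HSM.
INTEGRITY_KEY = secrets.token_bytes(32)

def _canonical(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict) -> dict:
    """Integrity control: attach an HMAC-SHA256 tag over the canonical JSON."""
    tag = hmac.new(INTEGRITY_KEY, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}

def verify(sealed: dict) -> bool:
    """Recompute the tag and compare in constant time; False means tampering."""
    expected = hmac.new(INTEGRITY_KEY, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])

def hash_password(password: str, salt: bytes) -> bytes:
    """Authentication control: salted PBKDF2-HMAC-SHA256, never plaintext storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class User:
    name: str
    role: str
    salt: bytes
    pw_hash: bytes

def make_user(name: str, role: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, role, salt, hash_password(password, salt))

# Access control: least privilege per role (constructed roles for the example).
PERMISSIONS = {"clinician": {"read", "write"}, "records_clerk": {"read"}, "billing": set()}

@dataclass
class PhiStore:
    users: dict
    records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, user: str, action: str, patient_id: Optional[str], outcome: str) -> None:
        """Audit control: every attempt is recorded, successful or not."""
        self.audit_log.append({"ts": time.time(), "user": user, "action": action,
                               "patient": patient_id, "outcome": outcome})

    def authenticate(self, name: str, password: str) -> Optional[User]:
        u = self.users.get(name)
        if u is None or not hmac.compare_digest(u.pw_hash, hash_password(password, u.salt)):
            self._log(name, "login", None, "denied")
            return None
        self._log(name, "login", None, "ok")
        return u

    def write(self, user: User, patient_id: str, record: dict) -> None:
        if "write" not in PERMISSIONS.get(user.role, set()):
            self._log(user.name, "write", patient_id, "denied")
            raise PermissionError(f"{user.role} may not write records")
        self.records[patient_id] = seal(record)
        self._log(user.name, "write", patient_id, "ok")

    def read(self, user: User, patient_id: str) -> dict:
        if "read" not in PERMISSIONS.get(user.role, set()):
            self._log(user.name, "read", patient_id, "denied")
            raise PermissionError(f"{user.role} may not read records")
        sealed = self.records[patient_id]
        if not verify(sealed):
            self._log(user.name, "read", patient_id, "integrity_failure")
            raise ValueError(f"record {patient_id} failed integrity check")
        self._log(user.name, "read", patient_id, "ok")
        return sealed["record"]

def build_demo_store() -> PhiStore:
    """Constructed users for the example; passwords are placeholders."""
    users = {u.name: u for u in (make_user("dr_lee", "clinician", "correct horse"),
                                 make_user("clerk", "records_clerk", "clerk-pass"),
                                 make_user("billing", "billing", "bill-pass"))}
    return PhiStore(users=users)

if __name__ == "__main__":
    store = build_demo_store()
    doc = store.authenticate("dr_lee", "correct horse")
    store.write(doc, "P-1001", {"patient": "P-1001", "dx": "constructed example"})
    clerk = store.authenticate("clerk", "clerk-pass")
    print(store.read(clerk, "P-1001"))
    for entry in store.audit_log:
        print(entry)
```

The point of the integrity tag is that a record altered outside the `write` path (a tampered backup, a modified database row) is detected on the next read, and the failed read lands in the same audit log as every other access, which is the evidence an investigation later relies on.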
The Technical Safeguards significantly impact the development of health information management technology.
The Physical Safeguards
The physical safeguards are divided into four sections, and they focus on protecting physical formats of PHI storage, the computers that store PHI, and access to areas used to store PHI.
To comply with the four sections, organizations must:
- Implement controls for facility access
- Define proper workstation use
- Restrict access to workstations
- Have policies for handling ePHI in hardware and electronic media
These policies include secure disposal, accountability, data backup and storage, and controlling access to authorized personnel. Health information management technology can reduce the duplication and disposal of PHI by integrating directly with EMR systems.
The HITECH Act
The HITECH Act of 2009 was part of the American Recovery and Reinvestment Act (ARRA). It aimed to strengthen the HIPAA Privacy and Security Rules and encourage the adoption of electronic health record (EHR) systems.
This act introduced 5 health outcome pillars for the meaningful use of certified EHR technology, and these include:
- Improving medical record exchange
- Patient engagement
- Care coordination
- Public health
- PHI privacy and security measures
To attest to meaningful use, eligible hospitals must report on at least 4 of 6 EHR measures, and eligible healthcare providers must report on at least 2. These requirements support CMS’s EHR interoperability goals and patients’ access to their PHI.
The HITECH Act closed HIPAA loopholes and expanded its accountability to business associates like ChartRequest. This eased the burden of covered entities and enhanced trust in health information management technology solutions.
The HITECH Act also enforces HIPAA regulations, and the OCR now investigates and determines penalties for breaches caused by noncompliance. These penalties are based on the cause and impact of the breach, the types of records breached, and the responsible organization’s response.
Health information management technology helps further expand the potential uses of certified EHR systems. Also, by specializing in a specific function, health information management technology can solve EHR system weaknesses. For example, ChartRequest specializes in the transmission of medical records to solve the issue of data silos in healthcare.
The Cures Act
President Barack Obama signed the 21st Century Cures Act into law in 2016. The Cures Act aims to accelerate the development of new medical treatments, increase funding for medical research, and reform the US healthcare system. The law includes several regulatory changes that affect the healthcare industry, including the following:
Electronic Health Records (EHRs): The Cures Act requires HHS to create a program supporting the development and adoption of EHRs. This program includes grants to assist healthcare providers in implementing and using EHRs and the development of standards for exchanging health information.
Interoperability: The Cures Act also requires HHS to establish interoperability standards and guidelines for EHRs. This will allow different EHR systems to communicate with each other, making it easier for healthcare providers to access and share patient information.
Information Blocking: The Cures Act prohibits healthcare providers, health IT developers, and health information exchanges from engaging in practices that restrict the exchange of health information. This includes practices that make it difficult or expensive for patients to access their health information.
Learn more about the 8 information blocking exceptions.
Patient Access to Health Information: The Cures Act requires providers to give patients access to their health information in a timely manner and accessible format. This includes lab results, imaging studies, and more.
Medical Device Innovation: The Cures Act provides new funding and regulatory pathways for the development of innovative medical devices. This includes expedited review processes for breakthrough medical technologies, as well as new funding for research and development.
The Threats Facing Health Information Management Technology
The healthcare industry has seen a significant increase in the use of digital systems, such as electronic health records (EHRs) and telemedicine, in recent years. While these technologies have improved patient care and made access to medical information more efficient, they have also brought new challenges to the forefront of healthcare: security and compliance.
The sensitive nature of PHI makes it a prime target for cyber-attacks and data breaches. To protect patient data, organizations like ChartRequest must comply with security regulations at the federal, state, and local levels.
Failure to comply with these regulations can lead to severe consequences, including financial penalties, loss of reputation, and legal action. That’s why ChartRequest stays vigilant and takes proactive measures to protect sensitive data and comply with regulations.
Hackers Target Healthcare Organizations at High Rates
The rate of cybercriminal attacks against healthcare organizations is on the rise. In 2022, there were an estimated 1,426 attacks per week against healthcare organizations, a 60% increase from the previous year.
So why do cybercriminals target healthcare organizations?
- Healthcare data is highly valuable. Cybercriminals can sell patient data on the black market for a high price. Once purchased by another cybercriminal, it can also be used to commit identity theft.
- Cybercriminals often see healthcare organizations as easy targets. Some organizations have outdated security systems. Also, they may not have the resources to invest in cybersecurity enhancements.
- Healthcare organizations are essential services. Because clinicians rely on PHI to deliver informed care, a serious ransomware attack can amount to a blank check for the attacker.
The Ways Hackers Target PHI
In 2021, the average cost of healthcare data breaches was over $10,100,000 per incident. Healthcare organizations need to take steps to protect themselves from cyberattacks, including investing in cybersecurity, training employees on cybersecurity best practices, and developing incident response plans.
These are some of the most common types of cyberattacks that healthcare organizations face:
- Ransomware attacks: In a ransomware attack, cybercriminals encrypt the victim’s data and demand a ransom payment in exchange for the decryption key.
- Phishing attacks: In a phishing attack, cybercriminals send fraudulent emails that appear to be from a legitimate source in order to trick the victim into clicking on a malicious link or providing sensitive information.
- Data breaches: A data breach occurs when unauthorized individuals gain access to sensitive data, such as patient medical records.
- Denial-of-service (DoS) attacks: A DoS attack is an attempt to make a website or service unavailable by flooding it with traffic. If the cybercriminal conducts this attack using multiple computers, it’s a “Distributed DoS,” or DDoS, attack.
Data Breaches Harm Patients
A healthcare data breach is a security incident in which sensitive or protected health information is accessed, acquired, disclosed, disrupted, modified, or destroyed without authorization. Healthcare data breaches can have a significant impact on patients, healthcare organizations, and the healthcare system as a whole.
Among other issues, HIPAA breaches can lead to identity theft, psychological distress, and damaged trust.
Identity theft
Hackers can use stolen medical data to open new accounts in your name, make unauthorized charges on your credit cards, and even file fraudulent tax returns. This can lead to significant financial losses, ruined credit, and even arrest.
For example, in 2014, a data breach at the University of Pittsburgh Medical Center exposed the personal information of over 65,000 UPMC employees. While the hacker was caught, he first sold the data on the dark web, where other cybercriminals used it to file $1.7 million in false tax returns.
Psychological distress
Healthcare data breaches can also cause psychological distress for patients. Victims may worry about their privacy, their safety, and their financial security.
For example, in 2014, a data breach at Community Health Systems, a hospital chain, exposed the personal information of 4.5 million patients. This put patients’ names, Social Security numbers, physical addresses, birthdays, and telephone numbers into the hands of malicious criminals.
Damaged trust
Healthcare data breaches damage the trust between patients and their healthcare providers. Patients may worry that their information is not safe with their providers, and they may also be reluctant to seek care in the future.
For example, in 2018, a data breach at Anthem, one of the largest health insurance companies in the United States, exposed the personal information of almost 79 million people. This raised concerns about the security of PHI across the healthcare industry, even for patients who weren’t directly affected.
Staffing Difficulties Complicate Compliance
One of the biggest challenges for healthcare organizations today is staffing. Many organizations are struggling to find and retain qualified staff, which can lead to overworked and burned-out employees. Those that can retain staff must also pay ever-increasing salaries or risk losing employees to competitors.
When employees feel burned out, they are more likely to make mistakes that could lead to a data breach. For example, they may forget to properly secure a patient’s PHI or accidentally fax medical records to the wrong person. In addition, overwhelmed employees may be more likely to take shortcuts, which can also lead to violations.
Mitigate staffing challenges with release of information software
Here are some specific examples of how staffing challenges can impact compliance with HIPAA and other regulations:
- A staff member who is overworked may not have time to properly train new employees on HIPAA compliance procedures. This could lead to new employees making mistakes that could put patient data at risk.
- A staff member who is feeling burned out may be more likely to take shortcuts when it comes to HIPAA compliance. For example, they may not properly encrypt patient data, or they may not properly dispose of medical records.
- A department that is understaffed may not be able to keep up with the volume of work. This may lead to delays in responding to patient requests for information or in reporting data breaches, and it can also result in penalties, including HIPAA Right of Access Initiative fines.
Health information management technology can reduce the risks of staff noncompliance. Not only can solutions like ChartRequest ease burdens for healthcare workers, but we can even reduce the number of people focusing on the release of information. Reducing the staffing needs of records departments also empowers organizations to reallocate that staff to more impactful positions.
ChartRequest is Health Information Management Technology
ChartRequest is a release of information software solution dedicated to helping healthcare organizations across the country simplify compliance and protect patient privacy. With over a decade of expertise in the medical industry, our health information management technology makes it easy to prevent common noncompliance pitfalls.
Some other health information management technology solutions put their best interests first. Our healthcare partners who switched from the largest release of information companies have reported dissatisfaction with issues including:
- They only fulfill billable requests. In other words, they only handle requests that serve their bottom line. A true release of information solution should also be available to fulfill all types of requests to all types of requestors.
- Their turnaround times are not fast enough. While the 30-day deadline gives organizations plenty of time to fulfill requests, it should be considered a bare minimum. Speeding up ROI turnaround times also helps organizations build a positive reputation.
- They aren’t always easy to use. Providing great support and an intuitive, user-friendly design isn’t easy. Requestors of all technical backgrounds should be able to use the platform. Checking Google reviews of health information management technology options is a great way to understand the patient experience of using each platform.
At ChartRequest, we take a different approach
In our continued dedication to solving our partners’ complicated compliance challenges, we work hard to provide a comprehensive ROI solution.
Healthcare organizations, legal firms, insurance companies, and patients across the United States trust ChartRequest to protect sensitive data at rest and in transit. So far, we empower our partners to easily handle:
- Medical, billing, and imaging records. If you’re behind on Cures Act compliance, you can catch up by offering a digital, API-based release of information option for all types of health records.
- Medical forms that require a healthcare provider’s signature. This includes worker’s compensation, disability forms, sports and camp forms, and more.
- Payment information to streamline the collection and speed up records access.
- Account credentialing and identity verification (most commonly via government-issued IDs).
- Conversations between physicians and requestors about patient care and important updates.
How ChartRequest Handles Data Security
With so many potential threat vectors targeting healthcare organizations, you may be wondering how ChartRequest can maintain impenetrable cyber defenses. The HIPAA Security Rule covers baseline PHI protection requirements, but our health information management technology aims higher than the baseline.
The vague yet complicated language throughout HIPAA could be interpreted in many ways. Rather than treating these regulations like a list of issues that need the cheapest solution possible, ChartRequest goes above and beyond to implement a wide range of powerful cybersecurity tools to protect patient records against any “What if” scenarios.
With over a decade of serving healthcare professionals across the country, our health information management technology has never been breached.
Some of our powerful security features include:
- Unbreakable Encryption: ChartRequest employs 256-bit SSL encryption, 2048-bit private keys, and AES multi-layered encryption. This makes PHI impossible to breach both at rest and in transit, even for the most powerful supercomputers worldwide. Learn more about encryption here.
- Data Management: Sensitive data is temporarily stored on encrypted computers, which are wiped nightly using methods that make restoration impossible.
- Threat Vigilance: To protect against the latest threats, we continually review our code for OWASP, CVE, and NVD-reported vulnerabilities.
- Physical Access Control: ChartRequest uses badges for exterior doors and biometric safeguards for the production floor and telecom room access.
- Advanced Security Measures: ChartRequest protects PHI from all angles of attack with redundant firewall protection, redundant web application protection, DoS and DDoS mitigation, monitored intrusion detection, VPN/SSL and multi-factor authentication for server management, and protection against MITM attacks, IP spoofing, Port Scanning, and Packet Sniffing.
User Protection and Account Security
Cybercriminals who target healthcare organizations and their business associates know that powerful security systems usually block their access to PHI. When breaching digital defenses isn’t achievable by skilled hackers with supercomputers, the average cybercriminal needs to take a different approach.
It’s an unfortunate truth that cybercriminals target people within healthcare organizations to bypass unbreakable security. This unfortunately makes staff errors one of the leading causes of HIPAA violations and medical record breaches.
Social engineering, meaning attacks that depend on manipulating the victim’s emotions and decision-making process, is these cybercriminals’ tactic of choice. Examples of social engineering attacks include phishing, baiting, pretexting, CEO fraud, and more.
ChartRequest is dedicated to minimizing the risks of social engineering attacks. Our health information management technology utilizes strategic defenses including:
- Internet Safety Training: ChartRequest employees are trained to recognize social engineering attacks and utilize internet safety best practices. Additionally, we utilize an internal alert system to ensure all staff are notified of social engineering attempts.
- Two-Factor Authentication: 2FA protects ChartRequest accounts, even if a bad actor gets someone’s username and password.
- Requestor Verification: Before submitting a request for records, ChartRequest requires requestors to verify their identities to ensure all requests are legitimate.
- Professional Credentialing: To provide an environment of trust and security, ChartRequest also credentials professional organizations. This process protects organizations from fraudulent actors.
How Does Our Health Information Management Technology Ensure Compliance?
Compliance is a moving target because the rules are continually updated to keep up with changes in the healthcare industry. New regulations are constantly being introduced, and it can be difficult to keep up with the latest deadlines and penalties.
ChartRequest is dedicated to protecting healthcare organizations from avoidable compliance issues. Sometimes, violations happen simply because the hectic nature of healthcare makes it easy to miss updates. This is further complicated when varying state statutes may impact the compliant release of information.
A recent Kansas Supreme Court case illustrates this point well.
To summarize, a requestor submitted a request for several types of records to a Kansas hospital in an electronic format. The hospital refused to provide electronic files, instead offering to mail paper records. The Kansas Supreme Court ruled that the hospital must fulfill PHI requests in their native electronic format if requested because they have the ability to do so.
ChartRequest works hard to ensure compliance for our healthcare partners by staying vigilant for regulatory updates and developing a wide knowledge base to make understanding the requirements easy. To achieve this, we:
- Perform Regular Compliance Audits: Our health information management technology undergoes constant internal scrutiny to ensure compliance best practices are rigidly followed.
- Watch For New Updates: Our team of compliance specialists keeps a sharp eye on the latest rulings and legislation. When an update is necessary for continued compliance, it becomes a top priority.
- Keep Tabs on New Advancements: ChartRequest stays on the cutting edge of security and technology with powerful digital tools. This means more features, faster service, and other significant quality-of-life improvements.
Need Health Information Management Technology for ROI?
If your organization ever struggles with staffing issues, release of information turnaround times, compliance confusion, or other common issues healthcare professionals face, it may be time to seek a solution.
Shannon Raetsch, the compliance liaison at Mid Atlantic Retina, recently talked with us about their experience using ChartRequest. Before adopting our release of information software, Mid Atlantic Retina was spending upwards of 20 hours every week chasing down signatures and tracking every request in Word docs and spreadsheets.
Now the entire process, from request intake and fulfillment to billing and collection, is centralized. Now, Shannon spends a fraction of the time each week working on medical records requests.
In addition to the benefits for the organization, including the digitization of over 600 boxes of old paper records, Shannon reported benefits to her personal life. Vacations are more relaxing, and the increased productivity she achieved with ChartRequest has even yielded personal financial bonuses.
Read the Mid Atlantic Retina Case Study here.
Or click here to learn how NY Orthopedics has saved nearly $1 million with their ChartRequest partnership.
Ready to learn if our health information management technology is a good fit for your organization? See our software in action and discuss your ROI needs by setting up a demonstration here.