There are several approaches to releasing Protected Health Information (PHI).  Methods are often driven by the size or the specific needs of the organization. Some providers have set up workflows, got them underway some time ago, and they sort of just worked.  Any pain revealed in the process may not be immediately evident, or perhaps the problems pale in comparison to other internal workflow concerns.  The old idiom “if it ain’t broke, don’t fix it” sounds fantastic on the surface, but like the illness left untreated for too long, there will come a day it can no longer be ignored, and perhaps with devastating consequences.

Taking the time to examine the viability of your current Release of Information (ROI) process may reveal security vulnerabilities, potential compliance violation pitfalls, or possibly a shortfall in projected revenue (some even find they are operating at a loss).  Categorically speaking, there are two approaches to managing the process of releasing medical records: insourcing and outsourcing (or a hybrid of the two).

Insourcing suggests that healthcare providers prefer to do ROI themselves.  Everything appears to be running smoothly and they enjoy the revenue gained from invoicing for billable records.  It is interesting how many providers feel this way, yet they are unable to quantify the number of records that they process on a weekly or monthly basis.  Does the income from an unknown number of requests truly out way the expense of various cost centers associated with ROI?  That said, insourcing can be and is a solid alternative, but carve out some time to examine afresh whether it’s still the best option for your medical practice.  Also, look again at your insourcing approach and make sure you are avoiding some of the following pitfalls.

The Whoever’s Available Approach – Expediency is a pitfall one should always be cautious of.  This may be more typical in very small practices, but size does not provide a free pass for compliance violations.  Process consistency, staff training, and other procedural concerns are top of mind here.  Consider ways to consolidate roles and responsibilities for this task, and ensure that policies and procedures are known and followed by all employees involved.

The Get a Fax, Push a Button Approach – Simplicity is great when it doesn’t come at the expense of compliance.  Simply getting the fax request, looking up the patient records in the EHR, compiling what’s requested, and pushing a button is not going to suffice.  The release of medical records is characterized by high levels of complexity and risk that must be carefully accounted for.  There are critical, strictly regulated steps that must be followed to ensure that both patient information and healthcare organization liability are always protected.   And, as we’ve mentioned before, simply placing a note in the patient EHR record, “sent on this date to John Smith Law Firm,” falls short of compliance standards.

The Multi-Department Approach – Convenience based on entry points makes a lot of sense for larger organizations.  Unfortunately having multiple points of release significantly increases risk. Compliance officers lay awake at night worried about whether all the requests have been entered in the disclosure management log, or if all the staff at various locations are following protocol.  Consider how you may be able to centralize this process and create a single point of release.

Outsourcing ROI, whether in full or in part, is an alternative option chosen by providers for various reasons.   Providers in this category desire to reduce administrative costs; free up staff to focus on other core competencies; reduce compliance worries, costs, and efforts; or to provide faster turnaround times (and happier patients).  With the increase in insurance audits and other 3rd party requestors, this option has gained a lot of popularity as of late.  Still, however, it may be time to take another look at your outsourcing provider.  Remember that just having a signed BAA does not free your practice from all liability.  Have you evaluated the Business Associate’s privacy and security policy and practices?  Do they have an Incident Response Plan (IRP)?  Reevaluate what they provide and what their approach to servicing your account is:

The Guy Who Comes by Once a Week Approach.  This may be a small, local copy service, or the 10,000 lb. gorilla Release of Information Company.  They may use their own equipment and resources, or they may use yours.  They may access the EHR on sight or leave with the requests and do it remotely.  How are the requests fulfilled?  Are they still faxing or mailing everything (more risk)?  What is the real turnaround time?  Are they staffing up onsite?  Is that necessary?  Are there other ways to improve the process?

The Copy Service has us Covered Approach.  Perhaps the ROI company is operating remotely.  One option is that the medical practice still gets all the requests via fax and mail, but they then must input and electronically transmit to the outsourcing company.  Is this the best use of your staff’s time?  Thankfully, some ROI providers provide a level of service where calls and faxes can be directed directly to them.  The beginning and the end of the process are a concern here.  Again, how are they delivering the requests once they get them?  Mailing and faxing everything is an antiquated approach inherently predisposed to exposure risk.  What about when the process starts? Rather than have the requestor fish around on your website to find a form to download, fill out, and fax – what if they could just be provided with a landing page that was easy to find, where they could log in and make a request that gets transmitted directly to the insourced or outsourced staff member that handles the requests?   Why not provide a better customer experience on the front end as well as the back end of making the request?

Whichever approach you take to ROI, it may not be broken per se, but it may well be worth your time to make it better.  For the sake of those you serve, for the sake of your staff, and even for your own sake, we invite you to take a fresh look at ROI through the eyes of ChartRequest.  If you currently insource, give us the opportunity to show you what’s possible (you can even continue to insource while leveraging the ChartRequest platform).  If you already see the value of outsourcing, then you owe it to yourself to become more familiar with ChartRequest’s release of information services, and how we may better serve your ROI needs.