Organizations that process medical Release of Information (ROI) requests are racing against time to respond to requests within 30 days and meet HIPAA compliance regulations. Failure to respond on time is frightening as the HHS lists settlements spanning from $10 to $16 million.
While Requestors do pay for the copying and distribution of their data, this cost is just the tip of the iceberg. The vast cost of identity verification, tracking information, passing through PII filters, determining which Requestor gets access to what level of details, etc. is the lion’s share of the cost. According to some agencies, the actual cost vs. the billed fees has a 500% difference. These organizations end up doing the work and paying for the service.
Found between a rock and a hard place, organizations that process medical ROI requests have only one way to look for help: technology.
What is Release of Information (ROI)
In a nutshell, ROI is a legal framework allowing patients/insurance companies/attorneys to request and gain access to medical and billing records held by healthcare providers. They can submit an ROI to a healthcare provider, and the organization is mandated by law to respond to this request within 30 days.
For better reference, here are a few direct quotes from the HIPAA Medical Records page (emphasis mine):
- The Privacy Rule gives you, with few exceptions, the right to inspect, review, and receive a copy of your medical records and billing records that are held by health plans and health care providers covered by the Privacy Rule.
- A provider cannot deny you a copy of your records because you have not paid for the services you have received.
- However, a provider may charge for the reasonable costs for copying and mailing the records. The provider cannot charge you a fee for searching for or retrieving your records.
- If you think the information in your medical or billing record is incorrect, you can request a change, or amendment, to your record. The health care provider or health plan must respond to your request. If it created the information, it must amend inaccurate or incomplete information.
- If the provider or plan does not agree to your request, you have the right to submit a statement of disagreement that the provider or plan must add to your record.
So, release of medical information is a complex two-way operation that healthcare providers and health plans must perform every time a client makes an ROI request.
While the complexity of the task is daunting in and of itself, there is added legal pressure. As scary as this sounds, it is not the biggest problem. The major challenge in processing these release of medical information requests is the complexity of the task and the granularity of the legal framework.
In the sections below, we will first go over the legal challenges and then the technical complexity of gathering the requested information.
Legal Challenges of Processing ROI Requests
The US has adopted the ROI as a way to enable citizens to gain access to their medical files in a reasonable timeframe. However, there is no standardized state privacy law that would be accepted by all 50 states and territories. Each state sets its own rules on who gets access to medical data and the extent of detail that different entities can receive, and has different rules about specific medical information, like HIV details.
This legal complexity means that organizations need to set processes in place so that employees can do their job on time and within the law using complex policies and workflows.
According to AHIMA, unfortunately there is no cookie-cutter approach to managing requests of medical information. However, there are specific tasks that can ensure acceptable and compliant performance. These include:
- Comprehensive facility-specific procedures that are documented, current and easily accessible to staff
- Access to appropriate state and federal regulation references
- Training programs for new staff members
- Education programs for current staff members
- Regular review of work performed to ensure standards are met
- Compilation of performance statistics
- Routine feedback to individual ROI staff regarding performance criteria
- Solicitation of feedback from requestor
In such a complex landscape, health information managers (HIM) struggle to strike the right balance between preserving patient privacy, timely sharing of medical information and maintaining legal compliance.
Technical Challenges of Processing ROI Requests
Usually, people who are not hands-on processing ROI requests think that the healthcare institution has all the records neatly organized in a single filing system. Then retrieving this information boils down to a few clicks, and that’s it.
HIMs would dream of such a scenario because the reality is that hospitals keep records in different specialized systems spanning from electronic medical records (EMR) systems, X-Ray images, audio/video recordings, digital files, microfilms, printed files, etc. This reality means that even getting to the required record is a challenge. Not to mention the rest of the workflow of performing all the legal checks mentioned in the previous section, combining all the requested information through an auditable process, and finally securely providing the records to the Requestor.
According to a survey performed by the Green Mountain Care Board from Vermont, the process of answering ROI requests is far more complex.
Until recently, the primary data storage medium was paper. Now, medical facilities face a significant cost of digitizing all their historical data in a single, unified document management system, and cost seems to be the reason why many organizations say they will continue using the existing hybrid approach to document management.
Furthermore, the ROI processing cost is high because medical documents are not as straightforward as standard forms. When a patient requests a few years’ worth of medical data, a skilled health information manager needs to review each document that the facility has on the patient before releasing that information.
Things are even more complex when a third party is requesting medical information. In this scenario, the organization must ensure that no medical information is released without verifying that the requestor has the right to view that data under state laws. This means that the healthcare provider needs highly skilled staff who know HIPAA and state laws and can perform these reviews.
Lastly, unfortunately, 50% of the medical facilities from the survey responded that having an EMR system does not make ROI processing easier. This, however, isn’t because the EMRs are to blame. It’s the old problem of having hybrid data management and the high up-front cost of digitizing everything into a single data storage location.
The Financial Challenge of ROI Processing
Most of the time when we hear of Requestors complaining about high fees, they’re talking about paying for ROI requests.
While each state has different regulations about what and how much Requestors get to pay, the breakdown of costs, as mentioned previously, is only covering the cost of copying/printing and mailing the packages.
There are law firms that compile these figures, but there’s also the US Government Accountability Office, which issues updates on the fees and pricing that facilities can include in their invoice for any ROI. While Requestors claim the fees are too high, medical facilities have a different story to tell.
According to the Green Mountain Care Board survey mentioned above, one provider reported that annual costs for fulfilling requests totaled $273,000, 93% of which was devoted to paying full-time healthcare IT professionals. This total doesn’t include service fees for its third-party ROI vendor. Another provider estimated its total annual ROI costs at $242,000 with a total revenue at $47,600.
In practice, for every $1 billed to the Requestor, medical facilities have processing expenses of $5. This cost cannot be transferred to the Requestor given the regulations controlling ROI billing. So, medical facilities end up amassing expenses that are strictly tied to ROI processing.
Failing to comply is not an option. HHS is strict about ROI processing. Their website is a testament to the serious dedication to enforce compliance by medical facilities. The HHS compliance enforcement agreements page shows just how expensive it is to not comply with how facilities handle the ROI issue:
- 2018: $28 million in settlement fees, with the highest-ever $16 million settlement, a three-fold increase from the previous $5.5 million settlement back in 2016
- 2019: $13.3 million in settlement fees spread across 12 settlement cases
- 2020: $13.5 million in settlement fees by November 20th, spread across 13 settlements
It seems that medical facilities are under pressure from all sides. Requestors, using the legal framework, have the right to get their medical files. But the legal framework is very strict about the timeframe and the costs transferred to the Requestor. Medical facilities are then faced with a race against time to find all the information, filter out any information the Requestor is not entitled to, and send the response on time and under budget.
The only solution for this problem is automation via technology.
Sharecare: Technology Solution for ROI Processing
Who here hasn’t heard of Dr. Oz? Anyone with a TV at home probably knows him, and at least some of us have seen his shows more than once.
Other than being a TV celebrity, Dr. Oz is actually one of the people behind Sharecare, “the leading digital health company that helps people manage their health in one place.” More specifically, Sharecare Health Data Services (HDS) is a provider of secure electronic exchange, delivery and integration of protected health information (PHI). Among other things, Sharecare HDS is a medical release of information (ROI) provider.
As a platform, Sharecare is patient-centric. This means it’s built with ease of use in mind, so just about anyone with a computer and an internet connection can use their platform to submit an ROI. This approach enables Sharecare to boast 99.999% quality delivery. This client-centered platform helps healthcare providers and their patients with quick and easy ROI processing, effectively eliminating almost all risk and drastically reducing the cost of ROI processing. As a SaaS platform, Sharecare HDS handles all the data using a secure AWS cloud infrastructure, which means eliminating most of the cost organizations face under a hybrid data management deployment.
By eliminating human errors associated with data breaches, Sharecare’s system helps organizations minimize legal fines. As Sharecare claims, “We have specific Cash Flow Cycle improvement processes built around safely releasing medical records where claims have been denied which drive reduced reimbursement times.”
ArkCase: Technology Provider Behind the Sharecare Solution
ArkCase is an open-source, industry-agnostic case management system built to scale as needs grow. With built-in case workflows and workflow builders, ArkCase can adapt to any data-driven process with multiple points of data entry, multiple access levels, and the entire process is auditable from start to finish.
This is why Sharecare opted for ArkCase. In one product, Sharecare gets all the functionality needed to provide key end-user features like:
- Personalized dashboard
- Reporting and analytics
- Automated queue-based workflows with integrated business rules
- Integration with Microsoft Dynamics CRM
- People and organization management
- Document management with annotation and redaction
- Electronic delivery with MFA
- Collaboration with role-based access control
- Fax integration with document OCR
- Indexing and metadata extraction
- Document categorization
- Full auditability of workflows
- Encryption of information throughout the process
- Automated updates/notifications of requestors, case managers, auditors
- Integration with billing system
Medical Release of Information can be a serious drain on resources for healthcare organizations. It has been a significant liability for healthcare organizations that violate the rules. Over the past few years HHS reports increased settlement fees that organizations have to pay to people who think their rights have been ignored.
Since processing ROI requests costs up to five times more than what organizations can bill the end-users, this problem can only be solved with technology automation: more specifically, an open case management system that uses workflow automation and advanced document management capabilities.
Sharecare HDS, one of the largest ROI service providers, is a leading solutions provider for healthcare organizations. Sharecare HDS has partnered with Armedia, a veteran-owned small business, to modernize and automate their ROI processes using ArkCase, an open-source case management system. Healthcare organizations looking to automate their ROI processing need look no further than Sharecare HDS and its solution built on ArkCase.
Armedia, a veteran-owned small business that is CMMI Level 3 and ISO 9001 certified, is a platform-agnostic solutions integrator that has partnered with organizations since 2002 to automate their business processes using COTS and open source technologies. As an AWS Technology and Public Sector partner, Armedia provides the DevSecOps to automate your business processes as well as the configuration management and deployment.
For more information, don’t hesitate to contact us.
The Access to Information and Privacy Act (ATIP) of Canada came into effect in 1983. With this act, Canadian citizens, permanent residents, or other individuals or corporations in Canada have the right of access to information under the control of a federal government institution. This act defines the procedures for processing ATIP requests, including deadlines for response and the circumstances under which government agencies can withhold information.
The Information Commissioner was created to investigate complaints about non-compliance with the act’s requirements.
The government recognizes ATIP as an essential element of democracy, transparency, and openness. Even so, according to the Information Commissioner, federal agencies are struggling to keep up with that transparency.
Old Age: The Root Cause of ATIP Complaints
According to the Information Commissioner Caroline Maynard, ATIP is very outdated:
“I was surprised by how complex the Access to Information Act was. It’s a very complicated part of the law … and very outdated, unfortunately.”
Bill C-58 should provide a long-overdue update of the ATIP framework, which hasn’t seen any changes since its inception. The outdated framework and the growing number of ATIP requests (up 225% in the past 5 years) are placing a heavy burden on government agencies.
The old legal framework accompanied by old software and a growing number of ATIP requests results in a growing number of complaints.
“(We) are struggling to respond to the demand for access. (Institutions) don’t have the resources and we don’t have the technology to respond to that kind of increase,” said Maynard.
It is obvious from Maynard’s statements that Canadian agencies lack modern technology that could help them respond to all the received requests in a timely manner.
Expedience isn’t the only problem Canadian agencies are facing.
Top Challenges of Canadian ATIP Agencies
Let’s start from the very beginning: the submission of requests. Citizens can file for the disclosure of information through an online portal. But online requests can be subject to security issues, especially when requesting a document from a public space.
The whole process of submitting a request is very complex, and depending on the type of request, the citizens can easily be overwhelmed with the required documents.
Submitting a request to the wrong department is a common mistake, and in that case, most requests cannot be transferred across the institutions.
Security, complexity, and collaboration between departments are some of the key challenges Canadian government agencies are facing today. Since government agencies are working with personal information, data security is the first thing they should think of.
Staffing issues are another problem Canadian agencies are facing on a daily basis. Many federal agencies have reported a lack of the staff and expertise needed to process requests effectively. This is one of the major causes of delays. To retain and attract personnel, employees are promoted before they possess the required skills. This lack of knowledge hinders efficiency.
Job classifications vary between departments, reducing flexibility. The skills required to perform multiple functions are not well defined.
Budget constraints are another challenge for reducing backlog of requests and resulting complaints. According to the Information Commissioner, the government’s “stopgap approach” to funding is jeopardizing the efforts to clear the backlog of complaints from dissatisfied requesters.
In her latest annual plan, Maynard said it is difficult to set goals and maintain momentum because of the financial instability her office is facing.
Deadline extensions and search volume are also problematic. The ability of agencies to manage information successfully is key to a sustainable access regime. The speed with which ATIP records are created has outpaced the traditional record-keeping practices. This has a direct impact on the ability of agencies to search and locate records needed to fulfill a request.
As a result, government agencies are increasing deadline extensions, so they can effectively search for the needed information and process massive volumes of documents.
Email communications themselves have added to the number of records processed without adding to their quality.
Government agencies also struggle with the review and redaction of records. Although some agencies use software for this purpose, other agencies are still struggling to manually review and redact requests. Government agencies do know that automated tools help reduce the processing time, but by focusing on up-front cost alone, decision-makers deem these solutions as too costly.
Obviously, there are many challenges government agencies are struggling with. The ATIP process has numerous issues, not surprisingly since the system is over three decades old and administered by a law that has never had a complete overhaul.
What can the agencies do to reduce the time spent on processing requests and still stay in budget?
Invest in a modern yet cost-effective ATIP solution.
ArkCase ATIP Solution: A Modern, Cost-Effective Solution for Canadian Agencies
ArkCase provides an adaptive, dynamic open-source case management platform to support your ATIP needs. ArkCase for ATIP reduces the time spent on request processing and improves the effectiveness of the entire process, increasing efficiency throughout the entire public request lifecycle: from submission to final response and delivery of the requested documents.
The ArkCase ATIP solution is built to meet all the requirements for providing the necessary security.
Here are some of the key features of the ArkCase ATIP software solution and their benefits:
1. Automation of the Entire ATIP Process
Processing a vast number of requests is one of the biggest problems government agencies face. To assist in reducing backlogs, the ArkCase ATIP solution is fully automated and easy-to-use.
From online public request submission to delivery, this solution accelerates and automates processing. No more piles of paper. No more backlogs. No more complaints.
2. One Interface for Communication
The ArkCase ATIP solution uses one interface for internal and external communications. This allows fast and easy communication between departments and agencies as well as citizens.
3. Pre-Configured Workflows
When a request is submitted, the ArkCase ATIP solution stores it and creates a pre-configured secure workflow. The standard format of the workflow makes the whole process easier for staff. With ArkCase’s multi-track and automatic status update feature, ATIP staff will always know when and what they are supposed to do. This makes public request processing much simpler, easier, and faster.
4. Online Submission of ATIP Requests
The ArkCase solution allows online submission of requests. Citizens anywhere can easily request government information.
5. Data Storage & Access to Records
As cloud-based software, our solution stores and maintains all the records and correspondences on a secure AWS cloud infrastructure that meets Canadian security requirements.
This allows employees to have secure access to data from anywhere in the world on any device with an Internet connection.
These are just a handful of features that make the ArkCase ATIP Software Solution a reliable, scalable, secure, and cost-effective solution.
With the ArkCase ATIP solution, government agencies can significantly simplify request submission and fulfillment. From the online submission of public requests to digital delivery, the ArkCase ATIP software solution improves the process from beginning to end.
This way, government agencies can get more done, in less time, with less manual work, and with fewer complaints to the Information Commissioner’s office.
The purpose of ATIP is to provide Canadian citizens a right of access to records under the control of government agencies. Agencies are facing many challenges that contribute to large backlogs and a huge number of complaints.
The biggest challenge is that most of the agencies still lack the technology needed to effectively accept and process requests in a timely manner.
Luckily, there is a modern, cost-effective solution to their challenges – the ArkCase ATIP solution. With ArkCase, Canadian agencies can reduce backlogs and get more done, in less time.
I hope that this blog post will be helpful for you as an ATIP department manager or staff member, to see what challenges government agencies struggle with, and how a solution like ArkCase can help overcome those challenges.
If you want to discover more about the ArkCase ATIP solution, or you have any questions or comments, don’t hesitate to contact us.
For years now, cyberattacks targeting local governments and organizations have been making headlines. The most threatened, however, is the healthcare sector. With outdated technologies and a relatively low IT security literacy, medical workers are a perfect target for network and social hacks that result in expensive and embarrassing data breaches.
Every year, we get to hear terrible stories of security breaches in medical organizations. In 2016, the Hollywood Presbyterian Medical Center paid the equivalent of a $17,000 ransom in bitcoin to retrieve its encrypted files. This attack got so much coverage that the medical center now has a section explaining the attack on its Wikipedia page.
The same year, MedStar Health was under a cybersecurity attack, and it had to turn away patients or treat them without important computer records.
Unfortunately, these two cases were just the beginning of ransomware attacks against healthcare data servers.
Attacks like these create confusion, disrupt patient services, and in 2019, have forced many healthcare providers to shut their doors permanently. Healthcare cybersecurity attacks across the world, such as the WannaCry ransomware attack, have only highlighted how quickly personal information can become compromised when technology is the weak link.
Why are legacy applications a threat to healthcare cybersecurity?
Common Social-Hacking Threats Plaguing Healthcare Organizations
To effectively manage patient information, the healthcare industry needs to digitize the data and automate processes. Unfortunately, the problem in healthcare organizations is the high complacency with outdated technology and generally low IT literacy of medical staff.
Utilizing poorly managed legacy applications makes hospitals vulnerable to cyberattacks. Low IT security literacy of medical staff makes them an easy target for social hacking. These two issues are among the reasons hospitals face significant risks with potential high-impact consequences for both them and their patients.
Cyber attackers hit wherever systems are most vulnerable. This is usually the medical staff, who are concerned with customer service. Some common exploitation schemes include:
- Email phishing. Users are asked to click to open an email or website. Cyber attackers often send an email with an infected link for the users to click on.
- Usage of default passwords. Cyber attackers take advantage of weak passwords in cases where password strength has not been enforced.
- Insecure configurations. Configurations with unintended security holes are obvious vulnerabilities which can be addressed through a combination of greater awareness and improved testing during system configuration.
- Lack of essential network security. Very often, security takes a back seat to other priorities. Healthcare providers need to standardize practices around the network and data-access security and undertake proactive steps to monitor and ensure adherence.
Healthcare organizations that take serious steps to solve these issues will protect themselves from attacks that would otherwise probably be successful.
How Legacy Applications Pose a Threat for Healthcare Organizations
Although digital transformation is enabling greater patient engagement through the rise of Cloud Computing and the Internet of Things (IoT), it also contributes to a growing threat for potential cyberattacks. Increasing connectivity is a catalyst for exploits. This is especially true with legacy applications, where cybercriminals can exploit ‘back doors’ to compromise data centers of health organizations.
It is common for institutions to continue using legacy applications to store historical data that is not migrated to modern, more secure solutions. The driving force behind this practice is human and/or financial resource constraints, as well as unfamiliarity with modern technologies.
Adopting modern technologies to reduce exposure to vulnerabilities has become more important than ever as healthcare organizations have become top targets for cyber-criminals.
Below are some alarming statistics about healthcare cybersecurity threats in the US in the last couple of years:
- From 2009 to 2018, there have been 2,546 data breaches in the healthcare industry, impacting more than 189 million medical records
Source: HIPAA Journal
According to these statistics, cybersecurity doesn’t seem to be effective, especially in healthcare organizations. Obviously, there’s plenty of room for improvement. Any hospital that continues to use legacy applications is simply inviting risk. The longer these vulnerable systems are in use, the greater the threat they are presenting. The infection can rapidly spread and affect mission-critical applications with catastrophic implications.
Modern ECM Systems: The End of Healthcare Cybersecurity Nightmares
One of the biggest concerns when thinking about modernizing ECM systems is how secure your patient data will be, especially if it’s a cloud-based solution on a third-party server. Data security is the first concern for medical organizations, which must comply with regulatory frameworks like HIPAA (Health Insurance Portability and Accountability Act) for secure data portability.
On-premise modern ECM solutions can be one option, but the organization will need to work with a trusted, reliable service provider. On-premise IT infrastructure will be the facility’s responsibility. If the equipment fails, healthcare organizations may lose all their data. If the equipment isn’t maintained and updated regularly, network breaches can happen again. If the data/server room isn’t secured properly, there’s the threat of physical access to data storage devices.
Cloud-based ECM systems solve the IT infrastructure problem and not only allow users to access data remotely, but include automated backups and disaster recovery options. Cloud solutions will leverage Platform as a Service deals with large technology companies like AWS.
Addressing the cybersecurity issue in healthcare organizations requires a multi-faceted approach. This can include everything from bare-metal infrastructure solutions, to server virtualization, data storage solutions, secure networks between systems, and secure yet user-friendly ECM interfaces. This also includes on-premise training for the integrated system and ECM.
With an all-encompassing approach, healthcare organizations can get drastic improvements in several key areas:
- ECM systems have advanced safeguard capabilities, particularly when it comes to data access. User roles and access levels are easy to set up, and digital signatures ensure that each employee’s login credentials are secure. Electronic signatures, audit trails, detailed activity logs, etc., help close as many security gaps as possible.
- Quick Recovery. Modern ECM systems deployed as hybrid solutions (on-premise and cloud integration) can be set up to run data backups in the cloud. Data stored on providers like AWS will be easily retrievable, making local data loss a non-issue. These data storage solutions will usually be HIPAA, FedRAMP, HITECH, etc. compliant.
- Collaboration & Communication. Since healthcare organizations are usually running multiple departments, collaboration and communication between the doctors and other staff across those departments are crucial.
Using a cloud-based ECM system, healthcare providers can easily transfer data between each department using one interface for communication. A modern ECM system will allow for secure, easy, and fast access to documents. It will also allow for cross-department collaboration based on predetermined permissions and workflows, and so on.
- Scalable Data Storage. Healthcare organizations are working with electronic medical records and have numerous other devices generating data. Wearable monitors, MRI scans, X-ray scans, etc., all end up as digital documents shared and attributed to specific patients. This is a lot of different data that should be stored securely, on a platform that allows easy scalability.
A modern ECM system that’s either cloud-based or uses a hybrid deployment will be built with scalability in mind. Expanding storage capacity on the Cloud, especially with AWS, is a non-issue.
- Instant Data Access & Searchability. When all of your data is on the Cloud, accessing it is much easier.
With Cloud-based ECM software, you can access data much faster and much easier. This means that anyone with given permissions can access patients’ data from anywhere in the world.
Modern ECM systems will usually have the ability to search for key phrases within the document texts as well as through the documents’ metadata. These systems enable medical workers to easily find any piece of data from anywhere in the world, via a secure connection.
Armedia, as an ECM solutions integrator, can also help your healthcare organization with migrating data from any legacy system onto any new ECM system of your choosing. For fast, reliable and secure data migration, we built Caliente, an ECM data migration application that has enabled us to move petabytes of data at 100% data accuracy. Using Caliente, our team can perform quick one-time data migrations from your legacy system. Additionally, if your healthcare organization struggles with paper-based patient files, with Ephesoft, we can help you achieve full digitization. Ephesoft’s capture solutions help large organizations increase data accessibility, organization, and data extraction from paper-based documents.
For HIPAA and DoD-compliant data storage, we use Alfresco, and for a customized case management platform, we rely on ArkCase.
Threats to healthcare cybersecurity are real. Legacy applications leave healthcare organizations exposed to cyber-attacks. Ransomware attacks on healthcare organizations have led to an inability to access patient data, forcing hospitals to a fallback scenario of pen-and-paper patient management. To make things worse, these cyberattacks expose sensitive patient data and lead to substantial financial costs for healthcare organizations.
Considering all the issues legacy systems present, it is advisable to migrate patient data and daily operations to a modern, cloud-based ECM system.
Over the years, Armedia, as a platform-agnostic ECM solutions integrator, has helped organizations migrate away from their legacy systems onto modern ECM solutions. Whether it was an on-premise, cloud or hybrid deployment, organizations benefited from our expertise in fast data migration at 100% reliability, every time.
So, what do you think about healthcare cybersecurity? Do you think a cloud-based ECM is the right solution against threats to healthcare cybersecurity? Will technology help us protect our data from prying eyes?
We’d love to hear your thoughts in the Comments section below. Or if you have specific ECM Modernization questions, please feel free to contact us.