Skip to main content

How Release-of-Information Outsourcing Can Curb Economic Risk

By Bonnie Coffey, for HealthLeaders Media  
   December 10, 2010

A hospital's health information management department is responsible for a variety of functions, including releasing health records per request, a process that requires meticulous compliance in order to avoid financial, and other, penalties. Already dealing with the remnants of a recession, HIM departments are facing immense amounts of pressures, ranging from the HIPAA Security Rule, which establishes national standards to protect individuals' electronic personal health information, to government mandated audits, such as the Recovery Audit Contractor program, that must be adhered to.

 As a result, HIM departments have to ensure employees are constantly educated with new regulations that affect Release-of-Information endeavors in order to properly compile a patient's medical record, a very taxing and time-consuming endeavor. Given that hospitals are strapped for cash as it is, losing revenue for unnecessary ROI violations could severely impair a hospital's cash flow. Consequently, there is no better time than now for hospitals to reassess their decision on how to handle the ROI process and consider hiring a certified outsourcing company that maintains an experienced and educated workforce that ensures compliancy with HIPAA and other federal and state regulations.

History of ROI
ROI is a complex process with specific provisions to protect a patient's private medical record. The ROI outsourcing industry was founded more than 34 years ago in order for patients, attorneys, and other authorized requestors to receive medical records in confidence. Every hospital in the US either has an internal or external department that conducts the ROI process, which includes obtaining patient consent, certifying medical records, and determining what information can be released.

The ROI process has undergone significant changes with the advent of technology, as more hospitals transitioned from paper to other forms of media such as microfilm and imaging diagnostics. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 provided incentives to providers who accelerate the change to a complete electronic health record. The downside to this rapid acceleration has resulted in a hybrid paper/electronic record environment which strains the ROI process.

The Impact of EHRs on ROI
New technologies have changed the health record, and in doing so changed the process of retrieving these records. Compiling a health record has evolved from what was once a simpler process of paper records into a more complex progression into a combination of paper, film and electronic information. With more than 32 steps involved in the process to accurately and securely fulfill a request for a health record, it is essential that the individual releasing the information understands the complexity of an EHR. The co-existence of paper and electronic formats increases the margin of error when processing requests, since the likelihood of omitting critical documentation is increased, causing HIM departments to spend more time and resources compiling a HIPAA-compliant health record.

The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognizable regulations for the use and disclosure of an individual's health information. HIPAA was intended to improve portability and continuity of health insurance coverage, combat waste, fraud and abuse and provide protections to the privacy of Americans' personal health records.

Starting on Jan, 1, 2012, providers must transition current HIPAA transactions to a new 5010 criterion, which is designed to improve the workflow between healthcare providers, payers and clearinghouses. In turn, most healthcare organizations are in the process of providing education and establishing new protocols to ensure a seamless transition to the new standard. Given the approaching deadline, HIM departments must become familiar with the new modifications and conduct an internal impact analysis to determine how 5010 will affect business practices and systems. Months of training time is needed to ensure staff is able to successfully transition activities into the new system. Given the time and attention that is needed for this transition, ROI efforts might be better suited for outside professionals that have the workload and resources necessary to conduct this responsibility properly.

Economic Risk Management
Providers also need to weigh the financial burden that can occur when ROI violations happen. Heavy fines (starting at $50,000 to upwards of $1.5 million) can be levied against a healthcare provider who fails to adhere to HIPAA requirements. Given the economic risks associated with ROI, it may be a safer bet for providers to use an outsourcing company that maintains the experience and training necessary to prevent these violations from occurring, resulting in reducing the economic risks of healthcare organizations that are already on shaky ground economically.

 "Alphabet Soup" of Audits
The quality of an organization's coding and billing processes can make the difference between thriving, surviving, or failing in these turbulent economic conditions. In the midst of this slow economic recovery, hospitals are facing an "alphabet soup" of audit programs as payers nationwide are following in the trail of the CMS Recovery Audit Contractors (RAC) program. Some of these audit programs that are increasing in frequency and scope across the country include: Medicare's Comprehensive Error Rate Testing (CERT), Zone Program Integrity Contractor (ZPIC), Medicare Administrative Contractor (MAC) audits, The Medicaid Integrity Plan (MIP) and commercial payer audits.

HIM departments in all corners of the country are faced with the increased burdens of complying with these audits. Consequently, this has left some HIM departments stretched too thin, which is a key reason why some providers are already outsourcing ROI work to alleviate HIM professionals' time and workload.

Patient Security
Another reason why providers should consider outsourcing the ROI process is because of the increasing number of privacy breaches reported. According to a recent study conducted by FairWarning, patient data continues to be breached month after month at an alarming rate. Today, an average 200-bed hospital has had 24 breaches per month; a 20 clinic physician practice has had an average of 29 breaches per month; and the top 50 health systems in the United States have had an average of 125 breaches per month.

In addition to a patient's trust in their healthcare provider dissipating, there are financial burdens associated with these breaches that impact both the provider and the patient. On average, $211 per provider is spent on every breach. Additionally, if more than 500 individuals are impacted by a single breach, the healthcare organization must notify all local, prominent media outlets as well as the Secretary of Health and Human Services.

According to Hulme's study, patients are also losing financially while coping with a privacy breach. Some recent statistics include:

  • On average, $20,000 is spent resolving a single privacy breach
  • More than 50% of patients were not even aware that the breach occurred until after a year transpired
  • 32% faced increased health insurance costs
  • 50% switched business to a competitor

Over time, ROI tasks have become much more complex than simply clicking a mouse or photocopying sheets of paper to reproduce a health record; there are intricate laws specified by HIPAA and other regulatory bodies that have been passed by the government that must be adhered to. If not, healthcare providers not only face a negative impact to their practices, but also face severe financial burdens. Providers all across the nation are being fined for violations related to ROI endeavors because of the strains within their own HIM departments.

HIM departments are being forced to spend significant time and resources on a myriad of audits and complying with government regulations that make it difficult to conduct ROI tasks responsibly without error. As a result, it makes sense for healthcare organizations to reassess their positions on outsourcing if they conduct ROI endeavors in-house. Outsourcing ROI responsibilities to trained professionals with the expertise and knowledge of HIPAA and other regulations will provide the security that healthcare providers are looking for during these tough economic times.


Bonnie Coffey is the immediate past president of The Association of Health Information Outsourcing Services, and president and CEO of CM Information Specialists and Attain Document Services. She may be reached at bonnie@cminfospec.com.

Tagged Under:


Get the latest on healthcare leadership in your inbox.