Unauthorized Disclosures, MGMA and Kathryn Ayers Wickenhauser

One of the inevitable demons in healthcare is the accidental disclosure of protected health information (PHI). There is a real chance your healthcare organization has already experienced one, and if you haven't, you will probably face this demon in the future. Arming yourself with knowledge of how to handle the situation is the key to successfully managing these disclosures when they occur.

Our own Kathryn Ayers Wickenhauser addresses the key takeaways from her discussion with Shannon Geis from MGMA about the variety of ways that organizations can handle situations where health information gets into the wrong hands including:

  • Categorizing unauthorized disclosures – using a stoplight analogy, Kathryn shows how to tell the degrees of disclosure apart and how to react to each when it happens.
  • How technology can add complexity — EHR technology can add an additional layer of opportunities for accidental disclosures.
  • The impact on procedures — how much, or how little, your organization should change its internal processes and procedures when an unauthorized disclosure occurs.


Want to learn more about violations, breaches, and beyond? Come and see Kathryn Wickenhauser at the MGMA Annual Conference in Anaheim, California, October 8-11. Kathryn will be presenting "Violation or Breach? Identify and Report HIPAA Incidents" on Tuesday, October 10. Not attending MGMA? No problem; schedule a meeting with us today to learn more about mitigating compliance risk and offloading release of information.

How Much Could One Data Breach Cost Your Organization?

In light of the recent Equifax data breach, which has affected roughly 143 million Americans, protecting personal information has come to the forefront for many people in the United States. To put that number in perspective, roughly 44% of the United States population may have had their identity exposed or stolen due to this breach.

Accidental breaches and violations are a risk in any industry that handles sensitive information. However, with changes in technology and in HIPAA law, healthcare is particularly at risk for costly breaches like the one Equifax experienced. According to Becker's Hospital Review, an average of one reported healthcare breach incident per day occurred in the U.S. in 2016, and approximately 90% of hospitals have reported a breach in the past two years.

It should come as no surprise that healthcare breaches have staggering financial consequences that hit the bottom line directly. Breaches cost the U.S. healthcare field an estimated $6.2 billion each year. Beyond legal costs and fines, there are many ways a clinic stands to take a financial hit, including:

  • An average of $560,000 in breach notification costs: depending on the size and scope of the breach this could include anything from credit monitoring services and setting up a toll-free number for those potentially affected to notifying HHS and the media of breaches.
  • Loss in brand value averaging $500,000: This is the financial quantification of how your organization's reputation may be affected by the breach.
  • $440,000 average in post-cleanup “housekeeping”: After taking such a substantial financial hit, clinics will of course be looking at ways to not have this happen again. This can be manifested in tangible items like technology upgrades or intangible costs such as staffing changes and turnover.

With devastating consequences both financially and to an organization's reputation, it is apparent that one accidental breach could significantly impact an organization, possibly even resulting in its demise.

How We Differ

As a business associate, DataFile is acutely aware of the consequences of a large healthcare data breach. We are subject to the same HIPAA rules as covered entities, and we assume responsibility should a large healthcare data breach occur within our scope of work. We maintain patient privacy as one of our top priorities, though we know accidents can happen. Be assured that we have a plan in place to protect our clients and their patients.

Our numbers speak for themselves. In our 2016 Incident Report, our CIO and our Compliance Manager at DataFile stated, "The best part of our compliance program is our people, as evidenced by our excellent training and our low incident rate. Even though DataFile continues to grow, our incident rate has declined for the third consecutive year."

The proof is in the numbers. Although our goal is zero errors, we know accidents can happen, so we have instituted a stringent audit of every record we release. We pay additional attention to the places where mistakes occur most often within a health record, such as misfiles caused by a wrong name or date of birth, and our fulfillment team takes special care when filling requests so that careless errors in addressing or delivery are avoided to the best of our ability. With these processes in place, we are proud to state that our error rate across hundreds of thousands of fulfilled records is a mere 0.0301%.
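The two checks described above (every page in a packet belongs to the requested patient, and the packet is addressed where the authorization says) are the kind of pre-release gate that can be automated. The following is an added illustration written for this page, not DataFile's own tooling. It assumes that the patient name and date of birth have already been read from each page (by the EHR export or an OCR step) and that a name still matches when it is written "Last, First" or with or without a middle initial; the sample request and pages are constructed for the example and contain no real PHI.

```python
"""Pre-release audit for a release-of-information packet (added example).

Every page is checked against the request it was pulled for: patient name and
date of birth must match, and the packet must be addressed to the destination
on the authorization. Any finding blocks release so a human can look at it.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass
from datetime import date, datetime

# Date formats accepted on a page. Two-digit years are deliberately not
# accepted: "4/5/80" is ambiguous and must be resolved by a person.
DOB_FORMATS = ("%Y-%m-%d", "%m/%d/%Y", "%m-%d-%Y", "%B %d, %Y")


@dataclass(frozen=True)
class Request:
    patient_name: str
    dob: str            # as written on the authorization
    deliver_to: str     # destination named on the authorization


@dataclass(frozen=True)
class Page:
    page_id: str
    patient_name: str   # identifier as read from the page header (assumed upstream)
    dob: str            # as printed on the page; formats vary


def normalize_name(raw: str) -> tuple[str, ...]:
    """Accent-strip, lower-case, reorder "Last, First" and drop single-letter
    initials so "Smith, John A." and "John Smith" compare equal (assumption)."""
    text = unicodedata.normalize("NFKD", raw)
    text = "".join(c for c in text if not unicodedata.combining(c))
    if "," in text:
        last, _, rest = text.partition(",")
        text = f"{rest} {last}"
    tokens = re.findall(r"[a-z]+", text.lower())
    return tuple(t for t in tokens if len(t) > 1)


def parse_dob(raw: str) -> date | None:
    """Return the date, or None when the text matches none of DOB_FORMATS."""
    for fmt in DOB_FORMATS:
        try:
            return datetime.strptime(raw.strip(), fmt).date()
        except ValueError:
            continue
    return None


def normalize_address(raw: str) -> str:
    return " ".join(raw.lower().split())


def audit_packet(request: Request, pages: list[Page], addressed_to: str) -> list[tuple[str, str]]:
    """Return (page_id, reason) for every page that must not go out, plus a
    ("packet", reason) finding when the packet is addressed somewhere other
    than the destination on the authorization. Empty list means clean."""
    findings: list[tuple[str, str]] = []
    want_name = normalize_name(request.patient_name)
    want_dob = parse_dob(request.dob)
    for page in pages:
        if normalize_name(page.patient_name) != want_name:
            findings.append((page.page_id, f"name mismatch: {page.patient_name!r}"))
        got_dob = parse_dob(page.dob)
        if got_dob is None:
            findings.append((page.page_id, f"unreadable DOB: {page.dob!r}"))
        elif got_dob != want_dob:
            findings.append((page.page_id, f"DOB mismatch: {page.dob!r}"))
    if normalize_address(addressed_to) != normalize_address(request.deliver_to):
        findings.append(("packet", f"addressed to {addressed_to!r}, authorization says {request.deliver_to!r}"))
    return findings


def release_allowed(request: Request, pages: list[Page], addressed_to: str) -> bool:
    """Release only when the audit produced no findings at all."""
    return not audit_packet(request, pages, addressed_to)


# Constructed sample input for the example; no real patient data.
REQUEST = Request("John A. Smith", "1980-05-04", "Acme Insurance, PO Box 100, Springfield")
PACKET = [
    Page("p1", "Smith, John", "05/04/1980"),
    Page("p2", "SMITH, JOHN A", "May 4, 1980"),
    Page("p3", "Smith, Jonathan", "05/04/1980"),   # misfile: other patient, same DOB
    Page("p4", "Smith, John", "05/04/1981"),       # misfile: same name, other DOB
    Page("p5", "Smith, John", "4/5/80"),           # ambiguous DOB, needs a human look
]
DESTINATION = "ACME Insurance,  PO Box 100, Springfield"

if __name__ == "__main__":
    for page_id, reason in audit_packet(REQUEST, PACKET, DESTINATION):
        print(page_id, reason)
    print("release allowed:", release_allowed(REQUEST, PACKET, DESTINATION))
```

The check is deliberately strict in one direction: a page that cannot be read is treated the same as a page that does not match, so the packet is held rather than released with an unverified page in it.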

What Can You Do

The easiest way to offload liability in the case of an accidental breach or violation is to work with a trusted business associate, like DataFile, to handle tedious and risky processes such as release of information. We have spent more than 14 years partnering with organizations nationwide and have become a trusted partner. Contact us today to see how DataFile can assist you with your release of information and assume liability for breaches – so you don't have to.

AHIMA’s New Model Form Draws Attention to Right to Access

The American Health Information Management Association (AHIMA) recently released a model form, taking the lead in providing a resource when a patient requests a copy of their health information.

AHIMA is making strides to reduce the confusion for patients and streamline the process for providers, both of which are important aims. AHIMA is the only group that has created a form template for organizational use so far. While HIPAA requires a fairly standard written authorization for disclosure of PHI to a third party, Right to Access under HIPAA has largely been overlooked until recently. We commend AHIMA in its efforts and feel it sparks healthy additional conversation around the Right to Access process and how it differs from Authorizations — as they are often combined and sometimes confused under the release of information label.

While Right to Access (45 CFR 164.524) is not a new law, it was often misunderstood until Health and Human Services (HHS), through the Office for Civil Rights (OCR), issued additional guidance in early 2016. At the center of the confusion is the process by which a patient or their personal representative requests PHI under the Right to Access provision. HHS does not require a form for Access requests, but a covered entity may require the request to be in writing if that requirement is stated in its Notice of Privacy Practices. Since healthcare organizations already require an Authorization for release of PHI to a third party, they consider it a best practice to require patients to submit their Access request in writing as well. To answer the need for a form that complements the Authorization, AHIMA created a model form for use in the Right to Access process.

In particular, AHIMA’s model form addresses two issues with Right to Access:

1 – AHIMA's model form draws attention to a frequently overlooked provision within HIPAA. Following the additional guidance from HHS and the OCR, Right to Access has become a hot topic. Yet for many organizations, Authorizations far outnumber the Right to Access requests they receive, so they have not placed much emphasis on the Access process in the past. As organizations try to navigate this additional guidance, AHIMA has stepped in to provide a starting point via the model request form. AHIMA's attention to the Right to Access guidance illustrates that organizations cannot overlook these provisions as perhaps they once did, or they will face repercussions from the OCR.

2 – AHIMA's model form assists organizations in verifying personal representatives.

The Right to Access provisions allow a patient or their personal representative to request records; however, Access requests are subject to different fee limits than a traditional Authorization request. As a result, attorneys and other entities are taking advantage of the guidelines for the pricing benefit by having patients designate them as their personal representative. There are real costs associated with producing medical records, and third parties are taking advantage of what is supposed to be a benefit to patients. Because HIPAA does not require an Access request to be on a specific form, third parties under the guise of personal representation are submitting requests pretending to be the patient. At DataFile, we have seen boilerplate letters issued "from the patient" with a copied and pasted signature of the patient, leading to uncertainty if the patient themselves is requesting the records, or a third-party representing themselves as a personal representative instead. AHIMA's model form helps curb this possible exploitation by having the patient complete the form personally and designate their personal representative in writing. HIPAA allows a healthcare organization to use its own form and require an Access request in writing, provided the requirement is noted in the Notice of Privacy Practices and does not create a barrier to the patient receiving their records.

As healthcare organizations see Right to Access requests rise, in part due to greater awareness of the process and of the personal representative designation, the OCR notes that its guidance has created some unintended consequences. At the Health Care Compliance Association conference in March 2017, Iliana Peters, Senior Advisor for HIPAA Compliance and Enforcement, said the OCR would issue additional guidance on the Right to Access process to curtail third parties such as attorneys using the personal representative designation misleadingly.

While the healthcare industry can expect to see additional guidance on Right to Access under HIPAA, AHIMA has assisted organizations in addressing Right to Access needs by developing their model form for Access requests.

Want more information on why a standardized ROI form is not enough in responding to your patient and requestor needs? Request our white paper.

Allscripts Milestone Points to Industry Shift to Streamlined Records Processing

“The Times They Are-A Changin’……” Can’t you just hear Bob Dylan singing right now? ….We’re sorry for that!

As evidence of the rapidly evolving healthcare space, DataFile Technologies partner Allscripts just announced that eChart Courier hit a major milestone with the exchange of 10 million medical records since its inception in 2015. This news spells more opportunity for practices to streamline back office health information management (HIM) functions.

Allscripts eChart Courier service helps physician practices automate the appropriate sharing of medical records with affiliated health plans. It encrypts and electronically delivers the medical record to the payer, streamlining the reimbursement timeline by sending the required information quickly. The service is available to health care providers at no charge. As a complement to Allscripts eChart Courier, DataFile offers a niche solution for release of information for medical records services.

Hitting the milestone of exchanging 10 million records electronically is a significant accomplishment for eChart Courier and offers substantial integrity and labor savings for providers. And it is just scratching the surface of the opportunity for practices that want to gain efficiency and reduce HIPAA liability.

"There are 100+ million records being requested of providers annually, and 90% of them are still being exchanged via traditional paper or analog faxing methods," said Janine Akers, CEO of DataFile Technologies. "These legacy methods do not offer discrete or structured data to be exchanged effectively and can cause unnecessary issues and inefficiencies. Allscripts is paving a path of interoperability that benefits patients, providers and payors alike."

Providers face a number of challenges in today’s healthcare landscape. From ballooning regulations and overhead costs to labor and staffing, running an efficient medical practice can be difficult. DataFile and Allscripts eChart Courier services combine to make it possible for organizations to save money, reduce HIPAA risk and maintain an efficient practice that is able to offer exemplary patient care.

At DataFile, we commend Allscripts for their commitment to offering ways for providers to lower the costs and liability associated with running a practice. As the demand for technology and advanced solutions continues to grow in healthcare, DataFile is proud to partner with EHR companies such as Allscripts that address client needs through turnkey options and allow for a renewed focus on patient care.

To learn more about how DataFile complements Allscripts and eChart Courier, join us for an upcoming webinar or contact us today.

Wickenhauser a Guest Feature on Compliance and Ethics Blog

Our compliance team, including Gary Powell and Kathryn Ayers Wickenhauser, attended this year's HCCA Compliance Institute annual meeting at National Harbor in Maryland. Wickenhauser, an author and speaker in the industry, penned her thoughts after one of the sessions she attended. Her post, titled "Right to Access: Peters States Additional Guidance Forthcoming", was recently featured on the Compliance and Ethics Blog. In this post, Kathryn shares insights from a question that was directed to Iliana Peters, the Senior Advisor for HIPAA Compliance and Enforcement at the Office for Civil Rights (OCR), during the live session.

Here’s an excerpt from Wickenhauser’s blog:

“The attendee asked Peters how to handle a situation when an attorney contacts the provider on behalf of the patient to produce records. The attendee states that attorneys have been “taking advantage” of the “Right to Access” guidance in an effort to receive the same cost-benefit a patient might for requesting a copy of their records, and the patient may not truly be aware of what is being delivered to a third-party. Peters indicated a suggested solution is to call the patient and see if they personally requested the records be delivered to their attorney, as well as what should be delivered, as nothing in the current “Right to Access” guidance prevents a provider from doing so. Additionally, she stated that more guidance was forthcoming to clarify the process and verification of a patient directing their health information to a third-party.”

To read more from Wickenhauser on this topic and the additional guidance that will be forthcoming, please continue on the Compliance and Ethics blog.

Moving the Needle of Interoperability; Can We Expect it to be Seamless, YET?

As we all get used to writing the digits "17" in our signature lines, at DataFile we're reflecting back on 2016 and the many advancements that were made towards interoperability across all stakeholders in the healthcare continuum. One of our consultants started this past year at an educational event in the Midwest where a representative from a small private practice asked if "digital fax" was considered participation in interoperability. As we wrap up this year we know the amount of health information exchanged has hit unprecedented levels and will only continue to grow. Providers at all levels, from the hospital to the private practice in rural America, are utilizing digital tools and relying on technology to communicate with their patients and with other providers in a variety of settings. HealthIT systems are working together to make the transmission of information easier between systems and achieve the goal of seamless data exchange. But what do we do until then?

While we continue to advance interoperability, there is much more work to be done before we can consider the exchange of health information to be "seamless" or "automated". Our CEO, Janine Akers, has coined the phrase, "Interoperability Does Not Equal Automation". In February of 2016, the ONC published the "Nationwide Interoperability Road Map", which sets up a number of milestones to measure advancement and success along the way. With the ultimate goal of a "seamless data system", actions related to key components such as security and consistency are highlighted in this guide. It states that for the years 2015-2017, the measure of success is to "send, receive, find and use priority data elements to improve health and health care quality." A recent article published in the January 2017 Journal of AHIMA states that the ONC and HHS will continue to focus on three areas to advance interoperability in the upcoming year:

  1. Promoting common standards to facilitate the seamless, secure exchange of data.
  2. Building the business case for interoperability, particularly through delivery system reform efforts that change the way CMS pays for care to reward quality over quantity of services.
  3. Changing the culture around access to information.

Our Regulatory Compliance Advisor, and member of AHIMA, Kathryn Ayers Wickenhauser, believes the ONC is on the right track. Wickenhauser and Akers share the sentiment of the Journal of AHIMA article that much more work is to be done to achieve full, seamless (or automated!) interoperability. "While we continue to support and work as a unified stakeholder in the nationwide interoperability roadmap, DataFile realizes a continued need of providers across the country will be to help fill the gaps where automation does not happen quite yet." Akers continues to share that, "the human element is still very important. In many current instances of data exchange, we need a well-trained eye to ensure that information flows correctly from the different healthIT systems and is in a usable format for that crucial moment of patient care." As interoperability does become more automated, Akers acknowledges that leaders will need to determine how to ensure that automation is working and, most importantly, compliant. "We are actively involved in better understanding what audit protocols will need to be implemented for our clients and the industry as a whole," Janine states. "It's the next step in further discussions of interoperability and we'll hear more about audit protocols in the coming year."

Seamless. Automated. We’re getting there. And in 2017, the healthcare data experts at DataFile look forward to continuing to move the needle of interoperability, while delivering real-time, important data exchange support to providers and health systems alike.

HIPAA and the Designated Record Set

Bottom Line

In most electronic health records systems, patients have one chart that all doctors share. Because all doctors in that facility use that chart to make treatment decisions, all the records in that chart constitute the designated record set for all the doctors that use that chart. Therefore, Dr. Smith’s and Dr. Jones’ records are the same group of records.

DataFile Technologies processes a lot of requests, and it is not uncommon for many of those requests to be directed to a specific doctor. Periodically, after receiving records, some requestors call with concerns about receiving records that have other doctors' names on them, sometimes worried that this is a HIPAA violation. As healthcare data experts, we want to ensure DataFile provides requestors with accurate information based on their authorization.

When DataFile provides records, we are providing what the HHS refers to as the “designated record set.” The HHS defines this as: “A group of records maintained by or for a Covered Entity that is:

    1. The medical records and billing records about individuals maintained by or for a covered healthcare provider;
    2. The enrollment, payment, claims adjudication, and case or medical management record systems maintained by or for a health plan; or
    3. Other records used, in whole or in part, by or for the covered entity to make decisions about individuals." [1]

When DataFile receives a compliant request for records, we provide the medical and billing records about patients, maintained by a healthcare provider who uses the records in whole or in part to make decisions.

This is generally understood by requestors, who understand that if they request records from Dr. Smith, a covered healthcare provider, they will receive records Dr. Smith used while treating the patient. Occasionally it is presumed that Dr. Smith only uses records he or she made. However, this is rarely the case.

In most clinics, doctors share a patient chart with one another and often receive records from providers outside of their clinic or health system. Because the designated record set is both a set of records maintained (not necessarily created) by a healthcare provider and is used in whole or in part to make decisions about individuals, if Dr. Smith receives records from another provider which have been placed in the patient’s chart, those records become part of Dr. Smith’s designated record set for that patient because he or she can use it for making decisions about the patient.

This same scenario applies to doctors within the clinic itself. In most health systems, patients have one chart that all doctors treating the patient share. Because all of those doctors both maintain and use the same chart to make decisions about individuals, all of the doctors in the same clinic have the same designated record set. Consequently, if a requestor sends a request for Dr. Smith’s records, and another request for another doctor in the same practice, the requestor will receive the same information twice because Dr. Smith uses the same set of records to make decisions as any other doctor with access to that EHR.

Occasionally requestors believe that this scenario constitutes a HIPAA violation because records that do not have Dr. Smith’s name on them have been provided. Requests for Dr. Smith’s records are for his or her designated record set. Because Dr. Smith’s designated record set may contain information from other providers, and because requests for Dr. Smith’s records are asking for his or her designated record set, providing records from other providers does not constitute a HIPAA violation or breach.

[1] 45 CFR 164.501

The MIPS Advancing Care Information: Your Score Rests on Your SRA

In October, the Centers for Medicare and Medicaid Services (CMS) released the updated Quality Payment Program information containing the guidelines and metrics for the Merit-based Incentive Payment System (MIPS) model that impacts reimbursement.

What’s different about MIPS from previous pay-for-performance programs is the departure from the all-or-nothing attitude of achieve all of the measures or receive a score of zero. MIPS functions on a scaled basis – get credit for the measures you perform and report. But like anything CMS does, there’s an exception: The Security Risk Analysis.

One of the MIPS categories, Advancing Care Information (ACI), replaces the Meaningful Use (MU) pay-for-performance program. Like its predecessor, ACI requires a Security Risk Analysis. ACI is broken down into two parts, the Base Score and the Performance Score. To earn any Base Score points, an Eligible Clinician (EC) must have a valid Security Risk Analysis, and without the Base Score an EC receives no credit for the ACI category at all.

Long story short? You need a Security Risk Analysis, every year, for both HIPAA and MIPS – your reimbursement depends on it.

In those infamous words, "But wait! There's more!" Unlike the attitude some previously held towards the SRA under MU, this is not just a checkbox on a long list of requirements. The OCR HIPAA Audits have taught us that the OCR is no longer just checking whether the SRA is complete; it is studying the quality and comprehensiveness of the answers to verify that the SRA was executed properly.

Don’t take the risk of an inadequate SRA. Your MIPS reimbursement and HIPAA compliance rely on it.


As healthcare data experts, DataFile Technologies offers a comprehensive HIPAA compliance solution, which includes a team of experts conducting your Security Risk Analysis for you. If you’d like to learn more about the DataFile Security Risk Analysis solution, please email Kathryn Ayers Wickenhauser, our Regulatory Compliance Advisor, at Kathryn.Wickenhauser@DataFileTechnologies.com. Kathryn will provide a customized quote based on your total number of employees (including providers).

It’s the Final Countdown! Complete Your SRA Before Year-end

Our apologies if THAT song from the 80s is now playing in your head, but it may be the reminder you need to get this required year-end to-do crossed off your list!

It’s that time of year again! The end of the year is quickly approaching, which signals the last opportunity to have a Security Risk Analysis completed for the 2016 calendar year. Have you fulfilled your obligation?

The Security Risk Analysis, or SRA, is required by HIPAA. Covered Entities and Business Associates must "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information" they hold (45 CFR 164.308(a)(1)(ii)(A)). HIPAA itself sets no calendar-year interval; it requires the analysis to be kept current as systems, workforce and threats change. The year-end deadline comes from Meaningful Use, and now Advancing Care Information under MIPS, which require an SRA to be conducted or reviewed within each reporting period.

What's at risk if you don't complete an SRA during the calendar year as required? Well, a lot. The Office for Civil Rights (OCR) is conducting audits, and organizations are being fined to the tune of $5.5 million for lack of an appropriate Security Risk Analysis.

There’s still time! Fulfill your obligation and complete your Security Risk Analysis before December 31st.


DataFile Celebrates Corporate Compliance & Ethics Week

At DataFile Technologies, we recognize that our greatest compliance asset is our people. To celebrate our commitment to compliance, we participated in Corporate Compliance & Ethics Week (CCEW) for the first time. This year’s global event ran from November 6 through November 12, and centered around the theme “Provide. Protect. Prevent.” Together, members from our Compliance Team and the DataFile Engagement and Cultural Ambassadors (DECA) Committee put together a week of daily activities designed to entertain, educate and reward our team of healthcare data experts.


To kick off Corporate Compliance & Ethics Week, on Friday, November 4th we hosted a Lunch & Learn event. Compliance Manager Gary Powell, Regulatory Compliance Advisor Kathryn Ayers Wickenhauser and Chief Information Officer Trent Peters were present to answer any compliance questions our team had. Employees who submitted questions prior to the event were entered into a raffle. Attendees were also encouraged to ask questions in an open forum. For nearly an hour our team asked great questions and lively discussion ensued. In keeping with the CCEW theme "Provide," attendees were offered pizza.



Following the CCEW theme "Protect," DECA hid fictitious PHI in locations around our office each day of CCEW, an event we deemed the "PHI Prowler Challenge." For our valued remote employees, DECA also designed activities in which they found fictitious PHI in unsuitable locations. The first team member to spot the inappropriate placement and report the PHI to DECA committee members was rewarded with "HIPAA Hippos." The event became progressively more challenging as the week went on as team members searched for the decoy PHI. We're proud to say our healthcare data experts identified and corrected every incorrectly placed piece of false PHI!



Aligned with the theme "Prevent," the Compliance Team posted a daily compliance question on our intranet. Employees submitted answers for a chance to win a $10 gift card raffle prize. The following day, the correct answer was posted, along with an educational article about the answer. Topics included: "Why We at DataFile are #HIPAAnerds," "The DFT Compliance Team and What It Does," "Don't Pass on Creating a Strong Password," "Breaches, Violations, and Beyond" and "Getting Social."

This activity was a great way to give our healthcare data experts timely information that helps prevent compliance concerns. We also introduced the "Confidential Compliance Corner" on our intranet, a platform that allows team members to anonymously submit any comment, question or observation they may have for the DataFile Compliance Team.

CCEW Conclusion

Overall, Corporate Compliance & Ethics Week was a great way to share knowledge and connect with our healthcare data experts. Compliance Manager Gary Powell expressed, “This was a great inaugural compliance week! This annual event is central to our mission to build and maintain a culture of compliance in our organization and we look forward to a bigger, better compliance week next year!”