

Hi. Good afternoon, and good morning to you guys out actually on the West Coast. Thank you so much for joining today’s Ciox webinar, which is Ask the Experts: Compliance Edition.

Super excited about this webinar just to let you guys know.

We have had a total of nine hundred and five registrants for this. So that just, you know, says a lot about all of the topics that you guys asked us about, and how that you are in our responses. But let me start out actually doing an introduction for our presenters.

My name is Elizabeth Delahoussaye. I am corporate compliance and the chief privacy officer for Ciox Health. I’ve been with the organization a little over twenty years. I’m excited to have two of my colleagues on this call as well.

Amy Derlink, who actually is our director of compliance and privacy for our provider side. Amy has actually been with our organization for over twenty-five years, and has been very active at the federal and state regulatory levels as far as helping us and having discussions about HIPAA and HITECH and patient right of access.

Super proud of her that in twenty fourteen, she was actually the CIO Impact Award winner for meeting data and network resilience with innovation technology and the privacy health information.

Also with us today is Kyle Probst. Kyle is our Deputy General Counsel and Director of Government Relations.

We in compliance work very closely with Kyle because, needless to say, he’s the one who’s always got boots on the ground dealing with any type of regulatory that’s coming out at a state level, and he also assists us at a federal level.

He’s been with the organization for several years as well. He’s actively engaged in drafting, negotiating, and testifying both for and against medical record-related legislation. As a matter of fact, we actually had a conversation last night. He was on the heels of dealing with one actually in the state of Tennessee.

I think that the questions you guys have asked and given to us have been great. We’ve done a lot of research.

Had several calls to discuss these questions. Hopefully, we understood your questions appropriately. If for some reason we didn’t, we do have a chat function on this webinar. So please, if you were the one who had asked a question and we misunderstood it, feel free to re-ask us the question.

We do have everybody obviously on mute. Again, you know, we’ll be trying to monitor the questions that are coming through on the chat function.

So then that way we can make sure that we get our experts to be able to weigh in on everything. But with that being said, I do wanna make sure that we put this disclaimer out there, so everybody’s aware of this. This does not constitute, nor is it intended to be, legal advice.

This is obviously information for general purposes.

We always recommend, if for some reason you’re asking a very specific legal question, either about your site or your state, that you go and make sure that you have conversations with your own respective legal department, because we always, obviously, know that there’s always, you know, certain specific state policies or site policies that may actually either be more stringent or maybe go against what we’re necessarily talking about.

So what we’re gonna be covering today is actually, we kinda put these in some buckets by the questions that came in. We’re gonna talk about health data privacy and state legislation. Kyle’s gonna be kind enough to talk to us about that. And then Amy’s gonna be talking about compliance and privacy, and then some information security questions that came through as well.

So we’re gonna start actually with Kyle. Kyle’s gonna give everybody an update on health data privacy and state legislation. As I said just a moment ago, I know that he was working very diligently last night in reference to one particular state where he was addressing a bill. And he’s gonna talk about what he’s seeing that’s going on in the landscape right now. So Kyle, I’m gonna punt this over to you and let you talk about permissible fees and the short time frames that you’re seeing that’s coming through in legislation.

Sure. Thank you, Elizabeth. I appreciate everyone attending today and having an interest in these topics.

Again, I kind of wear two hats as the Deputy General Counsel for Ciox services, but also as the director of state government relations.

And today, my part of this presentation will focus more on the regulatory front and on the state legislation that we’re seeing, and we’ll talk a little bit more about the federal regulation as well, but I wanna start off with the state legislation. So you’ll see on the slide that there are really, there’s really three categories of legislation that I’m seeing a lot of in this legislative session, meaning twenty twenty three. And it should be noted that every state’s in a session right now. There are some states like Texas that is an every-other-year state. Some states have sessions throughout the year. Some have shortened sessions.

As an example there, Virginia and Georgia, for instance; some are regulated where they can only be in session thirty days or forty days in a calendar year.

And so I keep my finger on what is going on at a state level across the country. And so there are three main bills that I’m keeping my attention on. This slide talks to two of those, and then we’ll jump to the third one. One is the permissible fees that you can charge to third party requesters. And those are regulated by state law. And as you know, HIPAA regulates patient rates, but then the states are in charge of what can be charged to a third party requester.

Forty three states actually have legislation or have statutes in place or regulations in place that limit what you can charge. And right now, we have legislation in thirteen states that is live that could possibly amend those fee schedules. And for the most part, those bills would reduce or would propose to reduce the amount of fees or the dollar figure in those fees that you could charge for records. You’ll see in the center of the slide that it’s currently about twenty three bills. Actually, I think since this slide was prepared, we have more.

We just received notice that on March sixth, for instance, Arkansas introduced a bill. On March sixth, it was referred to committee. We learned late on the seventh, because we have to wait for it to pop into our system on a search based on search terms, that it actually has a hearing today. So we are not able to be at that hearing today in Arkansas. We are preparing to testify on that bill when it goes to the floor and then when it would proceed over to the other house.

You’ll see that we’ve got these twenty three plus bills in thirteen states that range, you can see the states listed there. It’s in the Northeast, the south, the west, the north. I mean, you’re talking the whole country here. Some of these states, we see bills on a repeated basis. Some are new to the game, like in Kansas.

We also have a bill in Kentucky right now that would actually propose to raise the fees from what’s in the statute right now. South Dakota is another one. They’re actually proposing fees where they’re currently unregulated.

So if that bill passed, that would actually be good for the industry and good for providers. So there’d be actually set fees and statutes so you know what you could be charged and reduce your legal risk of lawsuits.

We keep an active eye on all of these bills. We engage whenever there’s anything regarding the permissible fees.

We engage contract lobbyists, and I work hand in hand with them to get them the information they need so that we can either oppose or support these bills. And then we also from time to time have to negotiate various fees. I would say that the primary focus of the fee bills is electronic records right now.

Those who introduce these bills tend to think that electronic records should be at a reduced rate, so they’ll try and lower the rate. It seems to be common right now to see bills that say you can’t charge more than the HIPAA rate for a third party. Or maybe they’ll set a flat rate that says if it’s an electronic record, you can’t charge more than twenty dollars. Period. If it’s an electronic record, you can’t charge more than twenty five dollars. Those are two examples that I’ve seen in the bills that you’ve got on the screen right now.

Sometimes we see bills that would take an entire class of requesters, say workers comp, and change the fee for them, or disability requests. Another common approach is to take, if a request is related to a disability, a social security disability request, then the record is free of charge.

So we see those bills from time to time. We had a couple this year. Actually, there’s one in Mississippi. There’s one in Missouri right now that go for the fees for a certain group of requesters.

So now we’ll move on to the next category there, which is the shorter time frames to respond.

It was if we can go back to that former slide. Yeah. So we’ve got three states now, Connecticut, Tennessee, and Utah, where they’re shortening the time frames for how long you can take to respond to a request. And in Connecticut and Utah, those bills would actually impose a penalty.

Utah, we were actively negotiating with the trial attorneys there who had proposed this bill. And the bill sponsor was committed to passing something, but he was very willing to listen to our concerns with that bill. And we were able to negotiate some terms that were favorable, but at the same time complex.

Those terms would basically build in a tolling period for things that would typically fall into a force majeure clause in a contract. So if we don’t have access to the EHR, for one reason or another, like a fire, a flood, an emergency, a strike, or possibly like a ransomware attack, something of that nature, that that would toll the period so that we aren’t punished for not responding in a timely fashion.

Utah actually will likely adopt this. It’s made it through both houses, and it will have to go to the governor for signature.

And so, basically, if you do not respond within thirty days, this bill would say that you’re only able to collect fifty percent of your invoice amount. If you don’t respond within sixty days with the record, then you’re not entitled to any fee for the record. So we’re seeing a push to try and push compliance to respond to these requests within a shorter time frame. Thankfully, we were able to get it up to the thirty and the sixty days, which is consistent with HIPAA.

And these are, again, for third party requests. This isn’t even patient requests. The Connecticut bill, which passed a, well, it didn’t pass a joint committee. It’s in the joint committee right now, and we presented public testimony on that. What it would do is if you do not respond within thirty days to a third party request for workers comp requests, then you would be subject to a twenty five dollar a day fine.

If you’re a hospital or if you’re an ROI vendor such as Ciox, then you’d be responsible for a fifty dollar a day fine.

Once you produce the record, the fine is due and payable within thirty days of the day that you send the record. If you don’t pay the fine to the requester within thirty days, you are then billed another hundred and fifty dollars a day for each day that you’re delinquent past the thirty days.

So these bills are quite draconian and really trying to attack the providers and the release of information vendors to say, we want these records faster. So that’s what we focus on here at Ciox. We’re trying to get these records in the hands of those people who need them faster and more accurately while protecting patient privacy.

Louis, can we go to the next slide?

Now speaking of that patient privacy, that brings up the third type of bill that we’re seeing quite a bit of that we’re monitoring at a state level, and that is this reproductive health privacy act.

We currently have over twenty bills in eight states that would address reproductive health privacy. You’ll recall that last year, after the Dobbs decision, we have four states, Delaware, Connecticut, New Jersey, and California, that passed reproductive health services privacy bills that you would not be able to produce the record unless you received express consent from the patient to disclose reproductive health services information.

We now have eight or more states that are considering legislation that’s similar to that. So we’re keeping an eye on that because that would basically put more onus on the providers and on the release of information vendors to make sure that we’re complying with those laws and only disclosing that reproductive health information when it is expressly consented to by the patient.

Now I anticipate that this is going to increase.

We’re going to see more of this type of legislation as we see other legislation come out that is, shall we say, against various reproductive health services that could be provided, such as related to pregnancy or related to transgender health services. You’re going to see more and more bills that are trying to protect the patient’s privacy within those services. So this is just the tip of the iceberg. I think we’re going to see more and more. We’re just now grappling with what is involved in obtaining the authorization from the patient to disclose these records. What’s included in these records? How are we going to set up standard operating procedures to make sure that we’re complying with these laws?

Elizabeth, can we go to the next slide?

Thanks, Kyle. So the next section that we’re gonna kinda talk about, and by the way, just so everybody knows on this call, because Kyle, obviously, just discussed some of the bills that we’re monitoring right now with reproductive health. I do know that Ciox does plan, obviously, we’re watching these very carefully.

And we will more than likely do an additional webinar. I know Kyle and I did one back at the beginning of the year.

And, you know, we’ll probably do an additional one sometime in the midyear just to update everybody. But we did have some additional regulatory questions that came through. So how we’re gonna do this is I’m gonna read the questions to you guys.

Sorry. I clicked too fast. I’m gonna read the question and then our experts are gonna weigh in on this one. So the first question we had was, what changes do you expect to come from the March release of the final rule impacting the HIPAA privacy law, and how is Ciox planning to adjust for the proposed ROI regulations?

And Kyle, I think that probably you’re very well in touch with this. Do you wanna answer this one?

Sure. Thanks, Elizabeth.

Before I would address that question head on and say what changes there would be, I would like to say, just as some background information, we have a federal lobbying team that we work with as well, and I provide them with factual information of what’s going on at the states as well as HIPAA guidance and interpretation as well as company policy. So I’m very involved with our federal lobbying team, and I can say that the current intelligence on the HIPAA privacy rule, the HIPAA privacy NPRM, rather, is that even though it was on the unified agenda to be finally published in March twenty twenty three, we really do not think that that is a reasonable time frame right now, especially because right now is March eighth. And before this NPRM is to be finalized, it would have to go through the Office of Management and Budget, which it has not even been sent to them yet. Now to give you an idea of the timing of all that.

The ONC interoperability proposed rule is already at OMB.

The reproductive health privacy proposed rule, it’s already at OMB. And those came out after the privacy rule notice of proposed rulemaking.

So just from a procedure standpoint, it’s not in a place where it’s ready to become law yet. It’s still gotta go through the OMB process, then it’s gotta go to the Office of General Counsel, and then it could possibly become a final regulation. So our intel right now, along with some of the information we’ve been gathering from various congressmen and senators, is that this is not likely to happen during March of twenty twenty three. The unified agenda that placed it on March twenty three calendar will next come out in the fall. Unified agendas are published every spring and every fall. It will most likely make it onto the fall agenda.

But who’s to say if it will even be published then? So rather than get into the nitty gritty of how we would address it and what we’re planning to do at this point, I think we’ll just leave it at that, Elizabeth, to say we really, based on what we’re hearing and what we’re learning on a day to day basis, don’t anticipate this happening in March of twenty three based on that information.

Yeah. I agree with you on that one, Kyle. I appreciate you jumping in and answering that question.

So the next question we have is, we have issues with clarity of releasing records to adoptive parents. Is this a trend in other areas as well? And what is your stance on this? And, Amy, I’m gonna actually call out you on this one because I know you and I’ve talked about this quite often and we get questions from a lot of our providers and our field staff about it. So do you wanna answer that question?

Sure. I’d be happy to. So yeah, I agree that adoption records do bring about questions and concerns around the privacy aspect of that information.

And it’s really recommended that those health records are treated with extra care, and they should be clearly marked that they are adoption health records to avoid, you know, inappropriate releasing.

You know, in general, these requests, if they come from the biological parents, those parents should be really referred to the agency that handled the adoption.

If, you know, a request comes in from the adopted children,

you know, and they’re trying to trace their biological parents, they should really be referred back to the agency as well that can handle their request for access and information regarding their, you know, biological parents.

As far as the adoptive parents, you know, they should be able to provide and they should be required to provide a birth certificate showing that they are now the parents of that child.

They would need to, you know, obviously sign that authorization. And then upon releasing, taking those extra steps to redact any identifiable information about the biological mother and father, keeping in mind, you know, checking every single image or page, looking also for the insurance provider at that time, maybe a health insurance ID, you know, thinking outside of just, you know, the medical, the patient, you know, the mother and father’s name. Think about, you know, obviously addresses, any identifiable information that could link back to them. And then obviously releasing it in that form and format. But keep in mind you also wanna check your state regulation, to where you’re located, if you have any specific privacy laws around adoptive records.

Yeah. I think that’s a great best practice.

So the next question is, what is the one stop location where you can find current and pending regulation and legislation, state and federal, that applies to your organization? Of course, when I saw that question, my answer was, I go to Kyle.

So when I said Kyle, I’m gonna let you answer that question.

Yeah. Thanks, Elizabeth. And for those at Ciox, I think that’s probably the right answer, right, is go to Kyle.

That is one of my roles that I hold here at Ciox, is monitoring the state legislation, and we use a service that bases their search terms based on what we come up with and certain statutes that we wanna monitor. And then I get a live feed update as these bills pop up in the state websites for their general assemblies as to when bills are coming up for a hearing, when they’ve been referred to a committee, when they’ve been introduced, when they passed, when they’re up for a vote. I get a live feed update on that. And I go in and I check that every day to make sure that we know the bills that we’re following, we know the current status. And so we’ve got over, I think it’s over eleven hundred bills that are in that right now. I break those out and keep my own spreadsheets related to, like, pricing and related to process, related to privacy.

And so we monitor those bills on a daily basis. And to that question about minors’ records, I just wanna add that’s an additional thing that we keep an eye on. For instance, New Hampshire, Texas and West Virginia all have bills that are pending this year that relate to a parent’s ability to access their minor’s records. And I’ll say that those three states’ laws, or bills, rather, currently are related to the reproductive health genre. So it’s like, okay, can a parent access a child’s record when it’s related to reproductive health services? So that’s kind of the focus, combining what we talked about earlier with the parent child relationship.

So, you know, there are all kinds of sources out there that I could give names of who you might go to, but you would have to subscribe to their services. You would have to pay them a fee and you would have to go in and monitor the legislation yourself. So I know that we’re looking at coming up with maybe a way of communicating with our customers state legislation that would affect them in the release of information field. And I know that’s forthcoming.

I continue to update our marketing team as well as our ops team and our compliance team on the state legislation, and we’re trying to figure out best how to utilize that for our customers.

Yeah. And I would add into that just real quick.

Just to kinda piggyback on that one, Kyle, is that just so everybody knows, one of the things, and again, if you’re looking at pending legislation and you’ve got a legal department like we do that’s monitoring those pending regulations, the beauty of it is that when Kyle sees something, he will reach out to us in privacy and compliance, because one of the questions we try to always look at is how do you operationalize that?

Because as we all know, sometimes the legislation seems like it makes sense on paper. But when you actually put it into operations, it may not be as easy as it seems to be. So that’s fantastic that we have that kind of partnership and everything. And Amy, you utilize another tool too, don’t you?

Yes. I was just gonna add in that, you know, we frequently will go and purchase the, you know, I’ve purchased the state legal manuals from the local associations for health information management. So your state associations often have tools out there that are current, updated around the release of information laws and best practices for your state.

So it’s a really great resource.

Yeah. That’s a great idea as well.

Alright. So let’s go to the next slide in the questions that we saw, and we’re gonna kinda dive into this. The topic is ensuring compliance and privacy. And this, we put quite a bit in here. We’re talking about navigating HIPAA and the medical record management. And then everybody’s favorite topic, right, information blocking.

So one of the questions we got was that they received many requests for care coordination, specifically, we’re talking about kidney care, or from a nurse claiming to represent that patient’s insurer. They send a letter saying they represent the patient’s insured company, and they have apparently been very suspicious as to whether or not these are fraudulent.

We ask for the patient’s signed authorization. Is there any reason to be lenient and just send the records? Amy, what are your thoughts around that question?

Yeah. I mean, that’s a great question. And I can honestly say I can understand your concern with wanting to be cautious and confirming that this you know, some audits or nurse is actually, representing that individual or involved in that patient’s care.

One thing that we do is we will go out, you know, and investigate who the requester is, trying to understand their business relationship to a patient, confirming that they are a treatment provider.

And in that case, Demotis is a healthcare provider, coordinating kidney care for patients.

But we agree with you that we’ve seen fraudulent requests with, like, CVS, Walmart, Kroger pharmacies in which we are getting fax requests in asking for records, maybe due to a diabetic treatment, verifying home health services or medical devices. And in fact, you know, you can tell by the phone number that the phone number, by calling it, is not a valid number or cannot be connected. So, you know, you do have a reason to be cautious. Maybe, you know, returning it for an authorization right off the bat may not be the first step, but maybe, you know, having someone within your department you can escalate those to, that can provide a little bit of investigative steps prior to, you know, returning something for an authorization, especially if it’s for patient care coordination, would be probably the avenue we would take.

Yeah. That’s a great piece of advice. So the next question is, recently, local hospitals and facilities have refused to give patients total medical records and are requiring patients to go to the record of source even if the material was used in the process of the diagnosis.

I consider this information blocking. Our team wants to match this because it lessens the administrative burden on record release and push. What do you think? Amy, what do you think about it? Because we get a lot of questions about information blocking.

But what do you think about this question?

Did we lose Amy?

So sorry there. I had bumped the mute. Yeah, it’s a very great question.

For information blocking, you know, they’re looking at all the electronic health information that’s available to those patients within the designated record set. So, you know, you don’t wanna be blocking that information if it actually was provided to you and involved in the patient’s care. I realize, sitting in some of our roles, we cannot tell whether or not, when the patient was treated, that information was in fact used.

So if it is included in your designated record set, it is EHI that falls into the information blocking category, you really need to be providing that access to the patient. We don’t wanna become a barrier or not be giving access to them.

Like we said, you know, the electronic health information that’s part of that designated record set really needs to be available to that patient, in accordance with the Cures Act.

Yeah. Okay. So here’s the next question. When patients sign consent to release information during registration, does that pertain only to PHI disclosure for TPO purposes and for communication between clinical and billing teams?

Amy, I’ve been picking on you a lot. I’m gonna pick on you again. What do you think? Okay.

Yeah. So your consents that are signed when the patient is coming in are actually voluntary. Right? It’s not required that a covered entity get a consent signed.

And that consent coincides with your notice of privacy practices. So when they do sign the consent, you wanna give them your notice of privacy practices, so they can understand exactly how your organization handles requests for patient care through the TPO, or for treatment, payment or operational purposes.

And actually, an authorization, you know, is the permission of the patient for that typical disclosure. So when you have that consent, you utilize your notice of privacy practices and that allows you to share information with your provider. So, you know, an example that they give within the OCR guidance is if you have a physician on your medical team that is needing to bill for lab work that, you know, they ordered and they need that patient’s insurance information that was updated. You are able to share that information with that physician that’s within your organization.

You can also share with an ambulance service that delivers a patient to your facility in the emergency room if you have up to date insurance information.

So, you know, that’s kinda what you wanna think about with your consent, providing that patient your notice of privacy practices so they understand what you’re utilizing their records for in a TPO situation.

Okay. Alright. And then the next question kinda to flip it a little bit. This is talking about EHRs. And the question was, when you use different EHRs connected via interfaces, what additional privacy and security measures must be taken to protect that ePHI?

And I know we didn’t have the opportunity to have our security person on call, but, Amy, I think you reached out to Robbie and asked her that question. And what was her recommendation?

Yeah. I mean, her recommendation was critical monitoring around PHI with a DLP tool is what is a must for this.

You know, you can even block that data should it not be moving, should it be moving by an unauthorized source. So it gives you that ability with your CISO to be able to lock that information down.

Great. And then to stay on the topic with electronic medical records, this one was a question about, we currently have an electronic medical record and are moving to finally destroying the paper records that have been scanned into the patient record. Any tips on how to ensure that they stay compliant with the destruction of that information?

Right. Yeah. So, I mean, obviously, you’re gonna follow your state laws around retention.

But once you know and you’ve identified that record, the years and dates of what record you can actually destroy, there’s a lot of really effective tools out there that certify the destruction of the records. I mean, they obviously come at a cost. But that would be our recommendation, or you can also have a tool developed for this process as well within your own organization.

But those are really helpful purchases because it helps you stay in line with the legislation and the laws governing the PHI retention in your state.

Yeah. That’s a good piece of advice. Okay. So here’s our next slide and some questions, and we’re gonna kinda jump into the medical record management piece of it. And the question we had on this one was, when a physician disassociates or retires from an organization, who is responsible for their medical record retention? The physician or the healthcare facility?

Amy, what do you recommend on this one?

So, I mean, it depends on who that physician is. If they happen to be retiring and selling their practice, who are they selling the practice to? Are they selling their, you know, information to, say, a health care system that, you know, offers those patients to join a clinic? Then the system’s HIM coordinator would become that legal custodian of the record.

If they are no longer, you know, going to be practicing and are giving the patients the opportunity to just transfer to a new physician, obviously, those records need to be made available.

But the custodian of record that takes over for that retired records has that legal duty to maintain, the security and integrity of that information, and make it available to patients so that they know where they can get it.

You know, lists it’s really good to have a list of patients that’s treated. Advise some of the fact this physician will be retiring. Kinda get an idea of you know, when is this happening? So, you know, who’s gonna wanna copy to be transferred out?

Who’s gonna be staying? So, you know, who who the custodian will be? Yeah. And there’s usually a lot of states that regulate this as well.

So I’d recommend to make sure you review your state regulations just to see what rules they may have around it.

Okay. So the next question is I’d like to know more about medical record release timeliness guidelines. And what a hospital can do for a request goes outside the time frame. I mean, we get this question all the time. Yes.

Yes. And I mean, and this is definitely can be a challenge for release of information, right, being able to produce that record within those guidelines. So as we know, HIPAA, has a regulatory guidance that you must provide the patient access record within thirty days. If you’re going to be outside those thirty days, you need to provide them a notice of delay letter.

But then you have to preempt that with your state regulation. Right? So we do know there are states out there that have much shorter time frames, even as short as three days in some in a state. So what you need to be doing is, you know, obviously providing that patient a delay letter if you’re gonna be unable to provide them access with an explanation as to why.

Perhaps that record’s in off-site storage.

Perhaps, you know, it’s not complete yet.

The physician is still working on that information. Whatever that may be, you provide them a notice of delay, letting them know when that information will be made available and then ensuring that you provide that information to them within that time frame. Yeah. And just for the audience, just to kinda keep it fresh in line. Kyle kind of touched upon some of this timeliness that he discussed during his slide as well because obviously we’re seeing some states that are pushing a tighter response time for the reproduction of medical records.


I think it’s important too that it goes beyond just letting them know that you have the record and sending the record. What if they don’t send you entirely enough information in the authorization or request letter? So I think it’s incumbent upon us as, releasing specialist to make sure we communicate with the requester and say we don’t have complete information to respond to your request. And I think that’s gotta be sent timely as well so that they know that they haven’t fulfilled their as a requester?

Oh, that’s a really good point, Kyle. Thanks for pointing that out. I appreciate that. So, Okay.

So let’s go to the next slide. This is actually a poll question, which I think that I know that everybody’s so excited that I get to flip slides, but I do believe that either Brent or Way are gonna be taking my presentation over here in just a second, but the question that we ask is, what’s your biggest challenge in your organization that you’re facing right now that’s preventing information blocking? Is it lack of resources? Maybe there’s a limitation of understanding of the regulation or resistance from staff or other stakeholders or other? So we’re gonna open up the poll.

I think it may already be open.

Yep. It’s open. And we’ll see what everybody’s responses are.

And, Brent, you may have to tell me because I’m not getting to see it on my slide as to what the responses are.

Let’s give it another second, and then we’ll close the poll out.


And so what was our answers on that one?

It’s saying organize our most high poll results to enable screen sharing. I guess that’s me. I have to have yearly forty five percent. I can help you.

Thanks, Amy.

Yeah. Have limited understanding of the regulations. And you know, I I kind of agree. Information blocking has been challenging for many with the fact that, you know, what information are they is covered?

You know, what electronic health information and pulling that all together. And then you’ve got, you know, requesters who insist that you’re information blocking. So, you know, we’re glad we can hold a session like this today. So we have Kyle here and just other professionals that can share their knowledge base with you.

So, it’s interesting to see that as a response.

Nineteen percent came in with the lack of resources.

There was twenty five percent that said other. I’d be interested to know you know, what that other challenge may be, that they’re facing, and then eleven percent were resistance from staff or other stakeholders.

Great. Thanks Amy for reading that out for me. I really appreciate it. So, yeah, so hopefully, you can see my next slide as it goes across.

And we’re gonna talk about since we asked about information blocking, we actually got that was one of the questions we got from, this group, and it is how is Ciox actively monitoring and preventing risk associated with information blocking. Amy, you wanna talk about what we’ve done as an organization around this? Yes. So in preparation for when, you know, the effective date for information blocking came into play, we re-reviewed all of our correspondence letters.

Some of you may call them status letters. It’s that letter that through the release of information process, when you’re having, an inability to process the request. For example, you know, the authorization doesn’t meet the HIPAA requirements that are required in a HIPAA valid authorization form, or you don’t have enough patient identifiers to be able to identify that patient, to be able to properly, you know, get a get the record and provide them what they need.

So, or you need proof of a power of attorney or an executor for a deceased patient’s record. Right? HIPAA speaks to all of those areas. So with information blocking, they allow you some exceptions, as to what is when you are not blocking information.

So what we’ve done is, obviously, we revamped those letters to reference any privacy regulation, or statute that may provide us an exception that falls within the exceptions.

And then we took those letters. We lump them into an exception category.

Obviously, some of our letters would be potentially information blocking, so we identified those. And then we created a dashboard that our clients as well as ourselves can see. You know, here’s the letters that were sent out this month. Here’s where they fall within the exceptions. Here’s the ones that might be information blocking. You know, one that we’ve seen that has been a hot topic with our clients is electronic signature policy.

So we have sites that either don’t have a policy or have a very stringent policy on the exception of an electronic signature. So in that case, we were seeing where we were sending a lot of correspondence letters back in relation to their policy around electronic signatures and when we’ve felt that some of those may be the potential blocking. We’ve actually reviewed the letter, come up with a different policy, or let’s look at some examples. Like, what are these signatures we’re seeing, did some better, you know, training or outlines for the team so that we know, okay, we can accept these, and we’re not you know, rising to the risk of, potentially information blocking.

Yeah. So we actually have question that came in, Amy, just so you know, and it was where can I find information that states the penalties for information blocking, and specifically if the facility does not meet the turnaround time? And I think that’s two questions, and I’m gonna actually jump in real quick on that one.

As far as the penalties for information blocking, it’s, you know, obviously there’s been general, you know, rules around it where the penalty can be up to a million dollars, but no specific guidance has been issued around this yet. So there’s not anything just in general around information blocking. There’s not anything that’s know, specifically when pushed out, like what you would see under OCR’s website where it talks about the specific civil monetary penalty for each violation, for HIPAA.

And that with when you talk about turnaround time, because turnaround time is really managed by the OCR’s regulation under patient right of access, and that was what Amy was talking about with the thirty calendar days. That is on OCR’s website.

And it is and again, you know, just keep in mind, it depends on how many violations they could So it could be that you didn’t provide the records in a timely fashion. They could also add in their other issues such as you didn’t provide it in the form and format. So even though it’s twenty five thousand per incident, it could be one complaint, but you could have easily four incidents under there. So it could actually to a hundred thousand dollars just so you know that.

And then, the other questions I got asked, and I apologize, but we’re just now getting some of these questions coming through, is are verbal requests for records accepted? And I think this may be a question that we have on here. So I might table that one, and we’ll go to that, here in just a second. So let’s go to the next slide real quick.

And this is, some additional comments or questions that came through that we really have a bucket for. So we kinda put it under the additional compliance and privacy questions. So one was looking for more information on the Cures Act. How did do you get providers decide what they want readily available to their patients?

Right. So I think this goes back to, like, what we talked about.

They really define what is considered electronic health information where that falls within your designated record set and really outlining that within your policy as what should be available.

And, making sure, keep in mind that should include you know, your medical records, your billing records, payment information, medical and case management, systems, you know, really looking at the entire EMR and in determining what is part of that EHI that’s in that DRS and giving those patients access to it. Okay. And then the next question we had, and it was just a general question. And it was about you know, being prepared obviously for the, you know, information blocking next regulation around January first of twenty twenty four that’s coming up which is required, for the EHI exports.

And the question was, will Ciox be able to assist for processing patient requests for a machine readable EHI export that are required by January twenty twenty four, or will that responsibility solely fall on the healthcare facility? Really, it needs to fall on your EMR system. This is something that’s actually been in effect prior to information blocking. OCR addresses it in their FAQs that they issued in January twenty sixteen about having the information somewhat machinery re readable readable.

Readable. I’ll get the word out here in a minute.

So, you know, you really should already have that piece in place. Obviously, Ciox will definitely be working with our providers on this. We do have it where the information, as long as, you know, we can easily move it from one location to the other that our system should not modify that readable function whatsoever, and be able to help you in complying with that piece of making sure it’s available.

So, you know, we do I would say that it’s some it’s kind of three pieces to the answer to your question. Right? It’s what does your, EHR vendor have right now? Is it able to be downloaded in a machine readable? And then, you know, are you guys gonna be able to, you know, partner with them if they don’t? And making sure that you’re pushing that out.

And then, obviously, Ciox and our responsibility in it, as it gets, you know, put into that process and we are then turning around and moving that information to that requester and maintaining that native format of how that information got pulled out.

Elizabeth, can I just add that, on the provider side of the business, that is a question we get from law firms specifically who are requesting records because they wanna be able to take the file and do like a a search term and look through the entire document looking for you know, some surgery or some drug that was prescribed or some injury that someone might have? So we, for some time now, I’ve been receiving these calls from law firms that they wanna have these machine readable, medical records so they can more easily get through the record when they have it. Oh, that’s a great point, Kyle.

Thanks for jumping in on that one. I really appreciate it. So, we had a couple of other questions. I wanna try to quickly go through before we go to the next slides, one is and I think this is in here.

We had so many questions I got emailed to. So I actually think this question is in presentation, but we’ll go ahead and answer it now just in case. And the question was, are verbal requests for records accepted?

So It’s a it’s a great question, and we got asked that a lot when COVID hit.

Because the illicit day you know, when COVID hit, hospitals were not opening up the doors. They didn’t want individuals coming in, obviously, to fill out a release of information.

That at the same time, you know, an individual could be contacting them and saying, Hey, I need you to direct this to my physician ASAP, you know, so there was a lot of needless to say craziness.

It’s actually mentioned in the OCR twenty six fifteen FAQs about accepting verbal orders. And of course, you know, it says you can, but you still need to do your due diligence Meaning that you need to ensure that you’ve gone through some sort of reasonable process to identify that the individual that’s reaching out to you is actually the individual who should be releasing that information.

So it could be something as simple as, you know, if I contacted the facility that you look at telephone number, on my medical record, and you say, you know what? Let me call you back and you call back and I answer the phone.

So I do highly recommend a couple things if you decide to do this is that you need to have a very clear policy and procedure and how you’re gonna do it. And then the second piece is within that procedure, you need to make sure very clearly how you’re gonna document, the receipt of that verbal request.

And, how the manner in which you validated it.

And then the next question was regarding the registration consent and signed notice of privacy practices.

Can we rely on a form signed by the patient when they are new, or do we need to renew it every year?

So at this moment, you have to renew it.

Now I do know that, you know, the notice of proposed rulemaking actually is talking about the notice of, privacy practices.

And one of the things that they are talking about within there is the removal of that requirement. But at this time, that has not passed, so you have to follow what the regulations are at this point.

And then, Kyle, there’s a question for you. And it is, what is on your professional reading list, Kyle, daily and weekly?

My professional so, I like to stay abreast of state legislation. So there’s a lot of state, websites that I’ll check out just to see what’s going on at a state level. I also will follow various, Supreme Court, holdings, like when the Dobbs decision came out. So I would say that you know, I’m very interested from a professional standpoint on what case law is out there. And that goes beyond just like the release of information and HIPAA and privacy. I just like to stay abreast of the, Supreme Court issues to see where the country’s headed and professionally, like, what cases are out there that interest me. Right? And just keep me professionally involved and educated.

Okay. Great question.

The next question we have is, we have a patient portal connected to our EHR.

Notes and results automatically go in, but patients have the ability to request their records through the portal.

This request goes to a work queue for HIM to process.

Often, the patient says all records, which may include records from historical systems and as it applies to information blocking, if a patient requests records through the patient portal, and it includes historical records can you direct the patient to request historical records through a different process since they are not available in the EHR?

Also, can the time frame be a disclaimer to requesting records through the patient portal? So I’m not sure about the last piece as far as the time being a disclaimer because, again, there’s no definitive timeframe written into the 21st Century Cures Act, information blocking, around the turnaround time for medical records.

But to answer your question, as far as can you ask them to go a different route? So the answer is yes because it is a store information that is not gonna be located within the EHR system.

And we actually have a correspondence letter that covers that to alert the patient and it’s a feasibility. And that’s what this would fall under as an exception under feasibility. Because, again, it’s not gonna be readily available, and so you have to go into a completely different system in obtaining that information.

I don’t know if Amy and Kyle, if either one of you guys wanna jump in and and add anything to that.

And if you don’t, that’s fine. I mean, I I I kind of agree with you. If it’s historical information and it’s not maintained electronically, it’s really you’re not it’s not part. It’s not EHI. Right? So I don’t think it would be considered information blocking by referring them or delivering it, you know, in a different format to them at a later time.


Okay. So let’s go to where, information security.

There were several questions we had around that, but we’re gonna ask a poll question And that is how often does your organization conduct security assessment and audits? And it is your answers are either quarterly, annually, every two to three years infrequently or never.

We’ll give it just a second. So everybody Alright. So let’s go ahead and close the poll out.

I’m sharing the so I think Amy, you can see it. Can you tell me what the poll results were? Yes. It forty eight percent came in as quarterly, which is excellent. And, forty three percent came in as annually.

Eight percent said infrequent and never and three percent said every two to three years. Okay.


So let’s kind of talk about some of the questions that came through around security. So when a health system has Is it typical for the entire health system or is it limited to a specific site? I mean, I know you encountered this.

A couple at the end of last year of this year. So you wanna jump in on that one? Yes. I would like to do that. So, you know, we have seen it where it has impacted an entire health system, but certain, health, you know, hospitals within that system had different levels of impact.

Based on whether they were, you know, what what areas within the facility had, you know, the updated EHR what applications were impacted, the level of use of those, applications within that EHR.

And it’s been interesting for us as an ROI vendor, having been impacted by health systems that have been a victim to the such, you know, ransomware, etcetera.

You know, really having to go back to that downtime procedure, right, do you have those downtime procedures in place and being prepared? You know, you know, and even when they do come back up, they’re coming up at different times. You know, registered patients is a challenge. So Yeah. I mean, we do see where it impacts the whole health system. Maybe not every facility at the same extent, but we’ve seen it across the system.

Great. Alright. So let’s go to the next one, and I know we got a couple more slides. So I might have to kinda rush through this a little bit because I think we’ve got six minutes left. But the question on this was, what do you give the what’s the best time for you to give patients when they ask you to email them something? Do we have to be able to do this and how do we encrypt? So this was actually asked, several years ago of Deven McGraw, who, at that time, was with OCR.

And she actually said that if a patient requests the information to be unencrypted, that you do have a right to do that, but you need to give them and her exact quote was a light warning. Basically, not inundate them with a lot of security language that they’re not gonna be able to understand.

So then when the twenty sixteen FAQs came out, they actually expanded upon a little bit more about emailing the medical records.

Again, making sure that if you are gonna email the medical records out, that you’re doing your due diligence in validating the individual, who is requesting them. And then COVID, like I said, a second ago, changed almost everything because tons of people were, you know, asking for this information, their information to be emailed to them. A couple best practices that we talk to our providers about is that when a patient requests information to be emailed, validate the email address that’s listed on the patient’s medical record matches to where it needs to be emailed to.

If it does not, then you definitely need to reach out to the patient. And validate that, you know, hey, is this you maybe ask some key questions of them that only they would have the answer to. An example I give is like my insurance information.

My husband’s on a different insurance plan, so obviously he wouldn’t know what my member number is. So maybe ask something to that effect.

And then going back to the question that got asked earlier about verbal acceptance of authorizations, the same would apply with email releasing the records via email. You need to ensure that you have a very thorough policy and procedure that’s gonna outline all of this process. So then that way, if by chance, you know, something does happen, you can say, look, we had a policy. We thought everything was gonna be covered.

You know, if you get a complaint, I think OCR would be completely understanding that, hey, there’s still gonna be individuals out there that unfortunately have nefarious intent, that may have found some sort of loophole in trying to obtain that patient’s information.

So we’re gonna go to the next question.

Actually, it’s a survey, and we’ve got The survey is how confident are you in your organization’s current privacy and security measures for EHR interfacing?

So are you very confident, somewhat confident, or not very confident, or not confident at all?

So I’ll give it a second and we’ll see what the responses are. And you know what, Amy? I’m a have to lean on you again, right, to read me what the poll answers are. So Got it. Yeah. So we’ll just give it just a second and And then once we get that poll closed, we’ll go back and look at some of the questions that have come through chat because I think we’ve had a couple more.

Yeah. We do. We do have a couple.

Regarding HIPAA forms and Yeah.

Alright. So let’s go ahead and close the polls out. And what do we end up with?

So, what, sixty percent of our attendees are very confident in their organizations current privacy and security measures for EHR interfacing, thirty nine percent stated that they were somewhat confident and two percent was not very confident.

Alright. Great. So let’s just very quickly go. It takes these last couple of minutes that we’ve got because I know we got about two minutes left.

One question we got, and this was actually a follow-up to a previous question. And this individual goes regarding my previous question about signing a registration or consent annually, what is the current source document requiring annual signatures?

I’m not a hundred percent sure what exactly do you mean by source document.

If you don’t mind, I mean, yeah, I know we’re about to, you know, run out of a little bit time here, but you’re more than welcome to ask that question and give me some, you know, additional information. Also, we will have all of our email addresses on this PowerPoint. So you’re more than welcome to email us directly, and then we can see if we can help kinda answer that question.

The next question is, does the OCR HIPAA form have an expiration date and if no such date is noted, Amy, do you wanna talk about this? Sure. So, the OCR’s HIPAA authorization form requires either an expiration date or an event So in other words, you could, you know, an attorney’s author might have a patient sign authorization form that says at the ending of my case regarding, you know, whatever. The class action may be of something of that nature or, so it’s an event or a date.

But they do not give a date. Now keep in mind, if there isn’t a date or an event, some state laws have a shorter turnaround time, regarding the how long they’ll accept an authorization or when it has to be signed. So you wanna keep in mind of the state regulation too. But they do not give a date. They give either the, you know, the patient puts a date or an event for expiration.

Morath, actually, at the bottom of the hour.

Again, I know a lot of you guys are jumping off, but I just, for those of you guys who are staying on for a couple of seconds, thank you so much for these questions. It was fantastic. We really appreciate your all’s engagement with this. And, Amy, I wanna thank you guys because I know I picked your brain a lot when these questions were coming through.

So thank you so much for you guys, providing your subject matter expertise. And helping me with this webinar today. Oh, you’re welcome. It was great to be here.

Thanks, everyone, for attending. We’ve had a really great number of attendees. So we’re happy to do it.

Thank you.