Keep Your Seawall Secure

How to Ensure Proper PHI Disclosure Management Across an Enterprise

By Don Hardwick

Seawalls are built to both protect and sustain. The sea side of the wall withstands a constant barrage of ocean waves and wind. The top part of the seawall conserves coastlines and supports leisure activities for entire communities. Seawalls provide long-term protection from extreme events and everyday erosion, but they must be updated continually to maintain effectiveness—much like protected health information (PHI) disclosure management processes.

Like seawalls, health information management (HIM) departments serve two important roles when it comes to protected health information (PHI). HIM professionals must protect patients’ privacy and ensure proper PHI disclosure to authorized individuals and organizations. While protection is a priority, HIM departments release millions of medical records every year to verified requesters to support patient treatment, healthcare operations, and payer reimbursement, as well as for many other purposes. The duality of PHI disclosure management gives HIM professionals the opportunity to collaborate with multiple departments across the healthcare enterprise while also fulfilling the important role of PHI guardian. This article provides expert guidance on how HIM professionals can effectively balance the role of patient privacy protector with sharing PHI from locations throughout an enterprise.

PHI Disclosure Across the Enterprise

HIM departments have long been perceived as the top disclosers of PHI within a healthcare enterprise. However, recent trends in PHI disclosure management paint a new and different picture. Combined requests from other areas such as radiology, business offices, and physician practices are matching—if not eclipsing—the PHI disclosure volumes in HIM. Even nurses are often asked to release patient information.

The problem with other departments managing PHI disclosures is twofold—high risk and high volume. Here are four common challenges observed when non-HIM departments release patient information:

  1. Release of information (ROI) isn’t typically part of their core responsibilities. Other departments must manage their own responsibilities and priorities—making compliant ROI practices a second- or third-tier priority.
  2. Non-HIM personnel often lack sufficient training and effective checks and balances to properly disclose PHI.
  3. High volumes of records may be requested with short deadlines for response—leading to human errors if staff are not properly trained.
  4. Cursory ROI training results in ineffective disclosure management processes and higher risk for a privacy breach. Other departments don’t keep up with new rules, regulations, and laws governing the compliant release of patient information.

To properly process PHI requests in non-HIM departments, HIM leaders must be aware of these risks and work to mitigate them. A practical first step is to conduct an enterprise-wide audit of all disclosure points.

Know the Risky Spots

The most common non-HIM areas for PHI disclosures include radiology, business offices, and physician practices. While many of these disclosures are part of treatment, payment, and operations according to the HIPAA Privacy Rule—and therefore are permitted without patient authorization—other common disclosures by these areas are not. Knowing the difference is critical to compliant enterprise-wide ROI. The chart below lists important points for HIM professionals to consider and questions to ask in these three departments.

An audit of all PHI disclosure points, including responses to pertinent questions, should be performed and updated annually as part of the organization’s overall privacy compliance assessment. Based on audit findings, the next step is for ROI experts to conduct targeted training and create ROI procedures to meet the specific PHI disclosure management needs of each department.

Audit Your PHI Disclosure Check Points

HIM professionals can audit non-HIM PHI disclosure areas in order to ensure compliance with relevant laws. During the audit, HIM should review the following for PHI disclosures:

  • Date received
  • Date stamped on form
  • Date delivered
  • Calendar days between date received and date delivered, or stamped date if earlier
  • Business days between date received and date delivered, or stamped date if earlier
  • Did the disclosure comply with the federal release deadline of 30 calendar days? (Y/N)
  • If the request was for discharged inpatient records or emergency room records, did it comply with state release deadlines? (Y/N or n/a)
  • Fee charged—Was the fee charged according to state or federal guidelines? (Y/N)
  • Was an extension letter used? (Y/N) If so, note whether it was sent within the first 30 days and whether the processor complied with the 30-day extension. Extension letters apply to the federal deadline only.
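The timing items in this checklist can be computed mechanically over a department's disclosure log rather than by hand. The Python script below is an added example, not code from the article or from MRO; the record layout, the sample requests, and the weekend-only business-day rule are assumptions, and the state deadline is a placeholder parameter because the article gives no state-specific number. It applies the rules stated above: count from date received to date delivered (or the stamped date if earlier), require delivery within 30 calendar days, and allow one further 30 days only when an extension letter went out within the first 30.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Federal timing named in the audit checklist: 30 calendar days from receipt,
# extendable once by 30 days if the extension letter is sent within the first 30.
# Extension letters apply to the federal clock only.
FEDERAL_DEADLINE_DAYS = 30
FEDERAL_EXTENSION_DAYS = 30


@dataclass
class Disclosure:
    """One release-of-information request as recorded in a department log (assumed layout)."""
    request_id: str
    date_received: date
    date_delivered: date
    date_stamped: Optional[date] = None     # date stamped on the request form, if any
    extension_sent: Optional[date] = None   # date the extension letter was sent, if any
    inpatient_or_er: bool = False           # discharged inpatient or ER record: state deadline applies


def effective_end(d: Disclosure) -> date:
    """Delivery date, or the stamped date if that is earlier (the checklist's rule)."""
    if d.date_stamped is not None and d.date_stamped < d.date_delivered:
        return d.date_stamped
    return d.date_delivered


def calendar_days(d: Disclosure) -> int:
    return (effective_end(d) - d.date_received).days


def business_days(d: Disclosure) -> int:
    """Weekdays after receipt up to and including the effective end date.
    Assumption: only weekends are excluded; add your own holiday calendar."""
    count, cur, end = 0, d.date_received, effective_end(d)
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            count += 1
    return count


def extension_status(d: Disclosure) -> Optional[bool]:
    """None if no extension letter was used; True if it was sent within the first 30 days."""
    if d.extension_sent is None:
        return None
    return (d.extension_sent - d.date_received).days <= FEDERAL_DEADLINE_DAYS


def federal_deadline_met(d: Disclosure) -> bool:
    days = calendar_days(d)
    if days <= FEDERAL_DEADLINE_DAYS:
        return True
    # Past 30 days: only a timely extension letter buys another 30 calendar days.
    return extension_status(d) is True and days <= FEDERAL_DEADLINE_DAYS + FEDERAL_EXTENSION_DAYS


def audit_record(d: Disclosure, state_deadline_days: Optional[int] = None) -> dict:
    """One checklist row. state_deadline_days is a placeholder: supply your state's
    limit for inpatient/ER records; with none given the column reads "n/a"."""
    timely_ext = extension_status(d)
    if d.inpatient_or_er and state_deadline_days is not None:
        state_ok: object = calendar_days(d) <= state_deadline_days
    else:
        state_ok = "n/a"
    return {
        "request_id": d.request_id,
        "calendar_days": calendar_days(d),
        "business_days": business_days(d),
        "federal_30_day_met": federal_deadline_met(d),
        "state_deadline_met": state_ok,
        "extension_used": timely_ext is not None,
        "extension_sent_within_30": timely_ext,
    }


def audit_all(records, state_deadline_days: Optional[int] = None) -> list:
    return [audit_record(d, state_deadline_days) for d in records]


def late_request_ids(records, state_deadline_days: Optional[int] = None) -> list:
    """Request ids that missed the federal deadline; the list to escalate to HIM."""
    return [r["request_id"] for r in audit_all(records, state_deadline_days)
            if not r["federal_30_day_met"]]


# Constructed sample log for one department (not real requests or real dates of service).
SAMPLE = [
    Disclosure("R1", date(2024, 3, 1), date(2024, 3, 20)),                                   # on time
    Disclosure("R2", date(2024, 3, 1), date(2024, 4, 25), extension_sent=date(2024, 3, 20)), # timely extension
    Disclosure("R3", date(2024, 3, 1), date(2024, 4, 10)),                                   # 40 days, no letter
    Disclosure("R4", date(2024, 3, 1), date(2024, 5, 10), extension_sent=date(2024, 4, 5)),  # letter sent late
    Disclosure("R5", date(2024, 3, 1), date(2024, 4, 3), date_stamped=date(2024, 3, 28),
               inpatient_or_er=True),                                                        # stamped date counts
]

if __name__ == "__main__":
    for row in audit_all(SAMPLE):
        print(row)
    print("late:", late_request_ids(SAMPLE))
```

Run it over an exported log to get the calendar-day, business-day, and Y/N columns the checklist asks for; the fee check is deliberately left out because fee schedules vary by state and are not given here.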

Train and Educate Based on Needs

Training is essential for safe and compliant enterprise-wide release of information. This is true within the HIM department and for any other personnel that release PHI. Based on the individual department’s most common requests, ROI training should be focused on accuracy, include all HIPAA privacy basics, and include the following six PHI disclosure management fundamentals.

  1. Track and monitor type of request being received. For each department, begin by keeping track of requests received and the workflow used to fulfill the request.
  2. Define each type of request. Train personnel on which requests fall under HIPAA’s treatment, payment, and operations provisions and which do not. Create tip sheets and checklists for each department.
  3. Emphasize accuracy. Ensure non-HIM personnel know the right documents to provide for each type of request and encounter. Include a step to verify correct patient and encounter for each document before releasing.
  4. Reiterate minimum necessary. Define which documents represent the minimum necessary when filling requests. Build standard document sets based on the most common types of disclosures for each department.
  5. Coach personnel on patient requests. Prepare non-HIM staff to respond properly to patient or patient family requests for information. These requests will continue to increase as younger, more tech-savvy patients request PHI. Balance patient satisfaction with ROI processes.
  6. Direct requests to HIM. Take responsibility for filling requests whenever possible to minimize breach risk and standardize ROI processes across the enterprise. At a minimum, insist that HIM handle all legal requests or cases of patient complaint or a potential patient lawsuit.

When non-HIM departments that process high volumes of requests still insist on managing their own PHI disclosures, the best approach for HIM professionals is to collaborate and innovate.

Risk Mitigation in Common, Non-HIM Departments that Release Information

Radiology

Common PHI requests: Reports, digitized images, and films are requested by:

  • Other providers for continuing care
  • Attorneys to support injury claims
  • Patients for specialists and referrals

HIM questions to ask: Are requests tracked properly for accounting of disclosures, and under what circumstances is an authorization required?

Business Office

Common PHI requests: High volumes of PHI are sent by billers and collectors, including:

  • Unsolicited releases during initial claims submission and claims processing to expedite payment
  • Disclosures for government and commercial payer audits and reviews
  • Attorney requests for itemized bills

HIM question to ask: When is an authorization required?

Physician Practices

Common PHI requests: Office managers often try to do the right thing by providing information, but do so without proper authorizations. For example:

  • Patient requests a copy of chart following an office visit
  • Family requests a copy of chart
  • Other providers request information

HIM question to ask: When is an authorization required?

Haste Makes Breaches

Annual HIM reviews and ongoing communication with other departments that release information are effective best practices to reduce the risk of an information breach, expedite payer reimbursement, and prevent requester dissatisfaction in hospitals and health systems. Non-HIM staff are focused on their core competency areas and rarely trained in proper PHI disclosure management. The result is often hasty PHI processing and increased risk of breach. To mitigate risk while also ensuring the appropriate release of information, HIM departments should maintain oversight of PHI disclosure management across the entire enterprise—not just within HIM.

Don Hardwick is vice president, client relations and account management at MRO.