Instituting an Enterprise-wide PHI Disclosure Management Strategy

By Collette Zeiour, RHIA, and Mariela Twiggs, MS, RHIA, CHP, FAHIMA

With more than 1,000 large breaches of protected health information (PHI) on record, it’s not surprising that PHI disclosure management is currently top of mind for healthcare leaders.1 Many of these breaches have cost organizations between $1 million and $5 million in penalties, not to mention damages related to their reputation and patient trust.2 As organizations prepare for the next round of US Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) audits, a centralized and enterprise-wide PHI disclosure management strategy can help create a more airtight compliance environment while streamlining workflows in busy organizations.

One hospital system that chose to institute enterprise-wide PHI disclosure management was East Jefferson General Hospital (EJGH). EJGH, which has seen their centralized strategy standardize processes and create consistency, provides healthcare for the eastern Louisiana region through its 2,700 employees and more than 600 physicians. In addition to a 420-bed hospital, EJGH offers a broad spectrum of healthcare services via a regional cancer center, cardiovascular services, radiology and interventional care, ambulatory services, and 23 physician practices.

Collette Zeiour, RHIA, health information management (HIM) director at EJGH, first saw the need for a strong, standardized PHI disclosure management strategy across all departments and facilities in 2011. Creating an enterprise strategy would be a large-scale effort, but Zeiour felt it would ultimately enable consistency, standardization, and efficiency throughout the growing health system.

To help launch the enterprise PHI disclosure management strategy EJGH partnered with release of information vendor MTT Enterprises, which was acquired by vendor MRO during the course of the initiative. At its inception, the enterprise PHI disclosure management project began with the HIM, radiology, and billing departments, adding a cardiology clinic several months later. The largest phase of the project came when EJGH added its 23 physician practices to the strategy. Given EJGH’s fast-paced growth in its physician practice groups, this phase of the project was particularly important.

Addressing Workflow Challenges and Standardizing Processes

Early on, the team acknowledged several challenges that needed to be addressed. For example, the way various staff handled release of information (ROI) requests varied widely. While each team handled PHI correctly, the lack of consistency created inefficiency and varied timelines for fulfilling ROI requests. As EJGH continued to grow, expanded departments and new physician practice locations led to even greater variations in PHI disclosure management.

When EJGH launched its enterprise disclosure management strategy, the team’s goal was to implement a centralized program that would enable the entire EJGH staff to leverage a consistent workflow across the organization. A centralized approach would not only streamline workflow but also ensure standardization, which would mitigate potential risk. In addition, the enterprise project was an opportunity to identify inefficient workflows and create a faster, more efficient process that would allow staff to be more productive.

One disclosure workflow that was standardized across EJGH as a part of this initiative was the accounting of disclosures (AOD) log. The physicians network, imaging center, and HIM departments previously maintained separate AOD logs. Now, all releases are logged and maintained in one database. Another workflow standardization example is the accessibility of pending requests via the “Documents Required” list. An employee that works at the imaging center, for example, now has the ability to view the request and authorization documents for the hospital and assist with retrieving and uploading the records to fulfill and complete the request remotely. This allows for increased productivity at a location that may not be as busy while also assisting the main HIM department with the workload.  

Creating Consistency, Reducing Workload

In late 2011, EJGH brought its numerous physician practice locations under the centralized PHI disclosure management program. In addition to having their own processes for ROI requests, practices were using disparate technology systems. Many were also engaged with different disclosure management vendors. Consequently, practice locations had different needs regarding the PHI disclosure management process. For instance, some locations still used paper; therefore, the assisting vendor’s management team needed to determine how and when to pick up paper-based ROI requests.

The vendor team visited all practice locations and evaluated their workflows, ultimately developing processes that were compatible with each practice’s technology and would allow them to offload work to their vendor. While EJGH maintained its standardized and consistent disclosure management program, their vendor made minor workflow adaptations based on the practice locations’ varying circumstances. EJGH soon implemented a technology platform offered by their vendor that enabled staff across the enterprise to submit ROI requests. While the transition to this platform was an adjustment for employees, it ultimately allowed them a new level of visibility and efficiency since staff could track requests, view their status, and access reports.

In addition, the new platform allowed EJGH staff to offload many duties to their vendor, such as invoicing, mailing, sending notifications to requesters, generating a variety of correspondence, and fulfilling other clerical duties. As part of the move to the new online platform, the vendor also took over the quality assurance (QA) process. HIM leadership decided to maintain its own QA check as well, which doubled QA efforts to ensure the organization remained compliant and error-free.

Initially, some physician practices were reluctant to move to the centralized strategy because they had to relinquish control and learn the new online platform. Now, many practice managers are quite vocal in their appreciation, indicating their satisfaction with knowing they are maintaining their patients’ data privacy and security. Despite the varying cultures and technology systems among practices and departments, EJGH has achieved a level of consistency and standardization that brings peace of mind.

Since reducing the backlog of ROI requests at the inception of the project, EJGH has maintained a three-day turnaround on requests, often fulfilling requests in less time. This consistent timeliness has enabled EJGH to provide excellent service to patients while also adhering to legal and regulatory demands.

The new workflows and technology have also drastically reduced the time EJGH staff spends on certain activities. Recovery audit contractor (RAC) and Medicare administrative contractor (MAC) requests, for instance, once took days to fulfill due to the boxes of paper records that had to be assembled. EJGH staff is now able to use their new processes and electronic submission software to meet these requests, which eliminates hours of printing and administrative work. In addition, the team can log in to the online platform and check the status of any RAC appeals.

Regulatory Environment Increasingly Complex

The EJGH team makes frequent communication and ongoing training a priority, which keeps staff abreast of changing regulations. The team acknowledges several factors that enabled their successful implementation of an enterprise-wide PHI disclosure management strategy, along with a few lessons learned:

Get leadership on board in advance. Implementing a centralized approach to PHI disclosure management is much easier if leadership conveys its importance to all team members across the enterprise. Establishing why it’s necessary—and not optional—can go a long way in ensuring success.

Work through the kinks prior to implementation. Bring in the IT department about a month before implementation to work through any issues in technology and workflows. This helps IT identify and resolve any problems before go-live.

Prioritize ongoing communication and training after implementation. During the initial go-live phase, the team will need frequent and more intensive communication. After everyone is comfortable with the new processes, though, project leadership should still offer regular forums for communication and collaboration. Why? Regulations frequently change and staff often has questions or ideas after the initial flurry of implementation has passed.

Offload and centralize PHI disclosure management tasks as much as possible—even if staff initially disagrees. Even though physician practices had their own processes, technology, and solutions for PHI disclosure management, EJGH implemented an enterprise approach. Now, physician practice teams are grateful they can focus on patient-facing or revenue cycle staff activities rather than fulfilling ROI requests. Centralization not only created consistency and mitigated risk, but also gave practice staff much-needed time for other tasks.

Tracking and reporting capabilities are a necessity, not a luxury. EJGH staff across the enterprise realize the necessity of logging into a system and being able to find out when a record was released, if the party received it, or other information related to status. When recipients claim they didn’t receive a document within the requested timeframe, having transparency into the process has proven invaluable. When embarking on a PHI disclosure management project, be sure to evaluate the tracking and reporting features to ensure staff will have what they need.

As healthcare organizations continue to grow, it is important to stay on top of plans to acquire practice locations or expand into new service areas. Proactively addressing PHI disclosure management for new departments can help an organization stay compliant, consistent, and efficient in the years to come. As patients and HHS both continue to demand new levels of safety and privacy, a centralized, enterprise-wide PHI disclosure management strategy can help ensure a healthcare organization adheres to requirements and keeps patients’ trust in the years to come.


[1] The Advisory Board Company. “One in 10 Americans Has Been Affected by a Large Health Data Breach.” The Daily Briefing. June 17, 2014.

[2] Department of Health and Human Services. “Health Information Privacy: Case Examples and Resolution Agreements.”

Collette Zeiour ( is director of HIM for East Jefferson General Hospital. Mariela Twiggs ( is national director of training and compliance for MRO.

Article citation:
Zeiour, Collette; Twiggs, Mariela. "Instituting an Enterprise-wide PHI Disclosure Management Strategy" Journal of AHIMA 86, no.4 (April 2015): 24-26.