As ever, compliance remains paramount for proper medical records management. In 2020, the industry saw significant changes in staffing models as COVID-19 began to spread. Hospitals and healthcare systems ran into challenges ranging from dramatic drops or spikes in patient counts, piles of paperwork after outpatient clinics were closed and key staff out with COVID-19, and myriad other issues which all contributed to health information management and release of information teams moving to remote and vendor-supported models. Whether your staff is onsite or offsite, or if you work with a release of information vendor, there are compliance considerations to bear in mind as your organization plans for 2021.
Document Remote Work Policies
First, take the time to formally document any ad hoc policy changes your hospital or clinic implemented in 2020. These “on the fly” policies should be recorded in official documentation, such as a handbook, to ensure ongoing companywide compliance. When healthcare systems pivoted to have staff work from home, quick decisions were made to maintain operational continuity and remote work arrangements continued to evolve as the pandemic endured.
Now is a great time to run a security risk analysis, especially for healthcare systems with remote teams. Take a systematic look at where and how medical records data are located, double-check your practices for storing and protecting data, and work with employees to ensure their at-home work environment and routers are secure. Whenever possible, use multi-factor authentication to secure logins.
Update Release of Information Vendor Agreements
Until the vaccine is made available to everyone, chances are some employees won’t be working in the office on a full-time basis. At the time of this publication, the implementation of the Information Blocking Rule has been delayed until April 5, 2021. It’s a good opportunity to protect your organization by requiring all release of information and health information management vendors to be covered under a business associate agreement that addresses the new information blocking provisions and confirm vendors have proper HIPAA training.
Pay Close Attention to Security Updates
In addition, pay close attention to government security updates. There is a growing cybersecurity threat from the federal government specifically regarding healthcare and medical records. In 2020, we saw increased cyberattacks and ransomware attacks on healthcare organizations, even postcards disguised as Office of Civil Rights communications. You can subscribe to the Cybersecurity and Information Security Agency (CISA) alerts at on their Email Updates page as well as subscribe to the OCR list-serve and other appropriate agencies to remain informed of critical developments.
Make Plans and Expect the Unexpected
Finally, if we learned anything from 2020, it’s to expect the unexpected. Review your workflows, technology solutions, and backup options. Reconnect with any vendor relationships that could support you remotely, and plan for any hiccups that COVID-19 could still present. Prepare contingency plans for remote, onsite, partial onsite, remote vendor outsourcing support, and any other scenarios as needed. Should another change rock the industry, you’ll be more resilient and prepared to adjust accordingly.
Article by Elizabeth McElhiney, MHA, CHPS, CPHIMS, CRIS – Director of Privacy at ScanSTAT Technologies
Let’s Make This Easier For Everyone
ScanSTAT makes it easier for hospitals, healthcare systems, and medical practices to manage health information. Whether you are considering making a complete transition or merely supplementing your Release of Information and Health Information Management in-house operation, we can help. We place as much importance on privacy, security, and customer service as you do. We can assume the HIPAA liability involved in transferring information and removing the burden of reporting from your staff or supporting it as needed.