MRA Thought of the Day – Breach Prevention

Charlie Disclosure Management

RHIA, Vice President of Release Of Information

As part of the final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the HITECH Act, several new rules affect Covered Entities and Business Associates (BAs). A big emphasis has been placed on breach prevention. For Business Associates and Covered Entities to prevent breaches, a suggested best practice is to establish an effective Release of Information (ROI) training program. Our role and responsibility in protecting our patients’ privacy is to make sure our staff is constantly educated on the changes set forth by the HIPAA rules and regulations.

Below is an example of an ROI training program:

Once an employee is hired, an Initial Orientation is given. Ongoing Training on existing and new procedures is continuous. Quality Improvement Audits are performed quarterly. After one year as an ROI Abstractor, a comprehensive CRIS test is offered. The CRIS (Certified Release of Information Specialist) test is given to recognize knowledge and understanding in releasing Protected Health Information (PHI). Continual Release of Information & HIPAA Training and an Annual Review should also be part of your training program. You may also incorporate Tips of the Month and email reminders, and hold Quarterly Meetings to discuss hot topics, to continually educate your staff and keep them well informed about ROI.

When responding to a request for PHI you must remember these key factors:


  • Review each request thoroughly to determine the information being requested, and compare the request letter to the patient’s signed authorization form.
  • Examine the health information carefully to ensure that the correct patient’s health information is being abstracted.
  • Verify that the patient’s name and date of birth on the request letter are an exact match with the information to be released.
  • Abstract the medical record by locating the information required to fulfill the request. Do not include any information or dates of service that are not being requested.
  • Review each document requested for the presence of legally protected information.
  • Copy/Print/Scan ONLY the health information and/or dates of treatment requested.
  • Verify that every single page belongs to that patient before sending.

And always release the minimum necessary to fulfill the request.

HIM Departments cannot afford NOT to have well trained release of information specialists handling and releasing PHI.

How do you train your staff?
