Cracking Encryption

APRIL 2015

DESPITE BENEFITS, TECHNOLOGY STILL NOT WIDELY USED TO COMBAT MULTIMILLION DOLLAR BREACHES

Welcome to the Digital Edition of the Journal of AHIMA

Video Extra: Protecting Adolescent Confidentiality in EHRs

The Director of HIM at Chicago's Ann and Robert H. Lurie Children's Hospital discusses the unique challenges of managing pediatric and adolescent EHRs.

More Online: Medical Devices Face Cyber Security Threats
http://journal.ahima.org

More privacy and security articles can be found on the Journal of AHIMA website, including this piece that discusses just how susceptible devices like pacemakers and insulin pumps are to hackers.


Contents April 2015
Vol. 86, no. 4

Cover

Cracking Encryption
Despite benefits, technology still not widely used to combat multi-million dollar breaches
By Mary Butler

Departments

President's Message
Creating an Environment of Trust for Patients and Consumers

Spiders have been busy creating webs on the federal privacy rules. ONC's new Chief Privacy Officer intends to help the nation dust off these regulations.

Features

Instituting an Enterprise-wide PHI Disclosure Management Strategy
By Collette Zeiour, RHIA, and Mariela Twiggs, MS, RHIA, CHP, FAHIMA

Learn More to Earn More
How to further your HIM education, and what it gets you
By Lisa A. Eramo

Clearing the HIPAA Cobwebs
New ONC Chief Privacy Officer Lucia Savage focuses on balancing privacy and security with expanding interoperable EHR exchange
By Chris Dimick

Bulletin Board

Word from Washington
Decoding the Cromnibus Spending Bill for HIM Stakeholders

Inside Look
New Technology Creates New Privacy, Security Challenges

Calendar

Keep Informed

Volunteer Leaders

AHIMA Career Center

Addendum
Follow the ONC Road

Working Smart

By Sharon Lewis, MBA, RHIA, CHPS, CPHQ, FAHIMA, and Kevin B. McDonald, HCISPP, CHPSE

By Grant Gillis

Navigating Privacy and Security
Where to Begin with Cyber Defense

Standards Strategies
Security, Privacy, and Safety Standards in Canadian Healthcare

e-HIM Best Practices
Issues in Accessing Foreign Personal Information for Use in US Legal Proceedings
By Jeane Thomas, JD

The Sound Record
Evaluating the Information Governance Principles for Healthcare: Integrity and Protection
By Galina Datskovsky, PhD; Ron Hedges, JD; Sofia Empel, PhD; and Lydia Washington, MS, RHIA

Coding Notes

Quizzes
AHIMA members may earn continuing education credits by successfully completing the following quizzes at www.ahimastore.org

By Mary H. Stanfill, MBI, RHIA, CCS, CCS-P, FAHIMA

A Call for Additional Coding Metrics

Cracking Encryption
Domain: Privacy and Security

By Kathryn DeVault, MSL, RHIA, CCS, CCS-P, FAHIMA

Six Months and Counting

Practice Brief
The Implementation and Management of Patient Portals

Instituting an Enterprise-wide PHI Disclosure Management Strategy
Domain: Privacy and Security

Six Months and Counting
Domain: Clinical Data Management
http://journal.ahima.org

Medical Devices Face Cyber Security Threats
With all the focus on data breaches and lack of encryption, other cyber security threats loom almost unnoticed.

Privacy and Security Month Coverage

April is Privacy and Security Month. Visit journal.ahima.org for weekly coverage on this important issue.


The Journal of AHIMA is an official publication of AHIMA

AHIMA CEO Lynne Thomas Gordon, MBA, RHIA, FACHE, CAE, FAHIMA

EDITORIAL DIRECTOR Anne Zender, MA

EDITOR-IN-CHIEF Chris Dimick

ASSISTANT EDITOR/ADVERTISING COORDINATOR Sarah Sheber

ASSOCIATE EDITOR Mary Butler


CONTRIBUTING EDITORS
Sue Bowman, MJ, RHIA, CCS, FAHIMA

Patricia Buttner, RHIA, CDIP, CCS

Angie Comfort, RHIA, CDIP, CCS

Angela Rose, MHA, RHIA, CHPS, FAHIMA

Julie Dooling, RHIA, CHDA

Melanie Endicott, MBA/HCM, RHIA, CCS, CCS-P, CDIP, FAHIMA

Katherine Downing, MA, RHIA, CHP, PMP

Deborah Green, MBA, RHIA

Jewelle Hicks

Lesley Kadlec, MA, RHIA

Carol Maimone, RHIT, CCS

Paula Mauro

Anna Orlova, PhD

Kim Osborne, RHIA, PMP

Harry Rhodes, MBA, RHIA, CHPS, CDIP, CPHIMS, FAHIMA

Maria Ward, MEd, RHIT, CCS-P

Diana Warner, MS, RHIA, CHPS, FAHIMA

Lydia Washington, MS, RHIA

Lou Ann Wiedemann, MS, RHIA, CHDA, CDIP, CPEHR, FAHIMA

ART DIRECTOR Graham Simpson


GRAPHIC DESIGNER

Jill A. Blacketer

EDITORIAL ADVISORY BOARD


Linda Belli, RHIA

Gerry Berenholz, MPH, RHIA

Carol A. Campbell, DBA, RHIA

Rose T. Dunn, MBA, RHIA, CPA, CHPS, FACHE, FAHIMA

Teri Jorwic, RHIA, CCS

Diane A. Kriewall, RHIA

Frances Wickham Lee, DBA, RHIA

Glenda Lyle, RHIA

Susan R. Mitchell, RHIA

Daniel J. Pothen, MS, RHIA

Cheryl Tabatabai Stachura, RHIA

Tricia Truscott, MBA, RHIA, CHP

Carolyn R. Valo, MS, RHIT, FAHIMA

Valerie Watzlaf, PhD, RHIA, FAHIMA

ADVERTISING REPRESENTATIVES
Network Media Partners
Jeff Rhodes
(410) 584-1940; Fax: (410) 584-8353
jrhodes@networkmediapartners.com
Brittany Shoul
(410) 584-1941; Fax: (410) 316-9865
bshoul@networkmediapartners.com
AHIMA OFFICES
233 N. Michigan Ave., 21st Floor
Chicago, IL 60601-5800
(312) 233-1100; Fax: (312) 233-1090
1730 M St., NW, Suite 502
Washington, DC 20036
(202) 659-9440; Fax: (202) 659-9422
AHIMA ONLINE: www.ahima.org
JOURNAL OF AHIMA: journal@ahima.org
JOURNAL OF AHIMA MISSION
The Journal of AHIMA serves as a professional development tool
for health information managers. It keeps its readers current on
issues that affect the practice of health information management.
Furthermore, the Journal contributes to the field by publishing work
that disseminates best practices and presents new knowledge.
Articles are grounded in experience or applied research, and they
represent the diversity of health information management roles and
healthcare settings. Finally, the Journal contains news on the work
of the American Health Information Management Association.
EDUCATIONAL PROGRAMS
The Commission on Accreditation for Health Informatics and
Information Management Education (www.cahiim.org) accredits
degree-granting programs at the associate, baccalaureate, and
master's degree levels.
AHIMA recognizes coding certificate programs approved by the
Approval Committee for Certificate Programs. For a complete list of
AHIMA-approved coding programs and HIM career pathways go to
www.hicareers.com.

Journal of AHIMA (ISSN 1060-5487) is published monthly, except for the combined issue of November/December, by the American Health Information Management Association, 233 North Michigan
Avenue, 21st Floor, Chicago, IL 60601-5800. Subscription Rates: Included in AHIMA membership dues is a subscription to the Journal. The annual member subscription rate is $22.00 for active and
graduate members, and $10.00 for student members. Subscription for nonmembers is $100 (domestic), $110 (Canada), $120 (all other outside the U.S.). Postmaster: Send address changes to Journal
of AHIMA, AHIMA, 233 North Michigan Avenue, 21st Floor, Chicago, IL 60601-5800. Notification of address change must be made six weeks in advance, including old and new address with zip code.
Periodicals postage is paid in Chicago, IL, and additional mailing offices.
Notice of Policy
Editorial: views expressed in articles contributed to the Journal of AHIMA are those of the author(s) and do not necessarily reflect the policies and opinions of the Association, editorial review board, or staff. Articles are not to be construed as endorsing any particular product or service.
Advertising: products, services, and educational institutions advertised in the Journal do not imply endorsement by the Association.
Copyright 2015 American Health Information Management Association Reg. US Pat. Off.


President's Message

Creating an Environment of Trust for Patients and Consumers
By Cassi Birnbaum, MS, RHIA, CPHQ, FAHIMA

FROM THE YEAR 2009 through 2014, nearly 42 million people had their protected health information (PHI) compromised, according to data from the Department of Health and Human Services Office for Civil Rights (OCR). Each passing year brings into sharper focus the challenges associated with covered entities' and business associates' inability to consistently safeguard PHI. This year has proven to be no exception.

On February 4, health insurer Anthem announced that hackers had accessed a database containing the personal information of about 80 million of its customers, former customers, and employees in California and other states.

Before February, the largest previously known data breach attributable to a cyberattack occurred last year, when Community Health Systems announced that an external group of hackers stole the non-medical data of 4.5 million patients, according to Modern Healthcare.

Investigators believe the hackers who broke into Anthem's network did so by stealing the company administrators' login credentials, according to a report from The Hill. The hackers got the credentials of five Anthem technology workers and then used targeted phishing campaigns to lure network administrators into revealing login information or clicking a link that granted hackers access to their computers, according to the report. Such an approach rendered any would-be encryption moot, according to a security expert at Tripwire.

What keeps me up at night are the risks that are often completely unanticipated due to a breach of policy: social media temptations, pictures taken of patients and posted on social media or shared with colleagues not directly involved with the patient's care team, nosy staff accessing records of co-workers and neighbors without a business need to know, rogue employees who use their access to steal health records or leak a VIP patient's information to the press.

As HIM professionals, we spend our careers safeguarding PHI and delicately balancing access privileges to ensure four basic rights: the right data is directed to the right provider for the right reason using the right safeguards.

I do not foresee any end to breaches, but AHIMA's privacy practice guidance and gold standard resources will assist you in identifying gaps, mitigating your risks, and ensuring a solid foundation in privacy and security.

Creating an environment that enables an organization's staff to see privacy as their most important role is critical. OCR has announced even more annual HIPAA compliance audits, so now is the time to get ready. There are creative and innovative ways to energize your workforce and use techniques to get them engaged. Don't forget about your growing remote workforce and the need to develop a consistent, seamless approach to safe computer use outside of a healthcare facility.

Remember that the biggest threats are typically internal. Focusing on securing remote access for end users, especially as care is extended outside of an integrated delivery system to the home and alternative settings, is a good place to start.

Now is the time to realize the vision of increased consumer confidence in our ability to safeguard their most private information, and to truly engage patients in sharing and exchanging their information when and where it is needed.

Cassi Birnbaum (cassi.birnbaum@ahima.org) is senior vice president of HIM and consulting at Peak Health Solutions.


Bulletin Board: what's happening in healthcare

HHS Sets Ambitious Expansion of Medicare's Quality-Based Payment Programs

The march toward paying healthcare providers based on quality and not volume took a large leap in January when the Department of Health and Human Services (HHS) announced a timeline for moving Medicare to a value-based purchasing system. HHS' hope is that the healthcare system at large will soon follow suit, according to an HHS press release.

HHS set a goal of tying 30 percent of traditional, or fee-for-service, Medicare payments to quality or value through alternative payment models, such as accountable care organizations (ACOs) or bundled payment arrangements, by the end of 2016. The agency aims to tie 50 percent of payments to these models by the end of 2018. HHS has also set a goal of tying 85 percent of all traditional Medicare payments to quality or value by 2016 and 90 percent of those payments by 2018 through programs like the Hospital Value-Based Purchasing Program and the Hospital Readmissions Reduction Programs, according to the press release.

This is the first time in its history that the Medicare program and HHS have set explicit goals for alternative payment models and required value-based payments.

In an effort to extend the pay-for-performance movement outside of Medicare, HHS announced the creation of a Health Care Payment Learning and Action Network, which will work with private payers, employers, consumers, providers, state Medicaid programs, and others to expand alternative payment models into their programs, according to the release. The network is scheduled to hold its first meeting this spring.

The alternative payment models HHS will be promoting as part of this change include ACOs as well as primary care medical homes and new payment bundling for episodes of care. In these models, healthcare providers are accountable for the quality and cost of the care they deliver to patients, and therefore have a financial incentive to coordinate the care for their patients to reduce duplicative tests and increase preventative care.

This is a departure from the current model of paying providers for each individual service, surgery, or test, whether or not the services improve a patient's health.

Payment through alternative models is not completely new to Medicare. In 2014, 20 percent of the $362 billion in Medicare payments were made through alternative models, HHS said. In addition to improving care, another driver of this initiative is the cost savings. For example, under existing ACO programs HHS reported they have saved $417 million.

Typically these models of treatment and payment require wider use of electronic health records since, for example, ACO providers rely on the exchange of information to reduce duplicate tests and redundancy in treatment among a patient's various providers.

Health information is also more widely used in these alternative models to show payers the quality of care provided, and not just the services, meaning robust clinical documentation improvement programs are also valued.

HHS, ONC Release Interoperability Roadmap

Federal healthcare officials released their plan for more efficient health information sharing and interoperable technology with a report titled "Connecting Health and Care for the Nation: A Shared Nationwide Interoperability Roadmap Version 1.0." The roadmap, released on January 30 by the US Department of Health and Human Services (HHS) Office of the National Coordinator for Health IT (ONC), builds on its vision paper, "Connecting Health and Care for the Nation: A 10-Year Vision to Achieve an Interoperable Health IT Infrastructure," issued in June 2014.

The roadmap, available for review on www.healthit.gov, focuses on three key areas:
Improving the way providers are paid
Improving and innovating in care delivery
Sharing information more broadly to providers, consumers, and others to support better decisions while maintaining privacy

"ONC's Interoperability Roadmap will help guide our progress toward seamless integration of electronic health record data," said Christopher Miller, program executive officer for defense healthcare management systems within the Department of Defense, according to an HHS statement about the report. "We are proud to be working closely with ONC and other public and private partners to ensure that our health care providers have a complete picture of health information from all sources."

"The availability of this information increases the medical readiness of US operational forces," Miller said, "and enables delivery of the high quality care that our service members, veterans and their families deserve."

"We look forward to our continued partnership with ONC as we expand the safe and secure exchange of standardized healthcare data to improve the overall health of our nation," Miller said.

GAO Notes Tech, VA Issues as Trouble Spots

The Government Accountability Office's (GAO) biennial report, which identifies red flag issues for Congress to consider remediating, added healthcare access to Veterans Affairs (VA) facilities and government IT project issues to its report for the first time ever this year.

The GAO report drew on the high-profile problems the VA had in 2014 with appointment scheduling delays and failure to provide care at all, according to the report. The report notes that while the VA has taken steps to address these problems, the VA has not fully acted on 100 of the GAO's recommendations.

Weak spots include not thoroughly fixing IT problems at the root of scheduling delays, failing to provide adequate oversight and accountability, and having unclear resource needs and allocation priorities.

Federal IT concerns noted on the list include the problems that accompanied the rollout of Healthcare.gov.

EHR Market Dominated By Few

Although there are many electronic health record (EHR) vendors in the marketplace, just a few of these vendors dominate the market share for physician practices in the US, according to a report from SK&A. Epic took the top spot at 11.6 percent, followed by eClinicalWorks at 10.2 percent. The top 10 EHR vendors by overall physician practice market share are depicted in the chart below. The report, "Physician Office Usage of Electronic Health Records Software," listed the 20 top vendors by overall market share.

Top EHR Vendors by Overall Physician Practice Market Share

EPIC: 11.6 percent
ECLINICALWORKS: 10.2 percent
ALLSCRIPTS: 8.7 percent
PRACTICE FUSION: 6.7 percent
NEXTGEN HEALTHCARE: 5.5 percent
GE HEALTHCARE: 3.6 percent
CERNER: 3.5 percent
ATHENAHEALTH: 3.3 percent
MCKESSON: 3.2 percent
AMAZING CHARTS: 2.3 percent
ALL OTHER VENDORS: 41.4 percent

Source: SK&A. "Physician Office Usage of Electronic Health Records Software." February 2015. www.skainfo.com/health_care_market_reports/EMR_Electronic_Medical_Records.pdf.

The Association for Executives in Healthcare Information Applications Foundation, started last year by CHIME, has added Pursuit Healthcare Advisors as a founding member.

Mississippi ranks among the seven best telemedicine programs in the nation, with the state's one academic hospital connecting with 165 remote sites, according to Politico.

Doctor on Demand and PokitDok have partnered to streamline the telemedicine process for Doctor on Demand users.

Aetna and Virtua Medical Group have started an accountable care organization in southern New Jersey for about 16,000 Aetna commercial plan subscribers.

The Department of Veterans Affairs (VA) has determined that IT problems contribute to the long wait times at VA hospitals.

End-to-end ICD-10-CM/PCS testing held from January 26 to February 3 resulted in an 81 percent claim acceptance rate for CMS.

A new team of experts being led by former Centers for Medicare and Medicaid Services (CMS) Administrator Donald Berwick, MD, has been convened to find ways to streamline the patient-safety movement.

The American Medical Association has raised concerns that more clear standards need to be developed regarding doctor-patient relationships in order to help reduce potential liability risks associated with telemedicine.

Several positions that hold opportunities for qualified health information management (HIM) professionals, such as HIM department director, quality improvement, application specialist, and risk manager, were included on CNN Money's list of best jobs for 2015.

Novant Health's EHR platform has been connected with the VA's EHR system via the eHealth Exchange.


Meaningful Use Penalties Lower than Expected

While physicians and other eligible professionals (EPs) have long complained about the prospect of financial penalties for failure to attest to the "meaningful use" EHR Incentive Program, new data shows they have less to worry about than previously thought.

In data presented at the most recent Office of the National Coordinator for Health IT (ONC) Health IT Policy Committee meeting, the Centers for Medicare and Medicaid Services (CMS) said 36,782 EPs attested to stage 2 through February 1. An additional 71,519 EPs are scheduled to attest to stage 2, because they have already attested to stage 1 for at least two years, CMS' Elisabeth Myers, from the Office of eHealth Standards and Services, told the committee.

What's more, estimated penalties are also expected to be lower than anticipated. According to a Medscape analysis of the CMS data, of the 256,000 eligible professionals (EPs) subject to payment adjustments in 2015, the data show 87,000 (34 percent) will lose $250 or less, 55,000 (21 percent) will give up $250 to $1,000, 36,000 (14 percent) will forfeit $1,000 to $2,000, and 78,000 (31 percent) will be fined $2,000 or more.

CMS is considering shortening the meaningful use reporting period to 90 days in 2015, which could ease the burden on EPs in providing reporting data.

"I do want to make it very, very clear that these are estimates, which is why they are very pretty, round numbers," Myers told the committee. "The reason that these are estimates is that the payment adjustment is not a flat amount; it is a percentage and it is a percentage of the claims that are submitted for Medicare services during 2015."

GOOGLE KNOWLEDGE GRAPH
www.google.com/insidesearch/features/search/knowledge.html
When users search Google for information about common health conditions, the search engine will now feature relevant medical facts at the front of search results. While not intended as medical advice, it makes searching for health-related info easier, showing typical symptoms and treatments, as well as details on how common the condition is. All the information has been checked by medical doctors at Google and Mayo Clinic.

PRIVACY IMPLICATIONS OF HEALTH INFORMATION SEEKING ON THE WEB
http://cacm.acm.org/magazines/2015/3/183606-privacy-implications-of-health-information-seeking-on-the-web/abstract
A study conducted by researchers at the Annenberg School for Communication at the University of Pennsylvania finds that 90 percent of visits to healthcare web pages result in personal health information being leaked to third parties. Researchers analyzed 80,000 healthcare web pages for the study and found that 70 percent of the shared information included information about specific symptoms, treatment, or diseases, and that the majority of the shared information went to online advertisers.

2014/15 CLINICAL PATIENT ENGAGEMENT MARKET TRENDS REPORT
www.chilmarkresearch.com/chilmark_report/201415-clinical-patient-engagement-market-trends-report
A report from Chilmark Research finds that healthcare organizations and providers remain slow to adopt effective patient portals and other patient engagement technologies. According to the report, providers are doing the bare minimum when it comes to digital. The basic patient portal still serves as the foundation of most digital patient interactions, according to the report.

Survey: HIOs are Improving Healthcare through Services

Health information exchange organizations (HIOs) are indeed making a difference in the care of patients, especially in areas measured by the "meaningful use" EHR Incentive Program. That is the finding of a 2014 study conducted by the Healthcare Information and Management Systems Society (HIMSS), which surveyed 19 HIOs about the services they provided and compared the results to a similar survey conducted the year before, according to an article in FierceEMR.

The survey showed that HIOs are making progress in helping providers offer better, more interoperable care to their patients in areas such as clinical decision support, computerized provider order entry, patient reminders, and summary of care records.

The survey results, according to an article in iHealthBeat, include:
79 percent of HIOs said they provided secure messaging services, compared to 59 percent in 2013
74 percent said they provided services or gateways to facilitate orders and deliver results, compared to 52 percent in 2013
47 percent said they provided patient access to health records, compared to 32 percent in 2013
42 percent said they provided patient reminders, compared to 22 percent in 2013

"We believe the results from the 2014 follow-up survey provide further evidence that HIEs are demonstrating broad industry momentum," wrote Mari Greenberger, director of informatics for HIMSS North America, and Charlie Rogers, chairman of HIMSS HIE Committee and CEO of Core Health Technologies, in a related blog post. "HIEs are also attempting to deliver increased value, especially surrounding the Meaningful Use Stage 2 core and menu options."

FDA Database Tracking Foodborne Illnesses through DNA

Public health officials have a new weapon in the fight against foodborne disease outbreaks. The GenomeTrakr network is a genomic database that compares bacterial pathogens that cause foodborne diseases and traces them back to their sources with greater speed and precision than previous methods, according to an article in Health Data Management.

The first distributed network of laboratories to utilize whole genome sequencing for pathogen identification, the network houses data from foodborne pathogens collected by public health and university laboratories, according to the Food and Drug Administration's (FDA's) GenomeTrakr website. This network allows researchers and public health officials to perform real time comparison and analyses to speed up investigations when foodborne illness outbreaks occur.

The database uses whole-genome sequencing to identify the complete DNA sequence of an organism's genetic material at a single time, according to Health Data Management. This process can be applied to isolated pathogens and compared with pathogens found in sick patients. As of press time, the GenomeTrakr has sequenced more than 9,900 Salmonella isolates and 2,600 Listeria isolates, and closed more than 100 genomes, according to the FDA website. The website notes that the current average rate of sequencing is over 800 isolates per month.

The database has already helped to confirm the source of a Listeria outbreak in early 2014, according to Alice Welch, director of the FDA Technology Transfer Program. Those interested in joining the GenomeTrakr as a sequencing lab, providing isolates for sequencing, or using the database as a research tool can contact the FDA at FoodWGS@fda.hhs.gov.

Patients and Providers to Blame in Lagging Health IT Use

Despite available technology, healthcare still faces serious inefficiencies in the use of technology to enable more connected care, and both patients and providers are to blame, according to the "2015 State of the Connected Patient" report.

The report, commissioned by Salesforce and conducted online by Harris Poll in January 2015 with 1,700 adults, found that less than 10 percent of adults with health insurance and a primary care doctor use the Internet, e-mail, or text messaging to set up appointments. Also, 40 percent of insured patients don't communicate with their physician to manage preventive care, such as diet monitoring, exercise check-ins, or regular health screenings.

The majority of health consultations still rely on in-person interactions while who keeps track of patient data varies, though younger generations are more open to technology-based interactions like telemedicine. Insured patients most commonly review their health data in person (40 percent) and get test results in person (44 percent), according to the survey, despite electronic options. Also, 62 percent of respondents said they rely on a doctor to keep track of their health data, while 28 percent still keep track of their data using a paper folder, shoebox, lockbox, or drawer, according to the survey.

The survey also illustrated a wide misperception about health IT's use by the average doctor's office or hospital. A total of 76 percent of respondents, who on average have 2.5 doctors overseeing some aspect of their care, said they are confident their doctors share health records, which is rarely the case.

TEXT DISCUSSES HIPAA SCENARIOS
www.ahimastore.org
A new title from AHIMA Press, HIPAA by Example, provides examples of expert reasoning on how the Health Insurance Portability and Accountability Act Privacy and Security Rules can be applied correctly under various real-life scenarios. Scenarios described in the book are based on actual situations, and answers include best practices and reference current state, federal, and international laws.

CHARTSPAN APP FOR ANDROID
www.chartspan.com
ChartSpan Medical Technologies has extended the reach of its personal health record keeping app, ChartSpan, to an Android version. The app is designed to help patients upload their medical records from paper to digital format, helping to extract the relevant data. ChartSpan CEO Jon-Michial Carter commented that the company decided to empower patients to manage their own electronic health records.

APP INCREASES PATIENT ACCESS
https://itunes.apple.com/us/app/sutter-health-mobile-app/id920850488?ls=1&mt=8
A free, new mobile app, available for iOS, from Sutter Health brings patients anytime access to the Sutter Health network of care and services. Features of the app include a symptom checker, access to a secure online site where patients may access their health information or e-mail their physician, and consultations with physicians via phone or video through MDLIVE, a telehealth service provider.

STANFORD APP CONNECTS EHRS, HEALTHKIT
https://myhealth.stanfordhealthcare.org/myhealth
An app developed in-house for iOS by Stanford Health Care engineers, MyHealth, connects iPhones and iPads with Epic's EHR system as well as Apple's HealthKit. Available for free from the Apple App Store, MyHealth also supports Stanford Health Care's ClickWell Care service.

Word from Washington

Decoding the Cromnibus Spending Bill for HIM Stakeholders
By AHIMA's Advocacy and Policy Team

BURIED DEEP WITHIN the 700-page cromnibus (the massive spending bill passed by both chambers of Congress last December) are various provisions that could affect HIM professionals directly. The following offers an explanation of the cromnibus and some of its most relevant provisions.

What is the Cromnibus?


The cromnibus is a combination of a long-term spending bill (omnibus) and a shorter-term continuing resolution (CR). It essentially funds most government agencies, including the Office of the National Coordinator for Health IT (ONC), until September 2015. The omnibus portion of the bill (i.e., the Consolidated and Further Continuing Appropriations Act of 2015) includes 11 appropriations bills, including one that is very pertinent to HIM: the Departments of Labor, Health and Human Services, and Education, and Related Agencies Appropriations Act of 2015. However, details of many of the health information technology (HIT) requirements are found in an accompanying explanatory statement rather than the bill itself. To read the full cromnibus visit www.gpo.gov/fdsys/pkg/BILLS-113hr83enr/pdf/BILLS-113hr83enr.pdf. To read the explanatory statement, visit www.congress.gov/congressionalrecord/2014/12/11/house-section/article/H9307-1.

Information Blocking: What the Bill Says
The bill says that ONC should certify only those products that meet current meaningful use program standards and that do not block health information exchange. It should decertify products that proactively block the sharing of information. Going forward, ONC must also provide information regarding the extent of information blocking, including the estimated number of vendors, hospitals, or providers who block information, as well as a comprehensive strategy to address it.
Information blocking occurs when vendors or healthcare providers deliberately
prohibit the sharing of information. This
could occur for a variety of reasons. For
example, vendors may block information
sharing in order to sell additional electronic health record (EHR) systems. An
EHR vendor may boast that its systems
are fully interoperable; however, that may
be true only if the provider implements
that one vendor's technology solutions.
Providers may block information sharing
in order to control the flow of clinically
relevant health information.

How This Could Affect HIM


It's unclear how frequently information blocking occurs because neither the government nor the private sector tracks this information uniformly. HIM directors should serve as vocal proponents for open exchange and work with vendors to ensure that technology promotes this capability. Professionals should also talk with their chief information officer and other executives to make them aware of this issue and the fact that it's on the ONC radar. The problem won't be solved until hospitals and other providers demand that vendors no longer block information or charge fee differentials to extract patient data or interface with other solutions.

Interoperability: What the Bill Says


ONC's Health IT Policy Committee must submit a report by December 2015 to the US House and Senate Committees on Appropriations regarding challenges and barriers to interoperability, including the technical, operational, and financial barriers. The report should also include the role of certification in advancing or hindering interoperability.

How This Could Affect HIM


There are many barriers to interoperability, including variation
in templates, information blocking, a lack of standardized vocabulary, and more. The Health IT Policy Committee report
will likely reveal these and a whole host of other barriers,
many of which HIM professionals can help to address. These
reports will hopefully serve as a foundation for consensus
and a stepping stone for HIM professionals and others to
understand and address these barriers.

Departments of Defense and Veterans Affairs: What the Bill Says
The Department of Veterans Affairs will receive funds to enhance and modernize its EHR system and develop a standard data reference terminology model. The goal is to ensure
that both departments have systems that can exchange data
and improve patient care for active service members and
veterans. Both departments must submit progress reports to
Congress regarding performance benchmarks toward developing an interoperable EHR.

How This Could Affect HIM


As with the ONC interoperability reports, the reports submitted by the Departments of Defense and Veterans Affairs will
hopefully spur progress toward what has become a decade-long effort to integrate these two systems. In many cases,
veterans and active military personnel have sustained lifelong injuries as a result of their service. It's important for providers to be able to access information about these patients
easily and efficiently. HIM professionals should be aware of
these reports and try to apply any lessons learned from the
experiences of these two departments to the private sector.

Cloud-based Platform for Public Health Reporting: What the Bill Says
The Centers for Disease Control and Prevention (CDC) will
work with state and local officials to develop a timeline for
cloud-based IT public health reporting that will reduce the
reporting burden on state public health agencies and create
economic efficiencies.

How This Could Affect HIM


The importance of this provision is not necessarily that it
calls for a cloud-based platform specifically, but rather that it
seems to acknowledge the lack of an efficient public health
reporting infrastructure. This initiative to reduce the burden
on state health agencies should also hopefully reduce the
burden on HIM departments. If HIM professionals can report
public health data electronically and even automatically from
the EHR, this would certainly create more efficiency. Despite
the challenges, HIM professionals must continue to ensure
that reports are accurate and complete.

Rural Health: What the Bill Says


The cromnibus bill allocates funding for quality improvement and adoption of health IT as well as the purchase and
implementation of telehealth services in rural areas. It also
enhances broadband telecommunications to support telehealth and distance learning programs.

How This Could Affect HIM


Telemedicine is extremely important in rural areas where access to healthcare providers is limited and where transportation barriers exist. Being able to bring the physician to the patient (rather than the other way around) via telemedicine technology is critical. As telemedicine continues to expand in scope, HIM professionals must ensure that documentation for these services is complete and that it thoroughly outlines the scope of the visit so payers don't scrutinize or question the nature of the virtual encounter.

Recovery Audit Contractors: What the Bill Says


The Centers for Medicare and Medicaid Services (CMS) will
educate providers on how to reduce errors, develop procedures to reduce the Office of Medicare Hearings and Appeals
(OMHA) backlog, and establish a process to provide educational feedback from OMHA to CMS and RAC contractors to
reduce the number of claims that are likely to be overturned
once they reach the OMHA. CMS must also submit a report
to the appropriate committees of the US House and Senate
regarding its strategy to improve the entire appeals process,
including the quality of auditors' reviews, and to improve
confidence in RACs' ability to interpret Medicare policies
consistently and correctly.

How This Could Affect HIM


This is all good news for providers and HIM professionals,
many of whom have struggled with a high volume of appeals
that are subsequently overturned. Hopefully these unnecessary denials will decrease over time. CMS education will also
help providers identify the reasons for denials so they can
implement internal processes to prevent these denials in the
future. A consistent interpretation of Medicare regulations
will also be helpful in terms of reducing unnecessary denials. HIM professionals should continue to monitor and track
denials and notify their RAC of areas for improvement. Pay
attention to CMS provider education, and ensure that any
internal policies and procedures address high-risk areas.

Contributor Acknowledgement
The authors of this article would like to acknowledge Joel
White, executive director of the Health IT Now Coalition, who
contributed to this article by providing insight into how the
cromnibus could affect HIM professionals.
The AHIMA Advocacy and Policy Team (advocacyandpolicy@ahima.org)
is based in Washington, DC.


Inside Look

New Technology Creates New Privacy, Security Challenges
By Lynne Thomas Gordon, MBA, RHIA, FACHE, CAE, FAHIMA, chief executive officer

LOOKING FOR SOME help around the house? Proponents of what has become known as the Internet of Things have been developing products that will do just that. For instance, the winners of the 2014 Internet of Things Awards represent a tempting array of Internet-connected products that can help with household tasks.1 One product tracks conditions in the garden and tells you when it's time to water. Others allow you to change your home thermostat, mow your lawn, or monitor home security via apps on your phone. Networked devices that monitor, collect, and analyze data are appearing in transportation, retail, and healthcare as well.
At the same time, the rise of the Internet of
Things has led to questions by privacy and
security advocates. How can we be sure the
data that is collected is handled properly?
The Federal Trade Commission recently
released a staff report urging companies
developing Internet of Things devices to
adopt best practices to address consumer privacy and security risks.2 Many of
the recommendations will seem familiar
to those of us who know HIPAA, such as
training employees about the importance
of security, ensuring that outside service
providers can maintain reasonable security, and considering measures to keep
unauthorized users from accessing a
consumer's device, data, or personal information stored on a network.
We in HIM may know the best practices, but that doesn't mean we have solved privacy and security. We have plenty of existing challenges, as this month's articles illustrate. In our cover story, "Cracking Encryption," Mary Butler looks at why encryption is still not widely used to combat costly breaches. Many providers are slow to invest in this technology, and the article looks at barriers and myths that may be hindering adoption.
As healthcare organizations consolidate, the process of managing protected health information (PHI) has become increasingly complex. Collette Zeiour, RHIA, and Mariela Twiggs, MS, RHIA, CHP, FAHIMA, explain how they created a more streamlined, consistent release of information process across the board in "Instituting an Enterprise-wide PHI Disclosure Management Strategy."
As electronic health records (EHRs) advance, HIM professionals with the right background and skills can fill more occupational roles than ever before. But it can be hard for us to understand all the options, especially when considering obtaining additional education. Lisa Eramo talks to some HIM professionals about various ways to climb the career ladder in "Learn More to Earn More." Another issue arises in trying to connect all of the disparate health IT systems and gadgets in order to foster meaningful, interoperable use of health information. In "Clearing the HIPAA Cobwebs," Chris Dimick speaks with the new ONC Chief Privacy Officer Lucia Savage on how she plans to balance privacy and security issues while fostering EHR data exchange.
As technology evolves, new challenges, like those presented by the Internet of Things, will continue to develop. We'll need to keep our skills in top form to continue to meet them.

Notes
1. Postscapes.com. Fourth Annual Internet of Things Awards. http://postscapes.com/internet-of-thingsaward/2014/index.
2. Federal Trade Commission. Internet of Things: Privacy and Security in a Connected World. January 2015. www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-reportnovember-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

Cracking Encryption

DESPITE BENEFITS, TECHNOLOGY STILL NOT WIDELY USED TO COMBAT MULTI-MILLION DOLLAR BREACHES
By Mary Butler

IN MOVIES AND on television lately, Hollywood has made encryption and decryption look exciting, glamorous, and world-saving. The film The Imitation Game and the BBC show The Bletchley Circle chronicle how British code breakers decrypted military strategy codes from the Nazi encryption tool called Enigma. History buffs know that decryption technology and the military advantage it provided shortened World War II by an estimated two years, saving untold thousands of lives.
Encryption and decryption, particularly encryption, is still a high stakes game today when it comes to protecting valuable data like personal health information.


Hackers and thieves, the enemies of secure health data, are waging a war against hospitals, insurers, Wi-Fi networks, and patients whose information is stored and transmitted by those entities.
The last several years have seen massive data breaches compromising the protected health information (PHI) of millions of people. In January, the thieves who hacked insurer Anthem gained access to the names, birthdates, medical ID/Social Security numbers, addresses, employment information, and income data of an estimated 80 million people, the largest breach to date as of press time. And in August 2014, a group of Chinese hackers breached Community Health Systems' network, which stored the patient data of 4.5 million people. These breaches came shortly after the Federal Bureau of Investigation warned healthcare providers that hackers were expected to target facilities in the healthcare industry due to lax security practices.
One of the best tools for fighting breaches is data encryption, which health information management (HIM) professionals define as the process of transforming text into an unintelligible string of characters that can be decrypted when it reaches a secure destination.1
While encryption can't prevent every kind of breach out there, it can lessen the blow when data is stolen by preventing sanctions from the government. If an encrypted device is stolen, the information is considered inaccessible by hackers and the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) waives monetary penalties. In other words, encryption is a "get out of jail free card" of sorts when done properly.
But even with perks like that, as well as preventing the loss of millions of dollars in fines and credibility with the public, healthcare entities have been slow to jump on the encryption bandwagon. Much of that is due to myths surrounding encryption. Healthcare organizations are concerned that encryption will slow down a number of operations, such as electronic health record (EHR) system functions, web portal communications, and business processes. Another concern is cost, though the costs of encrypting databases, mobile devices, data at rest (data that's stored), and cyber insurance policies vary broadly.
Encryption also doesn't come with an easy or readily measurable return on investment, which can make it hard to justify during budget negotiations. Finally, for privacy officers, HIPAA is frustratingly vague on encryption requirements. Chris Apgar, CISSP, CEO of Apgar Solutions, which helps healthcare organizations perform HIPAA Security Rule risk analyses and build security response plans, notes that while the HIPAA Security Rule talks about encrypting laptops versus encrypting e-mail, it's not specific about how to do it.
But the rewards of having stringent data protection programs, whether through encryption alone or encryption combined with other measures, are enormous as long as an organization knows what to encrypt, can identify why they're encrypting, and can see through the myths.


The healthcare industry is coming around to encryption, slowly but surely, security experts say. With an increasing number
of data breaches occurring as the result of stolen laptops, encryption is getting a second look from many providers. According to a 2014 Bitglass analysis of HHS breach reports, 68
percent of healthcare data breaches since 2010 were the result
of lost or stolen files or devices. Forty-eight percent of breaches
involved a laptop, desktop, or mobile device.2

Encryption: Where to Start


Any dutiful security and encryption expert is going to advise a provider to hire a consultant to help implement an encryption strategy and select a vendor. But before they even get that far, Chris Bowen, MBA, CIPP/US, CIPT, founder and chief privacy and security officer at ClearDATA, says it's important for companies to know where their data is, literally. Does the data live in secure database rooms, or on laptops, EHRs, and mobile devices?
"Find out where your data is at, understand the safeguards around where that data is at, and then do what you'd normally do in any security risk analysis, and understand where your gaps are," Bowen advises. "Eliminate those gaps, then prioritize high severity items first."
This is exactly what Traci Waugh, RHIA, CHPS, CHC, senior director of compliance at North Valley Hospital, in Whitefish, MT, did when her facility first implemented encryption technology. Even though North Valley is a small 25-bed critical access hospital, the data they're protecting is valuable, says Waugh, who is also a member of AHIMA's Privacy and Security Practice Council. And because of its size, the cost of a breach at North Valley would hit very hard financially.
Waugh says her facility underwent a risk assessment, and the results uncovered vulnerabilities that helped her convince senior management that encryption and other security measures were worth the investment. Waugh found that the hospital's liability insurance had started offering a cyber liability plan, which, while it doesn't cover the cost of encryption or an OCR fine, would help pay for fees associated with sending notification letters, getting outside public relations help, and publishing the required notices in the wake of a breach.
Waugh and her team also moved forward with a plan to encrypt every mobile device that the hospital deploys, such as laptops and iPads. They also chose to auto-encrypt e-mails when
PHI is being transmitted. This decision was met with resistance
by physicians and others in the organization who felt this slowed
down their processes. In this case, the notion that encryption is
slow turned out not to be a myth, but a reality.
Recipients had a hard time retrieving an encrypted message as well. After dealing with negative feedback, Waugh and her team changed the policy, leaving the decision to encrypt an e-mail in the hands of the sender. This step requires just one extra click for the sender, though the recipient still has to go through a couple steps to retrieve it. But overall Waugh described the process as "not too painful."

How Encryption Works

ONE OF THE hurdles to getting organizations to adopt encryption is conveying its importance to senior management in terms they can understand. In layman's terms, encryption turns text data (such as information considered sensitive, like PHI) into an undecipherable stream of characters, like this:

Graphic credit: Sharon Lewis, MBA, RHIA, CHPS, CPHQ, FAHIMA, Primeau Consulting.

Usually there is software or another mechanism that deidentifies the data in the original message so that only individuals who have a "key" (such as a password or another multifactor authenticator) can decrypt the data.
Health data security experts say that data sent around and within the same organization (a closed network) usually doesn't need to be encrypted. But if it's being transmitted outside of an organization, especially if it's PHI, it should be encrypted.
There are also different levels of encryption, and the strength is determined by a mathematical algorithm. Depending on the algorithm, the encrypted data may or may not be considered secure. Healthcare organizations can look to organizations such as the National Institute of Standards and Technology (NIST) to provide recommendations for the level of encryption needed to protect various devices.
Encryption strength is measured in bits. For example, encryption strength for a laptop and its disk size might be 56 bits, which can be cracked in three days by someone who doesn't have the key or passcode. On the other hand, it could take six months of quantum computing to crack something employing 128-bit encryption, such as a large database, according to Apgar.
But as other experts have noted, encryption only works when the people using the data are properly trained. For instance, with some encryption technologies data on a laptop is only encrypted when the laptop is closed or shut down. If a user walks away from the laptop the data is not secure until the system automatically signs the user out after a set period of time.
"In essence disk encryption technologies can be bypassed if an attacker gets a hold of the computer while it is sleeping or waiting for a password prompt. The attack exploits RAM chips in laptops that aren't cleared of data when the laptop is turned off," Bowen says.
To be certified for stage 2 of the "meaningful use" EHR Incentive Program, eligible professionals or hospitals must conduct or review a security risk analysis that includes addressing the encryption/security of data stored in certified EHR technology, according to the program's final rule. For providers working on meaningful use, encryption should be a priority.
"If I'm using an EHR system, entering or updating patient records in the electronic system, then encryption should be seamless to the user," Bowen says. "They would be viewing the application inside a secure network, and once they hit save it would push that data to a database that automatically encrypts the data when it is no longer being accessed or used."

Elisa Gorton, RHIA, CHPS, MAHSM, assistant director of HIM and privacy officer at St. Vincent's Medical Center in Bridgeport, CT, says the cost of encryption and the potential for slower e-mail sending and receiving are the price organizations may pay for securing their systems. At St. Vincent's, e-mails leaving the organization are automatically scanned as they leave their internal e-mail system. The system will detect certain wording and numbering conventions that could be, or are, Social Security numbers or phone numbers, credit card numbers, account numbers, medical record numbers, etc. The system then sends an automatic reply back to the sender informing them that the e-mail did not transmit. The organization has a policy and procedure for encrypting such e-mails and when they are encrypted the e-mail is transmitted. Gorton's organization also encrypts mobile devices owned by the hospital.
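The outbound scan-and-bounce flow described above, as an added Python sketch (not St. Vincent's system or any vendor's product). The organization domain, the message dictionary layout, the keyword-anchored medical record and account number patterns, and the sample values are all assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

ORG_DOMAIN = "hospital.example"  # assumption: the organization's own mail domain

SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}(?!\d)")
# Assumption: record and account numbers are recognized by a nearby label,
# because a bare digit run is indistinguishable from any other number.
LABELLED_RE = re.compile(
    r"\b(MRN|medical record (?:no\.?|number)|account (?:no\.?|number)|acct)"
    r"\s*[:#]?\s*(\d{6,12})\b", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str
    masked: str  # never keep the raw identifier in scanner output or logs


def mask(value: str, keep: int = 2) -> str:
    """Replace every digit except the last `keep` with '*'."""
    total = sum(c.isdigit() for c in value)
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep else "*")
        else:
            out.append(c)
    return "".join(out)


def luhn_ok(digits: str) -> bool:
    """Card-number checksum; filters out order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject number ranges that are never issued as SSNs."""
    return (area not in ("000", "666") and area[0] != "9"
            and group != "00" and serial != "0000")


def scan(text: str) -> list:
    findings = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            findings.append(Finding("ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(Finding("card", mask(m.group())))
    for m in PHONE_RE.finditer(text):
        findings.append(Finding("phone", mask(m.group())))
    for m in LABELLED_RE.finditer(text):
        label = m.group(1).lower()
        kind = "mrn" if label.startswith(("mrn", "medical")) else "account"
        findings.append(Finding(kind, mask(m.group(2))))
    return findings


def gate(msg: dict) -> dict:
    """Decide what happens to one message: keys 'to', 'subject', 'body', 'encrypted'."""
    external = [a for a in msg["to"] if not a.lower().endswith("@" + ORG_DOMAIN)]
    if not external:  # only mail leaving the organization is scanned
        return {"action": "deliver", "findings": []}
    findings = scan(msg["subject"] + "\n" + msg["body"])
    if not findings or msg.get("encrypted"):
        return {"action": "deliver", "findings": findings}
    kinds = ", ".join(sorted({f.kind for f in findings}))
    reply = ("Your e-mail was not transmitted because it appears to contain: "
             + kinds + ". Resend it using the encryption procedure.")
    return {"action": "bounce", "findings": findings, "auto_reply": reply}


if __name__ == "__main__":
    sample = {  # constructed sample message, not real patient data
        "to": ["referrals@clinic.example"],
        "subject": "Follow-up",
        "body": "Patient MRN: 00482913, SSN 123-45-6789, call 203-555-0142",
        "encrypted": False,
    }
    print(gate(sample))
    print(gate(dict(sample, encrypted=True))["action"])
```

The checksum and range checks are what keep a pattern-based gate usable: without them, every 16-digit order number or malformed identifier would bounce mail and push senders toward workarounds.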
St. Vincent's e-mail security program is robust, but Gorton knows there are weaknesses in any organization. She says that in the back of her mind she's always worried about a person who uses their own personal mobile device for work. "I think that's always going to be pretty much where I see our greatest risk right now," she says.

Barriers to Encryption Adoption


Security of systems is always going to compete with revenue generating projects, says ClearDATA's Bowen. Some hospital management, or practices owned and run by physicians, will look at the financial cost of encryption (whose value can't be measured for a long time), weigh it against profit generators such as new surgical and radiology wings, and come to the conclusion they should put off encryption.
However, not every type of encryption is expensive. Apgar,
who regularly reviews security products, says encrypting laptops can cost up to $150, but laptops can also be encrypted with
USB devices that cost $15-$20 or less. Mobile devices such as
Windows, Android, iPhones, and iPads are natively encrypted.
Physicians can purchase encrypted text messaging platforms
which allow them to text message patient information to each
other. Without encryption, the stakes are much higher. The loss
of an encrypted laptop can cost an organization as little as $300
to replace it. However, a stolen unencrypted laptop can cause
an organization millions of dollars in penalties and breach-related costs, and potential harm to patients.
Fortunately, security experts are seeing positive trends toward physicians and hospitals embracing encryption; it's just been slow in coming. But the recent string of large-scale breaches, both in retail and healthcare, is starting to sway healthcare providers to encrypt. Bowen says he's seeing this in his own cloud security firm.
"I see a trend absolutely going in that direction," Bowen says. "If you see the new protocols for sharing data, you'll see data protection and encryption built into the technology a lot more than the old days. That said, when you're dealing with a legacy system, [like] Anthem or others, it's harder to shore those things up. So the new things you're seeing coming out are really trending in the right direction."
Still, physicians need more education on security and encryption if they're going to be compliant. "It's not that physicians don't want to communicate securely or protect their patients' information. What they want is to be able to access the data in a way that allows them to care for the patients," Bowen says. "So sometimes they'll say 'I'm going to send this text of my patient chart, how can we act?' And it's just easier to communicate that way sometimes.
"They don't do it purposely, but a lot of physicians will bypass group controls because they need to make a decision in treating a patient in a very urgent manner. You can't fault them for that."
It's not just physicians who are slow to encrypt, but even senior executives, say Michael Frederick, CISSP, and Steven Penn, CISSP, ISSMP, ISSAP, CAP, HCISSP, both of the Frisco, TX-based HITRUST Alliance.
"The problem is when you start talking about the cyber security stuff, nobody believes that what you're saying is real. They think you're talking about a Tom Clancy novel," Penn says. "Some of them view the computer as this mystical box that just does things and [they] don't understand it. When you talk about cyber security stuff, and when you bring up state actors like Russia and China and organized crime, they really start to think you're spinning science fiction here. Hopefully the silver lining in some of the events that have transpired over the last 12 to 18 months, those types of issues are being shown to be real."

What to Encrypt, Remaining Vulnerabilities


In a perfect world, not only would every mobile device, every
e-mail sent, and every EHR be encrypted, but so would data
stored within servers, at rest, and in transmission. That would
be the "holy grail supreme," according to Frederick and Penn.
HITRUST is an organization that assists healthcare organizations with the implementation of cybersecurity systems by providing them with a cybersecurity framework tailored to each
type of organization. They are also working with state governments to develop regulations around cybersecurity, regulations that are harder to achieve at a national level.
The easiest way to do this is by building security features such
as encryption into the very beginning of the security lifecycle.
But both Frederick and Penn note that one of the challenges
of knowing what and how to encrypt is deciphering what the
HIPAA Security Rule says about it. HIPAA guidelines are purposely vague so as not to be interpreted as prescriptive. With technology evolving so quickly, the government didn't want to tell stakeholders exactly how to encrypt their data.
As a result, it can be hard for organizations' security professionals to articulate their encryption needs to senior management. If an upper management official doesn't like how the IT department says something must be done, there isn't a lot in the HIPAA Security Rule saying that "x" has to be done.
"Even in those items that it [HIPAA] considers required, there is always use of the terms 'reasonable and appropriate' and I tend to read those terms and think, 'That means to be defined later by an attorney.' So I like to avoid those situations," Frederick says. "When they released that initial information or initial rule, they left it vague on purpose not realizing we're moving into the healthcare space. They needed little more than a vague rule to work with."
Even if a healthcare organization follows the government and industry best practices to the letter, nobody is 100 percent safe from a security breach. Organizations need to stay up-to-date on all of their vendors' security patches and updates since hackers are routinely testing new system weaknesses. For example, with the Anthem breach, the hackers manipulated authorized administrators to give them their credentials in order to access Anthem's database and run a query. Having that data encrypted on disks wouldn't have prevented the breach, Penn says.
Apgar points out that while encryption is great protection, it's useless unless the individuals using and deploying it have the right training. "The biggest risk out there [is if] people just focus on the technical safeguards, especially when you're working with vendors," Apgar says. "Your biggest risk is on the people side. If you don't have administrative safeguards in place, it doesn't matter what you do, you're going to land yourself in trouble."
The perfect example, he says, occurred when he and his wife were driving cross-country and Apgar's wife saw a home health nurse doing her charting on an unsecured network at Starbucks. In addition to using an open and unsecured Wi-Fi connection, the nurse had PHI on her laptop screen, easily readable by anyone who walked past her.
To that end, Penn and Frederick both say that even a massive breach like Anthem's isn't the worst kind of healthcare privacy breach, though to be sure, it's not a scenario anyone wants to live through. The most dangerous security risk is hackers who find a way into a hospital's networked medical devices (such as morphine IV lines, insulin pumps, pacemakers, and heart and oxygen monitors) and manipulate the operation of those devices.
"There is a large risk out there for life and limb for patients hooked to these devices and decisions that are made on information rendered in them," Frederick explains. "Historically with medical devices the device manufacturers have resisted providing malware protection, or secure network connectivity."
This leaves medical devices vulnerable to cyber terrorism. All it would take is for one hacker to install a malicious code causing one of these devices to malfunction. Although this might sound paranoid, it helps put encryption in perspective.
"We have been talking about security and encryption in the context of a breach, and people having their personal information stolen. When it comes to healthcare that is probably the best case scenario for what could happen in a breach," Frederick says.

Journal of AHIMA Continuing Education Quiz
Quiz ID: Q1518604 | EXPIRATION DATE: APRIL 1, 2016
HIM Domain Area: Privacy and Security
Article: Cracking Encryption

Notes
1. AHIMA. Pocket Glossary of Health Information Management Technology. Chicago, IL: AHIMA Press, 2012.
2. Bitglass. "The 2014 Bitglass Healthcare Breach Report: Is Your Data Security Due for a Physical?" http://pages.bitglass.com/rs/bitglass/images/WP-Healthcare-Report-2014.pdf.

Reference
WinMagic Data Security. "Data Encryption Demystified: Seven Common Misconceptions and the Solutions That Dispel Them." http://docs.media.bitpipe.com/io_10x/io_104841/item_535783/WM_Data_Encryption_Demystified_White_Paper_20120316.pdf.

Mary Butler (mary.butler@ahima.org) is associate editor at the Journal of AHIMA.

TAKE THE QUIZ AT WWW.AHIMASTORE.ORG


NOTE: MAILED-IN PAPER QUIZZES WILL NO
LONGER BE ACCEPTED


Instituting an Enterprise-wide PHI Disclosure Management Strategy
By Collette Zeiour, RHIA, and Mariela Twiggs, MS, RHIA, CHP, FAHIMA

With more than 1,000 large breaches of protected health information (PHI) on record, it's not surprising that PHI disclosure management is currently top of mind for healthcare leaders.[1] Many of these breaches have cost organizations between $1 million and $5 million in penalties, not to mention damages related to their reputation and patient trust.[2] As organizations prepare for the next round of US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) audits, a centralized and enterprise-wide PHI disclosure management strategy can help create a more airtight compliance environment while streamlining workflows in busy organizations.
One hospital system that chose to institute enterprise-wide
PHI disclosure management was East Jefferson General Hospital
(EJGH). EJGH, which has seen their centralized strategy standardize processes and create consistency, provides healthcare for the
eastern Louisiana region through its 2,700 employees and more
than 600 physicians. In addition to a 420-bed hospital, EJGH offers a broad spectrum of healthcare services via a regional cancer center, cardiovascular services, radiology and interventional
care, ambulatory services, and 23 physician practices.
Collette Zeiour, RHIA, health information management (HIM)
director at EJGH, first saw the need for a strong, standardized PHI
disclosure management strategy across all departments and facilities in 2011. Creating an enterprise strategy would be a large-scale
effort, but Zeiour felt it would ultimately enable consistency, standardization, and efficiency throughout the growing health system.
To help launch the enterprise PHI disclosure management strategy, EJGH partnered with release of information vendor MTT Enterprises, which was acquired by vendor MRO during the course of the initiative. At its inception, the enterprise PHI disclosure management project began with the HIM, radiology, and billing departments, adding a cardiology clinic several months later. The largest phase of the project came when EJGH added its 23 physician practices to the strategy. Given EJGH's fast-paced growth in its physician practice groups, this phase of the project was particularly important.

Addressing Workflow Challenges and Standardizing Processes

Early on, the team acknowledged several challenges that needed
to be addressed. For example, the way various staff handled release of information (ROI) requests varied widely. While each team
handled PHI correctly, the lack of consistency created inefficiency
and varied timelines for fulfilling ROI requests. As EJGH continued
to grow, expanded departments and new physician practice locations led to even greater variations in PHI disclosure management.
When EJGH launched its enterprise disclosure management strategy, the team's goal was to implement a centralized program that would enable the entire EJGH staff to leverage a consistent workflow across the organization. A centralized approach would not only streamline workflow but also ensure standardization, which would mitigate potential risk. In addition, the enterprise project was an opportunity to identify inefficient workflows and create a faster, more efficient process that would allow staff to be more productive.
One disclosure workflow that was standardized across EJGH as a part of this initiative was the accounting of disclosures (AOD) log. The physicians network, imaging center, and HIM departments previously maintained separate AOD logs. Now, all releases are logged and maintained in one database. Another workflow standardization example is the accessibility of pending requests via the "Documents Required" list. An employee who works at the imaging center, for example, now has the ability to view the request and authorization documents for the hospital and assist with retrieving and uploading the records to fulfill and complete the request remotely. This allows for increased productivity at a location that may not be as busy while also assisting the main HIM department with the workload.

Creating Consistency, Reducing Workload


In late 2011, EJGH brought its numerous physician practice
locations under the centralized PHI disclosure management
program. In addition to having their own processes for ROI
requests, practices were using disparate technology systems.
Many were also engaged with different disclosure management vendors. Consequently, practice locations had different
needs regarding the PHI disclosure management process. For
instance, some locations still used paper; therefore, the assisting vendor's management team needed to determine how and
when to pick up paper-based ROI requests.
The vendor team visited all practice locations and evaluated
their workflows, ultimately developing processes that were compatible with each practice's technology and would allow them
to offload work to their vendor. While EJGH maintained its standardized and consistent disclosure management program, their
vendor made minor workflow adaptations based on the practice locations' varying circumstances. EJGH soon implemented
a technology platform offered by their vendor that enabled staff
across the enterprise to submit ROI requests. While the transition
to this platform was an adjustment for employees, it ultimately
allowed them a new level of visibility and efficiency since staff
could track requests, view their status, and access reports.
In addition, the new platform allowed EJGH staff to offload
many duties to their vendor, such as invoicing, mailing, sending notifications to requesters, generating a variety of correspondence, and fulfilling other clerical duties. As part of the
move to the new online platform, the vendor also took over the
quality assurance (QA) process. HIM leadership decided to
maintain its own QA check as well, which doubled QA efforts
to ensure the organization remained compliant and error-free.
Initially, some physician practices were reluctant to move to the
centralized strategy because they had to relinquish control and
learn the new online platform. Now, many practice managers are
quite vocal in their appreciation, indicating their satisfaction with
knowing they are maintaining their patients' data privacy and
security. Despite the varying cultures and technology systems
among practices and departments, EJGH has achieved a level of
consistency and standardization that brings peace of mind.
Since reducing the backlog of ROI requests at the inception
of the project, EJGH has maintained a three-day turnaround on
requests, often fulfilling requests in less time. This consistent
timeliness has enabled EJGH to provide excellent service to patients while also adhering to legal and regulatory demands.
The new workflows and technology have also drastically reduced the time EJGH staff spends on certain activities. Recovery
audit contractor (RAC) and Medicare administrative contractor
(MAC) requests, for instance, once took days to fulfill due to the
boxes of paper records that had to be assembled. EJGH staff is
now able to use their new processes and electronic submission
software to meet these requests, which eliminates hours of printing and administrative work. In addition, the team can log in to
the online platform and check the status of any RAC appeals.

Regulatory Environment Increasingly Complex


The EJGH team makes frequent communication and ongoing
training a priority, which keeps staff abreast of changing regulations. The team acknowledges several factors that enabled their
successful implementation of an enterprise-wide PHI disclosure
management strategy, along with a few lessons learned:
Get leadership on board in advance. Implementing a centralized approach to PHI disclosure management is much easier if leadership conveys its importance to all team members across the enterprise. Establishing why it's necessary, and not optional, can go a long way in ensuring success.
Work through the kinks prior to implementation. Bring
in the IT department about a month before implementation
to work through any issues in technology and workflows. This
helps IT identify and resolve any problems before go-live.
Prioritize ongoing communication and training after implementation. During the initial go-live phase, the team will need frequent and more intensive communication. After everyone is comfortable with the new processes, though, project leadership should
still offer regular forums for communication and collaboration.
Why? Regulations frequently change and staff often has questions
or ideas after the initial flurry of implementation has passed.
Offload and centralize PHI disclosure management tasks as much as possible, even if staff initially disagrees. Even though physician practices had their own processes, technology, and solutions for PHI disclosure management, EJGH implemented an enterprise approach. Now, physician practice teams are grateful they can focus on patient-facing or revenue cycle staff activities rather than fulfilling ROI requests. Centralization not only created consistency and mitigated risk, but also gave practice staff much-needed time for other tasks.
Tracking and reporting capabilities are a necessity, not a
luxury. EJGH staff across the enterprise realize the necessity of
logging into a system and being able to find out when a record
was released, if the party received it, or other information related to status. When recipients claim they didn't receive a document within the requested timeframe, having transparency into
the process has proven invaluable. When embarking on a PHI
disclosure management project, be sure to evaluate the tracking
and reporting features to ensure staff will have what they need.
As healthcare organizations continue to grow, it is important
to stay on top of plans to acquire practice locations or expand
into new service areas. Proactively addressing PHI disclosure
management for new departments can help an organization stay
compliant, consistent, and efficient in the years to come. As patients and HHS both continue to demand new levels of safety and
privacy, a centralized, enterprise-wide PHI disclosure management strategy can help ensure a healthcare organization adheres
to requirements and keeps patients' trust in the years to come.

Notes
1. The Advisory Board Company. One in 10 Americans Has
Been Affected by a Large Health Data Breach. The Daily
Briefing. June 17, 2014. www.advisory.com/Daily-Briefing/2014/06/17/One-in-10-Americans-has-been-affected-by-a-large-health-data-breach.
2. Department of Health and Human Services. Health Information Privacy: Case Examples and Resolution Agreements.
www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/.
Collette Zeiour (czeiour@ejgh.org) is director of HIM for East Jefferson General Hospital. Mariela Twiggs (mtwiggs@mrocorp.com) is national director
of training and compliance for MRO.

Journal of AHIMA Continuing Education Quiz


Quiz ID: Q1528604 | EXPIRATION DATE: APRIL 1, 2016
HIM Domain Area: Privacy and Security
Article: Instituting an Enterprise-wide PHI Disclosure Management Strategy


LEARN MORE TO EARN MORE...
HOW TO FURTHER YOUR HIM EDUCATION, AND WHAT IT GETS YOU
By Lisa A. Eramo

Determining what to do with one's life is a daunting task. Even once you've chosen the field of HIM, the sky is the limit in terms of the roles in which you can serve. As HIM evolves commensurate with the electronic health record (EHR), the options only continue to grow, and require skills and education to seize them. Many HIM professionals are starting to feel the push for an advanced degree or credential in what has become an increasingly competitive job market saturated with talented and tech-savvy individuals.
With all of the choices available, however, it can be overwhelming to determine what educational requirements are needed to accomplish professional goals and aspirations. How do you know what educational endeavor to tackle after you obtain your first HIM degree? Is it truly worth it to obtain an advanced degree or credential? How can HIM professionals ensure a return on investment?


Heed This Advice When Seeking Additional Education or Credentials

Not sure where to begin in terms of pursuing your next educational endeavor? AHIMA has created an interactive Career Map (available at www.hicareers.com/CareerMap) that provides job descriptions and responsibilities as well as skills and education required for a variety of current and emerging HIM roles.
Prospective career advancement advocates can also consider these tips provided by HIM professional experts.
1. Ask yourself, "What is it that I really want to do?" Do you like to work with other people? Do you gravitate toward leadership positions? Do you enjoy working with a team in the trenches? Do you prefer to work independently? What is your dream job in HIM? The answers to these questions will help determine the type of position for which you should strive. For example, those who enjoy working in the trenches may consider a coding route. Those who prefer to work independently may enjoy working as a data analyst. Those who specifically seek a raise in salary may want to consider management-level positions.
"Know yourself, and then move in the direction that best suits your skills," Parker says. "There's a fallacy that if you're not in a management position, you're not using your full potential. In HIM, that's just not true."
Many HIM professionals pursue additional credentials because they want to move in a new direction, increase their knowledge as their current position evolves, or simply prove their proficiency in a particular subject area, Marc says. "I think we're going to see more credentials over the next 10 years," he says. "There are many individuals who are working in the profession who need to be able to identify themselves as having particular skills."
Marc, who helps teach the College of St. Scholastica's CHDA exam prep course, says he pursued the CHDA credential because of his knack for analytics and to identify himself as an expert in this area.
2. Interview others in the profession and within the organization to get your bearings and hear real stories. Talk with other professionals before making the leap into higher education or pursuing a specialty credential. Most HIM professionals are very approachable and more than happy to share their educational and professional journeys, Parker says. Ask them if you can shadow them for a day. Also consider asking management staff about the types of credentials and degrees that could benefit you the most within the organization, she adds. Are there any upcoming organizational changes for which a credential might be helpful?
3. Move at your own pace. Pursuing additional education or credentials can be extremely difficult for those with family and work obligations. "It's a lot to juggle," Marc says. "Not everyone can hammer out a degree in one or two years. Take the time you need to get it done." Edmonson agrees. "As long as you're working toward it and taking one class at a time, you'll get there eventually," she says.
However, it's important to stay focused and not use a lack of free time as an excuse to delay education, says Lusk. "We need to encourage people that there's never going to be a good time to do it. You just need to get started," she says.
4. Never forget the importance of networking. Even once you've got the credential or degree, you've still got to work at finding and maintaining professional connections. Networking essentially enhances the return on investment of the degree or credential, Parker says. It's not just about what you know; it's about who you know as well. It's incredibly important to engage in internships and attend AHIMA's local and national meetings, she adds.

Times, They are A-changin'

There's no doubt that the healthcare environment in which today's HIM professionals work is far different from the one that existed 10 or more years ago, says Susan Parker, MEd, RHIA, owner and recruiter at Seagate Consultants, based in Wilmington, NC.
Parker, whose company focuses on recruiting individuals for both traditional and emerging HIM roles, says having a credential and/or degree in higher education is becoming far more common, and even expected, in today's job market. Having an associate's or bachelor's degree is a helpful start; however, employers are increasingly looking for more specialized knowledge or even a master's degree. This is particularly true for HIM director and manager positions, she says.
"I think we'll find that having a master's degree will be the baseline for management-level positions. We're not there yet, but I think we will be," Parker says, adding that this transition could occur in the next five to 10 years given the rapid evolution of the profession.
Specific master's degrees that may appeal to HIM professionals run the gamut. There's the traditional master's degree in health services management, but there are also master's degrees in education, strategic leadership, organizational leadership, health administration, or health informatics. Some HIM professionals are even pursuing a master's in business administration. Others may pursue a legal degree or master's degree in jurisprudence, or even a PhD.

Some Cross the Bridge

A working professional doesn't necessarily need to go to a college campus to get a higher education. HIM professionals are increasingly pursuing their degrees online, which makes it easier to balance their education with a full-time job and other commitments, Parker says. Another cost- and time-effective option is to pursue a bridge program. These programs target those with an associate's degree or RHIT credential and provide advanced standing so students only need to focus on the necessary core classes to obtain the new degree.
Some opt for advanced degrees directly unrelated to HIM. Parker originally obtained her own master's degree so she could work in higher education. The degree ultimately allowed her to serve as the director of an RHIA program for more than a decade before she founded the recruiting company that she now oversees. She says having a master's degree in adult education gave her a greater appreciation for how adults learn and function in the workplace as well as what motivates adults. All of this insight is helpful when recruiting HIM professionals, she says.
However, not everyone aspires to become a manager or work in higher education, and there are certainly plenty of other avenues to pursue. "Getting a master's degree isn't for everyone. It makes sense for people who are moving into those management positions," Parker says. "For those who aren't moving into these positions, having an additional credential makes all the difference."

Moving HIM Toward Advanced Degrees

A goal of AHIMA's and the AHIMA Foundation's Council for Excellence in Education (CEE) is to increase the number of AHIMA members who hold master's and doctoral degrees. The point of this goal is to attract new members who hold higher education degrees as well as help current AHIMA members obtain advanced education in order to better utilize their skills and role in the workforce. The CEE Strategic Action Plan includes a goal to increase the number of members holding master's and doctoral degrees to 12,500 by the year 2023, an increase of more than 60 percent over December 2013 numbers.

Number of AHIMA Members with Master's and Doctorate Degrees
December 2013: 7,609 (actual)
December 2014: 7,920 (actual), 4 percent increase over 2013
December 2023: 12,500 (goal), 64 percent increase over 2013

Adding Credit to Your Name, Literally

Credentials speak volumes to a potential employer because they help capture one's proficiency and expertise in a particular area. "A credential says that someone's knowledge is not tied to their individual experience," Parker says. "Their knowledge is certified and proven. Whether you're in North Carolina or California, your knowledge applies."

The good news is that HIM professionals have a whole slew of credentials from which to choose. For those interested in clinical documentation improvement, consider the Certified Documentation Improvement Practitioner (CDIP) credential. For those interested in coding, consider the Certified Coding Specialist (CCS) or Certified Coding Specialist-Physician-based (CCS-P) credentials. The Certified in Healthcare Privacy and Security (CHPS) credential is great for those interested in HIPAA. Those who are interested in health IT might consider the Certified Healthcare Technology Specialist credential (CHTS). Finally, there's the Certified Health Data Analyst credential (CHDA) geared toward those who enjoy working with and analyzing Big Data.
What credentials and degrees are in the most demand right now? Parker says it depends on the position. As a recruiter, however, she has seen an increased demand for those who can work with and manipulate healthcare data. Overall, employers are increasingly looking for those with the unique combination of work experience, an advanced degree, and a specialty credential. She says there is also a demand for project management credentials and experience, given HIM's role in overseeing ICD-10-CM/PCS and EHR implementations.

Graduate Degrees Allow Professional Mobility


David Marc, MBS, CHDA, knows the value of higher education and specialty credentials. After graduating from college with a bachelor's degree (double major in biology and psychology), he got a job working in a lab using data analytics to develop predictive models for diseases. He decided to obtain his master's degree in biomedical sciences with a minor in biomedical informatics to advance his position from that of clinical researcher to senior clinical researcher.
After realizing that he wanted to perform his own research
rather than assist others with their projects, he decided to take
some time off work to pursue his PhD in health informatics with
a minor in cognitive science. Ultimately, his passion for teaching landed him his current job as an assistant professor in the
department of health informatics and information management at the College of St. Scholastica, where he says having a
PhD will help him pursue tenure track. Marc, who also serves
as the health informatics graduate program director, says many
students view a graduate program as a way to explore different
job opportunities.
"What I think an advanced degree does for you is expose you to the depth and breadth of the profession so when you leave the program, you understand all of the angles and components," he says. "When you graduate, you have more confidence in terms of knowing where you want your career to go."
Oftentimes, new graduates become pigeonholed within one aspect of HIM and may not even realize what other opportunities are available, Marc says. Other professionals may feel as though they've hit a plateau in their careers. Despite their frustration, they may feel as though they don't have the ability to move in a new direction, particularly in the direction of the emerging field of healthcare analytics. "Statistics and analytics are terms that scare a lot of people," Marc says. "But I've had students who go through these classes, and it just clicks. They get it. They say, 'I can see myself doing this.'"
Marc says he often tells his students that having an advanced degree helps the most with career mobility. "Students could probably pursue a job and get an entry level position in the field, but if they want to progress within that position faster or get the manager or director type of role, that's where the advanced degree really helps. You can come into this profession with an advanced degree," he adds. This is particularly true for career changers or those who may not have a whole lot of direct HIM experience.
Katherine Lusk, RHIA, MHSM, had been working as an assistant vice president of patient information services when the large health system in which she worked purchased 12 physician practices. Although her RHIA credential provided her with valuable skills related to registration and scheduling, she says she needed a different breadth of knowledge when it came time to integrate the physician practices. Lusk thought about pursuing an MBA but was more interested in the system integration. "I thought it was important for me to understand from a big picture the integration with external provider groups," she says. "I really didn't have a core understanding of how those clinics worked and how the financial integration and referral patterns would occur."
Lusk, who went on to hold various director positions in different settings, currently serves as the chief health information management and exchange officer at Children's Medical Center in Dallas, TX, a job she says she couldn't have landed without first obtaining her master's degree. "The degree establishes a baseline for people to understand your knowledge so you don't need to work so hard to prove yourself," she says.

Ensuring Job Security


Donna Edmonson, BS, RHIA, suspected that the standalone hospital in which she worked might be bought out by another organization, forcing her to look for another job. Her fears became a reality when the organization closed, moved to another location, and became part of an entirely different healthcare system. At the time, she had been working as an HIM director there while also pursuing her bachelor's degree so she could advance from having an RHIT credential to an RHIA. "I'm thankful that I was already in the process of going back to school because the RHIT would have limited me in terms of what I'd be able to do in larger organizations," she says.
Edmonson's bachelor's program, an online program, was designed for working adults. "I could make it fit around my schedule," she says. "There's just no way that I could have commuted." Although she had initially been apprehensive about going back to school after 20 years, she said her work experience helped her get through classes more easily.
Shortly after graduation, UC Health, based in Cincinnati, OH, contacted Edmonson via LinkedIn regarding a position that would oversee RAC audits. Shortly thereafter, she landed a job as a director of government audits and currently oversees all policies, procedures, appeals, and trends related to RAC and other third-party audits. She is also a manager of HIM, overseeing all scanning, indexing, and release of information as well as the opening of a brand new maternity unit. "I got my return on investment the moment I got that job," she says. "It was probably a combination of my degree and work experience, but had I not had that credential, I don't know that they would have really looked at me."
Edmonson says the return on investment for her degree can also be measured in terms of its usefulness to her current role. "It has definitely helped me become more aware of time management and project management. It also helps me communicate with higher level management. I understand the workflow and processes, and I know how to interject and give suggestions for how to make things better."
In addition to working full-time at UC Health, Edmonson also teaches classes online and in person. She hopes to eventually pursue a master's degree in the event that she decides to teach full-time in a university setting.

Climbing the Career Ladder


Erin Head, MBA, RHIA, CHTS-TR, the director of HIM at Parrish Medical Center in Titusville, FL, says the convenience
of not having to travel to a campus is what made it possible
for her to continue her HIM education. At the time she had
been working as an HIM operations manager at a hospital
and knew she eventually wanted to land an HIM director position. Having only an RHIT credential, she decided to attend
a CAHIIM-accredited college to obtain her bachelor's degree
and RHIA credential entirely online. "I didn't need to leave
work early for any classes, and I also liked the self-paced aspect of it," Head says.
After realizing that most HIM director positions were starting to require a master's degree, Head decided to continue her
education. "I knew that I needed to [get the advanced degree]
for my future. I knew it would be a good investment," she says.
"Also, with the MBA, I think it opens up other doors for other
departments within the hospital, such as an executive director
or vice president level of several different areas that function together with HIM such as finance, IT, case management, or patient registration."
Head says she chose the MBA rather than another type of master's degree because it would give her exposure to the bigger picture budgetary and operational aspects of healthcare's business
side. Her degree also included a specialization in healthcare
management that she says helped her understand community
and public health.
Even though she has landed an HIM director job, she isn't
stopping her education. Head decided to become credentialed
as a Certified Healthcare Technology Specialist Trainer (CHTS-TR) after having performed EHR validation, testing, and training at a previous job.
"With the EMR, you've got to have people who are trained to
troubleshoot, train physicians and caregivers, and understand
the data that's coming into and out of the system. Having that
credential shows that I have additional competencies in healthcare technology," she says.

Best to Move Out of Your Comfort Zone


Elit Gonzalez, MBA, RHIA, began her healthcare career at the
age of 17, working her way up from a file clerk to a coordinator
position, the highest position in which she could serve without an academic degree or credential. She decided to obtain her
RHIT credential and eventually got a job as a night shift HIM
supervisor at MD Anderson Cancer Center. "At that point, I noticed that all of my peers had their bachelor's degrees and RHIA
credential," she says. "I really wanted to obtain that level of education and felt like I needed to make it happen."
Like many other working adults, an online program seemed
like a viable option. Gonzalez and one of her colleagues both
enrolled at a CAHIIM-accredited college's online bachelor's
program, and she says it was "so much easier than having to leave
my kids and my family and go to a campus for several hours."
She also enjoyed the exposure that her online program gave
her to other professionals around the country, many of whom
she continues to network with today. Gonzalez says many HIM
professionals may feel as though they just do not have the time
for an additional degree or credential. Others may feel intimidated going back to school as an older adult. However, these
should not be excuses, and only stifle ambition. "Some people
may be scared because they've been out of school for so long.
I say, I've been there and done that. I'm that person who was
scared to go back, and I did it," Gonzalez says.
After obtaining her bachelor's degree, she didn't stop there.
Just two months after graduating Summa Cum Laude from
her program, Gonzalez began a master's program to obtain
her MBA. Fourteen months later, she again graduated Summa
Cum Laude.
She says she chose an MBA because she wanted to be able to
teach HIM and other courses at the university level. "I wanted to broaden my horizons. I had been in HIM for 29 years
and wanted to try something different in addition to my current job. The MBA took me out of my comfort zone," she says.
Gonzalez is currently pursuing adjunct HIM instructor positions and is going to teach her first college course
this spring. She also works as an assistant director of HIM
administration at MD Anderson Cancer Center, where she
oversees document imaging, forms management, and 32
staff members. Gonzalez also assists with the development
and implementation of the EHR.
Prior to her education, she was unable to obtain a management position. Gonzalez says that her education provided
her with the knowledge she needed to become a successful
manager.
"In my master's program, I learned so much about the management aspect of HIM. I focused more on business leadership, ethics, managerial decision making, management operations, management organization, and finance. Obtaining
my MBA was the best decision for me," she says.
Lisa Eramo (leramo@hotmail.com) is a freelance writer and editor based
in Cranston, RI, who specializes in healthcare regulatory topics, HIM, and
medical coding.

Link
Earning HIM Cred
journal.ahima.org

This web-exclusive series focuses on just what career-cred AHIMA's
credentials earn HIM professionals in the real world. First up, the CHDA
credential. Just what professional leverage does one get with this data
analytics-focused certification?


Clearing the HIPAA Cobwebs
NEW ONC CHIEF PRIVACY OFFICER LUCIA SAVAGE FOCUSES ON BALANCING PRIVACY AND SECURITY WITH EXPANDING INTEROPERABLE EHR EXCHANGE
By Chris Dimick

THE SPIDERS OF time have been hard at work on the US
healthcare privacy and security rules, to the point that their
place in health IT interoperability has become fogged and is
inhibiting their proper role in the meaningful exchange of
health information, according to Lucia Savage, JD, the Office of the National Coordinator for Health IT's (ONC's) new
chief privacy officer. Savage wants to clear the cobwebs and
foster better electronic health record (EHR) exchange and
interoperability.
"Because we have permitted uses we actually have the [privacy and security] rules we need [for interoperability]," Savage
says. "And in some ways I sort of see myself as putting on my
head scarf and getting out the broom and getting the cobwebs
off the ceiling. So that is really my focus."
Harmonizing federal and state-level privacy and security
rules and their interpretations in order to allow better information exchange and EHR interoperability is a top agenda item for
Savage. Taking over for the first chief privacy officer, Joy Pritts,
in October 2014, Savage says one of her first priorities has been
fostering the interoperable use of electronic health information, through programs like the meaningful use EHR Incentive Program and guidance like ONC's Interoperability Roadmap, in a private and secure way.
A draft of the 10-year roadmap, which in part aims to clarify
HIPAA to reduce confusion and misconceptions about HIPAA
restrictions and entitlements, was released by ONC in February.
(See this month's Addendum on page 68 for a graphic depicting
roadmap milestones.)
While privacy rules like HITECH-HIPAA may need to be
modified in order to keep up with emerging health IT and treatment technology, Savage says the key to better interoperability
isn't necessarily in changing federal privacy regulations but in
achieving interoperability through a clearer use of the current
rules. "We are going to go back to basics a little bit and talk about
how to get interoperability in the rules environment that we actually have," she says. "And part of that is permitted uses. We've
had for 17 years the ability of physicians and payers to share information about their patient/members in common; that PHI at
its core can be exchanged for appropriate treatment, payment,
and healthcare operations purposes."
The Journal of AHIMA spoke with Savage about her upcoming priorities at ONC, how HIPAA is still being used as
a scapegoat to deny release of health information, and what
she feels is the biggest threat to protecting patient privacy in
healthcare today.

Who is Lucia Savage?


ALWAYS LOOKING FOR a challenge, Savage says she was first
attracted to healthcare compliance
and law because the industry was
"so messed up" that she felt she
would enjoy trying to fix it. In the 20
years since entering the field, there is
still plenty to fix in healthcare, which
Savage hopes to help accomplish as
the new ONC chief privacy officer.
"The thing that really attracted me to healthcare was that
it was so messed up, there was so much work to be done,
and I really like a challenge," Savage says. "It was at the tail
of the last wave of managed care in the late '90s, people
couldn't figure out how to do benefit appeals, prior authorization was not being handled in a very good way. HIPAA
was a new law; it was a chance to really dig in on something
new and build from it."
Graduating with her Juris Doctor from the New York University School of Law in 1989, Savage started her career
as an employee benefits attorney. But she soon expanded
her practice to include healthcare regulation, healthcare reform, and HIPAA implementation. Before coming to ONC
in October 2014 she worked at insurer UnitedHealthcare
as the senior associate general counsel, focusing on large
data transactions related to health information exchanges,
healthcare transparency projects, and other data-driven
healthcare work. Savage also served on the governance
board of the Centers for Medicare and Medicaid Services
Multi-Payer Claims Database Project from 2011 to 2013,
and collaborated with health information exchanges and
state agencies in their planning with payers, according to
ONC's website.
One of her next challenges is helping the country achieve
private, secure, and interoperable health information exchange, as well as becoming a grandmother, at least, in
time. She feels the first step has been taken with the recent ONC Interoperability Roadmap, of which she was a
co-author.
"I always hoped that I'll have completely interoperable
data by the time I'm a grandmother, and hopefully that is 10
years out, so I think that this 10-year [ONC interoperability]
roadmap is about right," she says.

What is a Typical Work Day for the Chief Privacy Officer?

"IT IS A real mix of internal meetings that are both strategic and tactical as we plan stuff out. I do a lot of writing
and editing. I was working on a privacy guide today. I have
meetings with other agencies of the government as we try
to lend our expertise on topics like cybersecurity and precision medicine. And then I meet a lot with external stakeholders, sometimes in person and sometimes by phone
and sometimes in a sort of public presentation setting. So
every day is kind of a mix that way."
Lucia Savage

JAHIMA: As you start down the Interoperability Roadmap,
and as information becomes easier to exchange, how do you
feel the privacy and security regulations should be modified? How do you walk the line between fostering exchange
with health IT and maintaining patient privacy?
Savage: I think that for everyday healthcare we have pretty good
background rules right now that we can get a lot accomplished
with, and in fact we can get a lot more accomplished than we
have. What we do know, however, is that with the advent of all this
amazing computing power we couldn't possibly have imagined
17 years ago [when HIPAA was implemented], and some people
imagined when HITECH was passed, but most people were unfamiliar with mobile health, APIs, the smartphone. Most of us ordinary people did not imagine that [this change] would be coming.
I think we have an opportunity to make sure that we are keeping
abreast with technology as it is developing.
So for treatment, payment, and operations for health, we have
pretty good background privacy rules. As we move into spaces like precision medicine, and part of that might be repeated
long-term use of particular DNA samples, we need to have rules
that accommodate our needs for science and knowledge in
that space. And the rules we have now come from a time when
it wasn't all done through computers and people didn't make
choices with radio buttons on their tablets and computers. So
we definitely have an opportunity to structure understanding to
meet the growing technology needs. And in particular what we
need to do is look ahead so that we are always keeping pace and
we don't fall behind where technology is taking us.
JAHIMA: Do you feel HIPAA-HITECH goes far enough right
now to protect patient privacy, or are there gaps that could be
tightened, either currently or as future technologies develop?
Savage: I think our problem isn't really with the nationwide
rules that were established in the original HIPAA enactment
and the HITECH amendments. I think HITECH did some great
housekeeping by clarifying, for example, the role of health information exchanges as business associates or adding protections about marketing rules that had become really onerous
and burdensome for consumers as the Internet advanced. But I
think we have some work to do with regards to being able to take
advantage of computer technology while fostering the special
protections that states have enacted.

JAHIMA: What needs to change at the state and federal level to foster more health information exchange?
Savage: We have a situation where HIPAA is really a floor,
it is the basic rule and states are not only allowed to, but do,
enact laws that are more privacy-protected than HIPAA. And
those enactments come because of real experiences real
people have had where bad things have happened to them.
For example, because their personal information, health or
not, has been used in a way they didn't anticipate. One older
example is at one time children [were] being sent home from
school because their parents were HIV positive. So we have
enacted these rules to protect people's privacy in these special circumstances after very robust public debate in state
legislature.
The problem we have is while those rules are philosophically
aiming at the same things, the words used on the page vary so
much that we can't efficiently use machine learning because
we are worried that if we program it to meet the rule of state A,
we won't quite meet the philosophically similar but content-different rule of state B.
And so I think we have some work to do to harmonize how
we deploy these special protections [at the state level]. I'm in no
way saying they should be removed. I'm saying let's harmonize
them so that we can take advantage of computerized abilities
to capture, consent, tag data with consent, persist that choice
through the data. And if you think about something like telemedicine, where the intent is to have a provider in one state and
a patient in another state, you have got to figure out a way to
have the patient's expectations and the provider's understanding match across the state line.
JAHIMA: As EHRs developed, a lot of interoperability issues
came with the technology. But there was once a time when
privacy was one of the big issues hindering interoperability.
Savage: That is right, and ONC has done some task support on that, even the HISPC work before HITECH that really
documents the nature of the problem and even documents
potential solutions. And I'm really hoping to go back to that
as a discussion point.
I think now that we have had such a great run of getting
physicians to adopt electronic health record systems and we
are moving toward how do we make those systems exchange
data for healthcare, it gives us a new chance to look at this
in light of what now science is telling us about how effective
coordinated care can be, and what we can do on the social
determinants of health to improve health in communities,
keep people out of the emergency room that don't belong
there, etc.
There is a really important part of this that we can't lose sight
of. A key part of this privacy formula is the patient or person
whose data are collected needs to understand what is happening to it. If we have harmonized laws, it is easier to explain
privacy rights to a person. And we have a situation where we
have many different languages and different levels of literacy in
America. The easier it is to explain the easier it is to get that word
out in our diverse population.


JAHIMA: It would definitely simplify things from a health
information release standpoint. But whose job is that? It is
a big job to harmonize all the various state privacy laws, and
harmonize them in a way that at least information exchange
can happen. Are you seeing this as ONC's role?
Savage: I think ONC's job here, and my job in particular, is to be a subject
matter expert and a resource. So it is really that sort of expert/coordinator capacity. At the end of the day public policy choices made
by states really have to be made by the states. So, you know, states
have a wide variety of health situations, they have a wide variety
of political environments, they have a wide variety of budget situations, they have priorities that may be different than this priority.
And what we can bring to the conversation is "Here are our expert
observations, here are some resources we can make available. Do
you want to try and tackle this, if so how can we help you tackle it?"
We have done a lot of research to identify the issue, and it is
definitely something that as a matter of health and safety needs
to be addressed, and engaging in this harmonization process
has to be a priority for the states that want to take up that baton.
JAHIMA: Other than state law, what do you feel is the biggest obstacle to private and secure health information exchange and EHR interoperability right now?
Savage: Cybersecurity. I think people are very concerned about it, and
rightfully so. Those of us who work in the industry have been waiting for what happened to Anthem to happen. [Editor's note: The
day before this interview was conducted health insurer Anthem
announced it had suffered a data breach by hackers affecting 80
million people.] We knew that a large health company was going
to get hit, we didn't know when or where. I think that as a society
every time there is a big hack we are not to the point where we are
really immune to them. We all actually think about it and worry
about it. "Gosh, was I covered by Anthem, was my data in there,
did they get my Social Security number, did they get my e-mail
address? Did they get my home address?" And I think that in order
to have interoperability we have to have really good solutions and
advice on cybersecurity in a way that keeps interoperability going.
Then there was that large Brooklyn warehouse fire [in February] and guess what burned up? Medical records. Many, many,
many hospitals' worth. So this gives the opportunity to talk
about, for both paper and cyber threats, is cloud computing really the best solution? Because it is a time share in a facility that
can apply standard industry tools at an economy of scale that
an individual person can't. We need to have that conversation
if we think about cybersecurity and facilitating interoperability.
JAHIMA: After digital data breaches, what is the biggest
threat to protecting health information today?
Savage: I think actually it is misunderstandings. I'll give you a story
from my personal life. A family member falls down and needs to
go to the ER. They get the stitches, and we ask for the visit summary to be sent to a physician who is in a different system. And
we are told, "Well we are not allowed to send data outside our
system because of HIPAA." Well I know different, but the fact
that somebody could say that and the consuming public is told
that and they want to believe their physicians' offices and take
what they say to heart, [the public likely] doesn't understand
the rules well enough to say "Wait a minute, I don't think that is
quite right." So, we have these misunderstandings that are making the data not move as much as it could.
JAHIMA: Do you feel HIPAA is still being used as a scapegoat to deny people access to their records?
Savage: I think there is some of that going on. I was just talking to a
physician on staff and I said "Don't you remember when in your
primary care practice you had to talk to XYZ specialist about a
patient in common and you just picked up the phone?" HIPAA is
media-neutral and OCR [Office for Civil Rights] will tell you that.
It is the same privacy rule for phone calls, for faxes, for pictures,
for e-mail. Or information exchange, it is media-neutral, and we
really need to make sure everyone knows that.
Chris Dimick (chris.dimick@ahima.org) is editor-in-chief of the Journal of
AHIMA.


Working Smart a professional practice forum


Navigating Privacy & Security / e-HIM Best Practices / Standards Strategies / The Sound Record

Where to Begin with Cyber Defense
By Sharon Lewis, MBA, RHIA, CHPS, CPHQ, FAHIMA, and Kevin B. McDonald, HCISPP, CHPSE

AS DATA IS made more readily available through a growing
number of public and private channels, understanding the risks
is critical. Patients expect organizations to take the steps required
to protect their sensitive and personal information as it is being produced, processed, shared, and possessed. Whether it is
protected health information (PHI) or personally identifiable
information (PII), health information management (HIM) professionals have an ethical and legal obligation to protect patient
data from wrongful use and disclosure. This of course is not an
easy feat, and this article is designed to provide advice for those
parties intent on meeting their breach prevention obligations to
patients and the federal government. According to the Ponemon
Institute's Fourth Annual Benchmark Study on Patient Privacy
& Data Security, criminal attacks on healthcare have risen 100
percent since the study was conducted four years ago in 2010. In
April and August 2014, the Federal Bureau of Investigation (FBI)
issued a notice warning that healthcare systems and medical devices face an increased risk of cyberattacks and hacking.
Demand for patient information remains high on criminal
marketplaces, and 2014 saw the release of Grams, a search engine for what is known as the Dark Web. The Dark Web loosely
refers to many websites that are publicly available, but whose
ownership is obscured by several methods to protect those
responsible for their management. With Grams, criminals are
removing the knowledge barrier to obtain illicit information,
products, and services. The newly minted search engine aids
those seeking underground or illegal products and information
such as stolen PHI and PII, drugs, guns, heavy artillery, prostitution, and the services of mercenaries. There is even a YouTube
video demonstration on how to use Grams.
If you are looking for one good example of a bad data breach, look
no further than the recent incident involving Community Health
Systems, Inc. According to the company's Securities and Exchange
Commission 8K filings, the cyber attack that occurred in April and
June 2014 impacted data related to the company's physician practice operations and affected approximately 4.5 million individuals
who, in the last five years, were referred for or received services
from physicians affiliated with the company, the filings state.
Many have asked who the attacker was in this security breach.
The company and its service provider believe the attacker was
an advanced persistent threat group originating from China
who used highly sophisticated malware and technology to attack the company's systems. "The attacker was able to bypass the
company's security measures and successfully copy and transfer certain data outside the company," the filings state.

Healthcare Should Brace for More Cyber Attacks


In a recent warning, the FBI said "Cyber actors will likely increase
cyber intrusions against health care systems, to include medical
devices, due to mandatory transition from paper to electronic
health records, lax cybersecurity standards and a higher financial
payout for medical records in the black market."
In an attack, criminal cyber actors may seek information such
as credit card numbers, medical record numbers, a patient's diagnosis, and other health data that can be used to, among other
things, steal a patient's identity, access individuals' bank accounts, and obtain prescriptions for medications. It is well understood that patients' medical information is worth around 10 times
more than credit card numbers on the black market, as reported by Reuters. In addition to the higher record value, victims of
healthcare identity theft usually take longer to report an incident
and recovery can be extremely difficult. It often may take weeks
or months to realize that information has been taken, and it can
take years to recover.
Medical identity theft is difficult to recognize. For HIM professionals concerned with patient privacy, being aware of these
attacks is key to prevention. Understanding which safeguards
need to be in place to ensure confidentiality, availability, and
integrity of the PHI and PII is also vital to successful cyber defense. The need to protect patients' information includes at
least basic knowledge of the types of cyber-crime occurring in
today's environment and how they come about. Understanding how these events may occur and ensuring mitigation strategies are in place can significantly decrease the risk of PHI and
PII compromise. Keep in mind, even when a breach does not
immediately cause tangible damage to the patient, the damage to a provider's reputation, along with financial liability,
can still be significant.

Common Ways Systems are Attacked


Cyber breaches may occur in a variety of different ways. Whether
it is insiders making mistakes or intentionally releasing information, hackers directly targeting an organization, or random broadcast scanning that simply attacks many targets, the cyber breach
possibilities can be overwhelming. Identity theft, for example, may
be due to employees stealing information such as pharmaceutical
and prescription data and selling it. Some common attacks and
breach causes include:
Viruses, worms, trojans, and bots. These programs, also known
as malware or malicious code, are specifically designed to damage,
disrupt, steal, or inflict some bad or illegitimate action on data,
host computers, or networks.
Theft or loss of data bearing devices. Cell phones, CDs, DVDs,
thumb drives, and laptops are among many other devices that pose
a large threat to organizations. According to Ponemon, 36 percent
of reported breaches are due to a lost or stolen laptop.
SQL injection. A coded statement inserted into an entry field designed to dump database contents to an attacker.
Phishing. A targeted individual is contacted by e-mail or telephone by someone posing as a legitimate institution to lure an
individual into providing sensitive information such as banking,
credit card details, and passwords. This can be done by suspicious
links in e-mail or false advertising, among other methods.
Web-based attacks. Malware and social engineering attacks that
target end users and web-connected devices by displaying bogus
pop-up windows made to look like legitimate plug-ins that prompt
a user to click on them and open the gate to infect a computer device.
Social engineering. An act of psychological manipulation
that targets human decision making. For example, an individual
walks into a building and posts an official-looking announcement stating the help desk number has changed. When an employee calls for help, the individual might ask for a password
and ID to obtain access to the company's private information.
Misconfigured systems. This can be identified as a main
cause of a breach and may consist of unsecured wireless access
points, mismatched applications and hardware, and security
systems not regularly maintained. These networks can be easily
penetrated by hackers.
PHI protection requires that an organization implement administrative, physical, and technical safeguards to protect the
privacy, availability, and integrity of their data. HIM professionals help facilitate PHI protection by being clear on where PHI
resides within all systems in the organization and by completing an entity-wide risk assessment of all identified systems,
processes, and facilities. Also, a policy should be implemented
that prevents non-technical users from having administrative
rights and ensures administrator accounts are only used for
functions that require such access.
Utilize anti-virus and malware protection software and
keep the signatures up-to-date, and ensure that all systems
are patched and updated to help close vulnerabilities that are
leveraged by bad actors, viruses, and other malware. Ensure
that the organization's network is protected by firewalls with
advanced threat protection. Also, use unique and complex
passwords and ensure they are changed on a regular schedule, preferably every 90 days. Organizations should implement
encryption for data in transmission and at rest, and identify
the internal and remote access points where a connection may
exist with other systems that contain PHI in order to make sure
they are secure. Create procedures to authorize and control
workforce access to PHI, audit systems access and maintain
documentation of those audits, and document, implement,
and enforce policies and procedures through employee education and sanctions policies. HIM professionals should also
implement security monitoring and log review processes, as
well as implement a media inventory management program
while documenting all changes to their system.

Surrender is Not an Option


While this may seem like a lot to handle, surrender is not an option. IT security is about risk management and ensuring that an
organization has an ongoing risk management program. Being
proactive means conducting a comprehensive and ongoing security risk analysis. If critical threats are identified and resolved
first, before an attack, and systems are maintained by continually working to reduce the quantity and severity of risk, organizations stand a better chance against the ever-changing threat
landscape.

Resource
Ponemon Institute. Fourth Annual Benchmark Study on
Patient Privacy and Data Security. March 12, 2014.
www.ponemon.org/blog/fourth-annual-benchmark-study-on-patient-privacy-and-data-security.
Sharon Lewis (slewis@primeauconsultinggroup.com) is principal and
chief privacy officer for Primeau Consulting Group. Kevin McDonald
(kmcdonald@noloki.com) is chairman of the Orange County Sheriff/Coroner's technology advisory council and president of Noloki Healthcare IT
and Compliance.

Working Smart a professional practice forum


Navigating Privacy & Security / e-HIM Best Practices / Standards Strategies / The Sound Record

Issues in Accessing Foreign Personal Information for Use in US Legal Proceedings
By Jeane Thomas, JD

IMAGINE YOUR ORGANIZATION is involved in a lawsuit or
government investigation and needs to access documents or
information located outside the United States. If you think you
can just demand that they be sent to the US because they are relevant or maybe even necessary for the legal matter, not so fast.
For companies involved in litigation in the US, the production
of confidential information relevant to the case, including personal health information, is commonplace. American entities
deal with the confidentiality concerns by producing such information subject to protective orders and non-disclosure agreements that allow parties to use the information for purposes of
the litigation, but prevent it from being misused for other means.
The US discovery regime is extremely broad, allowing parties to demand all documents and information relevant to their
claims and defenses. It is no excuse to assert that the information called for is personal or sensitive. Further, parties have an
obligation to turn over information in their possession, custody
or control, and employees, customers, or other third parties
have virtually no ability to control what the organizations that
maintain their personal information do with that information
when they are required to produce it for legal proceedings.
But the situation is very different in many countries outside of
the US, most notably in the European Union (EU) and the dozens of other countries that follow an EU-style approach to data
protection. Within the EU, the ability of every citizen to control
what happens with his or her personal information is considered a fundamental human right. Accordingly, laws within the
EU grant specific data protection rights to individuals and prevent organizations that control data from processing or transferring personal data except under certain conditions.
Personal information is defined broadly to include any information relating to an identified or identifiable natural person. In other words, personal information is anything that allows anyone to link information to a specific person. Examples
include physical or e-mail addresses, phone numbers, bank
information, video images, and, of course, health information.
Because these rights belong to individuals, they exist without
regard to where personal data about them is located, including
information within the custody of their employers, third party email, social media providers, healthcare providers, or insurers.

Competing Legal Obligations


This difference in approaches between jurisdictions creates
very difficult conflicts when it comes to providing or obtaining personal information of non-US residents for use in US litigation or investigations. For example, consider a situation in
which the health information of non-US residents is relevant
to litigation in the US. Under our discovery rules, such information must be produced as long as it is relevant and within
the possession, custody, or control of any party within the
court's jurisdiction, such as an employer, healthcare provider,
or research organization.
However, the production of such information in US legal proceedings may violate foreign data protection laws, which protect the rights of individuals who typically are not party to the
litigation. Companies in this situation are caught between the
proverbial rock and a hard place. They must choose between
disobeying US discovery obligations and potentially violating a
court order to produce such information on the one hand, or
violating foreign law with potential criminal and/or financial
penalties on the other hand.
Unfortunately, there is no straightforward process for harmonizing
these conflicting legal obligations, and US courts have
not shown much sympathy for parties dealing with these issues.
The US Supreme Court addressed this type of conflict more than
25 years ago in the Aérospatiale case, which held that principles
of international comity require an evaluation of the respective
interests of the US courts and the foreign nation whose laws are
at issue. The Supreme Court set forth the factors relevant to the
comity analysis that courts should apply when considering
how to proceed with respect to non-US discovery:
1. The importance to the litigation of the documents or other information requested
2. The degree of specificity of the request
3. Whether the information originated in the United States
4. The availability of alternative means of securing the information
5. The extent to which noncompliance with the request would undermine important interests of the United States, or compliance with the request would undermine important interests of the state where the information is located
Following Aérospatiale, nearly every US court that has dealt
with these cross-border discovery issues has decided that US interests in requiring litigants to meet their discovery obligations
outweigh foreign interests in protecting the privacy interests of
their citizens. These courts have ordered parties to comply with
discovery requests and orders, notwithstanding the fact that
such compliance would violate foreign law, in part because the
courts have found that the risk of prosecution or penalty in the
foreign jurisdictions is relatively low.
For example, a court in New York recently considered the extent
to which foreign laws prohibiting the release of banking information, sometimes on pain of criminal prosecution, outweighed the
need to produce the information in the US litigation. Asking the
question, "But is this for real?" the court found that the extent to
which the relevant country has actually enforced the prohibition
is a strong indicator of the strength of the state interest and ordered the production of the information in Motorola Credit Corp.
v. Uzan, 2014 WL 7269724 (S.D.N.Y., 2014).

Litigation Complications Will Persist


The difficulties for US litigants may become even more acute if
the EU passes proposed data protection legislation that significantly increases the penalties for violation, possibly up to two
percent of worldwide turnover per infraction. In addition, with
China and other countries passing new data protection laws, or
adding more teeth to existing regulations, the conflict with US-style
discovery obligations is truly becoming a global issue. It
remains to be seen how and when these conflicts ultimately will
play out, but with the increasing volume of non-US information
relevant to US litigation, along with increasing data protection
enforcement around the world, it is certain that the issues will
not go away anytime soon.
Jeane Thomas (jthomas@crowell.com) is a partner at the international
law firm Crowell and Moring, LLP, based in Washington, DC.


Security, Privacy, and Safety Standards in Canadian Healthcare
By Grant Gillis

IN THE LARGE community of standards development organizations (SDOs) that are focused on healthcare and health informatics, the International Organization for Standardization
(ISO) Technical Committee (TC) 215 Health Informatics (ISO/TC 215)
is one of the leading forums. As mandated by ISO, the
scope of ISO/TC 215 is broad:
Standardization in the field of health informatics, to facilitate
the coherent and consistent interchange and use of health-related
data, information, and knowledge to support and enable all aspects of the health system.1

Founded in 1998 and now covering such domains as architecture, frameworks and models, semantic content, security, safety,
and privacy, ISO/TC 215 has more than 25 years invested in consensus building and requirements development. The committee
has worked with public and private sector experts to enable the
development of health information technology (HIT) standards.
ISO/TC 215 now has more than 50 countries participating in and
observing its standards development activities, and collaborates
with 29 other ISO technical committees. It works closely with
the International Electrotechnical Commission and International Telecommunication Union, and hosts the Joint Initiative
Council, comprising various HIT standards development organizations, such as Integrating the Healthcare Enterprise (IHE),
Health Level Seven (HL7), and the International Health Terminology Standards Development Organisation (IHTSDO).

ISO/TC 215 and Security, Safety, Privacy Standards


ISO/TC 215 standards play a vital role locally, nationally, and
globally in facilitating the definition, collection, and availability of personal health information (PHI) in health information
systems. It does this while protecting the security and privacy of
PHI, and controlling authorized access by healthcare delivery
organizations.
Since the inception of ISO/TC 215, Canada has been a strong
participant and contributor to the committee's work, in part because of the important work that the committee does in the areas of information security, privacy, and safety standardization.
For these areas, ISO/TC 215's Working Group 4 (Security, Safety and Privacy) is dedicated to standardization of methods and
systems to protect and enhance the confidentiality, integrity
and availability of health information, to prevent information
systems from adversely affecting patient safety, to protect the
privacy of PHI used in health and healthcare, and to ensure the
accountability of users of health information systems.2
While developing an impressive body of requirements-based
specifications of its own, ISO/TC 215's Working Group 4 also
plays a fundamental role as facilitator and collaborator in the
wider development of security, privacy, and safety standards
with the International Electrotechnical Commission (IEC).

ISO Security, Safety, and Privacy Standards: The Canadian Experience
Distinctly, Canada has for many years organized its various health informatics standards engagements through the
Standards Collaborative hosted by Canada Health Infoway.
Bringing together such domains as architecture, information exchange, and terminologies, this organization facilitates a lifecycle-based approach to the standards-based
electronic health record (EHR), including development,
testing, implementation, maintenance, and conformance.
The Standards Collaborative has been particularly beneficial
through its Electronic Health Record Infostructure (EHRi) Privacy
and Security Conceptual Architecture. This robust, well-detailed
scheme describes a secure systems design for EHRs in Canada.
The conceptual architecture works to ensure that the privacy of
patients is protected and that the confidentiality, integrity, and
availability of their PHI is maintained in an ongoing fashion.
Within this conceptual architecture, ISO security, privacy, and
patient safety standards play an important role in point-of-service solutions. For all provincial and territorial jurisdictions, as
well as many crown agencies and commissions in healthcare,
the standard ISO/IEC 27799 Health Informatics - Information
Security Management in Health Using ISO/IEC 27002 is widely
recognized as the foundational standard for security for EHRs
and all clinical and eHealth related solutions.
Based on the standard ISO/IEC 27002 Information Technology - Security Techniques - Code of Practice for Information Security Controls, which is the international standard
providing global guidance for any organization's information
security standards and information security management
practices, ISO/IEC 27799 provides more specific guidance in
support of implementation of ISO/IEC 27002 in health informatics. In particular, ISO/IEC 27799 specifies the appropriate controls for the management of PHI, thereby sustaining a
requisite level of security corresponding to an organization's
circumstances and maintaining the confidentiality, integrity,
and availability of PHI.
In conjunction with ISO/IEC 27799, many Canadian jurisdictions also use a variety of ISO/TC 215 security standards for
their EHR requirements. For example, requirements from the
standard ISO/IEC 18028 Information Technology - Security
Techniques - IT Network Security have been used in many
network environments to adapt and extend existing IT security
management guidelines by specifying the necessary operations
and mechanisms to implement network security safeguards
and controls in a comprehensive manner.
Also, to help manage the growing need to audit accesses to
PHI, the standard ISO 27789 Health Informatics - Audit Trails
for Electronic Health Records specifies a common framework
for audit trails for EHRs, in terms of audit trigger events and
audit data, to keep the complete set of PHI auditable across information systems and domains. These ISO/TC 215 standards
are supplemented by an array of security specifications from
the IEC, HL7, as well as integration profiles from the IHE.
On the privacy side, the 10 principles as originally specified
by the Organization of Economic Cooperation and Development (OECD) are closely followed as a national standard
through CAN/CSA-Q830 Model Code for the Protection of
Personal Information. As a national standard of Canada,
Q830 is incorporated in all domestic privacy legislation and
regulation. The 10 core principles constitute the widely recognized national policy in protecting PHI in the healthcare environment in various settings.3
In further support of each jurisdiction's standards-based approach to privacy and security of PHI, COACH: Canada's Health
Informatics Association publishes Guidelines for the Protection
of Health Information. The guidelines serve as a best practices
resource to help the health sector protect the PHI they require to
do their work and fulfill their professional responsibilities.
The guidelines cover topics such as:
• Requirements for consent for the collection, use, and disclosure of PHI
• Exceptions to consent requirements
• Requirements for reasonable safeguards for PHI
• How requirements apply to actors and stakeholders in the healthcare delivery space
The guidelines assist in the development of an overall privacy
and security framework designed to support and sustain the
proper use and protection of PHI. The 2013 Main Edition is supplemented by Special Editions covering access audits, privacy
and security for patient portals, and EHR implementations.4
In the area of patient safety, ISO/TC 215 has been working
on specifications addressing the safety of health software since
2006, with important publications centering on the classifications of safety risks involving health software (ISO Technical
Specification/TS 25238), as well as measures for ensuring the
patient safety of health software (ISO Technical Report/TR
27809). More recently, and with Canadian leadership, ISO/TC
215 published the standard ISO Technical Report/TR 17791
Health Informatics - Guidance on Standards for Enabling Safety
in Health Software.
Domestically, COACH has leveraged these standards and,
working closely with colleagues in the US, the UK, Australia,
and elsewhere, has published the COACH eSafety Guidelines,
a leading publication providing a method-based approach to
ensuring the safety of electronic health IT systems (hence, eSafety) in the larger context of patient safety. These guidelines
apply across the healthcare spectrum, providing background
information on eSafety and patient safety. They provide detailed
recommendations on best practices and standards, checklists,
templates, and much more.

Benefits of Security, Safety, and Privacy Standards


The benefits of standards that aim to ensure the security, safety,
and privacy of PHI are extremely important for healthcare
information systems development and professional competence. According to the Canada Health Infoway, a government
created non-profit that works with the healthcare community,
Canadian citizens, the government, and the technology industry to improve access to health information for better care,
good standards allow systems to interoperate seamlessly.
Good standards encapsulate a great deal of knowledge and experience, some of it hard-won, and make it available to the
architects of new systems. These standards make healthcare
information networks possible. They protect the privacy of individuals without limiting their freedom of choice or compromising their security.4
For Canada and other nations, the work of ISO/TC 215, especially its security, safety, and privacy standards, is of very real
value and will continue to serve as an important body of knowledge supporting healthcare professionals in ensuring the protection of PHI.

Notes

1. International Organization for Standardization. ISO/TC 215 Health Informatics. www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/iso_technical_committee.htm?commid=54960.
2. International Organization for Standardization. ISO/TC 215 Health Informatics Business Plan Version 3. June 7, 2013. http://isotc.iso.org/livelink/livelink/fetch/2000/2122/687806/ISO_TC_215__Health_informatics_.pdf?nodeid=1001750&vernum=-2.
3. COACH: Canada's Health Informatics Association. Guidelines for the Protection of Health Information: 2013 Edition. www.coachorg.com/en/practices/2013_Main_Edition.asp.
4. Canada Health Infoway. Electronic Health Record Infostructure (EHRi), Privacy and Security Conceptual Architecture. Version 1.1. June 2005. www.infoway-inforoute.ca/index.php?option=com_googlesearchcse&n=30&Itemid=1307&cx=012561371923227377403%3Ae3ijz6nmumi&cof=FORID%3A11&ie=ISO-8859-1&q=4.%09Canada+Health+Infoway.+Privacy+%26+Security+Architecture%2C+Version+1.1.+2005&hl=en&cr=countryCA.

Grant Gillis (ggillis@coachorg.com) is a member of the Canadian Standards Mirror Committee, ISO/TC 215 Health Informatics, and is executive director, forums and practices, with COACH: Canada's Health Informatics Association.


Evaluating the Information Governance Principles for Healthcare: Integrity and Protection
By Galina Datskovsky, PhD; Ron Hedges, JD; Sofia Empel, PhD; and Lydia Washington, MS, RHIA

Editor's note: This is the second in a series of four articles that discuss the eight Information Governance Principles for Healthcare.

AHIMA'S NEW INFORMATION Governance Principles for
Healthcare (IGPHC) provides a framework for healthcare organizations to enhance their ability to leverage information
in order to achieve the organization's goals, and conduct their
operations effectively while ensuring compliance with legal
requirements and other duties and responsibilities.
IGPHC is a set of eight principles that, when considered in
whole or in part, are intended to inform an organization's information governance strategy. This article is the second of
four that explores the meaning and intent of the principles,
two at a time.

Integrity Principle

The principle of integrity states that an information governance (IG) program should be constructed and managed such
that the organization has a reasonable and suitable guarantee
of authenticity and reliability. In healthcare, integrity of information means that an organization has the ability to prove
that information is authentic, timely, accurate, and complete.
This is a fundamental expectation from patients, providers,
and other stakeholders such as regulatory agencies.
This principle recognizes that an information governance program should include:
• Adherence to the organization's policies and procedures
• Appropriate workforce training on information management and governance
• Reliability of information
• Admissibility of records for litigation purposes
• Acceptable audit trails
• Reliability of systems that control information


Why are these elements important for good information governance? Consistent practices that assure the quality of information must be integrated into every step in the information
lifecycle. For example, it is critical that organizations determine
their responsibilities and processes for both internally created
information as well as that which is received from external
sources. The latter, however, might include taking additional
steps that are necessary to identify and classify the information
before adding it to a patient's health record.
Adherence to IG policies and procedures helps an organization not only comply with regulatory and legal requirements,
but more importantly, assure patient safety and care quality. In
addition, workforce training empowers individuals to comply
with those policies and emphasizes their importance.
Audit trails document activities related to information, and
therefore reinforce the reliability and integrity of that information. Likewise, information cannot be reliable unless the technology infrastructure on which it is created, used, maintained,
and stored is reliable. Therefore, an organization should monitor its infrastructure for deficiencies, and when necessary take
appropriate action to correct problems and mitigate risks.
Integrity provides trust that the information is authentic. An
authentic record is one that is proven to:
• Be what it purports to be
• Have been sent, received, or created by the person or system purported to have done so
• Have been sent, received, or created at the time purported
The principle of integrity seeks to assure the trustworthiness of information through the development and implementation of information governance processes and procedures
by which information is generated, used, and maintained
throughout its lifecycle.

Protection Principle
The principle of protection states that an IG program must
provide the appropriate levels of protection from breach, corruption, and loss for information that is private, confidential,
secret, classified, essential to business continuity, or otherwise
requires protection. Given the intensely personal, sensitive,
and life sustaining nature of health information, the principle of
Protection has a special emphasis in healthcare.
Many healthcare organizations have established privacy and
information security programs, and these should be integrated
into the overall information governance program.
Protection takes various forms and may include:
• Active management of, and restriction of access to, information according to context
• Prevention of unauthorized information disclosure by clearly defining policies, creating safeguards, and then monitoring them to prevent leakage
• Securing final disposition of information, regardless of source or media
• Audit programs to validate whether sensitive information is handled in accordance with organizational policies and procedures and in compliance with applicable laws and practices

As part of their operations healthcare organizations must
manage sensitive patient information in addition to administrative data. The principle of protection recognizes that information has varying degrees of sensitivity that must be categorized
accordingly, and then must be safeguarded throughout its life
span. In healthcare, information must be protected throughout
the ecosystem, at the source and by all stakeholders.

Integrity and Protection Improve Trustworthiness

Trust is central to the integrity and protection of healthcare
information. Users must be confident that the information
on which decisions are based is what it purports to be, just as
business people, regulators, and juries should have similar
confidence. That confidence requires the information have integrity. Integrity itself requires that information be protected
from, among other things, loss, theft, unauthorized access, or
unauthorized change. The principles of integrity and protection
operate together to create and maintain information that stakeholders, including patients, can have confidence in.

Integrity and Protection Improve IG

In the first installment of this series, the authors noted that at
its basic level, governance requires trust in decision makers and
the decisions they make. The article then discussed the synergistic relationship between the principles of accountability and
transparency in creating and maintaining that trust.
Similarly, governance requires trust in the information that
a healthcare organization uses for business reasons, whether
those reasons relate to patient care and treatment, patient or
insurer billing, or, for that matter, the construction and maintenance of physical plants.
Information must have integrity to be useful and to be depended on for decision-making. That information must be
protected to maintain integrity. Together, these principles enable information to be relied on. This synergy increases trust not
only in the information, but also in the overall information
governance program.
Galina Datskovsky (gdatskovsky@gmail.com) is CEO, North America,
at Covertix. Ron Hedges (r_hedges@live.com) is a former US Magistrate
Judge in the District of New Jersey and is currently a writer, lecturer, and
consultant on topics related to electronic information. Sofia Empel
(sofia.empel@connolly.com) is director, information governance, at Connolly
iHealth. Lydia Washington (lydia.washington@ahima.org) is senior director of HIM practice excellence at AHIMA.

Link
Read the Full IGPHC Principles

For a detailed look at all eight Information Governance Principles for
Healthcare, as well as other information governance resources, visit
www.ahima.org/topics/infogovernance.

PRACTICE BRIEF
practice guidelines for managing health information

The Implementation and Management of Patient Portals

THE ADVANCEMENT OF technology has changed the practice of medicine. It has evolved the physician-patient relationship from solely a face-to-face interaction into real-time online
encounters, from e-mails to virtual appointments. Patient portals represent such a technological advancement, leading the
charge and breaking new barriers in patient communication.
Patient portals, which are becoming commonplace within
healthcare organizations, provide online access to a patient's
healthcare information. An increased awareness and need for
the appropriate management of the protected health information
(PHI) flowing in and out of patient portals is critical to the overall
confidentiality, privacy, and security of that information. For the
purpose of this Practice Brief, a patient portal is defined as secure,
convenient 24-hour online access to a patient's health information from any location. A patient portal may or may not include
electronic communication between the patient and the provider.
Patient portals can empower and engage patients and families to actively manage their healthcare. The meaningful use
EHR Incentive Program, which provides financial incentives for the meaningful use of certified electronic health record (EHR) technology and requires the adoption and use of a patient portal, is a strong driving factor for the implementation and management of patient portals within a healthcare setting. With
the right portal build and the implementation of appropriate
policies and procedures, healthcare organizations can provide
easy-to-use self-service patient tools that enhance patient communications and engagement.
This Practice Brief will provide recommended practices for the
implementation and management of patient portals, including
the phases of implementation, ongoing operational considerations, and legal and regulatory requirements.

Implementing Patient Portals


Implementation is dependent upon a number of considerations, including the complexity of the organization's systems
and culture, the health IT infrastructure present, interoperability capabilities, and meeting legal and regulatory requirements, whether mandatory or voluntary.

Stakeholders Involved
To provide for the most comprehensive and effective portal, it
will be necessary to develop a taskforce to represent the stakeholders that will be affected:
- Senior leadership: Provide support and sponsorship of the project.
- Health information management (HIM) professional: Provide knowledge of the organization's data and information, data integrity, privacy and security, and EHR systems.
- Physicians/clinicians: Help determine what information will be displayed and when (i.e., what data needs to be manually reviewed before posting, and an appropriate delay period).
- Privacy and security officer(s): Ensure organizational policies, processes, and education are in place to prevent inappropriate access and disclosure.
- Patient advocates: Speak on behalf of caregivers, patients, and personal representatives in a range of delivery settings to meet the expectations of patient interactions (i.e., appointments, profile updates, billing, and communication).
- Risk management/legal counsel/compliance: Ensure overall compliance with all applicable laws and requirements.
- Information technology: Program and maintain the software, interfaces, etc. to support the portal, including safeguarding protected health information (PHI) as obligated by organizational policies and procedures and federal regulations.
- Marketing: Review and promotion of organizational and patient information materials as well as providing support for any organizational branding needs.

Strong Internal Communication Strategy


Communication is critical to the success of the portal. An organization-wide communication plan is essential for transparency about the development, rollout, use, and maintenance of
the portal's implementation.

Selection of the Portal System


Patient portals can exist as a standalone system that interfaces
with an organization's EHR systems or as a feature within the EHR
system itself. Whether using a single entity (i.e., limited to a hospital or clinic) or a regional portal product, access may be as broad
as the full legal health record or limited only to selected continuity
of care data sets such as discharge summaries and lab results.
The selection of a patient portal must be made based on the
organization's strategic plan and objectives for implementation.
Goals and desired outcomes of a patient portal will vary among
organizations, from meeting the meaningful use incentive to
increasing patient engagement. The following, at a minimum,
should be considered prior to selection:
- Regulatory and/or voluntary incentive requirements: Ensure compliance with all federal and state laws and regulations.
- Clinician and patient participation: Determine who will generate and use the portal information, including when and which information will be made available.
- Administrative (bill paying, appointments): Determine which administrative tasks will be available to patients on the portal such as release of information, customer service, appointments, registration, profile updates, billing, and e-mail.
- Resource needs:
-- Workforce: Evaluate staffing needs (internal and/or external) to build, maintain, and manage the portal system (i.e., ongoing integrity assurance, answering user questions, or providing internal/external training on policies and procedures).
-- Budget: Ensure budgetary needs to meet the organizational goals and vision for the portal implementation and maintenance.
-- Vendor: Assess external vendor capability needs for development, implementation, and ongoing support.
- Information access: Establish who will have access to the portal and for what purpose. Determine the process for the provisioning and de-provisioning of user access.
- Technology capabilities: Support tasks related to interoperability needs and privacy and security considerations.
-- Interoperability: Ensure the portal will integrate with other systems (internal and, if needed, external) including the organization's EHR system while validating continued maintenance of information integrity.
-- Privacy and security: Make certain the privacy and security of information is understood and maintained at all times.
- Usability: Ease of use of the portal for the user (both workforce and patient) is critical to the success of the overall system.

Rollout of the Patient Portal


Rollout of the portal will require the careful minding of several
important steps.
1. Timeline: Establish a realistic timeline to achieve the
goals and objectives of the portal system with adequate
flexibility for unforeseen obstacles.
2. Portal content: An interdisciplinary team (i.e., clinicians,
HIM, IT, pharmacy, laboratory, radiology) determines
what type of health information will be made available to
the patient in the portal. Content determinations are not
all driven by meaningful use obligations.
3. Testing: The portal will be used by patients, patient representatives, and associated workforce members and therefore must be tested by a number of patients to determine if it
functions well for all segments of the population. The project
team needs to conduct user acceptance testing for different
population types (i.e., ages, education levels) that best represent the population that will use the portal on a regular basis.
Ongoing testing can create a need to make changes in the
portal system. In addition to the functionality and comprehension testing, the confidentiality, security, and integrity of the data will also need to be validated. Such testing
would need to be directed toward the information flowing
into the portal from other related systems as well as any information that might flow from patients or their surrogates.
4. Access and authentication: Access to the portal should
ideally be initiated during a patient visit or hospital stay.
This allows the organization to establish its authentication process (verify user identity), ensure the patient has
access to the training and other materials that can accentuate the use of the portal, and explain how the portal
can increase the patient's involvement in their care. Such
information will vary by portal and patient. For an initial period it would be an extra benefit if the organization
could facilitate some sort of hands-on training at the organization location, but at a minimum workforce should
encourage participation.
5. Information governance: A portal's information is not
static as long as the patient is receiving care. Any changes
in the source information or the systems involved, new information, and so forth require constant governance to
ensure information integrity, including the information
in the portal. Portals will evolve and expand as resources
and requirements change.

Patient Portal Operations


The overall success of a patient portal requires robust planning
and strong ongoing collaborations within the organization, as
well as attention to numerous operational considerations. Operational considerations must be proactively addressed prior
to implementation and continuously thereafter. At a minimum,
the following considerations should be addressed.

Registration and Enrollment


Registration for the patient portal is typically a multistep process. At the time of the in-person hospital or clinic visit, information is given to the patient about the portal and the patient's
e-mail address and other demographics are obtained for registration. The e-mail address is necessary for the activation process and subsequent communications. For patients without
e-mail addresses, the organization should consider providing
recommendations to the patient for obtaining an e-mail address. The type of patient identifiers collected during registration is important for finding an accurate match in the EHR.
Balancing the need to establish secure patient identity procedures with ease of use of the patient portal is important. Each
organization will determine their identity proofing and authentication procedures. Some examples include:
- A portal activation code (one time use for initial access/set-up to the portal by the patient) may be included with discharge instructions, or enrollment procedures may be communicated separately via mail, e-mail, or phone to the patient.
-- It is recommended to allow 30 days for initial use of the activation code before the portal enrollment period expires.
-- Upon enrollment completion, a user ID and first time (generic) password will be provided.
-- Note: In-person enrollment for the portal is strongly recommended to reduce the risk of inappropriate registration and access. Failure to implement proper security measures can result in inappropriate access to PHI by unauthorized persons (i.e., an individual attempting to impersonate the patient for access to PHI). When registration via a website is permitted, strong security measures include using an e-mail address already on file or sending a follow-up communication by mail or phone to confirm registration and request the patient contact the organization if they were not involved in the registration.
- A medical record number may also be requested along with a unique patient identifier.
- Patients may be asked to acknowledge that they are submitting the enrollment on their own behalf or on the behalf of a minor. Some organizations may permit proxy access, wherein a patient can permit another user to access the portal on behalf of the patient.
- Some organizations require that the patient receive services within the past 12 months to be eligible to register for the portal.
- Organizations must provide education to patients/proxies regarding the importance of completing the enrollment in a timely manner as well as proper overall use of the portal.
- Deactivation processes should also be developed and put in place for user inactivity, misuse, or deceased patients.
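
One way to implement the one-time activation code and the deactivation process listed above, as an added example (it is not part of the Practice Brief and is not any portal vendor's code). The 30-day window is the brief's recommendation; the class and function names, the 365-day inactivity limit, the five-attempt lockout, and the sample medical record number are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ACTIVATION_WINDOW = timedelta(days=30)   # from the brief: 30 days to use the code
INACTIVITY_LIMIT = timedelta(days=365)   # assumed policy value for this example
MAX_FAILED_ATTEMPTS = 5                  # assumed policy value for this example
# No 0/O or 1/I, so a code read from a printed discharge sheet is unambiguous.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def _digest(code: str, salt: bytes) -> bytes:
    # Only a salted, stretched hash of the code is stored, never the code itself.
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, 100_000)


@dataclass
class PendingEnrollment:
    salt: bytes
    code_hash: bytes
    issued_at: datetime
    redeemed: bool = False
    failed_attempts: int = 0


@dataclass
class Account:
    last_login: datetime
    active: bool = True


class PortalEnrollment:
    """Hypothetical enrollment service keyed by medical record number (MRN)."""

    def __init__(self):
        self.pending = {}
        self.accounts = {}
        self.audit = []   # (timestamp, mrn, event) tuples for later review

    def issue_code(self, mrn: str, now: datetime) -> str:
        """Create a one-time code to hand to the patient in person or by mail."""
        code = "".join(secrets.choice(ALPHABET) for _ in range(10))
        salt = secrets.token_bytes(16)
        self.pending[mrn] = PendingEnrollment(salt, _digest(code, salt), now)
        self.audit.append((now, mrn, "code_issued"))
        return code

    def redeem(self, mrn: str, code: str, now: datetime) -> str:
        """Return 'activated', 'invalid', 'expired', 'used', 'locked' or 'unknown'."""
        entry = self.pending.get(mrn)
        if entry is None:
            result = "unknown"
        elif entry.redeemed:
            result = "used"                      # one-time use only
        elif entry.failed_attempts >= MAX_FAILED_ATTEMPTS:
            result = "locked"                    # stop guessing against one MRN
        elif now - entry.issued_at > ACTIVATION_WINDOW:
            result = "expired"                   # enrollment period has lapsed
        elif hmac.compare_digest(_digest(code.strip().upper(), entry.salt),
                                 entry.code_hash):
            entry.redeemed = True
            self.accounts[mrn] = Account(last_login=now)
            result = "activated"
        else:
            entry.failed_attempts += 1
            result = "invalid"
        self.audit.append((now, mrn, "redeem_" + result))
        return result

    def deactivate(self, mrn: str, reason: str, now: datetime) -> bool:
        """Deactivate for inactivity, misuse, or a deceased patient."""
        account = self.accounts.get(mrn)
        if account is None or not account.active:
            return False
        account.active = False
        self.audit.append((now, mrn, "deactivated_" + reason))
        return True

    def sweep_inactive(self, now: datetime) -> list:
        """Deactivate every account with no login inside INACTIVITY_LIMIT."""
        stale = sorted(m for m, a in self.accounts.items()
                       if a.active and now - a.last_login > INACTIVITY_LIMIT)
        for mrn in stale:
            self.deactivate(mrn, "inactivity", now)
        return stale

    def is_active(self, mrn: str) -> bool:
        account = self.accounts.get(mrn)
        return bool(account and account.active)


if __name__ == "__main__":
    portal = PortalEnrollment()
    issued = datetime(2015, 4, 1, tzinfo=timezone.utc)
    code = portal.issue_code("MRN-0001", issued)           # constructed sample MRN
    print(portal.redeem("MRN-0001", code, issued + timedelta(days=45)))
    for event in portal.audit:
        print(event)
```

The audit list gives portal staff a record of issued, expired, and repeatedly guessed codes, which supports the follow-up confirmation step the brief describes for web registration.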

Ensuring Data Integrity


The integrity of the data within a patient portal is impacted by
multiple sources, including the source EHR. Inaccuracies in a
source system's information, such as when a lab result is imported into the wrong patient's health record, will flow into the
patient portal, resulting in erroneous information. This can lead
to an increased risk to the quality of care provided. Organizations must have policies and procedures in place to help ensure
the integrity of patient data and the accuracy of the path it takes
to reach the portal.
This same approach must be taken with external systems,
such as independent laboratories, that will feed information
into the portals. Each workforce member involved must have
education and training on the system's functionalities and capabilities as well as its limitations. Proper education and training
increases awareness for appropriate use and reduces the risk for
error. Portal screeners, a new and evolving role, review patients'
charts and look for misfiles (i.e., files that belong to other patients or files that are incorrectly labeled). These portal screeners ensure data integrity and prevent HIPAA violations prior to
releasing the record.1

Handling Privacy Incidents/Violations


Privacy incidents and HIPAA violations may occur if wrong patient data populates the patient portal, for example, when an
admission clerk enters incorrect patient information during
registration and data integrity auditing procedures are not in
place (i.e., portal screeners). An increase in patient-reported incidents may be expected with portal access, and patients must
know who to contact to report suspected incidents and violations. Patient portals should also be included in the organization's security risk analyses to assess for potential vulnerabilities
and threats, including third party vendor assessments.2

Increased Patient Access


Implementation of a patient portal may decrease the volume of
patient release of information (ROI) requests for information
provided in the portal. The traditional patient ROI request process requires properly executed authorization forms and HIM
oversight for record release. Instruction should be provided in
the portal on how to obtain access to their full health record.
While access to health records via the patient portal may decrease release of information requests, requests for amendments may increase as patients may identify errors that might
otherwise go undetected. It may be helpful to plan for additional
workforce members to handle the potential increase in amendment requests, at least during the early post-go-live period.

Workforce Education and Training


An organization's workforce should have a general knowledge
and understanding of the portal, how it works, what information is contained within it, who is serving as the portal liaison,
and where to direct any patient questions or problems.
Given the nature of the information and its potential impact
on patients and their healthcare, it is as important to provide
educational materials to the portal users who will be accessing
and/or submitting information as it is to train the workforce.
Training should include instructions on how to use the system, appropriate privacy and security practices, where questions can be addressed, and where to report problems when
encountered.
At minimum, the following education should be provided:
- Senior leadership: General overview and use of the portal.
- HIM professionals: Portal content, user registration, and login procedures including identity verification, troubleshooting and answering patient questions, terms and conditions content, what to do in the event of a privacy issue (i.e., wrong patient's information contained in the portal) and the proper response for handling other issues associated with patient portals.
- Physicians/clinicians: Portal content (what is available and when) and patient messaging capabilities and procedures.
- Risk management/legal counsel/compliance: Portal content and procedures regarding minor access, proxy access and management of sensitive PHI (i.e., HIV/AIDS, mental health, substance abuse).
- Privacy and security officer(s): Portal content and functionality, interoperability issues, and procedures regarding minor and proxy access.
- Information technology: Portal content, user registration and login procedures and interoperability issues, identity verification, troubleshooting, and answering patient questions.
- Patients/patient advocates: Portal content, user registration and login procedures, messaging procedures, and procedures regarding minor and proxy access.
- Registration/scheduling: Portal content, identity verification, user registration and login procedures, terms and conditions content, what to do in the event of a privacy issue (i.e., wrong patient's information contained in the portal) and the proper response for handling other issues associated with patient portals (see issues and challenges associated with patient portals).

Legal and Regulatory Considerations for Patient Portals


The Centers for Medicare and Medicaid Services (CMS) requires eligible providers or hospitals to adopt a patient portal to
meet the stage 2 meaningful use program's requirements.3 But
with the patient portal comes a host of legal issues a healthcare
organization must consider, including how to manage minors
(patients under the age of 18 in most states) who have access to
portal accounts, whether the organization will allow (and how
they will manage) proxy accounts, and how an organization
will ensure these records are properly secured.

Minors (Pediatric Patients)


Issues associated with managing a minor's PHI and a pediatric
patient portal only compound these issues.4 Each organization
needs to evaluate the benefits and risks related to these specific
issues before choosing to create a pediatric patient portal. Generally speaking, a parent controls access to and the disclosure of
a minor's PHI unless otherwise specified by state law. In specific
situations, however, only the minor may consent to the release
of information. Organizations should research appropriate state
regulations and address them accordingly. The definition of a
minor varies by state law.

Proxy Accounts
Proxy access to the patient portal is granting access to someone
other than the patient.5 One of the primary goals of a patient portal is to provide patients convenient access to their own health
information. There are many examples of situations where someone besides the patient may need access to PHI and the patient
portal is an excellent mechanism to provide that access.
Some examples of proxy access are:
- An adult child or a caregiver of an elderly parent/patient
- Home health aide to a chronically ill patient
- A healthcare power of attorney responsible for the healthcare of an incapacitated patient
- Anyone else designated by the patient (spouse, partner, etc.)
The patient must first be informed of the risks associated with
granting proxy access to their patient portal. The covered entity
(CE) is not liable for information accessed, redisclosed, or printed out by a third party with proxy access previously requested
by the patient.

Patient Consent Not Needed for Portal Participation
PER THE HIPAA Privacy Rule, patients have the right to access their information, and therefore consent is not required
to access the patient portal. Patients must agree, however,
to the terms and conditions presented to them when enrolling in the portal. The patient will be asked to sign an
authorization to release records to the portal if the portal
is hosted independently by a third party vendor versus the
hospital or clinic.6
Content that should be placed in the Terms and Conditions for Portal Use includes:
- How the portal is used for healthcare services
- User ID and password responsibilities
- Electronic communications responses
- Setting up proxy access
- Privacy and security assurances
- Patient responsibilities
- Waiver of liability

Security Issues and PHRs


Whenever you create a system for transmitting or storing PHI
there will be security issues. The security of data maintained
in or transmitted to the patient portal from the EHR should be
treated the same as any other PHI, and follow the same policies,
procedures, processes, and workflows for the security of data at
rest and data in motion.7
However, patient portals introduced another unique security
threat: the patient's password and login information. The patient has a responsibility to protect their private login information; however, if the portal password is compromised through
no fault of the CE (the patient's computer is hacked, the information is stolen from the patient's home, etc.) and the patient
notifies the CE, the CE now has a duty to respond quickly to
protect the patient's information from a known threat. The CE
must establish a process where they can quickly deactivate the
account or change the password.
A patient portal should not be confused with a personal health
record (PHR). While both are valuable tools in recording and
maintaining health information, there are some important differences. A PHR is created by the patient, maintained by the
patient, and the CE does not control the information within a
PHR. However, a patient portal is created by the CE, information
within the portal may be created by either the CE or the patient,
and the CE is responsible for granting access.8 It is important to
make sure patients and CEs know these differences, especially
as they relate to privacy and security.9

Portal Use Agreement


There are many legal and risk management issues concerning
patient portals. As stated above, many of these issues are state-specific. Organizations must research the laws specific to its practice area and develop a plan that meets its specific organizational
goals. A portal use agreement identifies the responsibilities and
outlines expectations between the user and the organization.
Portal use agreements are recommended but not required.

Patient Engagement and Education

There are several areas to consider when trying to engage patients
in the portal, as well as educate both patients and staff on its use.

Education and Support

Develop and execute a community-wide communication plan
about the portal and how people can become engaged. Ongoing
education and training for the patient is just as important as it is
for the workforce. In order to ensure the continuous success of
the portal, patients must be trained on the proper use of the portal as well as have an understanding of the significance of PHI
and how to safeguard it. Education and training can begin during the enrollment process and should include areas such as the
correct selection and use of passwords, where the information
is viewed, how the information can be accessed, who has access
to the information, and so forth. The patient's responsibility for
maintaining the privacy of his or her own information must be
covered to minimize the organization's risk arising from a patient's use of the portal system.
Brochures and/or videos can also be developed to provide patients with resources for effective and safe portal use guidelines.
Some organizations have the patient sign a statement that confirms he or she has reviewed this information as an added precaution and to reinforce the importance of it. Patients should
know where to go and who to contact for any portal assistance
needed. Some organizations have a patient support line specialist who is the direct line of contact for the patient regarding the
portal. This can be done in-house via a call center or can be outsourced to a patient communications solutions vendor.

Meaningful Use's Role

Meaningful use program obligations require engaging patients
and their families to routinely access their portal accounts to
view, download, and transmit health information, as well as
message with their providers. Encouraging continuous user access to maintain, update, and validate user profile and demographic information, including proxy access, helps to ensure
accuracy of the data.

Health Literacy

As patients increasingly engage in portal use, healthcare organizations must recognize health literacy concepts. The Department
of Health and Human Services (HHS) defines health literacy as a
complex phenomenon involving skills, knowledge, and the expectations that health professionals have of the public's interest
in and understanding of health information and services.10
Challenges or limitations with health literacy do not negate
patient interest in the connectivity and engagement offered by
portals. Therefore, in the spirit of preparedness, healthcare organizations must proactively and continuously evaluate resources
and processes related to portal support and account for variances
in health literacy among patients. Organizations should allocate
educational resources for patients related to information content,
information navigation, and technical support.
It is important to consider disparities that may arise related
to intellectual or physical disabilities, generational diversity, or
language barriers. A thoughtful plan is necessary to enhance
patient portal access to promote health equity and improve outcomes for all patients.

Other Issues and Challenges of the Patient Portal

Some other issues and challenges that may need to be considered include:
- The timing of providing results. Providing immediate, direct patient access to test results is advisable when they relate to a known condition which has been thoroughly discussed with and explained to the patient by the provider and access to ongoing results enables the patient to modify treatment. It is not advisable if the results are indicative of a new diagnosis, in which case a delay should be built into the records process to enable the patient/provider discussion to take place prior to giving a patient access to his or her results. Capabilities for feeding information into the portal should be explored. Some portal systems have the ability to suspend data release by a specified amount of time (i.e., 24 to 72 hours), or the data may have to be processed manually.
- Interoperability: For portals that are comprised from multiple components of an EHR and/or multiple EHRs, there are challenges related to interoperability that include:
-- Master Patient Index (MPI) issues (i.e., different Medical Record Numbers (MRNs) in different systems)
-- Selecting which system to send information from
-- Preventing wrong data selection and breaches

Each of these challenges should be considered and addressed
during the implementation of any patient portal. It must then be
re-evaluated periodically to ensure that all procedures are still
relevant and functioning as planned.

HIM's Role in Portal Implementation, Maintenance


Patients and their caregivers often have limited knowledge
of how to navigate the complexities of the healthcare system,
which makes it difficult for them to take the lead in managing
their own healthcare. Patient portals can assist patients in navigating around some of the barriers by giving them an opportunity to share information with their healthcare team.
Although participating in a portal offers many quality and efficiency benefits for both the patient and provider, it also creates potential risks that should be considered. HIM expertise is
critical in determining what types of information will be shared
through the patient portal with patients and their designated
caregivers. In addition, the quality of information in any patient
portal is only as good as the documentation that is contained
within the EHR. Therefore, the need for HIM to continuously
monitor documentation quality and timeliness is vital.
HIM leadership can specifically help ensure a portal's success by:
- Developing enrollment processes, including the management of proxies and dependents
- Designating HIM staff to approve registration and remove access where needed
- Working with project leadership to develop a plan for advertising the portal with signage and by developing flyers for patients that can be placed in waiting areas and distributed at check-in
- Considering relocation of HIM staff to patient care areas to assist with sign-up during the early post-implementation period
- Developing talking points for clinical staff to use to encourage patients to register for and use the portal
- Developing policies and procedures for routing messages and guidelines for the timeliness of responses, including a plan for timing release of lab results and other information to patients
- Participating in pilot testing of the portal and accuracy of the information to ensure privacy standards are met
- Designating HIM staff to assist patients with portal questions and to help with troubleshooting; consider appointing a patient portal representative within the HIM department to direct calls from patients
- Helping to educate patients about what is appropriate to communicate via the portal, how and when providers will use messaging, and when to check the portal for lab results or appointment reminders
- Encouraging patients to utilize the portal to obtain electronic copies of their health information, review lab results, and correspond with clinical staff
- Responding quickly to any reports of documentation errors and providing patients with the necessary paperwork to request corrections and amendments
Engaging patients through a patient portal can maintain or
even increase patient loyalty to an organization while improving overall communication. It is essential that HIM leaders get
involved early in the selection and implementation process and
remain committed to ensuring the ongoing use and expansion
of the patient portal.

Notes
1. Eramo, Lisa A. Patient Portals: Express Lane on the Health Information Highway. Journal of AHIMA 83, no. 9 (September 2012): 24-28.
2. Greene, Adam. Patient Portals Pose New Security Issues. Healthcare IT News. October 29, 2013. www.healthcareitnews.com/news/patient-portals-pose-new-security-issues.
3. Centers for Medicare and Medicaid Services. Frequently Asked Questions. July 24, 2013. https://questions.cms.gov/faq.php?faqId=7735.
4. Sherek, Penny D. and Emmlee Gray. Case Study: Managing Pediatric Health Information in a Patient Portal. Journal of AHIMA 85, no. 4 (April 2014): 46-47.
5. Green-Shook, Sheila. Parental Proxy Access via Web Portals: Ensuring Compliance and Quality Documentation. Journal of AHIMA 80, no. 7 (July 2009): 60-61.
6. Office for Civil Rights. Personal Health Records and the HIPAA Privacy Rule. www.hhs.gov/ocr/privacy/hipaa/understanding/special/healthit/phrs.pdf.
7. AHIMA. Security Risk Analysis and Management: An Overview (updated). Journal of AHIMA 84, no. 11 (November-December 2013): expanded web version.
8. Francis, Leslie P. When Patients Interact with EHRs: Problems of Privacy and Confidentiality. Houston Journal of Health Law and Policy 12, no. 2 (2012). https://www.law.uh.edu/hjhlp/Issues/Vol_122/Francis.pdf.
9. Ibid.
10. US Department of Health and Human Services, Office of Disease Prevention and Health Promotion. National Action Plan to Improve Health Literacy. May 2010. www.health.gov/communication/HLActionPlan/pdf/Health_Literacy_Action_Plan.pdf.

Prepared By
Kevin Baldwin, MPH, CPHIMS
Benjamin W. Burton, JD, MBA, RHIA, CHP
Cary Cothran, CHP
Dana DeMasters, RN, MN, CHPS
Reginald Grady, MSHI, RHIA, CHPS
Aviva Halpert, RHIA, CHPS
Judi Hofman, BCRT, CHPS, CAP, CHP, CHSS
Lesley Kadlec, MA, RHIA
Rosann M. O'Dell, D.H.Sc., MS, RHIA, CDIP
Sandra Pearson, MHA, RHIA
Deanna Peterson, MHA, RHIA, CHPS
Dan Rode, MBA, CHPS, FHFMA, FAHIMA
Angela Rose, MHA, RHIA, CHPS, FAHIMA
Peg Schmidt, RHIA, CHPS

Acknowledgments
Charlotte S. Barrett, MBA, FACHE, RHIA
Sally Beahan, MHA, RHIA
Susan Clark, RHIT, CHTS-IM, CHTS-PW
Marlisa Coloso, RHIA, CCS
Funmilola Daniel, MBA, CHTS-TS, CHTS-TR
Katherine Downing, MA, RHIA, CHPS, PMP
Elisa Gorton, MAHSM, RHIA, CHPS
Leah A. Grebner, PhD, RHIA, CCS, FAHIMA
Vickie Griffin, RHIT, CCS
Mary Johnson, RHIA
Seth J. Katz, MPH, RHIA
Michele Kruse, MBA, RHIA, CHPS
Lela McFerrin, RHIA
Kelly McLendon, RHIA, CHPS
Melanie Meyer, MHA, RHIT, CCS, PMP
Laurie Miller, RHIT, CCS-P
Harry B. Rhodes, MBA, RHIA, CHPS, CDIP, CPHIM, FAHIMA
Lou Ann Wiedemann, MS, RHIA, CDIP, CHDA, CPEHR, FAHIMA

The information contained in this practice brief reflects the consensus opinion of the professionals who developed it. It has not been validated through scientific research.
Journal of AHIMA April 15/55

Coding Notes

A Call for Additional Coding Metrics
By Mary H. Stanfill, MBI, RHIA, CCS, CCS-P, FAHIMA

THE CALL FOR HIM professionals to develop measures and metrics that guide HIM efforts is not entirely new. Linda Kloss, MA, RHIA, FAHIMA, president of Kloss Strategic Advisors and former chief executive officer at AHIMA, discussed the importance of these measures in a Journal of AHIMA article in September 2013. "HIM can't manage what it can't measure, and information management has operated with too few tested metrics for too long," Kloss wrote. "HIM professionals need to know where their efforts are and where they need to be."1 This observation remains just as true today, particularly in coding operations where data abounds, but metrics are primarily limited to basic coding accuracy and productivity rates. This article discusses suggestions for additional coding metrics that should be used to assess HIM coding operations.
The following are common metrics that have been used to
measure coding operations, with little change over the last
decade:
Coder accuracy
Coder productivity
Discharged not final coded (DNFC)
Case mix index (CMI) trends

Additional Metrics Would Ensure Quality and Integrity


While these metrics are important, expanded uses of coded
data have required the measurement of additional metrics
to ensure that coded data quality and data integrity support
information governance practices. Today, HIM professionals must be able to measure and track the quality of coded
data with more depth. Monitoring and process improvement should be informed by better data, and coding performance expectations are more realistic and impactful if data-driven.
Some suggested additional metrics to measure coding operations include:
Accuracy rates by DRG
Unspecified diagnosis code rates
Denied claim rate due to coding errors (clean claim rate)
DRG shift trends
Mismatch between hospital and physician data

More Data Needed for Accuracy Rates by DRG


Most coding professionals would agree that certain DRGs are
more error-prone than others. However, these traditional beliefs
and common assumptions about error-prone DRGs may or may
not be accurate. The intuitive concept of a correlation between
outlier status and billing errors is one that has existed for some
time and is used as the basis of fraud programs and recovery audit efforts. However, an article published in 2008 reported study
results that showed irregular billing patterns are not always indicative of payment errors.2 Furthermore, DRG accuracy rates
reported by payers are focused on the payers' payment recovery
objectives and thus likely limited to specific DRGs.
More comprehensive data is needed to determine if any of
the DRG pairs/triplets are inherently error-prone, and if so
which ones. HIM professionals should be pushing for this
information. Data-driven evidence that determines if the de
facto standard of 95 percent accuracy is appropriate across all
DRGs would be extremely valuable. National norms specifying acceptable standard deviations for specific DRGs might be established if there was indeed evidence that certain DRGs are more error-prone. And comparative data on accuracy rates by DRG would be helpful to establish data-driven performance standards and focus corrective actions. As a starting point, HIM professionals should endeavor to track accuracy by DRGs over time. In addition, they should expect, and perhaps demand, that auditors share unbiased data.

Unspecified Diagnosis Code Rate a Useful Comparative Measure
Another useful metric is the unspecified diagnosis code rate, which reflects a qualitative perspective of coder performance and coding results. It's calculated by dividing the number of unspecified diagnosis codes by the total number of diagnosis codes assigned on a sample of cases. To do this, simply identify (count) how many diagnosis codes there are on each case (denominator) and how many of them use the term "unspecified" in the description (numerator). For example, in a 50-record
sample there will likely be approximately 500 diagnosis codes
assigned. If 100 of those are unspecified, 100 divided by 500 is
0.2, for an unspecified code rate of 20 percent.
The unspecified diagnosis code rate correlates with the quality of clinical documentation, of course, but it may also correlate with a coder's quality, making it a useful comparative
measure. For example, if Coder A regularly has an unspecified code rate of 20 percent and Coder B's rate is 40 percent,
then the coding manager may need to work with Coder B to
ensure that individual is taking the necessary steps to identify
relevant specificity within the clinical documentation before
finalizing code assignments.
The unspecified diagnosis code rate is also particularly significant in the transition to a new code set. ICD-10-CM codes,
for example, have more specificity available than the ICD-9-CM codes currently in use. However, the specificity of ICD-10-CM codes is only useful if the more specific codes are indeed
assigned. It is important to establish a baseline ICD-9-CM
unspecified diagnosis code rate and then track and trend the
ICD-10-CM unspecified diagnosis code rate. This will empower coding managers to ensure the rate is not impacted by the
code set change since an increase in unspecified code use is
expected to correlate to an increase in claims denials.3

Other Metrics to Consider


HIM coding managers should also consider the applicability of
existing metrics. For example, an organization's patient financial services department likely tracks the number and type of rejected or denied claims by payer (the "denied claim rate" or "clean claim rate").4 This information could be cross-referenced by coder to track the percent of a coder's claims that require re-work. This would be another useful qualitative measure of coder performance and could help identify trends that require focused training. Most hospitals address claims issues with very little emphasis on the factors that lead to those denials. As a result, they repeatedly experience the same type of re-work.
Data trends are also important, and far too often neglected.
HIM departments should be able to pull DRG data so they can
monitor the volume of DRGs from month to month. Monitoring DRG shifts in this manner could provide an early warning
sign of unexpected shifts that require investigation. Monitoring DRG shift trends will be even more critical in the transition
from ICD-9-CM to ICD-10-CM/PCS as there are some conditions and procedures that do not map into the same DRG in
both versions of the code sets.5
It will be important to benchmark any high risk DRGs by volume and cost and continue to monitor this on a regular basis.
The HIM manager responsible for coding operations should be
involved in this data trending to uncover DRG shifts inadvertently caused by anomalous ICD-10 coding practices.
As the code sets become more refined and the healthcare
industry's use and re-use of coded data becomes more sophisticated, so too must HIM operational metrics become more
advanced. A new concern has been raised that the increased
specificity available in ICD-10-CM may cause a mismatch in diagnoses between the hospital claim and the claims submitted
by physicians for professional services.6
As a result, the ability to measure coding accuracy longitudinally to ensure consistency in reporting services on all the
claims related to a particular healthcare event will become
even more important. HIM professionals must develop creative
measures to coordinate coding and denials management across
healthcare settings.7
These are just a few suggested approaches to improve HIM
coding metrics. After all, if you can't measure it, you can't
manage it. The clear trend in the healthcare industry is toward
evidence-based methods for monitoring and evaluating key indices of performance. It's time for HIM to get on board.

Notes
1. Kloss, Linda L. "Leading Innovation in Enterprise Information Governance." Journal of AHIMA 84, no. 9 (Sept 2013): 34-38.
2. Davis, George et al. "Irregular Billing Patterns: Are They Indicative of Payment Errors?" Compliance Today 10, no. 3 (March 2008): 50-55.
3. Eramo, Lisa. "Don't Deny the Denials." Journal of AHIMA 85, no. 6 (June 2014): 30-33.
4. Workgroup for Electronic Data Interchange. "ICD-10 Critical Metrics." October 5, 2012. www.wedi.org/docs/resources/wedi_impact_assessment_swg_white_paper_icd10_metrics_revised_111412-pdf.pdf?Status=Master.
5. Ibid.
6. Ibid.
7. Eramo, Lisa. "Don't Deny the Denials."
Mary H. Stanfill (mstanfill@uasisolutions.com) is vice president of HIM
consulting services at United Audit Systems, Inc.

Coding Notes

Six Months and Counting


ARE YOU READY FOR ICD-10-CM/PCS IMPLEMENTATION?
By Kathryn DeVault, MSL, RHIA, CCS, CCS-P, FAHIMA

WITH JUST SIX months until the implementation of ICD-10-CM and ICD-10-PCS, now is the time for HIM professionals to
re-evaluate the state of their facility's implementation plan and
make any necessary adjustments to ensure a successful transition. Previous delays may have slowed down training and planning, but this final stretch to October 1, 2015 still provides time
for organizational preparation.
The "ICD-10-CM/PCS Transition: Planning and Preparation Checklist" offers a comprehensive plan that can be followed
to help foster a successful transition to ICD-10-CM/PCS. This
document is available in AHIMA's HIM Body of Knowledge
at www.ahima.org, and provides specific guidance that addresses all areas of an organization that are impacted by the
transition to ICD-10.
Review of this document indicates that now is the time for go-live preparation with training and planning in full swing. Preparation, education, and testing will be beneficial in mitigating
potential implementation issues, allowing for a smoother ICD-10 transition. Each phase of this implementation plan provides
information for specific target audiences primarily affected by
the tasks in that phase.
The focus now is on the necessary tasks related to go-live and
final implementation on October 1. While this phase provides
information for several target audiences, this article focuses on
a few of the more critical areas.

Bringing Coding Staff Up to Speed


Now is the time, if it hasn't yet begun, for intensive education and training for a facility's coding staff. All coders should complete comprehensive ICD-10 education, and it is recommended that this be conducted by an AHIMA-approved ICD-10 trainer.
There are multiple ways to complete education and often a
combination of methods is the most effective, such as:
Traditional classroom training
Distance education courses
Audio or web-based materials
Self-directed education with printed or electronic tools
Consider the amount of material to be covered and the best
way to provide the training while also maintaining coders' current workload. This will aid in developing the most effective
training plan for staff to ensure the comprehensive education
needed for ICD-10 implementation is obtained by each coder.
Not all coders will need the same amount of training. It is estimated that hospital inpatient coders will require approximately
50 hours of ICD-10 education due to the complexity of ICD-10-PCS and the need to learn both ICD-10-CM and ICD-10-PCS.
For those coders working in settings other than hospital inpatient, the estimated required training time is approximately 16
hours because only ICD-10-CM training is involved. Finally, for
those coding staff members working for a physician practice or
specialty clinic, the focus should be on those categories of ICD-10-CM most applicable to the particular patient mix.
While education and training is crucial, the assessment of coder
proficiency following the training is just as important. Plan for a
process to validate coder learning and identify potential areas requiring re-training or additional education. With the complexity
of both ICD-10-CM and ICD-10-PCS it should be expected that some amount of additional education will be required.
If an organization utilizes contract coding staff, it is essential
that facilities ensure these coders have also received the necessary ICD-10 education. Companies should confirm the content
of the training as well as the qualifications of the educator.

Dual Coding Offers Training Benefits


Dual coding provides the coding staff an opportunity to practice what they've learned during the education process with
exposure to cases they encounter on a daily basis. One of the
struggles with this, as well as many of the processes associated
with the ICD-10 transition, is the balance between providing
the dual coding opportunity while still maintaining the current
workload. A successful dual coding program gives coders practice in assigning ICD-10 diagnosis and procedure codes while
building confidence in working with the coding classification. It
also serves several other purposes while beginning the process
of building a database of cases coded in ICD-10.
Part of dual coding is the development of a procedure for
auditing dual coded records and providing coding staff with
feedback and education to continue the training process. Individuals auditing dual coded records should not only give suggestions for code changes, as appropriate, but also provide the
reasoning and rationale for any changes or additions. The feedback provides the coding staff with the basis for changes and
further develops coding skills. This process gives managers specific documentation with which to evaluate and assess the ICD-10 competency of their staff.
Dual coding is also an opportunity to continue the evaluation
of the quality of health record documentation. Often, dual coding
is the first time actual health records are coded in ICD-10 and it
quickly becomes apparent if there are documentation gaps impacting code assignment. In ICD-10-CM, this often means the
assignment of unspecified codes which, long term, can result in
decreased reimbursement and an inaccurate reflection of severity of illness. With the specificity of ICD-10-PCS, inadequate or
incomplete documentation will often prevent the assignment of
a procedure code. Both the coding staff and auditors can provide feedback related to the quality of documentation.

Journal of AHIMA Continuing Education Quiz
Quiz ID: Q1538604 | EXPIRATION DATE: APRIL 1, 2016
HIM Domain Area: Clinical Data Management
Article: Six Months and Counting

Organizations should track any DRG changes found during
dual coding. If the case was correctly coded in dual coding, minor
changes to the codes, for example added specificity, will generally not impact the DRG. There are cases where changing one
character in an ICD-10-PCS code can impact DRG assignment;
therefore, any DRG changes found during dual coding should be
carefully reviewed to determine the validity of the shift.
Finally, dual coding creates a database of cases coded in
ICD-10 which can then be used for payer testing and in other
areas where data is necessary for a successful implementation.

Clinical Documentation Improvement Key to Success


During these final few months leading up to implementation, organizations should continue to assess the quality of health record
documentation and implement strategies for improvement as
necessary. Quality documentation is a critical step in realizing the
full benefits of ICD-10. Provider education should continue up to
and beyond the ICD-10 transition to ensure a clear understanding of the documentation requirements. It is important to remember that most providers will only require training in specific
sections and categories of ICD-10-CM, and should focus training
to be meaningful to their specialty. Keep in mind that a complete
documentation improvement plan must include monitoring to
determine the effectiveness of the plan.
While the transition to ICD-10 is a short six months away, there is
still much work to be done to guarantee a smooth implementation
and to mitigate potential issues. It is imperative that organizations
use these remaining months to maximize education and training
for staff as well as continue the push for quality documentation.

Reference
Bowman, Sue and Ann Zeisset. "ICD-10-CM/PCS Transition: Planning and Preparation Checklist." May 2014. http://bok.ahima.org/PdfView?oid=300536.
Kathryn DeVault (kathy.devault@uasisolutions.com) is manager of HIM
consulting services at United Audit Systems, Inc.

TAKE THE QUIZ AT WWW.AHIMASTORE.ORG


NOTE: MAILED-IN PAPER QUIZZES WILL NO
LONGER BE ACCEPTED


Calendar

Advanced ICD-10-PCS Skills Workshop, San Diego, CA
WEBINAR: Oncology Service Coding with ICD-10-CM/PCS
CSA MEETINGS:
ILLINOIS, Springfield, IL
MAINE, Brewer, ME
SOUTH DAKOTA, Sioux Falls, SD
WEST VIRGINIA, Parkersburg, WV
CSA MEETINGS:
IOWA, Altoona, IA
ARKANSAS, Fort Smith, AR
KANSAS, Junction City, KS
MONTANA, Missoula, MT
CSA MEETINGS:
IDAHO, Boise, ID
NEW MEXICO, Albuquerque, NM
NORTH DAKOTA, Bismarck, ND
WEBINAR: An Introduction to Logical Observation Identifiers Names and Codes (LOINC)
CSA MEETINGS:
MISSOURI, St. Charles, MO
NEBRASKA, Kearney, NE
CSA MEETINGS:
ALABAMA, Cullman, AL
WASHINGTON, Spokane, WA
CSA MEETINGS:
NEW HAMPSHIRE, Lebanon, NH
LOUISIANA, Monroe, LA
CSA MEETINGS:
NORTH CAROLINA, Greensboro, NC
WEBINAR: Using Healthcare Statistics in ACOs: Model Building and Risk/Payment Infrastructures
CSA MEETINGS:
ALASKA, Anchorage, AK
MINNESOTA, Red Wing, MN
Advanced ICD-10-PCS Skills Workshop, Seattle, WA

AHIMA Annual Convention 2016: Baltimore, MD, October 15-20

A Look Ahead
Upcoming AHIMA Institutes, Seminars, Workshops, and Webinars

MAY
3-5: CSA Meeting: Massachusetts, Falmouth, MA
6-7: CSA Meeting: Virginia, Richmond, VA
6-8: CSA Meeting: Wisconsin, Stevens Point, WI
7-8: CSA Meeting: Nevada, Las Vegas, NV
CSA Meeting, District of Columbia/Maryland, Hanover, MD
11-13: CSA Meeting: Indiana, Indianapolis, IN
11-13: CSA Meeting: Pennsylvania, Hershey, PA
12: Webinar: Clinical Documentation Improvement: Stepping Beyond Fee for Service
12-14: Privacy and Security Training with CHPS Exam Prep Workshop, Chicago, IL
12-15: CSA Meeting: Michigan, Grand Rapids, MI
14-15: CSA Meeting: Wyoming, Casper, WY
14-15: Faculty Development Regional Meeting, Tacoma, WA
14-16: CSA Meeting: Oregon, Portland, OR
15: CSA Meeting: Rhode Island, Warwick, RI
18-19: CSA Meeting: Utah, Salt Lake City, UT
18-20: AHIMA ICD-10 Academy: Building Expertise in Coding, Chicago, IL
20-22: CSA Meeting: Colorado, Denver, CO
21: Webinar: Patient Engagement vs. Patient Education: What's the Difference?
27-29: Advanced ICD-10-PCS Skills Workshop, Edison, NJ
27-29: AHIMA ICD-10 Academy: Building Expertise in Coding, Columbus, OH
27-29: CSA Meeting: Hawaii, Honolulu, HI

UPCOMING INSTITUTES, SEMINARS, WORKSHOPS, AND WEBINARS
June 2: Webinar: ICD-10: The Impact on OP Coding for Certain High Volume Diagnoses
June 3-5: AHIMA ICD-10 Academy: Building Expertise in Coding, Seattle, WA
June 4: Webinar: Bringing Predictive Analytics to the Point of Care
June 4-5: CDIP Exam Prep Workshop, Seattle, WA
June 4-5: Faculty Development Regional Meeting, Miami, FL

Check www.ahima.org/events for the latest schedule of institutes, seminars, and workshops.

Keep Informed
Resources and News from AHIMA

Privacy and Security Training with Optional CHPS Exam Prep Workshop

This two-day meeting provides a concise and focused review of the federal HIPAA Privacy and
Security Rules and offers an optional third day for
those preparing to sit for the Certified in Healthcare
Privacy and Security (CHPS) exam. The training
will provide in-depth examples and exercises, best
practices, and operational aspects of implementing
the rules, while covering the five domains within the
privacy and security program. For more information
visit www.ahimastore.org/ProductDetailMeeting.aspx?ProductID=18189.

AHIMA Introduces New Online HIPAA Privacy and Security Course
HIPAA is vast, complex, and one of the most difficult regulations to understand. AHIMA and TeachPrivacy have collaborated to produce a new three-part interactive online course series that makes HIPAA easy to comprehend and discusses how HIPAA applies to various situations. The courses include "HIPAA Privacy: The Pillars of a Privacy Program," "HIPAA Privacy: Rights and Responsibilities," and "HIPAA Security: Safeguarding Personal Health Information." For more information visit www.ahima.org/education/onlineed/Programs/hipaa.

Webinar Details Oncology Service Coding with ICD-10-CM/PCS
A webinar scheduled for April 9, 2015 at 12 p.m. CT
will offer practical instruction on oncology service
coding from an AHIMA-approved ICD-10-CM/PCS
trainer. While the webinar is geared toward those
who code in oncology service settings (both ambulatory and inpatient care), it may also be of interest to coders with a desire to learn more about
coding for neoplasms and related procedures in
ICD-10-CM/PCS. For more information visit www.ahimastore.org/ProductDetailAudioSeminars.aspx?ProductID=17748.

AHIMA Volunteer Leaders

AHIMA BOARD OF DIRECTORS


President/Chair
Cassi Birnbaum, MS, RHIA, CPHQ, FAHIMA
Senior Vice President of Health Information
Management and Consulting Services,
Peak Health Solutions, Inc.
San Diego, CA
(858) 746-7298
cassi.birnbaum@ahima.org
President/Chair-elect
Melissa M. Martin, RHIA, CCS, CHTS-IM
Chief Privacy Officer and Director of Health
Information Management, West Virginia
University Hospitals
Morgantown, WV
(304) 598-4109 x73716
melissa.martin@ahima.org
Past President/Chair
Angela C. Kennedy, EdD, MBA, RHIA
Head and Professor, LA Tech University
Ruston, LA
(318) 257-2854
angela.kennedy@ahima.org

Speaker of the House of Delegates


Laura W. Pait, RHIA, CDIP, CCS
Chief Operating Officer, Health Information
Management Shared Service Center, Parallon
Business Performance Group, Atlanta Shared
Service Center
Norcross, GA
(678) 421-7681
laura.pait@parallon.com
CEO, AHIMA
Lynne Thomas Gordon, MBA, RHIA, CAE,
FACHE, FAHIMA
Chicago, IL
(312) 233-1165
lynne.thomasgordon@ahima.org
TERM ENDS 2015: DIRECTORS
Treasurer
Susan J. Carey, RHIT, PMP
System Director, HIM, Norton Healthcare
Louisville, KY
(502) 629-8913
susan.carey@nortonhealthcare.org
Dana C. McWay, JD, RHIA
Court Executive/Clerk of Court, US Bankruptcy
Court for the Eastern District of Missouri
(314) 244-4600
danahimlaw@aol.com

Cindy Zak, MS, RHIA, PMP, FAHIMA


Executive Director Corporate HIM,
Admitting and Outpatient Access,
Yale New Haven Health System
Woodbridge, CT
(203) 688-5466
cindy.zak@ynhh.org
TERM ENDS 2016: DIRECTORS
Zinethia L. Clemmons, MBA, MHA, RHIA, PMP
Senior Health Information Privacy Specialist,
Department of Health and Human Services/OCR
Washington, DC
(202) 495-0533
zinethia.clemmons@hhs.gov
Secretary
Ginna E. Evans, MBA, RHIA, FAHIMA
Business Analyst, Revenue Cycle Development,
Emory Healthcare
Avondale Estates, GA
(404) 778-7960
ginna.evans@emoryhealthcare.org
Colleen A. Goethals, MS, RHIA, FAHIMA
HIM Consultant, Cardone Record Services, Inc.
Belvidere, IL
(815) 378-2632
cgoethals@mmrainc.com

TERM ENDS 2017: DIRECTORS


Barbara J. Manor, MA, RHIA
Vice President of HIM, SCL Health
Aurora, CO
(303) 403-7511
barbara.manor@sclhs.net
Dwan A. Thomas-Flowers, MBA, RHIA, CCS
HIM Consultant
Jacksonville, FL
(904) 220-2486
HIMprofexcel@bellsouth.net
Susan E. White, PhD, RHIA, CHDA
Associate Professor, Clinical HRS HIM and
Systems Division, School of Health and
Rehabilitation Sciences, Ohio State University
(614) 247-2495
Columbus, OH
white.2@osu.edu
Advisor to the Board
David S. Muntz, CHCIO, FCHIME, LCHIME,
FHIMSS
Senior Vice President/CIO, GetWellNetwork
Bethesda, MD
(240) 482-3192
david.muntz@getwellnetwork.com

2015 CHAIRS OF AHIMA VOLUNTEER GROUPS


AHIMA Grace Awards Committee
Ann F. Chenoweth, MBA, RHIA
(801) 712-4537
afchenoweth@mmm.com

Engage Advisory Committee


Thomas J. Hunt, MBA, RHIA
(989) 725-8279
thunt@davenport.edu

Nominating Committee
Jill A. Finkelstein, MBA, RHIA, CHTS-TR
(954) 418-0938
jfinkelstein@browardhealth.org

State Advocacy Council


Debra K. Primeau, MA, RHIA, FAHIMA
(310) 617-0042
dprimeau@primeauconsultinggroup.com

AHIMA Triumph Awards Committee


Judith A. Gizinski, MPH, RHIA
(321) 757-5226
judy.gizinski@health-first.org

Exhibit Advisory Committee


Steve Sonn, MS
(312) 229-7197
ssonn@care-communications.com

Professional Ethics Committee


Diann H. Smith, MS, RHIA, CHP, FAHIMA
(817) 457-8911
diannhsmith@texashealth.org

Virtual Lab Strategic Advisory Committee


John Richey, MBA, RHIA
(419) 447-9352
richey@findlay.edu

Annual Convention Program Committee


Kimberly D. Theodos, JD, MS, RHIA
(318) 257-2854
ktheodos@latech.edu

Fellowship Committee
Mona Y. Calhoun, MEd, MS, RHIA, FAHIMA
(301) 352-0304
mcalhoun@coppin.edu

2015 CHAIRS OF AFFILIATE VOLUNTEER GROUPS


AHIMA Foundation
Torrey Barnhouse
(312) 233-1131
Torrey.Barnhouse@TrustHCS.com

Commission on Accreditation for Health Informatics and Information Management Education
Bonnie Cassidy, MPA, RHIA, FAHIMA, FHIMSS
(312) 233-1548
bonnie.cassidy@nuance.com

Commission on Certification for Health Informatics and Information Management
Kay Merriweather, RHIA, CHDA, CDIP, CCS,
CCS-P, CPC-H
(404) 849-0459
wdmerr@earthlink.net

Council for Excellence in Education


Ryan H. Sandefer, MA, CPHIT
(218) 625-4931
rsandefe@css.edu

Envisioning Collaborative
Laura W. Pait, RHIA, CDIP, CCS
(336) 946-1750
lpait@novanthealth.org

House Leadership
Elizabeth A. Delahoussaye, RHIA, CHPS
(865) 659-5059
edelahoussaye@iodincorporated.com

Judi G. Hofman, CHPS, BCRT, CAP, CHSS, H-CAP
(541) 706-7760
jhofman@stcharleshealthcare.org

Susie L. James, RHIT, CCS


(205) 941-1105
sjames@mmplusinc.com

2015-2016 HOUSE OF DELEGATES


Speaker of the House of Delegates
Laura W. Pait, RHIA, CDIP, CCS
Chief Operating Officer, Health Information
Management Shared Service Center, Parallon
Business Performance Group, Atlanta Shared
Service Center
Norcross, GA
(678) 421-7681
laura.pait@parallon.com

Speaker-elect of the House of Delegates


Elizabeth A. Delahoussaye, RHIA, CHPS
(865) 659-5059
edelahoussaye@iodincorporated.com

2015 PRACTICE COUNCIL VOLUNTEER CONTACTS


Clinical Terminology & Classification
Cheryl Gregg Fahrenholz, RHIA, CCS-P
(937) 848-6080
Cheryl@phs4you.com

Enterprise Information Management


Kathleen Addison
(403) 943-0940
kathleen.addison@albertahealthservices.ca

Health Information Exchange


Neysa I. Noreen, RHIA
(507) 645-0715
neysa.noreen@childrensmn.org

Gail Garrett, RHIT


(615) 344-6247
Gail.Garrett@HCAHealthcare.com

Sharon Slivochka, RHIA


(440) 937-5532
sks622@roadrunner.com

Katherine Lusk, MHSM, RHIA


(214) 456-8576
Katherine.Lusk@childrens.com

Privacy and Security


Sharon Lewis, MBA, RHIA, CHPS, CPHQ,
FAHIMA
(805) 542-0160
sharonlewisrhia@att.net
Deanna Peterson, MHA, RHIA, CHPS
(314) 209-7800
Deanna.Peterson@firstclasssolutions.com

AHIMA volunteers also make valuable contributions as facilitators for Engage Online Communities. To locate the facilitator(s), go to a particular community, click on the Members tab, then click on the
community administrator link.


COMPONENT STATE ASSOCIATION PRESIDENTS


Alabama
Sharon Horton-Woodruff, RHIT
Cullman, AL
(256) 352-8337
sharon.horton@wallacestate.edu

Indiana
Deborah Grider, CDIP, CCS-P
McCordsville, IN
(317) 908-5992
deborahgrider@mac.com

Nevada
Gregory Schultz, RHIA
North Las Vegas, NV
(702) 526-8361
gschultz00@aol.com

South Dakota
Sheila Hargens, MSHI, CMT
Parkston, SD
(605) 928-3741
sheila.hargens@avera.org

Alaska
Janie Batres, RHIA, CDIP
Anchorage, AK
(907) 252-7228
janieleigh44@hotmail.com

Iowa
Mari Beth Schneider Lane, MS, RHIA
Sheldon, IA
(712) 324-5061
mlane@nwicc.edu

New Hampshire
Jean Wolf, RHIT, CHP
Gorham, NH
(603) 466-5406
jean.wolf@avhnh.org

Tennessee
Lela McFerrin, RHIA
Chattanooga, TN
(423) 493-1637
lela.mcferrin@hcahealthcare.com

Arizona
Christine Steigerwald, RHIA
Gilbert, AZ
(480) 292-8293
Christine.Steigerwald@bannerhealth.com

Kansas
Julie Hatesohl, RHIA
Junction City, KS
(785) 210-3498
phoebehat@cox.net

New Jersey
Carolyn Magnotta, RHIA
New Egypt, NJ
(609) 758-8890
magnottac@deborah.org

Texas
Terri Frnka, RHIT
Bryan, TX
terrifrnka@yahoo.com

Arkansas
Marilynn Frazier, RHIA, CHPS
Ozark, AR
(479) 667-5153
mfrazier@ftsm.mercy.net

Kentucky
Diba Thakali, RHIA
Lexington, KY
(859) 979-3049
diba.thakali@bhsi.com

New Mexico
Vicki Delgado, RHIT
Albuquerque, NM
(505) 948-6711
vicki.delgado@kindredhealthcare.com

California
Shirley Lewis, DPA, RHIA, CCS, CPHQ
Upland, CA
(909) 608-7657
shirley.lewis5@verizon.net

Louisiana
Lisa Delhomme, MHA, RHIA
Rayne, LA
(337) 277-5544
delhomme@louisiana.edu

New York
Sandra Macica, RHIA
Saratoga Springs, NY
(518) 584-0389
s.macica@elsevier.com

Colorado
Melinda Patten, CDIP, CHPS
Aurora, CO
(720) 777-6657
melinda.patten@childrenscolorado.org

Maine
Nora Brennen, RHIT
Topsham, ME
(207) 751-1853
Nora.Brennen@va.gov

North Carolina
Jolene Jarrell, RHIA, CCS
Apex, NC
jolene@drgreview.com

Connecticut
Elizabeth A. Taylor, MS, RHIT
East Hartford, CT
(860) 364-4417
liz.taylor@sharonhospital.com

Maryland
Sarah Allinson, RHIA
Baltimore, MD
(410) 499-7281
sarahballinson@gmail.com

Delaware
Marion Gentul, RHIA, CCS
Lewes, DE
(302) 827-1098
mgs60mga@yahoo.com

Massachusetts
Walter Houlihan, MBA, RHIA, CCS
Springfield, MA
(413) 322-4309
Walter.Houlihan@bhs.org

District of Columbia
Jeanne Mansell, RHIT, CHTS-CP, CHTS-PW,
CHTS-IM, CHTS-IS, CHTS-TS, CHTS-TR
Washington, DC
(202) 421-5172
jeanne87@hotmail.com

Michigan
Thomas Hunt, RHIA
Owosso, MI
(989) 725-8279
thunt@davenport.edu

Florida
Anita Doupnik, RHIA
Tampa, FL
(813) 907-9380
anita.doupnik@nuance.com

Minnesota
Jean MacDonell, RHIA
Grand Rapids, MN
(612) 719-3697
jean.macdonell@granditasca.org

Georgia
Allyson Welsh, MHA/INF
Decatur, GA
Allysonwelsh@gmail.com

Mississippi
Phyllis Spiers, RHIT
Carriere, MS
(601) 347-6318
pspiers@forrestgeneral.com

Hawaii
Marlisa Coloso, RHIA, CCS
Wailuku, HI
(808) 442-5509
mcoloso@hhsc.org

Missouri
Angela Talton, RHIA, CCS
Florissant, MO
(314) 276-4180
afranks@swbell.net

Idaho
Mona P. Doan, RHIT, CCS-P
Boise, ID
(208) 484-7076
monadoan@hotmail.com

Montana
Vicki Willcut, RHIA
Kalispell, MT
(406) 756-4758
vwillcut@krmc.org

Illinois
Teresa Phillips, RHIA
Effingham, IL
(217) 347-2806
teri.phillips@hshs.org

Nebraska
Shirley Carmichael, RHIT
Fairbury, NE
(402) 729-6854
shirley.carmichael@jchc.us

Utah
Vickie Griffin, RHIT, CCS
Bountiful, UT
vickie.griffin@Parallon.com
Vermont
Charmaine S. Vinton, RHIT, CCS, CPC
West Chesterfield, NH
(603) 357-0170
cvinto@bmhvt.org
Virginia
Darcell Campbell, RHIA
Hampton, VA
(757) 788-0052
DACampbell@cox.net

North Dakota
Tracey Regimbal, RHIT
Grand Forks, ND
traceyregimbal@hotmail.com

Washington
Sheryl Rose, RHIT
Spokane, WA
(509) 624-4109
sherylrose622@hotmail.com

Ohio
Pamela Greenstone, MEd, RHIA
Mason, OH
(513) 403-9014
Pamela.Greenstone@uc.edu

West Virginia
Kathy Johnson, RHIA
Sinks Grove, WV
(304) 772-5312
kjohnson@care-communications.com

Oklahoma
Christy Hileman, MBA, RHIA, CCS
Mustang, OK
(405) 954-2824
christy.hileman@faa.gov

Wisconsin
Susan Casperson, RHIT
Cecil, WI
(715) 853-1370
susan.casperson@thedacare.org

Oregon
William Watkins, RHIA
Oregon City, OR
(503) 867-5173
william.w.watkins@kp.org

Wyoming
Kimberle Johnson, RHIA
Gillette, WY
(307) 682-1251
kim.johnson@ccmh.net

Pennsylvania
Laurine Johnson, MS, RHIA, FAHIMA
Sarver, PA
(724) 295-9429
ljohnson@peakhs.com

Puerto Rico
Brunilda Velazquez, RHIA, CCS
Guayanilla, PR
(787) 505-1433

Rhode Island
Patti Nenna, RHIT
Bristol, RI
(401) 253-1686
pnenna@cox.net

South Carolina
Karen B. Farmer, RHIT
Greenville, SC
(864) 277-1982
kfarmer@ghs.org

E-mail changes to your listing to journal@journal.ahima.org



QualCode provides cost-effective solutions for all your coding, reimbursement and educational concerns.

Medical Coding Services
Inpatient & Outpatient
- Onsite & Remote
Specialty Coding
- Wound Care

Coding Compliance Audits
DRG/Coding Quality Audits
Evaluation & Management Audits
- Emergency Room
- Professional Fee Services

Education & Training
ICD-10-CM/PCS

212.368.6200 www.qualcodeinc.com
QualCode, Inc. SM
Medical Coding & Reimbursement

Advertising Index
AHIMA
Amphion Medical Solutions
Caban Resources, LLC
Channel Publishing
First Class Solutions
Health Information Associates
Health Language, Inc.
Healthcare Cost Solutions
HealthPort
In Record Time, Inc.
Just Associates, Inc.
MedData, Inc.
MRO
Ovation Revenue Cycle Services
QualCode, Inc.
Textware Solutions-Instant Text
VHC

AHIMA Thanks Its Loyalty Program Members
EXECUTIVE LEVEL
DIRECTOR LEVEL
MANAGER LEVEL
Health Language

INTERACTIVE AND ENGAGING ONLINE COURSE
Make HIPAA Easy to Understand
Convenient: Learn at your own pace

HIPAA has a reputation as one of the most complex and difficult regulations to understand. Not any longer! AHIMA and Teach Privacy have collaborated to produce a new, three-part, interactive, and easy to comprehend online course series that points out HIPAA's key components, shows how the various parts of the regulation work together, explains the regulation in easy to comprehend terms, and discusses how HIPAA applies to various situations.

Courses include:
The Pillars of a Privacy Program
Rights and Responsibilities
Safeguarding Personal Health Information

Visit ahima.org/hipaaonline for more information and course demos.

AHIMA Career Center


For classified advertising information, call Alyssa Blackwell: 410-584-1961 | e-mail: ablackwell@networkmediapartners.com
While the ads in this section are deemed to be from reputable sources, the publisher accepts no responsibility for the offers made.
All copy must conform to equal employment opportunity guidelines, and the publisher reserves the right to reject, withdraw, or modify copy.
A current rate card is available on request.

Exclusively Specializing
in HIM for
almost 25 years!
We assist both
job seekers and employers
in the following specialties:
Executive Level | Consultants
Coders | Auditors | CDI
Directors | Managers | Vendors
Contact us in confidence:
Doug Ellie or
Perry Ellie, MA, RHIA, Fellow AHIMA

Careers@HIMjobs.com
800-248-6989

Want to fill your open position, or promote your office as a great place to work?
Advertise in the AHIMA Career Center!
Contact Alyssa Blackwell at 410-584-1961 for pricing and options,
or leave her an email at ablackwell@NetworkMediaPartners.com.


Upcoming Issues:
May: Informatics
June: ICD-10-CM/PCS
July: Clinical Documentation Improvement

[Infographic: ONC Shared Nationwide Interoperability Roadmap. Text recovered from the graphic follows.]

Where We Are

94% of non-federal acute care hospitals use a certified EHR to collect electronic data about patients.1
78% of office-based physicians use an EHR system to collect electronic patient data.1
1 in 3: Number of consumers burdened with providing their own health information when seeking care for a medical problem (such as a test result or medical history).2
62%: In 2013, more than six in ten hospitals electronically exchanged health information with providers outside of their system.3
51%: Only half of hospitals can electronically search for critical health information from outside sources (such as in an emergency or office visit).5
14% of office-based providers electronically share patient information with other providers.9
1 in 8: the number of Americans in 2013 who tracked a health metric like blood pressure or weight using some form of technology.8
Taking a leisurely 17 years for evidence to go from research to practice.4

STATE LINE
Most states have different laws and regulations making it difficult to share health information across state lines.
The typical primary care physician has to coordinate care with 229 other physicians working in 117 practices.7
The number of providers a typical Medicare beneficiary sees annually.6

SPEED BUMPS TO INTEROPERABILITY
Health information is not sufficiently standardized
Aligning payment incentives
Misinterpretation and differences in existing privacy laws
Lack of trust

DETERMINANTS OF HEALTH
80%-90% of health determinants are NOT related to health care.
Social
Diet and Exercise
Environmental
Health Care System
Economic

Where We Are Going

By the end of 2017
The majority of individuals and providers can send, receive, find, and use a common set of clinical information.

Follow the ONC Road

Interoperability Map Plots Path to a Learning Health System


The lack of interoperable health information systems and IT has long been a barrier to achieving a learning health system (LHS) in the US. As the Institute of Medicine defines it, a LHS is a system in which progress in science, informatics, and care culture align to generate new knowledge as an ongoing, natural byproduct of the care experience, and seamlessly refine and deliver best practices for continuous improvement in health and health care. Creating an evidence-based healthcare system requires a reliance on a robust national health IT system.
This infographic created by the Office of the National Coordinator for Health IT (ONC) from its recently released Health IT Interoperability Road Map explains how the government agency plans to help achieve interoperability, mile by mile, within 10 years. To view the complete infographic, visit www.healthit.gov/newsroom/shared-nationwide-interoperability-roadmap-journey-better-health-and-care.
Credit: Office of the National Coordinator for Health IT. Shared Nationwide Interoperability Roadmap: The Journey to Better Health and Care. January 2015. www.healthit.gov/newsroom/shared-nationwide-interoperability-roadmap-journey-better-health-and-care.

[Infographic, continued. Goals shown: Healthier People, Smarter Spending, Better Care. Center label: Learning Health System, Continuous Learning Cycle.]

By the end of 2020
Connecting an expanded set of users and data sources through the use of #mHealth and #wearables. Advances in the sharing and use of patient-generated health data leads to consumer empowerment, person-centered care, active individual health management and greater information sharing with the public health community.

By the end of 2024
DRAMATICALLY REDUCE THE TIME IT TAKES FOR EVIDENCE FROM RESEARCH TO BECOME COMMON PRACTICE

A Learning Health System reduces the time from evidence to practice. This enables ubiquitous connectivity, improves population health and helps researchers analyze data from a variety of sources.
(thus better evidence-based diagnosis, treatment and personalized medicine)

Sources:
1. ONC Report to Congress, October 2014. http://www.healthit.gov/sites/default/files/rtc_adoption_and_exchange9302014.pdf.
2. http://www.healthit.gov/sites/default/files/consumeraccessdatabrief_9_10_14.pdf.
3. http://healthit.gov/sites/default/files/oncdatabrief17_hieamonghospitals.pdf.
4. Balas, E.A. and S.A. Boren. Yearbook of Medical Informatics, 2000.
5. http://dashboard.healthit.gov/quickstats/pages/FIG-Hospital-Electronic-Query-Capability.php.
6. Pham, H.H. et al. Care patterns in Medicare and their implications for pay for performance. New England Journal of Medicine 2007;356:1130-1139. http://www.nejm.org/doi/full/10.1056/NEJMsa063979.
7. Pham, H.H. et al. Primary care physicians' links to other physicians through Medicare patients: the scope of care coordination. Annals of Internal Medicine, 2009; 150:236-42.
8. Pew Research Center. Tracking for Health. January 2013. Accessed from: http://www.pewinternet.org/files/old-media//Files/Reports/2013/PIP_TrackingforHealth%20with%20appendix.pdf.
9. Health Affairs, August Issue; first author: Furukawa, M.

Grace W. Myers Award
The Grace W. Myers Award honors an organization's outstanding achievement in health information management.

Submit Your Nomination Now.
Visit ahima.org/grace for more information on this prestigious honor.

JOURNAL OF AHIMA
2015 RESOURCE GUIDE
CODING AND ICD-10-CM/PCS GUIDE

CONTENTS
3M Health Information Systems
Administrative Consultant Service, LLC
AHA Central Office
Amphion Medical Solutions
Care Communications
Career Step
Channel Publishing
Cymetrix
DocuCoders
eCatalyst Healthcare Solutions, Inc.
Elsevier Clinical Solutions
First Class Solutions
Flash Code Solutions, LLC
FutureNet Technologies Corporation
Healthcare Cost Solutions
Health Information Associates
Henry Schein MicroMD
H.I.M. On Call
HRS
IMEDX
IOD Incorporated
Kiwi-Tek
Maxim Healthcare Services, Inc.
MedData, Inc.
MLT Medical Coding, Inc.
Ovation Revenue Cycle Services
Practice Management Information Corporation (PMIC)
Precyse Solutions
Professional Data Management Group, Inc.
RecordsOne
Stat Solutions
SuperCoder, The Coding Institute

3M Health Information Systems is a global provider of medical records coding, terminology, and reimbursement solutions designed to improve clinical and financial performance.
Our innovative software and consulting services focus on solutions for clinical documentation improvement (CDI), computer-assisted coding (CAC), ICD-10 education, and outsourced coding and CDI services.
The 3M 360 Encompass System is a powerful CAC and CDI tool: automated intelligence for documentation improvement and coding built on trusted logic and methodologies for linking clinical and financial data. It connects and automates both coding and documentation improvement, two of the most critical issues related to ICD-10.

3M Health Information Systems
Phone: 800-367-2447
E-mail: 3MhisSales@mmm.com
www.3Mhis.com

Administrative Consultant Service, LLC
Revenue Cycle Management
ICD-10 Preparation and Training
Clinical Documentation Improvement
Hospital Chargemaster Reviews
Inpatient/Outpatient Audit Services
Appeals Process/Investigation Expert Witness
Recovery Auditor Appeals
Appropriate use and billing of Observation Services
Physician (RBRVS) Reimbursement
678 Kickapoo Spur, Shawnee, OK 74801
405.878.0118
www.acsteam.net

Care Communications is a nationally recognized, award-winning HIM leader. CARE offers focused, effective and comprehensive HIM services for hospitals and medical practices, including:
ICD-10 planning, education and implementation
Coding quality and clinical documentation improvement and education
Temporary coding staffing
Coding compliance services
Interim coding management
Complete coding outsource
Awarded Supplier of Novation

Care Communications, Inc.
800-458-3544
info@care-communications.com
www.carecommunications.com

CODING ADVICE
FROM THE
CODING EXPERTS

print

digital

SEE OUR DISPLAY AD ON THE INSIDE BACK COVER.

Take Control of Your Coding Needs

Career Step offers the planning and education resources required to build the long-term coding education strategy you need to be successful through ICD-10 and beyond!

Assess retention of ICD-10 education
Reinforce ICD-10 training gaps through online, webinar, and onsite training
Prepare physicians for ICD-10 documentation
Transition existing coders to inpatient or specialty coding
Provide new coder training in I-9 or I-10
Hire Career Step medical coding graduates

See why some of the largest names in healthcare have chosen Career Step as their EDUCATIONAL PARTNER.

corporatetraining.careerstep.com
1-888-989-7512

You asked for ... AFFORDABLE ICD-10 ... we delivered!!!

Channel Publishing, Ltd.
ICD-10 PRODUCTS

2015 ICD-10 CODE BOOKS
2015 Enhanced Generic ICD-10-CM Only $69.95
2015 Enhanced Generic ICD-10-PCS Only $59.95

2016 ICD-10 CODE BOOKS
2016 ICD-10-CM, The Educational Annotation of ICD-10-CM (Available September 2015)
Includes all Enhanced features, plus: COLOR highlighting, Definitions and Illustrations, Anatomy and Physiology Reviews, MS-DRG, MCE, AHA notations ... and more!
Annual Version (Paperback) July Sale $55.95
SoftCover Version (Loose-leaf, 3-hole punched pages, updateable yearly) July Sale $59.95
Future Updates: 30% below new book reg. price

2016 ICD-10-PCS, The Educational Annotation of ICD-10-PCS (Available September 2015)
Includes all Enhanced features, plus: COLOR highlighting, Definitions and Illustrations, Anatomy and Physiology Reviews, MS-DRG, MCE, AHA notations ... and more!
Annual Version (Paperback) July Sale $45.95
SoftCover Version (Loose-leaf, 3-hole punched pages, updateable yearly) July Sale $49.95
Future Updates: 30% below new book reg. price

ICD-10 TRAINING SEMINAR-IN-A-BOX
Learning ICD-10-CM (DVDs, CM book, Workbook)
Professional Version: Designed to teach others
Individual Version: Teach yourself (12 CEUs)
Learning ICD-10-PCS (DVDs, PCS book, Workbook)
Professional Version: Designed to teach others
Individual Version: Teach yourself (20 CEUs)

ICD-10 TRAINING EXERCISE BOOKS
2015 Mastering ICD-10-CM Exercise Book
2015 Mastering ICD-10-PCS Exercise Book
2015 Mastering ICD-10-CM Guidelines Exercise Book
2015 Mastering ICD-10-PCS Guidelines Exercise Book
The Last Word on ICD-10

Channel Publishing, Ltd.
1-800-248-2882
FOR DETAILS AND ORDERING INFORMATION, VISIT: www.channelpublishing.com

SEE OUR DISPLAY AD ON PAGE 43.

Optimize Your Revenue Cycle
As a leader in providing comprehensive revenue cycle management solutions, our coding professionals are AHIMA-credentialed, experienced and monitored to ensure high accuracy.

Our HIM Solutions include:
Clinical Coding
Documentation Integrity
Consulting Services
Department Outsourcing

800.308.4940
www.cymetrix.com

DocuCoders
Outsource Remote Coding Specialists
At Your Service!
www.docucoders.com
850.213.3153

Framing the Future of HIM
The most important element of our service philosophy is unrelenting client focus. Our success depends entirely on how we serve you.
Chris Meyers, CEO

eCatalyst was built on the foundation of knowledge, expertise, and visionary HIM leadership. We deliver the right people, processes, and professional service to our clients, on-time and within budget guaranteed.

Remote Coding
Hospital and professional
Backfill, ICD-10 support, complete department outsourcing

Code Auditing
ICD-9, ICD-10, professional
Audit your dual coding efforts
DRG, MS-DRG, APC, inpatient and outpatient

ICD-10
Planning, education and implementation
Computer Assisted Coding (CAC) implementation
Revenue integrity post go-live

Strategic Consulting
HIM workflow analysis and operational assessments
Strategic consulting
Interim HIM and coding leaders

eCatalyst brings together the best coding and audit experts to drive significant results for your HIM department and your bottom line.

Call: 623-236-3336
Visit: www.eCatalystHealth.com
Email: info@eCatalystHealth.com

eLearning for Effective Coding and Clinical Documentation Improvement
Accurate, complete coding and clinical documentation are critical to a healthcare organization's mission and operations, impacting both quality of care and financial viability.
That's why targeted training from Elsevier is so important.
ICD-9 Coding
ICD-10 Assessment, Training and Testing
ICD-10 Practice Environment
Clinical Documentation Improvement
Regulatory Compliance
Reimbursement
Contact us today to get started on your customized training plan. So much depends on it.

www.icd-10online.com
(866) 429-3067

First Class Solutions, Inc. SM
Not your traditional healthcare consulting firm - services customized to YOUR needs since 1988

Our HIM Services
Operational Assessments
Temporary HIM Management
Coding Validation Audits and Coding Support
Scanning and Transcription Analyses
Scanning Software Implementation Project Management
Scanning Operations Management
CAC Guidance & RFP Management
CAC Implementation Management
ICD-10 Project Management (Limited)
ICD-10 DRG Shift/Documentation Analysis

Our Release of Information Software
Cortrak Standard - Includes scanning capabilities which are tied to request
Cortrak Plus - Includes scanning capabilities which are tied to request, utilizes Microsoft SQL Server

Our ICD-10 Services
Awareness Education Management & Physicians
Dual Coding Validation
Documentation Deficiency Reviews
DRG Shift Analysis

800-274-1214
www.FirstClassSolutions.com
www.Cortrak.com
SEE OUR DISPLAY AD ON PAGE 39.

Who Cares?
Who cares how coding and transcription services affect your report quality, patient care, physician satisfaction, and billing?
We do and that's what makes us different.
Call today to learn how FutureNet cares for how you care for healthcare.

100% Certified Coding Services Team
Flexible, fast & accurate ICD-9/ICD-10

100% Domestic Transcription Services
Top tier KLAS ranked performance

Low Cost Pricing With No Hidden Fees
Free mobile apps, interfaces & e-sign

Stage 2 Inpatient & Ambulatory EHRs
Powerful NLP, CAC & CDI tools for MU

20 Years With Same Management Team
Stable firm delivering flexible solutions

800.200.5440
www.FNEHR.com

takes coding on a new path.
H.I.M. ON CALL knows the way.

Address coder shortages
Eliminate coding backlogs
Improve code quality
Manage financial impact

Make H.I.M. ON CALL your permanent resource for all of your coding needs!

New ICD-10 Direction, New ICD-10 Team
Meet them all here!
himoncall.com/leadership

WE KNOW WHAT MATTERS.
QUALITY. SERVICE. PEACE OF MIND.

IT'S ABOUT THE PEOPLE BEHIND THE NUMBERS. THEY'RE WHAT MAKE THE DIFFERENCE

For more than 20 years, HIA has been committed to quality in everything we do, from the training of our staff, to relationships with our clients. As a result we've become a leading provider of coding and review services. We have made it a point to get beyond the numbers game and create a culture built on inclusiveness and encouragement; it's about nurturing relationships with both our clients and our employees.

Compliance Reviews | Education | Coding Services

866-HIA-CODE | hiacode.com

SEE OUR DISPLAY AD ON THE INSIDE FRONT COVER.

Choose experience.
Choose excellence.
Choose HRS.
Remote Coding Solutions
Domestic, international or hybrid options
Temporary staff or complete outsource
Dual coding Hospital & Professional

Coding Quality Reviews


DRG MS-DRG APC Inpatient Outpatient
ICD-10 Dual coding Compliance education
Hospital & Professional

Strategic Consulting
Clinical documentation gap analysis
CDI program tune-up Change management
Workflow analysis HIM operations evaluation

ICD-10 Readiness
Documentation audits Dual coding reviews
End-to-end test coding
Gap analysis Readiness assessments
Coder and non-coder training
AHIMA-approved ICD-10 trainers

800.329.0365

www.HRScoding.com

Bringing Precision
to the Process
At iMedX, we understand the growing
complexity resulting from the changes in
healthcare coding requirements. We can help
by ensuring that your receivables are not
negatively impacted by any coding delays.

Our Coding Services Cover:
Same Day Surgery
Acute Care
Inpatient
Observation
Clinics
Emergency Department
All Ancillary Departments
Home Health & Hospice

The training time and learning curve required by ICD-10 will require a trusted business partner to keep the unbilled accounts in line with your goals. Prepare in advance, and partner with iMedX to secure resources that will flex with your needs.

Learn more about iMedX at imedx.com or give us a call at 404.418.0096

Healthcare Audit Resource Technology
Database solutions for the ever-changing environment of the External Audit
Coding Audits in ICD-9 and ICD-10: MS-DRG / APR-DRG / APC / HCC / LTAC
Medical Necessity Reviews
RAC Reviews and Appeals
Charge Detail Audits
PACT Validation Audits
Remote Coding: ICD-9 and ICD-10
HIM Interim Management
Online ICD-10 Tutorials

Optimizing Your Rightful Reimbursements
Healthcare Cost Solutions, Inc.
Newport Beach, CA 92660
866.427.7828 / 949.721.2795
www.hcsstat.com

SEE OUR DISPLAY AD ON PAGE 46.

Henry Schein MicroMD provides simple yet powerful Practice Management and EMR solutions with functionality, tools and training to assist with your ICD-10 transition.

Henry Schein MicroMD
760 Boardman-Canfield Rd.
Boardman, OH 44512
800-624-8832
micromd.com

ONE SINGLE SOLUTION
PRECYSE TRANSFORMING COMPLEX WORKFLOWS INTO PRODUCTIVE OPERATIONS

ONE and only firm to receive 100% positive comments from clients about its ICD-10 services*
ONE integrated platform for inpatient and outpatient CAC and CDI
ONE expert team to empower your HIM, coding and CDI innovation

* ICD-10 CONSULTING: ROADMAP TO A SUCCESSFUL TRANSITION. DECEMBER 2012. KLAS ENTERPRISES, LLC. ALL RIGHTS RESERVED. WWW.KLASRESEARCH.COM

WWW.PRECYSE.COM | 1-866-PRECYSE

Keep using your current ICD-9 software and keep getting paid.
It is no surprise that Diagnosis Billing Codes are changing; upgrading your Billing System to ICD-10 can be costly.

Are you ready?
We have a simple, cost-effective solution that will ensure that you keep getting paid in the upcoming ICD-10 environment while using your current ICD-9 Medical Billing System. No need to upgrade your entire system to ICD-10 until you're ready.

FOR MORE INFORMATION
Visit our website at PDMG.com to see how you can keep getting paid while using your current ICD-9 Medical Billing System.

Be ready with PDMG

Make Maxim your HIM Partner!
We offer customized solutions including:
Remote and on-site coding support
Auditing services
Clinical documentation improvement
HIM departmental outsourcing
Facility wide ICD-10 training
Maxim provides only the highest quality HIM talent and services to help you achieve your HIM goals. Take advantage of our expertise and call us today!

Delivering Results, Growing Careers
EAST 866-265-0589
WEST 866-316-8773
www.maximhealthinformationservices.com

Stat Solutions, Inc. is a highly respected coding company focusing our efforts on providing the highest level of quality credentialed HIM professionals along with the finest personalized customer service.
*Onsite or Remote Coding
*Coding Quality Reviews
*Interim HIM Management

For more information please call us
888-297-7212
info@statsolutionsinc.com
www.statsolutionsinc.com

Your Coding Solution IS JUST A CLICK AWAY
kiwi-tek.com

Faster Turnaround
Optimal Compensation
Cost-Effective BPO
Quality Focused
ICD-10 Certified
Maximum Compliance

KIWI-TEK can deliver the best coding solutions tailored to your specific workflow with guaranteed quality and turnaround times. We are committed to providing fast, accurate remote coding for any healthcare provider, in any location, for any patient type. And, to provide you with the most cost-effective options, we offer domestic and international coding experts.

8900 Keystone Crossing, Suite 1095, Indianapolis, IN 46240
Phone: 317-571-3440 | Toll-Free: 866-709-5494

ICD-10 Y93.D
Activities involving arts and handcrafts

You've got to draw the line somewhere.
ICD-10 has been drawn out until October 2015. But that doesn't mean you should lie around waiting until then. Take advantage of the extra time and improve your cash flow by getting proactive with your revenue cycle.
Discover how MedData can help your organization boost revenue from patient payments by 50%.
CALL TODAY!
800-835-7474
meddata.com/ahima

SEE OUR DISPLAY AD ON THE BACK COVER.

Anxious About ICD-10?
We Code with Confidence.

Ovation Coding Services is built on the foundation of continuous quality improvement and combines Outsourced Coding, Quality Audit Services and Intelligent Coding Analytics to create the ultimate coding solution. The result is zero coding backlog, guaranteed quality, reduced costs, and eliminates worry over coding resources, or shortage-driven cost increases.

Outsourced Coding
2000+ dedicated FTE coding team
4 million+ charts per month | 48 hour turnaround

Quality Audit Services
Ensure completeness of coding and assignment of proper codes

Intelligent Coding Analytics
100% automated analysis of every chart

Developed, implemented and tested at UPMC revenue cycle operation. Ovation's services automate manual processes, streamline workflows, and ensure healthcare providers are paid quickly and accurately.

Code with Confidence. Contact us: 412.432.5697 or www.ovationrcs.com.

SEE OUR DISPLAY AD ON PAGE 7.

ICD-10 Coding Made Easy
Requires no knowledge of ICD-10 CM codeset.

Try the only pictorial coding workflow tool
Developed by The Orthopaedic Center's trauma surgeon Brian Scholl based on clinical residency coding training
Cuts code lookup time from 3-5 mins to 30 seconds!
Adds additional must codes to picklist as you select base code
Avoids reimbursement snaggles with coding workflow routed to most specific code
Export codes directly to any EHR, PMS, Coder

F17.21, Nicotine dependence, cigarettes
J40.0, Unilateral emphysema
M13.16, Monoarthritis, not elsewhere classified, knee
M84.472P, Pathological fracture, left ankle, subsequent encounter for fracture with malunion

Available in: PC, Web-based, iOS, Android Phones and Tablets
Available for: Orthopedics, Neurosurgery, Physical Therapy, Chiropracty, Ophthalmology, Optometry, Emergency Medicine, Urgent Care, Family Practice

The tool doctors have been asking for!

Buy now: www.supercoder.com/BoneCoder10
For more information call 866-228-9252
The Coding Institute LLC, 2222 Sedwick Drive, Durham, NC 27713
