What to Do Following a Cyberattack - Journal Of AHIMA

APRIL 2019 What to Do Following a Cyberattack

Welcome to the Digital Edition of the Journal of AHIMA

Slideshow: Six Simple Steps to Take During a Cyberattack

The Department of Health and Human Services’ recent Cybersecurity Report details six steps providers should take in the event of a cyberattack.


Journal of AHIMA April 19 / 1

Contents April 2019

Cover

Hacked! What to Do Following a Cyberattack, by Mary Butler

Features

The State of CDI: Analysis of AHIMA’s new clinical documentation improvement industry survey, by Tammy Combs, RN, MSN, CCS, CDIP, CCDS

What to Do (and Not Do) When Changing HIM Vendors, by Angela Rose, MHA, RHIA, CHPS, FAHIMA

Coding & CDI Resource Guide

Departments

President’s Message: It Takes Leadership to Reimagine HIM

Bulletin Board

Inside Look: Tackling the Modern Privacy Challenge

Calendar

Keep Informed

Volunteer Leaders

Addendum: Value-Based Care Now Includes Ambulance Coverage

AHIMA’s comprehensive CDI industry survey examined how and where CDI professionals work.

Vol. 90, no. 4

Working Smart

How to Ensure Proper PHI Disclosure Management in the Business Office, by Kim Charland, RHIT, CCS; Cindy Zak, MS, RHIA, PMP, FAHIMA; and Kyle McElroy, MS-HSA, RHIA

How to Create a Modern and Compliant Records Retention Schedule You Can Actually Execute, by Mark Diamond

Using Information Governance to Avoid Data Breaches and Provide Cybersecurity, by Gail Gottehrer, JD, and Ronald J. Hedges, JD

Cybersecurity and Understanding Cyber Risk, by Diane Dolezel, EdD, RHIA, CHDA

Practice Brief

Guidelines for Achieving a Compliant Query Practice (2019 Update)

Coding Notes

Five Tenets for Success in Academic Medical Center Coding, by Sarah Humbert, RHIA

Complicated Coding: Postoperative Ileus, by William C. Fiala, MA, CCS-P, CPC, RMA, and Kristine N. Kraft, DC, RMA

Quizzes

AHIMA members may earn continuing education credits by successfully completing the following quizzes at https://my.ahima.org/store

“Hacked! What to Do Following a Cyberattack” (Domain: Privacy and Security)

“The State of CDI” (Domain: Clinical Data Management)

“Complicated Coding: Postoperative Ileus” (Domain: Clinical Data Management)

http://journal.ahima.org

CMS and ONC Have Released Proposed Rules on Information Blocking—What’s Next? This overview of the proposed rules on data exchange and interoperability reviews the direct impact on HIM’s role.

Monday Coding Quiz: Test your skills with a new coding question from Clinical Coding Workout every Monday.

Journal of AHIMA (ISSN 1060-5487) is published monthly, except for the combined issues of July/August and November/December, by the American Health Information Management Association, 233 North Michigan Avenue, 21st Floor, Chicago, IL 60601-5800. Subscription Rates: Included in AHIMA membership dues is a subscription to the Journal. The annual member subscription rate is $22.00 for active and graduate members, and $10.00 for student members. Subscription for nonmembers is $100 (domestic), $110 (Canada), $120 (all other outside the U.S.). Postmaster: Send address changes to Journal of AHIMA, AHIMA, 233 North Michigan Avenue, 21st Floor, Chicago, IL 60601-5800. Notification of address change must be made six weeks in advance, including old and new address with zip code. Periodical’s postage is paid in Chicago, IL, and additional mailing offices.

Notice of Policy

Editorial—views expressed in articles contributed to the Journal of AHIMA are those of the author(s) and do not necessarily reflect the policies and opinions of the Association, editorial review board, or staff. Articles are not to be construed as endorsing any particular product or service. Advertising—products, services, and educational institutions advertised in the Journal do not imply endorsement by the Association.

Copyright © 2019 American Health Information Management Association ® Reg. US Pat. Off.

ADVERTISING REPRESENTATIVES: MCI USA

Jeff Rhodes, Phone: (410) [email protected]

Allison Zippert, Phone: (410) [email protected]

AHIMA OFFICE: 233 N. Michigan Ave., 21st Floor, Chicago, IL 60601-5800; (312) 233-1100; Fax: (312) 233-1090

AHIMA ONLINE: www.ahima.org

JOURNAL OF AHIMA: [email protected]

JOURNAL OF AHIMA MISSION

The Journal of AHIMA serves as a professional development tool for health information managers. It keeps its readers current on issues that affect the practice of health information management. Furthermore, the Journal contributes to the field by publishing work that disseminates best practices and presents new knowledge. Articles are grounded in experience or applied research, and they represent the diversity of health information management roles and healthcare settings. Finally, the Journal contains news on the work of the American Health Information Management Association.

EDUCATIONAL PROGRAMS

The Commission on Accreditation for Health Informatics and Information Management Education (www.cahiim.org) accredits degree-granting programs at the associate, baccalaureate, and master’s degree levels. For more information on HIM career pathways and CAHIIM accreditation, visit www.ahima.org/careers.

AHIMA CEO Wylecia Wiggs Harris, PhD, CAE

EDITORIAL DIRECTOR Anne Zender, MA

EDITOR-IN-CHIEF Chris Dimick

ASSISTANT EDITOR/WEB EDITOR Sarah Sheber

ASSOCIATE EDITOR Mary Butler

CONTRIBUTING EDITORS Sue Bowman, MJ, RHIA, CCS, FAHIMA; Patricia Buttner, RHIA, CDIP, CCS, CHDA, CPHI; Tammy Combs, RN, MSN, CCS, CCDS, CDIP; Julie Dooling, MSHI, RHIA, CHDA, FAHIMA; Melanie Endicott, MBA/HCM, RHIA, CHDA, CCS, CCS-P, CDIP, FAHIMA; Jewelle Hicks; Lesley Kadlec, MA, RHIA; Donna Rugg, RHIT, CCS, CCS-P, CDIP, CICA; Gina Sanvik, MS, RHIA; Robyn Stambaugh, MS, RHIA; Maria Ward, MEd, RHIT, CCS, CCS-P

ART DIRECTOR Graham Simpson

EDITORIAL ADVISORY BOARD Linda Belli, RHIA; Gerry Berenholz, MPH, RHIA; Carol A. Campbell, DBA, RHIA, FAHIMA; Rose T. Dunn, MBA, RHIA, CPA, CHPS, FACHE, FAHIMA; Diane A. Kriewall, RHIA; Glenda Lyle, RHIA; Daniel J. Pothen, MS, RHIA; Tricia Truscott, MBA, RHIA, CHP; Carolyn R. Valo, MS, RHIT, FAHIMA

President’s Message

It Takes Leadership to Reimagine HIM

By Valerie Watzlaf, PhD, MPH, RHIA, FAHIMA

AS LEADERS IN the HIM profession, we must strive to reimagine our future and embrace the change that will accompany it. Looking back over the HIM Reimagined (HIMR) recommendations, I see areas where we have already made progress—and others where we still have some work to do.

1. Increase the number of AHIMA members who hold relevant graduate degrees (e.g., HIM, Health Informatics, MBA, MD, MEd, MPH) to 20 percent of total membership within 10 years. Currently, about 14 percent of our members hold a master’s degree or higher. Mentorship is important to reach this milestone. A mentor can provide advice, support, and knowledge through the entire educational process. Employer support is also vital—whether with afforded time off to attend classes or through financial support such as tuition assistance. To complete my master’s and doctorate I received both strong mentorship and financial support through my employer.

2. In collaboration with other health and health-related organizations, in the public and private sectors, build a mechanism to ensure availability of research that supports health informatics and information management. Some of our members conduct evidence-based best practices, policies, and interventions that can be applied to healthcare and population health. But much work remains to be done in this area. The AHIMA Foundation Research Network is conducting research in areas that are vital to HIM.

3. Increase the opportunities for specialization across all levels of the HIM academic spectrum through curricula revision, while retaining a broad foundation in health information management and analytics. The 2018 HIM competencies have been finalized by the Council for Excellence in Education and provided to the Commission on Accreditation for Health Informatics and Information Management Education to use. Several educational programs have or are moving toward building specialty concentrations to accommodate the needs of students and to provide them with more opportunity to enhance their skills and expertise directly in the HIM workplace.

4. RHIA credential is recognized as the standard for the HIM generalist practice and the RHIT (+specialty) as the technical level of practice. Even though the RHIT+ certification will not move forward currently, new and emerging ways to designate skills and knowledge for not only the RHIT, but also for all AHIMA certifications, will be explored. The RHIT to RHIA proviso allows current RHIT credential holders who also hold a baccalaureate degree or higher in any field to sit for the RHIA exam. Currently, 336 members have taken advantage of this opportunity and 85 percent have passed the RHIA exam through the proviso.

HIMR is our vision for the future in education, research, specialization, and credentials. As Ron Heifetz, the founding director of the Center for Public Leadership at Harvard University, states in The Practice of Adaptive Leadership: “Leadership is a difficult practice personally because it almost always requires you to make a challenging adaptation yourself. Those are hard choices because they involve both protecting what is most important to you and bidding adieu to something you previously held dear: a relationship, a value, an idea, an image of yourself.” As effective and adaptive leaders, let’s continue to reimagine our future and the bright promise it holds for all of us.

Valerie Watzlaf (valerie.watzlaf@ahimaboard.org) is vice chair of education and associate professor at University of Pittsburgh.


Bulletin Board: what’s happening in healthcare

AHIMA Submits Comments on OCR’s HIPAA Modification RFI

In February, AHIMA submitted comments on the Department of Health and Human Services’ (HHS’) Office for Civil Rights’ (OCR) Request for Information (RFI) on “Modifying HIPAA to Improve Coordinated Care.” The RFI seeks to identify provisions of HIPAA that impede the transformation to value-based healthcare or that limit care coordination and “present obstacles to these goals without meaningfully contributing to the privacy and security of protected health information (PHI) or patients’ ability to exercise their PHI rights,” according to an HHS press release.

With the goal of enhancing the individual right of access to health information under HIPAA, AHIMA’s RFI response proposed converging HIPAA release of information requirements with ONC’s health IT certification program. OCR should better define and standardize the health information that must be included in organizations’ “designated record set,” as defined by HIPAA, and then require certified health information technology to provide this information set in a format that is easy to read and to access, including via application programming interfaces, AHIMA wrote.

AHIMA also asked OCR to extend the HIPAA right of access to non-covered entities that manage individual health data, such as mHealth and health social media applications. “The goal is uniformity of health data access policy, regardless of covered entity, business associate, or other commercial status,” AHIMA wrote.

AHIMA noted concerns about requiring accounting of disclosure requests for treatment, payment, and healthcare operations, a pending change to HIPAA required by the HITECH Act but not yet enacted. AHIMA noted that providing this accounting—a list of individuals authorized to access PHI as part of their jobs—would be overly burdensome on healthcare providers and provide limited value to patients. If OCR does implement this requirement, AHIMA suggested providers only be required to indicate why disclosures occurred in a general way, such as “for treatment” or “for healthcare operations purposes,” instead of providing additional data elements.

The comments also suggested that instead of doing away with the HIPAA requirement of a signed Notice of Privacy Practice (NPP) for each patient, OCR consider modifications to the methods by which the NPP is shared with the patient, since privacy transparency is important.

AHIMA’s comments also called for the alignment of 42 CFR Part 2, the law offering special privacy protections to substance abuse health records, with HIPAA. The current Part 2 regulations present operational challenges for HIM professionals, who “often are forced to work with paper records to ensure that a patient’s Part 2 information is kept confidential.” In Part 2 programs that do have an electronic health record system, HIM professionals often lack data segmentation functionality and must keep patients’ addiction records separate from the rest of the health record by creating two separate records. While the comments acknowledge revisions to 42 CFR Part 2 are beyond the scope of OCR’s regulatory authority, AHIMA said this should be addressed by HHS through a separate rulemaking process. Read the full comments at http://bok.ahima.org/PdfView?oid=302676.

AHIMA Seeks Comments on ONC/CMS Interoperability, Info Blocking Proposed Rules

The Centers for Medicare and Medicaid Services (CMS) and the Office of the National Coordinator for Health IT (ONC) released their long-awaited proposed rules concerning the interoperability of electronic health information (EHI) and information blocking—and AHIMA is collecting member feedback.

Some of the major intended outcomes from the proposals are seamless and secure access, exchange, and use of EHI, and increased patient choice and provider competition, fostering innovation that promotes patient access to and control over their EHI.

The rules also define information blocking as practices that unreasonably limit the availability, disclosure, and use of EHI to improve interoperability. There are seven exceptions to the information blocking provisions. These exceptions are categories of practice that would be reasonable and necessary provided certain conditions exist.

The ONC proposed rule includes aspects that call for information to be made available to patients at no cost, and that APIs be developed using FHIR standards. The ONC rule also has two associated Requests for Information, which seek public comments on pricing that can be included as a part of a person’s EHI and would help the public see the prices they are paying for their healthcare, and on how standards-based APIs might support improved information exchange between a healthcare provider and a registry in support of public health reporting, quality reporting, and care quality improvements.

The Federal Register published the rules on March 4, opening a 60-day comment window that ends May 3. To form its response, AHIMA is asking members to send positive and negative comments about the rules to [email protected]. For more information, visit https://journal.ahima.org/2019/03/04/ahima-seeking-comments-on-onc-cms-interoperability-and-info-blocking-proposed-rules/.

Over Half of 2018 Healthcare Breaches Caused by Insiders

A Verizon research study showed that in 2018, healthcare was the sole industry where more data breaches were perpetrated by organizational insiders than by external sources. The “2018 Data Breach Investigations Report” analyzed more than 53,000 cybersecurity incidents occurring over the course of the year, with 2,216 confirmed breaches over nine industries: education, financial, healthcare, accommodation, information, manufacturing, professional, public, and retail. Of those breaches, 536 occurred within the healthcare sector. While 43 percent of the breaches were caused by external actors, 56 percent were caused by internal sources like employees. Only 19 percent of the financial industry’s incidents were caused by insiders, and only 19 percent in the education field. A total of 35 percent of the healthcare breaches were the result of user error. Read the report at https://enterprise.verizon.com/resources/reports/dbir/.

The Department of Veterans Affairs is partnering with the Centers for Disease Control and Prevention (CDC) to integrate patient mortality data from its electronic health record (EHR) system into the CDC’s Modernizing Death Reporting project.

While digital and artificial intelligence technologies are becoming a critical focus of healthcare spending, Damo Consulting’s annual survey found in 2019 that many healthcare executives plan to spend the majority of their IT budgets on optimizing their EHR systems.

A study by tech research firm Comparitech.com ranked the United States fifth in cybersecurity preparedness, lagging behind Japan, France, Canada, and Denmark.

Seven leading national hospital associations released the report “Sharing Data, Saving Lives: The Hospital Agenda for Interoperability” that offers suggestions on how to improve health IT data exchange.

Major health insurer Cigna and integrated delivery system Sentara Healthcare have joined a blockchain collaborative to leverage the technology for improved payment processing, health information exchange, and maintaining provider directories.

Data analyzed by the US Bureau of Labor Statistics found that between 2006 and 2017 healthcare travel and wait times were the longest when compared to other professional services like legal services and government licensing.

The Department of Health and Human Services’ Office of Inspector General reported that the Centers for Medicare and Medicaid Services inappropriately paid $84 million to skilled nursing facilities that didn’t meet its three-day rule between 2013 and 2015.

Number of Breached Patient Records Tripled in 2018

Clocking in at 15 million records compromised across 503 healthcare data breach incidents, the number of patient records breached in 2018 was nearly triple those reported in 2017, according to the Protenus 2019 Breach Barometer report. Despite the alarming jump in the number of breached records—from 5.5 million in 2017 to 15 million in 2018—the number of actual breach incidents only increased slightly—from 477 in 2017 to 503 in 2018. The largest breach reported in 2018, according to a press release on the Breach Barometer report, was not a healthcare provider but a hacked business associate, a health system vendor where hackers gained access to patient data for 2.65 million patient records. Hacking was the cause of 44 percent of the breaches in 2018, according to the report.

[Chart: Number of Breached Patient Records. 2017: 5.5 million; 2018: 15 million.]

Source: Protenus. “2019 Annual Breach Barometer Report.” 2019. www.protenus.com/2019-breach-barometer.

OCR Collected All-Time High in HIPAA Enforcement Fines in 2018

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) wrapped up 2018 by posting an all-time record year in HIPAA enforcement activity. Last year OCR settled 10 cases, together totaling $28.7 million from enforcement actions, according to an HHS press release. This total surpassed the previous record of $23.5 million from 2016 by 22 percent. In addition, OCR also reached the single largest individual HIPAA settlement in history by fining Anthem, Inc. $16 million—representing a nearly three-fold increase over the previous record settlement of $5.5 million in 2016.

“Our record year underscores the need for covered entities to be proactive about data security if they want to avoid being on the wrong end of an enforcement action,” said OCR Director Roger Severino in a press release.

OCR’s final settlement of the year occurred in December 2018, when California-based hospital network Cottage Health agreed to pay $3 million and adopt a substantial corrective action plan to settle potential violations of the HIPAA Rules. OCR received two notifications from Cottage Health regarding breaches of unsecured electronic protected health information (ePHI) affecting over 62,500 individuals: one in December 2013 and another in December 2015, according to HHS. The first breach occurred when ePHI stored on a Cottage Health server—including patient names, addresses, dates of birth, Social Security numbers, diagnoses, conditions, and other treatment information—became accessible via the internet. The second breach occurred when a server was misconfigured following an IT response to a troubleshooting ticket, exposing unsecured ePHI over the internet, HHS said.

Voice Assistants Take on Patient Care Roles

Health technology developers are working rapidly to develop voice-enabled technology—such as Amazon’s Alexa and Apple’s Siri—to take on patient care and patient data management tasks in a manner that complies with patient privacy. Until recently, voice-enabled technologies were primarily a consumer-facing resource for patients, but as developers have started to address patient privacy issues, experts predict that voice assistants will start to be seen as another member of the patient care team.

Some providers, such as Boston Children’s Hospital, are already using voice assistants to help improve intensive care unit efficiency, provide wound care instructions, and, in the case of New York’s Northwell Health, provide patients in private rooms with access to their medical records via Alexa, according to Stat News.

An emerging area for hospital inpatient use of voice assistants is syncing them up with nurse’s call buttons to help caregivers prioritize patient needs and respond more efficiently. Additionally, many tech startups are working with transcription and documentation vendors such as Nuance and Notable to reduce the physician documentation burden, Stat News reported, adding that many products already on the market are HIPAA-compliant.

“I do not think in the near, medium, or long future the EMR is going to be replaced with a voice-enabled application,” Darren Dworkin, chief of information at Cedars-Sinai, a Los Angeles-based health system, told Stat News. “Like many technologies before this, the important part will be that we don’t get too far ahead with the hype.”

SURVEY: REVENUE CYCLE MANAGEMENT STILL VIEWED AS CRITICAL

www.healthdatamanagement.com/news/revenue-cycle-management-still-viewed-as-critical-by-providers

A survey conducted by Health Data Management found that nearly two out of every three health IT executives said revenue cycle management remains “very or extremely important to their organizations,” though the respondents noted they are under pressure to wring revenue cycle improvements out of their computer systems. Only a third of the respondents said their organizations were “very or extremely effective” in managing revenue cycle management.

RETHINKING HEALTH DATA PRIVACY LAWS

www.theverge.com/2019/1/29/18197541/health-data-privacy-hipaa-policy-business-science

This consumer-facing article in The Verge offers a quick-hit look at why HIPAA and other privacy laws are due for an update—and steps the government is taking to address the issue. Points include the need for standardized national privacy laws and the need to take into account modern society’s definition of just what “privacy” entails in the 21st century.

HITECH ACT EXAMINED ON 10TH ANNIVERSARY

https://jamanetwork.com/journals/jama/fullarticle/2724003

The Health Information Technology for Economic and Clinical Health (HITECH) Act hit its 10th anniversary this year. A viewpoint article on JAMA Network marks the occasion by examining HITECH’s successes and failures over the last decade. While HITECH can be credited with driving near-universal adoption of electronic health records, the authors note, poor electronic health record system usability and interconnectivity have contributed to medical errors and physician frustration unmatched by other health IT implementations.

Studying Past Cyberattacks Helps Current Cybersecurity Prevention Efforts

One of the best ways to prevent cybersecurity attacks is to pay close attention to attacks reported in the news. Solid understanding of previous attacks—particularly how such attacks were thwarted and how entities responded to them—can provide useful information for providers working to prevent them.

That’s according to Ron Mehring, chief information security officer and vice president of technology and security at Texas Health Resources, who discussed cybersecurity prevention efforts at the February HIMSS19 Conference in Orlando, FL, according to Health Data Management. For example, an uptick in cyberattacks that penetrated organizations through phishing emails is an indication that hackers are finding that method to be successful and will therefore increase phishing attacks (see the article below for more information). Healthcare organizations can use this information to provide more training on how to identify phishing emails.

“Follow the Marine Corps approach to war and automating processes,” Mehring advised, according to Health Data Management. “The quicker we react to observe the incident, and to automate observations is key because people are slow. The closer we get to automation and controls testing the better we’ll have a handle on this.”

Mehring also advised providers to read the most recent cybersecurity guidance from the US Food and Drug Administration. In late 2018 the FDA warned providers about security vulnerabilities in medical devices and provided updated recommendations for device manufacturers on how they can better protect their products against different types of cybersecurity risks, from ransomware to a catastrophic attack on a health system.

Report: Email Fraud Attacks on the Rise

The healthcare sector saw an astronomical increase of 473 percent in email fraud attacks between the first quarter of 2017 and fourth quarter of 2018, according to a report from Proofpoint. To reach that number, Proofpoint analyzed over 160 billion emails sent across 150 countries, identifying cyberattack trends relevant to the healthcare sector. On average, they found that healthcare organizations experienced 96 email fraud attacks during the fourth quarter of 2018—32 per month.

Of those, more than half were attacked more often, with incidents up anywhere from 200 percent to 600 percent during the Q1 2017 to Q4 2018 time period. None of the companies covered in the analysis saw a decrease in attacks during that time. While the report authors note that in other industries there is no correlation between company size and number of attacks, in healthcare larger companies were targeted more frequently.

It can take a real effort to catch some of the more sophisticated email fraud attacks. According to the report, 95 percent of healthcare organizations were targeted by an attack using their own domain. “And all of them had their domain spoofed to target patients and business partners,” the report said.

A concerning 45 percent of email sent from healthcare-owned domains in Q4 2018 appeared suspicious. The report’s authors recommend a multi-layered defense against email fraud, including email authentication, machine learning and policy enforcement, and domain monitoring.

QUALITY AND PERFORMANCE IMPROVEMENT IN HEALTHCARE BOOK UPDATED

https://my.ahima.org/store/product?id=65719

The AHIMA Press book Quality and Performance Improvement in Healthcare: Theory, Practice, and Management has been updated, and covers the latest trends in healthcare quality control and performance. The book presents a comprehensive introduction to the theory, practice, and management of performance and quality improvement processes in healthcare organizations, and includes the latest information on Commission on Accreditation for Health Informatics and Information Management Education accreditation standards that maps chapter content to the curriculum.

STUDY: ‘EMPIRICAL EVIDENCE’ THAT HIE PARTICIPATION IMPROVES OUTCOMES

www.healthaffairs.org/doi/abs/10.1377/hlthaff.2018.05447

A new study published in Health Affairs claims to have “empirical evidence” of a long-time claim of health information exchange (HIE) organizations—that use of HIEs improves patient outcomes. Researchers examined state-level data in Florida from 2011 to 2014 to examine the relationship between hospitals’ participation in HIEs and quality and health outcomes. HIE participation was associated with a decrease in readmissions for myocardial infarction.

AHA RELEASES ROADMAP TO HELP RURAL HOSPITALS

www.aha.org/guidesreports/2019-02-04-rural-report-2019

The American Hospital Association has created a roadmap aimed at helping rural hospitals, which struggle with low patient volumes, geographic isolation, financial uncertainty, and an increasing regulatory burden. Some of the recommendations include updating Medicare and Medicaid payment rates for rural hospitals, and expanding access to telehealth.

19_April.indd 9 3/20/19 10:05 PM

The need to effectively protect the confidentiality of health information is more essential than ever. Gather with industry peers at this premier industry event to share proven successes and lessons learned for effectively managing your organization’s privacy and cybersecurity.

The Privacy and Security Institute is an advanced level learning environment to:

• Hear presentations and participate in discussions aimed at ensuring privacy, security, and confidentiality of health information

• Advance this unique skill set to lead your organization with effective privacy and security management

• Understand key points for evolving privacy and security practices for optimal compliance in a continually changing environment

• Strengthen and learn new and proven successful management approaches to the industry’s “hottest” privacy and security trends, issues, and practices

• Gain practical insights for alternative privacy and security operational methods and solutions

• Network with peers and policy makers

September 14–15 | Chicago, IL

LEARN MORE AT ahima.org/privacyinstitute

REGISTRATION OPEN NOW


Inside Look

WE’RE SEEING A powerful case for the profession to keep privacy and security high on its priority list as we drive forward to a more modernized HIM practice. It’s an area that continues to evolve and challenge us.

You can see the challenges in the regular news reports of privacy breaches, cyberattacks, and hacking.

You can see evolution in the federal Request for Information (RFI) issued late last year on modernizing HIPAA to further the Department of Health and Human Services Secretary’s goal of promoting coordinated, value-based healthcare. (A summary of AHIMA’s response to the RFI can be found on page 6, while the full comments are available in the AHIMA HIM Body of Knowledge.)

You can see more evolution in a study in Social Science & Medicine that indicates that consumers are likely to avoid certain kinds of health information, such as genetic testing or other test results, in the implied presence of audiences with high capacity to harm them (such as health insurers or employers)—even if the information could enable them to take life-saving action.1 As HIM professionals, we may have the opportunity to educate people on how their information will be used and advocate for policies that could potentially reduce harm to consumers.

Cyberattacks are in the news on a regular basis, and they are a privacy or security officer’s worst nightmare. What would you do if it happened at your organization? In “Hacked! What to Do Following a Cyberattack,” Mary Butler discusses what HIM professionals should do following a cyberattack that impacts health information. Butler highlights best practices for contingency plans, interwoven with firsthand accounts and insights from those who have lived through and learned from these events.

As part of its transformation, AHIMA is channeling resources and time into clinical documentation improvement (CDI). We believe CDI is one of the core functions of HIM professionals, and we want to capitalize on that strength. We are pleased to publish a new research study conducted by AHIMA’s CDI Practice Council on the state of the CDI industry. In “The State of CDI,” Tammy Combs, RN, MSN, CCS, CDIP, CCDS, summarizes some of the key takeaways of this survey, including insights on the types of organizations where CDI professionals work, CDI credentials that are seen in the industry, and the professional backgrounds of CDI professionals. The full results of the survey can be found in the AHIMA HIM Body of Knowledge.

Finally, skills to effectively manage vendors should be part of every HIM professional’s toolkit. In “What to Do (and Not Do) When Changing HIM Vendors,” Angela Rose, MHA, RHIA, CHPS, FAHIMA, convenes a virtual roundtable of HIM professionals to share their challenges, lessons learned, and practical strategies that helped them ensure quality service during a vendor transition. “Always challenge, stay on top of the changes, and communicate opportunities for improvement,” one participant says in the article.

Sounds like words to live by as we modernize HIM practice for the 21st century.

Note

1. Lipsey, Nikolette P. and James A. Shepperd. “The Role of Powerful Audiences in Health Information Avoidance.” Social Science & Medicine 220 (2019): 430-439. www.sciencedirect.com/science/article/pii/S0277953618306713.

Tackling the Modern Privacy Challenge

By Wylecia Wiggs Harris, PhD, CAE, chief executive officer


Hacked! What to Do Following a Cyberattack


STEVE GILES, CHIEF information officer (CIO) at Hollywood Presbyterian Medical Center, says the experience of his organization’s 2016 high-profile ransomware attack was among the top three most terrible events he has lived through in his professional and personal life. Hospital officials started to notice that access was blocked to certain servers at 6:30 p.m. on a Friday, so they immediately implemented their downtime procedures as well as internal triage processes. The following morning a ransom message appeared on Hollywood Presbyterian’s computer terminals, prompting Giles and his colleagues to contact the cyber unit of the Los Angeles Police Department. However, since it was a weekend, the cyber unit put off their own response until Monday, as did the local Federal Bureau of Investigation (FBI) office. Giles and the hospital staff were on their own for the weekend.

What to Do Following a Cyberattack

By Mary Butler


Because ransomware attacks were thought to be rare events in early 2016, there were few industry best practices for Giles to follow—such as not paying the ransom, enacting a specific ransomware incident response plan, or, if worse comes to worst, knowing exactly how to obtain Bitcoin. With no law enforcement help coming in the near future and the fear growing that waiting could lead to increased patient risk, Hollywood Presbyterian ended up paying the $17,000 ransom in Bitcoin. At the time many experts and some in law enforcement typically recommended paying the ransom just to ensure retrieval of vital data like health records—but it is a practice that security experts now advise against.

According to Clyde Hewitt, MS, CISSP, CHS, executive advisor at CynergisTek, organizations that pay a ransom are 75 percent more likely to experience another attack. If word gets out in the press that a ransom was paid, or if the hackers brag to their friends about their exploits, hospitals find themselves targeted again. Giles says that in the wake of Hollywood Presbyterian’s attack, the volume of phishing emails and other attempted hacks tripled.

Fortunately, the medical center had monthly downtime periods when security updates are pushed out, which gave the staff practice with quickly transitioning to paper-based processes such as charting and registering new patients. However, the attack shut down the payroll system, which added a layer of stress because of California’s strict regulations about paying hospital employees on time. So, in addition to addressing systems related to patient care, getting payroll back online was a priority. Lab systems, pharmacy systems, and electronic health records (EHRs) stayed operational during the attack.

“Our saving grace was that our backups were still on tape,” Giles says. “They were then and they are still. And as a result the malware could not reach them. I’ve taken calls from other hospitals that had their backups on a disc drive technology that were also networked with the rest of the system and they got attacked too.”

Giles now gives talks at conferences around the country about what it’s like to survive a ransomware attack so that others can learn from the experience and know what to expect. The fact is, many organizations—and, specifically, health information management (HIM) professionals—don’t know how to prepare for or react to a cyberattack.

Privacy and security officers, health IT workers, and HIM professionals must be on the frontlines of healthcare organizations trying to thwart and mitigate cyberattacks that are increasingly coming from every direction. They can come from nation state actors—North Korea is believed to be behind the WannaCry ransomware attack; Russia is the suspected source of the mock ransomware virus NotPetya (in fact, insurance companies that sell cyber insurance policies have at times refused to pay out because cyberattacks are considered “an act of war”).

And in other less-publicized incidents, which can be equally as damaging, cyberattacks can come from within an organization through current or former employees, or hospital visitors looking to disrupt Wi-Fi networks. In most industries targeted by cyberattackers, the biggest risk is financial. In healthcare, cyberattacks can take down EHRs, cardiac cath labs, CT scanners, lab systems, heart monitors, ventilators, and even hospital beds. Experts predict that cyberattacks against healthcare organizations are only going to increase as hackers exploit this vulnerability and increase their profits by selling stolen data.

According to a survey from the Department of Health and Human Services (HHS) and the Healthcare and Public Health Sector Coordinating Councils, which got its numbers from IBM and the Ponemon Institute, the cost of a data breach for healthcare organizations rose from $380 per breached record in 2017 to $408 per record in 2018. Across all industries, healthcare has the highest cost for data breaches;1 while cost per record is $408 in healthcare, it is only $166 per education industry record.

While incident response plans at many healthcare organizations are led by IT and information systems staff, HIM can play a huge role in protecting patient information during and after an attack. Contingency plans for unexpected EHR system downtime can help mitigate the impact of a cybersecurity attack from an HIM standpoint—but as many healthcare facilities have found, even the best-made preparation plans can’t account for every scenario. There are, however, best practices for preparing for, responding to, and recovering from attacks that can help set you up for success in the event of a cyberattack.

Cybersecurity Definitions

• Breach: A breach is, generally, an impermissible use or disclosure under the HIPAA Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual.

• Cybersecurity: Broad term referring to the practice of keeping computers and electronic information safe and secure.

• Malware: Malicious software that is designed to damage or do other unwanted actions to another unsuspecting computer.

• Phishing: A type of cyberattack used to trick individuals into divulging sensitive information via electronic communication by impersonating a trustworthy source. For example, an individual may receive an email or text message informing the individual that their password may have been hacked. The phishing email or text then instructs the individual to click on a link to reset their password.

• Ransomware: A type of malware distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.

Sources: Department of Health and Human Services Office for Civil Rights: www.hhs.gov/sites/default/files/cybersecurity-newsletter-february-2018.pdf; Office of the National Coordinator for Health IT: www.healthit.gov/sites/default/files/cybersecure/downloads/Cybersecurity_Glossary.pdf

Prepare for the Worst, Expect the Best

Now that ransomware and other cyberattacks—including malware and viruses—are in the news constantly, provider organizations and their vendors would be foolish to continue ignoring the problem. Ty Greenhalgh, HCISPP, managing principal and founder of Cyber Tygr, says it’s much harder to adequately respond to a cyberattack without having prepared for one. A good place to start, he says, is the HHS and Healthcare and Public Health Sector Coordinating Councils’ document “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,”2 which HIM professionals can use to help formulate an incident response plan. He thinks most providers are wholly unprepared for what they could be facing.

“They think they’re prepared and they have some paper prescription pads, different things they might need in a paper environment. But they underestimate the length of time they will be down and so really it falls back to an incident response plan. A good incident response plan is going to prepare you and detail what you and what each department in the organization should do,” Greenhalgh says.

“What do [incident response] teams look like? Who’s got what, who’s talking to the media, what are we saying? Someone has to decide if prescriptions should be written out. Someone needs to know how to get Bitcoin—going out and getting Bitcoin after the breach is not a good strategy. So more detail you can get in that plan the better.”

TV vs. Reality: ‘Anatomy’ of a Ransomware Attack

EVERY BED IN the trauma center’s emergency department is filled with patients that are sick but stable. Suddenly, the heart monitors at the side of each bed start beeping, seeming to suggest that each patient is crashing. On a medical-surgical floor elsewhere in the hospital, an attending physician can’t get into her patient’s electronic health record (EHR), and another physician’s iPad chart is malfunctioning outside a critical patient’s room. Then a frozen computer issues a message asking for $20 million in Bitcoin in exchange for an encryption key.

This isn’t a summary of the latest high-profile healthcare ransomware attack, but a recent plot on the long-running medical drama Grey’s Anatomy. CynergisTek’s Executive Advisor Clyde Hewitt, MS, CISSP, CHS, actually uses parts of this cliffhanger episode when he does cybersecurity training because he says the show provides useful information for real-life healthcare providers within the somewhat fantastical plot.

“The possibility of everything happening was 100 percent, but the probability of all of it happening at the same hospital at the same time is almost impossible,” Hewitt says. “But everything that happened in that episode is a serious real probability of causing harm to that hospital.”

Hewitt credits the relative accuracy of the episode with the fact that a chief information officer from a hospital that had recently been attacked had a relative that worked at ABC (the network that broadcasts Grey’s Anatomy) and was able to provide real details to the writing staff.

The show did pack a lot of cyberattack symptoms into its two-part episode. For example:

• Hackers crept into the thermostat and ratcheted the hospital’s temperature up to 90 degrees

• The keypad allowing doctors into the hospital’s blood bank was locked

• All of the equipment in the laboratory went down

• A surgeon was forced to do an open procedure instead of a laparoscopic one because the camera on the device stopped working

The episode did a believable job conveying the terror healthcare practitioners experience when a cyberthreat strikes a healthcare organization’s infrastructure. For example, the doctors in the episode considered paying the $20 million ransom—a tactic that the FBI and cybersecurity experts always advise against. In the real world, ransoms are usually more affordable since it makes victims more likely to be able to pay. When Hollywood Presbyterian Medical Center was hit with ransomware, hackers demanded $17,000. Hackers are taking advantage of the very real fear of harm—and the sense that anything can happen.

Joe Petro, executive vice president and chief technology officer at Nuance Communications, said that in the wake of his company’s ransomware attack, his thinking about these ongoing threats has evolved.

“In these situations, you have to take the fractional probability [of an event like this], multiply it by gigantic risk, and that’s what should drive your behavior on a day to day basis,” Petro says. “If someone had described [our attack] to us the day before it happened, we would’ve said, ‘That’s insane, it’ll never happen as long as we’re alive,’ and it did. And that’s the crazy part.”

But the Grey’s Anatomy story line wasn’t completely accurate. One of Hewitt’s qualms with the episode was the speed with which the FBI stormed the hospital with laptops and gear. While he has FBI agents on speed dial, Hewitt says they never arrive as quickly as on the show. Hewitt also took issue with how easily the characters in the show ended the attack. As skeptical viewers might expect, it’s unlikely that a surgical resident would be able to decrypt the encryption key before the FBI could.

Ed Brown, director of IT systems at CaroMont Health in Gastonia, North Carolina, had one of the best probable outcomes when his hospital was struck with a WannaCry attack in July 2018, which he describes as a “minimal breach.” The WannaCry virus infiltrated CaroMont’s system through a laptop that didn’t belong to the hospital, and it was minimal in scale because it only affected the organization’s mobile thin devices. A mobile thin device looks like a laptop but doesn’t have a full hard drive, so in essence it’s an “over-glorified monitor,” Brown says.

“Once we cornered it [the WannaCry malware] we were able to restore the network back to almost normal operating. So for example, some of our nursing units were able to continue to chart, some of our other units had no issues. We had a phone system that operates across the internet, across our data network that was not impacted. From the time we got a call from our security monitoring service to the time we verified that the last mobile thin device was back to normal and WannaCry was eradicated from our system, we were back up in 56 hours,” Brown says.

Brown’s department benefited from a lot of work in advance of the attack. He had been working with cybersecurity experts on contingency plans for two to three years and contracted with a security monitoring vendor that kept an eye out for unusual activity on hospital servers and networks. Additionally, every server and work station were up to date with security patches.

Nuance Communications, a vendor that provides speech recognition, transcription, and other digital services—along with global shipping giant FedEx, Maersk, GE, Verizon, and many other major companies—were not as lucky when they were sidelined by the NotPetya malware on June 27, 2017. The goal of NotPetya was not to steal data but to cause disruption. Joe Petro, executive vice president and chief technology officer at Nuance, said that on the first day NotPetya hit he started to receive alarming text messages from colleagues at 7:15 a.m.

Michael Clark, senior vice president, general manager, provider solutions at Nuance, says, “At the beginning, law enforcement didn’t know if the attack was malware, ransomware, or another type of virus. They also didn’t know if there would be ‘another wave’ or another phase of the attack.” Because of the uncertainty, a major decision was made to cut transcription connections to outside entities.

As a result of the protective measures, HIM departments had to enable dictation and get all the data plugged into their own EHRs. This struck at the heart of HIM in many healthcare facilities that used Nuance for services. Fortunately, no personal health information was compromised—but that hardly stopped it from being disruptive.

“One way to think about it is HIM professionals are responsible for documentation and systems. We in essence provide a transcription dial tone, and when that dial tone went down, it put the HIM departments under pressure,” Petro says. “Clinicians in clinical areas and executives in institutions turned to HIM and asked, ‘How are you going to fix this?’”

Petro says that in our personal and professional lives, we assume that when systems go down, they’ll come right back up, since 99 percent of the time they do. However, the reality of cybercrime is that it can deliver weeks of disruption.

“One thing we all need to contemplate in HIM, as well as software vendors, is preparing for something that’s worse than we could have imagined ahead of time. Even if something has a low probability of happening, really think through the details and prepare for that,” Petro says.

Journal of AHIMA Continuing Education Quiz
Quiz ID: Q1919004 | EXPIRATION DATE: APRIL 1, 2020
HIM Domain Area: Privacy and Security
Article—“Hacked! What to Do Following a Cyberattack”

Review Quiz Questions and Take the Quiz Based on this Article Online at https://my.ahima.org/store

Note: AHIMA CE quizzes have moved to an online-only format.

Formulating an Action Plan

It’s important that healthcare providers and HIM professionals be prepared, but also understand that absolutely no one is immune from cybercrime, and even the most prepared vendors and business associates can get hit. In many ways, it’s not all that different from having a downtime plan in response to natural disasters like hurricanes and tornadoes. Clark says Nuance’s clients were very helpful and understanding. But every client they talked to wanted to know how to better put up their defenses. The vendor-provider relationship became much more collaborative after the breach, he says.

And once HIM gets a true sense of the realities and the risk involved with modern-day cybercrimes, they may need to work with IT and information systems teams to convince organizational leadership that protecting against cyberthreats should get priority status. In addition to having downtime plans, there should also be comprehensive cyber hygiene training for the entire workforce. One strategy that experts recommend is simulating phishing attempts to test how many employees still don’t know the warning signs of suspicious emails.

“You stress test the system and then you can bring that back as evidence that you have to train, etc. Making it real is a bit of an art form. Back it up with science and evidence. We reoriented but in this day-and-age of sophisticated cybercrime it’s not so easy out there if you haven’t been through it,” Petro warns.

In a perfect world, providers and vendors should already be working with security firms before a breach event, like Brown was doing at CaroMont.

“Ideally, people should call us way before a breach,” Greenhalgh says. “Most of the clients we work with… everybody has different needs, different resources, but [typically we] go in and help with infrastructure, awareness training programs, and doing monitoring for them.”

Another thing HIM and privacy officers should keep in mind is that breach events need to be reported to HHS’s Office for Civil Rights within 60 days of an attack, and Greenhalgh notes that’s not a lot of time in the grand scheme of things.

“A lot of our clients put in place a retainer for a forensics team and a breach team [prior to an attack]. Then reconnaissance work can be done, and they understand the environment—there’s boots on the ground immediately. Basically the faster you can respond, the less impact a breach is going to have,” Greenhalgh says.

HIM will also play a big role in converting any downtime documentation from a paper state to a digital state when EHRs are reactivated after a breach. CynergisTek’s Hewitt recalls one breach where a system’s EHR was down for two weeks. When it went back up, HIM staff were greeted with enormous stacks of paper records that needed to be entered into the EHR. During that two-week downtime period at a 600-bed hospital, no claims were sent to payers, and within two weeks they lost $60 million in cash flow. In approximately three months they recovered about half of that.

“So one of the things HIM needs to look at is they have to make payroll and they have to pay bills, and all of a sudden they don’t have cash to do it. Second, any projects they thought were priority—for the next six months or year, they can just put those on the shelf. All resources should be going into fixing the problems that allow the ransomware to take place the first time. They have to fix security holes, and every spare dime should be spent on fixing security and privacy, or patient notification, or outside attorneys or OCR fees,” Hewitt says.

One unexpected aspect of Hollywood Presbyterian’s attack was that once they paid the ransom, the hackers sent them well over 900 different decryption codes that had to be meticulously matched to each and every impacted computer terminal in the medical center.

“So we had to apply decryption codes very, very carefully and very specifically to the right server, because if we didn’t the warning said using the wrong encryption key could strip the server of all data. So we were very, very careful in terms of all of our servers,” Giles says.

Giles says he learned that there’s no absolute, secure capability an organization can have that will keep you safe. “I think you really have to understand that your whole goal in keeping safe is minimizing the potential of it happening again. But you can’t eliminate every possibility.”

Notes

1. US Department of Health and Human Services and Healthcare and Public Health Sector Coordinating Councils. “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” www.phe.gov/Preparedness/planning/405d/Documents/HICP-Main-508.pdf.

2. Ibid.

Mary Butler ([email protected]) is associate editor at the Journal of AHIMA.


The State of CDI

ANALYSIS OF AHIMA’S NEW CLINICAL DOCUMENTATION IMPROVEMENT INDUSTRY SURVEY

By Tammy Combs, RN, MSN, CCS, CDIP, CCDS


THE AHIMA CLINICAL Documentation Improvement Practice Council (CDIPC) is a group of clinical documentation improvement (CDI) experts that meet once a month to discuss the hot topics that are impacting the CDI industry. From that discussion, action plans are made to develop and update CDI products to support the needs of the CDI industry. One need identified by this group is information on the various program structures that are being utilized by the CDI industry. To obtain this data, the 2018 AHIMA CDI Industry Survey was created by the CDIPC, who developed and analyzed the survey questions in the hope of identifying typical CDI practices in the industry.

This article will discuss some of the key takeaways from the survey. Full survey results can be found online in AHIMA’s HIM Body of Knowledge. This article will focus on results that detail the types of organizations where the respondents work, the departments under which CDI teams are managed, professional backgrounds for CDI professionals, CDI credentials that are seen in the CDI industry, location and type of CDI reviews, and the training methods of CDI professionals.

The survey featured 40 questions that brought a wealth of information forward regarding the structure of CDI programs. There were a total of 157 respondents, with 39.72 percent identifying as working in a leadership role and 57.45 percent identifying as working in non-leadership roles.

Type of Organization

The survey began by asking participants to state the type of organization they work for, which found 78.98 percent of the respondents were hospital-based (see Table 1). This is an important element of information for healthcare leaders who are thinking about starting a CDI program and are trying to decide on the healthcare setting in which to initiate the program. Most CDI programs begin in a hospital setting, but programs are not limited to this setting. The survey also featured responses from staff in other healthcare settings that fell into the inclusion criteria for this survey (21.02 percent), showing CDI programs are branching beyond the traditional hospital arena. These non-hospital locations included critical access hospitals, post-acute long-term care, rehab, and physician clinics. There was an “other” option for this question, and these organizations were identified via comments as vendor services, insurance plans, staffing agencies, educators, software developers, behavioral health, and auditors.

For further clarity on the non-acute participants, the survey asked those respondents who reported working in a physician clinic about the size of the clinic by physician number. All respondents worked for clinics with more than nine physicians. This reflects that CDI programs are gaining the interest of larger clinics.

Of all the participants who responded to the survey, 90 percent work for organizations that have a CDI program. It is important to note that some of the participants work in a non-traditional CDI organization identified as “other,” who would likely work with CDI programs but would not necessarily have a CDI program within their organization (such as a vendor).

Table 1: CDI Programs by Organization Type

Q: Does your organization have a CDI program?

Responses          Response #    %
Yes                141           89.81%
No                 16            10.19%
Total Responses    157

Q: What type of organization do you work for?

78.98%    Hospital
1.27%     Critical Access Hospital
0.00%     Ambulatory Surgical Center
0.00%     Home Health Center
0.00%     Skilled Nursing Facility
1.27%     Post-Acute Long-Term Care Hospital
0.00%     Psychiatric Facility
0.64%     Rehab Facility
2.55%     Physician Clinic
15.29%    Other (Please specify)

Table 2: What department does the CDI program report to?

51.06%    HIM
17.73%    Finance
1.42%     Compliance
1.42%     Nursing
7.80%     Quality
7.09%     Case Management
13.48%    Other (Please Specify)


Reporting Structure of CDI Programs

The majority of the respondents indicated their CDI programs reported to the health information management (HIM) department (see Table 2). HIM departments are responsible for managing the information within a healthcare organization, and since CDI is responsible for the accuracy of the clinical information, it makes sense that this would be the department seen most often in the reporting structure of a CDI program.

Other departments that were identified included case management, finance, nursing, quality, and compliance. There was also an “other” section, which respondents identified in the comments as CDI reporting to coding, data quality, education, and corporate administration departments.

Most of the respondents have more than 10 CDI professionals on their CDI teams. They indicated that 71.63 percent of them have a physician advisor for their program. Most of the respondents begin their health record reviews within 24 to 48 hours of an inpatient hospital admission or after an encounter for outpatient reviews. Of those reviewing inpatient records, 82.27 percent follow concurrent queries after discharge.

Another question that is brought up frequently in the CDI industry pertains to the professional backgrounds of CDI professionals. Concerns have been brought to the CDIPC that some CDI programs only hire nurses and physicians to fill the roles of CDI professionals. It has also been voiced on the CDIPC that some programs take a hybrid approach by hiring CDI professionals that come from both clinical and HIM backgrounds. By following this structure, CDI programs have staff who can bring in both perspectives to the program. CDI is seen as the bridge between physician and coding languages. For this reason, it is seen as beneficial to have staff who understand physician language, such as nurses, and staff that understand coding language, such as HIM/coding professionals.

This idea brought up the next survey question, which was asked to determine how many CDI programs hire HIM/certified coding professionals. The majority of the respondents, 58.87 percent, do hire these professionals, which supports the desire to include HIM/coding professionals in CDI positions (see Table 3).

Comments were provided regarding the reason why some programs do not hire HIM/coding professionals. The reasons were mostly related to the desire to have staff with clinical knowledge. This is an interesting reason, since coding knowledge is equally important in the identification of high-quality clinical documentation. It is also important to note that HIM professionals are required to take clinically-focused classes like anatomy in their prospective educational programs. Nurses and physicians have experience in applying clinical knowledge in direct patient care and HIM/coding professionals have experience in applying clinical knowledge in the accurate representation of diagnosis and procedural codes. Both of these areas of clinical knowledge are crucial in the accurate representation of patients through clinical documentation.

Preferred CDI Credentials and Education Level

There are several credentials seen in the world of CDI. To determine the most frequently seen CDI credentials, a survey question was asked regarding the credentials the respondents hold. The most frequently required credentials are RN and CCS, according to the survey. The highest preferred credentials are the CDIP and the CCDS. The required and preferred educational levels were also assessed. The majority of the respondents indicated that an associate degree is the most required level and the bachelor’s degree is the most preferred level of education.

Location and Type of CDI Reviews

The next topic for discussion is the location and type of CDI reviews. The CDIPC has been discussing the possibility of remote CDI positions. There has also been some concern discussed regarding maintaining physician engagement in remote CDI programs, so this question was asked to determine how many CDI programs are taking the step toward remote positions. The hybrid approach, which has a mixture of onsite and remote days, captured the highest number of responses (see Table 4). Programs that are strictly onsite came in second. There were some programs that report a completely remote CDI program.

Table 3: Does your facility hire HIM/certified coding professionals for CDI positions?

Responses | Response # | %
Yes | 83 | 58.87%
No | 58 | 41.13%
Total Responses | 141

Table 4: Which of the following best describes the location of the CDI team’s health record review?

Hybrid (mixture of onsite and remote): 41.84%
Onsite: 41.13%
Remote: 17.02%

For the programs that reported a hybrid approach, the majority of them allowed CDI professionals to work remotely two days per week.

The type of health records being reviewed by CDI programs was also questioned in the survey. Inpatient records accounted for the majority of the health records reviewed (see Table 5). The second-highest review was a combination of inpatient, outpatient, and professional records. This supports the industry’s beginning shift toward CDI reviews of outpatient health records.

CDI Training Methods

Organizations sometimes struggle to identify the best training methods for their CDI professionals. In this survey, the majority of respondents reported providing onsite training for their CDI staff (see Table 6). From the comments regarding training, greater detail in this training can be recognized. Many respondents report having a classroom type training, either by vendor or onsite personnel upon hire—then the CDI professional is transitioned to peer-to-peer training with current CDI staff or a CDI educator. These professionals continue working with this peer until they obtain a pre-determined percentage of accuracy on review and query quality audits. The survey comments also reflect that programs provide ongoing training for their CDI staff through educational sessions. Training time ranged from six weeks to three months. The following training topics were identified in the comments:

• Chart review
• Coding guidelines
• Medicare Severity-Diagnosis Related Groups (MS-DRGs)
• Major Diagnostic Categories (MDCs)
• All Patient Refined Diagnosis Related Groups (APR-DRGs)
• Hierarchical Condition Categories (HCCs)
• Documentation standards
• Query process
• Compliance and ethics
• Knowledge of federal, state, and private payer regulations
• Organizational policies and procedures
• Quality improvement theory and reporting structures

More Results Available Online

This article has discussed some of the key takeaways from the CDI Industry Survey. To find greater details on the program structures of CDI programs, visit the AHIMA Body of Knowledge to access the full survey.

Tammy Combs is director of HIM practice excellence, CDI/nurse planner, at AHIMA, an AHIMA-Approved ICD-10-CM/PCS Trainer, and an AHIMA-Approved CDI Trainer.

Table 5: Which type of health records does your CDI team review?

Inpatient: 80.85%
Outpatient: 4.26%
Professional: 0.00%
Combination of the above: 14.89%

Table 6: How are your new CDI professionals trained?

Onsite training, additional: 73.76%
Other categories shown: Vendor training, additional; Other (Please Specify) (chart values 15.60% and 10.64%)

Journal of AHIMA Continuing Education Quiz
Quiz ID: Q1929004 | EXPIRATION DATE: APRIL 1, 2020
HIM Domain Area: Clinical Data Management
Article—“The State of CDI”

Review Quiz Questions and Take the Quiz Based on this Article Online at https://my.ahima.org/store

Note: AHIMA CE quizzes have moved to an online-only format.

What to Do and Not Do When Changing HIM Vendors

By Angela Rose, MHA, RHIA, CHPS, FAHIMA


THE OUTSOURCING OF health information management (HIM) functions is not a new concept in the healthcare industry. Coding, clinical documentation improvement (CDI), transcription, electronic health record (EHR) systems, and release of information (ROI) are a few of the functions for which HIM leaders seek support from service vendors in today’s evolving healthcare environment. Many factors—including laws, regulatory requirements, best practices, resources, and finances—contribute to the overall success of an implementation project or change in service vendor. To promote consistency and trust within a strong partnership, communication and transparency are critical throughout the process.

Choosing the right vendor can be a challenging and daunting task, especially if your current service has been in place for a long time. Whether the service being considered for outsourcing options is in-house or with another vendor, the key to a successful transition is in the planning. Defined tasks and milestones are required to ensure a normal state of operations is achieved as efficiently and effectively as possible, keeping the end goal in mind—optimal outcomes for the organization, the vendor, and most importantly, the customer.

This virtual roundtable takes a close look at the real-life experiences of three HIM experts during their service vendor transitions. Topics include the challenges, lessons learned, and practical strategies that help ensure quality service and a lasting collaborative partnership. Facilitated by Angela Rose, MHA, RHIA, CHPS, FAHIMA, vice president of implementation services at MRO, the discussion focuses on each expert’s type of vendor transition: transcription, EHR, and ROI.

Handling a Transcription Transition

Rose: Describe the challenges you experienced that prompted your organization to seek a better solution.

Cindy M. Phelps, RHIA, senior director, TSG business relationship management, Carilion Clinic, a not-for-profit healthcare organization based in Roanoke, VA: The previous vendor that managed transcription services was experiencing significant reorganizational changes that negatively impacted our daily operations. Service and quality metrics were not being met consistently. We were also looking to consolidate vendor products and work with one vendor that could accommodate all of our dictation/transcription needs, both medical and imaging. In addition, the ability to meet operational staffing requirements for 24/7 transcription coverage was an increasing challenge.

Rose: Briefly state the most important lessons learned and suggest practical strategies to achieve a successful transition.

Phelps: In addition to changing vendors and platforms with dictation/transcription, we were also moving to managed services. Our focus was on the staff to be sure their needs were met through this transition. We knew the dictation/transcription platform would meet our organizational needs both present and in the future. For a successful transition, we recognized the need for a collaborative partnership with the vendor, IT, HIM, operations, medical staff, and human resources. Ongoing open communication was a critical concern. As a result, five strategies emerged:

• Conduct benchmark, research, and reference checks. All three are necessary when transitioning to a new vendor, along with understanding industry trends.

• Establish key performance indicators. This is essential to accurately track progress and measure success.

• Engage multidisciplinary teams. Include the vendor and your organization’s operations, IT, physicians, and human resources to define and develop a step-by-step transitional process.

• Conduct a pilot test. Engage physicians to fully test the system, identify potential issues, and see the final product. This was a successful and vital part of the process of transitioning both vendors and platforms.

• Communicate and collaborate. Provide ways to communicate with all stakeholders and staff every step of the way. Conduct ongoing focus meetings to prepare, transition, and handle post-implementation. And communicate with the outgoing vendor to maintain that relationship throughout the transition.


Rose: In your experience, what are the components of a strong, collaborative partnership that promotes ongoing optimal outcomes?

Phelps: Key performance indicators tell the story of success. These are essential, along with documenting client feedback. In addition, we recommend the following components:

• Monthly review meetings to discuss successes, concerns, and issues with the vendor.

• Engagement and availability of the vendor in the daily operational business.

• Vendor sharing latest trends with development and with their other clients.

• Annual onsite business review to highlight current state and share future state with key stakeholders.

Handling an EHR Transition

Rose: Describe the challenges you experienced that prompted your organization to seek a better solution.

Sherine Koshy, MHA, RHIA, CCS, corporate director HIM, Penn Medicine, a leading academic medical center based in Philadelphia, PA: Penn Medicine had implemented an EHR on the ambulatory side early on in the late 90s. In March 2017, the enterprise-wide implementation was completed as a necessary step to have all users on one platform. Up until that point we were living in two different worlds—one EHR system for ambulatory and another for inpatient. Because the systems did not talk to each other, each functioned in its own silo. Transitioning to one system enables patient care providers to view the patient’s entire medical history in one system, which supports the coordination of patient care across the health system.

Rose: Briefly state the most important lessons learned and suggest practical strategies to achieve a successful transition.

Koshy: Setting priorities requires a governance structure involving all key stakeholders—IT, clinical, financial, and operations. We needed a structure that included both a clinical and revenue tower, and a lead under each specific operational area. We realized the importance of bringing the organization together to achieve our mission. To that end, our team recommends four strategies:

• Create a project charter. Define the project scope, goals, and objectives. Set expectations and accountability. Develop a timeline with milestones and phases.

• Build a collaborative team. Include experts from each operational area. Engage key stakeholders and hold them accountable. Promote ongoing communication and updates, require attendance in person, and have an escalation process to reach agreement when necessary.

• Provide training and education. Training is essential to a successful transition. Secure go-live support. Engage vendors whose teams are experienced with the implementation of your specific EHR brand. Our key message was: “No training—no access!”

• Track key performance indicators (KPIs). Establish and track KPIs pre- and post-go-live.

Rose: In your experience, what are the components of a strong, collaborative partnership that promotes ongoing optimal outcomes?

Koshy: It is important to work with a vendor that serves as an extension of your department and understands how your department operates. And, it is important to invest in the training and resources necessary to meet the needs of your organization. Once you’re live, what’s next? Optimize. Always challenge, stay on top of the changes, and communicate opportunities for improvement. Having one unified system has helped us expand our department as we’ve grown and acquired additional hospitals. We are able to assist with resources and be more nimble.

Handling a Release of Information Transition

Rose: Describe the challenges you experienced that prompted your organization to seek a better solution.

Kathleen J. Edlund, M.M., RHIA, director of HIM, Trinity Health, a national not-for-profit Catholic health system based in Livonia, MI: ROI is one of the most challenging HIM functions. In a constantly changing regulatory environment, timely, accurate, and compliant release of medical records is crucial for us and for our patients. A strong partnership and transparency with an ROI service vendor became even more important to ensure the application of best practices aligned with our vision, values, and organizational goals. Our biggest challenge was that the lack of client support consistently failed to meet the standards of the organization.

Rose: Briefly state the most important lessons learned and offer practical strategies to achieve a successful transition.

Edlund: To ensure all aspects of ROI are included in the pre-implementation planning assessment, it is critical to know the details of current processes, policies, and procedures. In addition, any recommended changes to the current workflow must be fully understood to enhance the training, education, and overall success of the implementation. Six strategies emerged from our process:

• Complete pre-implementation assessment documentation. Do this well in advance of the due date to allow for questions, comments, and potential revisions to the plan.

• Create a visual diagram model of the process flow. Indicate all workflow tasks, designated staff, and appropriate handoffs. This is a useful tool for system training and to identify any gaps or barriers to providing the ROI services.

• Schedule and conduct vendor-specific training. Design training according to roles and areas of responsibility.

• Ensure understanding of ancillary departmental (EHR) software systems. Know how to access the patient record data for future ROI requests. All medical record data for a particular patient must be available to comply with certain ROI requests.

• Establish and track metrics. Know the service-level agreements or metrics for pre-implementation. For post-implementation, stay informed regarding metrics including status of requests, turnaround time, ROI volumes, and financial impact. Keep a pulse on the level of customer service to both the requester and client.

• Preserve a working relationship with the outgoing vendor. Communicate to ensure the expected level of service continues through the transition period.

Rose: In your experience, what are the components of a strong, collaborative partnership that promotes ongoing optimal outcomes?

Edlund: As in all of life, open communication is essential to partnership and achieving optimal outcomes. Routine meetings, whether virtual or in person, enhance collaboration, prompt accountability, and maintain agreed-upon touch points. Second, the ability to establish positive relationships enables those involved to respectfully and honestly agree to changes, or to challenge any procedural details. This kind of collaborative partnership typically leads to overall process improvement.

Angela Rose is vice president of implementation services at MRO.

Working Smart: a professional practice forum

How to Ensure Proper PHI Disclosure Management in the Business Office

By Kim Charland, RHIT, CCS; Cindy Zak, MS, RHIA, PMP, FAHIMA; and Kyle McElroy, MS-HSA, RHIA

HEALTH INFORMATION MANAGEMENT (HIM) professionals face mounting challenges in response to the rising volume of release of information (ROI) requests made to business offices to support payment of claims. Business office personnel release millions of patient records annually to commercial health plans and government payers to expedite payment, validate appropriate level of care, authorize services, appeal denials, or fulfill auditor requests. The process of pulling and attaching records in the business office can require up to 40 to 45 percent of personnel time, taking them away from their core responsibilities. In addition to workflow inefficiencies and distracting business office staff from tasks directly related to revenue, navigating privacy and security in this environment raises HIPAA concerns and presents obstacles to compliance.

Business office personnel are primarily billers and collectors who lack the training and expertise to manage proper disclosure of protected health information (PHI). As a result, HIPAA compliance must be top priority to identify and address privacy and security risks.

The list of challenges across the industry is extensive, including the following:

• Business office staff distracted from core objectives
• High-priority requests requiring timely fulfillment
• Increased backlogs and requests to resubmit records multiple times
• Privacy risks and concerns
• Disparate processes among business office, HIM, and payers
• Incomplete and inconsistent business office request trackability
• Inefficient processing of business office medical record requests
• Convoluted issue resolution processes
• Lack of transparency
• Limited technology

This article explores PHI disclosure management technologies and workflows for improving collaboration between HIM and the business office when fulfilling documentation and claim attachment requests. Two HIM leaders share their experiences and offer strategies to optimize business office workflows to achieve efficiencies, cost savings, and compliance.

Gaining Transparency and Efficiency

Yale New Haven Health, a major provider based in Connecticut, initially focused on two common industry challenges—the need for transparency in HIM and an efficient HIM procedure for billing releases. Because the business office maintained ownership of payer requests, HIM lacked visibility into the processing of high volumes of patient information. Once records were pulled and copied by HIM, the information was sent back to the business office for shipping—a costly and inefficient process that also created additional labor requirements for both the business office and HIM. The goal of HIM and the business office was to create a standardized, efficient, and centralized release of information process for the health system.

To resolve those issues, Yale New Haven Health implemented a streamlined, stepwise approach using a combination of technology and centralized ROI workflows based on payer specifications:

1. Business office logs the request, or creates a proactive request, and then attaches billing documents if necessary and moves the request to HIM.

2. HIM reviews and verifies the request online—ensures the right documents, payer, and delivery method.

3. HIM selects the correct portions of medical records to be sent electronically via the payer’s preferred delivery method.

4. The medical records are sent securely via the payer’s preferred delivery method.

With medical record requests on the rise for business offices, centralizing those requests and transferring work to HIM can help ensure the information is processed and delivered efficiently. This approach allows the business office to focus on billing and cash collection, and HIM to handle release of information to payers in a centralized and standardized manner that is consistent with their current ROI process. Centralization also allows for full transparency for the business office, payer, and HIM.

Aligning ROI Functions

Steward Health Care, a large-scale private, for-profit physician-led healthcare network, faced similar challenges due to a significant increase in ROI requests made to the business office for health records to support claims payment. HIM’s lack of visibility into records being released was a critical issue that affected efficiency, privacy, and security. Additional issues included the following:

• Increased payer denials routed directly to the business office for copies of health records

• Decreased business staff productivity—approximately 30 percent—due to the high volume of requests

• Inconsistent ROI processes—delivery method and printed documentation

• Increased denials due to missing elements such as admission order, history and physical, operative report, or pre-admission medical necessity information

• Need to improve technology around record delivery

Resolving those issues required the right combination of technology, centralized resources, and redesign of workflows to improve efficiency and promote privacy and security. Steward chose a straightforward approach to align all ROI functions through a single platform, and elected to add one payer at a time versus by hospital.

The main goal was to move business office record claim attachment functions from billers and collectors to an HIM-managed process, while ensuring a more transparent delivery method. A secondary goal was to ensure the organization was not missing out on any billable record opportunities through the release of records for audit purposes. Overall, centralization of ROI has proven to be the best solution for ensuring payers receive the right records in a timely manner for processing claims more accurately and efficiently.

Positive Outcomes Promote Enterprise-wide Compliance

Through establishing proactive approaches to ensure proper health record attachment, Yale New Haven Health and Steward Health Care have achieved the following positive outcomes:

• Business office staff is focused on billing and collecting.
• HIM staff is focused on pulling the requested health records.
• Only the portion of the health record that is requested is being sent.
• Paper processes are shifting to electronic delivery.
• Workflows are based on payer specifications.
• Health record claims attachments are sent within 24 to 48 hours of receipt.
• Requests are now trackable to promote transparency.

Solutions for optimizing technologies and workflows to improve PHI disclosure efficiency, cost savings, and HIPAA privacy and security compliance include:

• Centralize all requests for records
• Transfer work to HIM
• Outsource ROI services
• Automate processes

For both organizations, the system business office and HIM personnel now collaborate more effectively, focusing on their core responsibilities to maximize productivity and efficiency. The new technology and workflows have decreased business office staff time processing health record requests and reduced paper processes, creating significant cost savings, and enhancing enterprise-wide compliance.

Kim Charland is the director of revenue cycle services for MRO. Cindy Zak is executive director, clinical revenue services, at Yale New Haven Health in New Haven, CT. Kyle McElroy is the executive director of HIM at Steward Health Care, West Division. The views and opinions expressed in this article are those of the authors and do not necessarily reflect or represent the views, opinions, or policies of MRO Corporation.


How to Create a Modern and Compliant Records Retention Schedule You Can Actually Execute

By Mark Diamond

HEALTH INFORMATION MANAGEMENT (HIM) professionals need to ask themselves if their records retention schedule is helping or hurting their records retention program.

Traditional records retention schedules largely assume that most information is paper-based, and depend to a large degree on employees manually classifying, tagging, or moving records into certain areas. These types of schedules worked okay for paper, but today more than 95 percent of the information a company receives is in electronic format. Even most paper documents are copies of electronic information. These paper-centric schedules work poorly with electronic information, and are the source of huge compliance gaps in records retention programs.

Organizations are increasingly updating their records retention policies and schedules to be modern, compliant, and easier-to-execute, reflecting both the pervasive presence of electronic media and how records programs need to work well with other compliance areas, including discovery, information security, and privacy.

Traditional Approaches to Retention Schedules

Traditionally, record retention schedules were designed for the retention and disposition of paper records. Much of record retention schedule implementation consisted of sorting the paper documents into offsite storage boxes or simply scanning them into systems. Yet during the past few decades information management has changed as organizations and employees have transitioned to electronic media including email, electronic health records (EHRs), and other types of electronic communications. Organizations are realizing that their traditional, paper-centric approaches do not work with electronic information.

This compliance risk comes in when there is a gap between what is called for in policies and what information is actually being retained and disposed. These traditional approaches fall short in many ways:

• They are outdated with an emphasis on paper records management, to the exclusion of the majority of records that are created or received in electronic media.

• They focus only on records with legal or regulatory requirements, with little to address records with business need or business value.

• Historically, the emphasis has been on creating longer and more complex schedules. Some schedules have thousands of lines for every single record in the organization. The misconception was that a longer schedule was more compliant. These detailed schedules are difficult and time consuming for employees to follow.

• Often, there is a heavy emphasis on creating a detailed policy itself with little consideration for how the policy will be executed.

A More Modern Approach

At the highest level, a good records retention schedule provides the foundation for an effective records management and information governance (IG) program. But what makes a records retention schedule good? The following are some common attributes:

• Addresses Modern Records and Their Requirements. A good schedule addresses all types of documents across all types of media, capturing not only traditional record types in typical areas such as finance and human resources, but also an organization’s atypical or even unique records across a variety of functions. In other words, modern schedules truly represent important information across all parts of a complex enterprise.

• Builds a Consensus. A schedule should not be a policy club to be wielded against the business units to demand they delete non-records. Rather, an effective schedule represents a consensus across multiple stakeholders and groups on what data and documents need to be retained both for legal and regulatory requirements, while also addressing business value. It helps sort out what must and should be saved from non-record and low-value information.

• Will Be Followed. Compliance is achieved in the view of courts and regulators in not only having a policy, but rather demonstrating that a policy is being followed. They are not interested in whether you “checked the box” and drafted some policy documentation. They want to see how you implemented those policies and requirements. Compliance means showing you actually did what you said you were going to do. Modern records retention schedules are designed to be followed.

A good schedule not only drives compliance but also saves time and effort on downstream discovery, privacy, disposition, and other compliance initiatives. More importantly, identifying high-value information makes the employees and the overall business more productive.

Attributes of a Modern Retention Schedule

Six attributes of a modern retention schedule include:

Retention Compliance

Do your retention policy and schedule follow all the rules? An immature retention policy and schedule fails to consider the rules, does not provide the legal basis for retention periods, and does not mandate disposition of expired information. As a schedule matures, it should address general legal and regulatory requirements as well as any industry-specific regulations. For global companies, the most mature schedules include country-specific retention requirements.

But it doesn’t stop there. A good policy should clearly define “What is a record?” and “What is not a record?” Without these definitions, employees are less likely to be compliant when trying to follow the policy and schedule. Likewise, giving employees permission to dispose of records is very important. Policies should be clear in stating that when records expire or are no longer needed, employees must dispose of them.

Comprehensiveness

Does your schedule represent all of the unique records in the organization? Companies often try to take shortcuts by copying from industry templates or sample schedules that purport to include all the records a company in that industry should have. These types of schedules really do organizations a disservice, because even though healthcare may be similar to other industries, individual healthcare organizations have unique qualities that others don’t share.

Media

Does your organization’s schedule look across all media formats where records may exist? The oldest and often the least mature schedules address only paper or a subset of the media present in the organization. By making a comprehensive list (i.e., an information-types inventory) of all the places things might live—paper, electronic in all of its different forms (i.e., CD/DVDs, USB drives, email, social media)—your organization will be well on its way to making sure the schedule is media-agnostic.

Clarity

HIM professionals should stop to consider whether their retention policies and schedules clearly define “What is a record?” and “What is not a record?” Likewise, do employees understand what records must be kept and what can be destroyed? Finally, HIM departments should determine if their schedules specify retention requirements, or if many categories are left as indefinite. The least mature policies do not define records or give incomplete definitions.

Consensus

Often, a records initiative is driven by one group in the company, such as legal or compliance, and little effort is made to engage the rest of the business. The result is rogue business units that either refuse to follow it or push back on its requirements. Such efforts are often seen as “legal poking its nose in our business” or “encroaching on our territory” and are therefore unwelcome.

Usability

The most practical schedules provide a “goldilocks” approach to retention schedules: just enough information, not too little, not too much. They use a format that is easy to read, and they organize the schedule in a way that all employees can follow. A usable schedule follows a “big bucket” approach with a small number of record categories, rather than a “small bucket” approach with hundreds or even thousands of record line items. Finally, make the schedule concise. Don’t list every single record or example for a particular record category.

By understanding and following these best practices for developing a modern and compliant retention schedule, HIM professionals will improve the overall quality of their organization’s schedule, making it much easier to execute and achieve higher compliance from employees. By engaging the business, one shifts the balance of work from a boring, “check the box” activity to a more positive, affirming activity that will demonstrate great benefits for the organization.

Mark Diamond is the president and CEO of Contoural.


Using Information Governance to Avoid Data Breaches and Provide Cybersecurity

By Gail Gottehrer, JD, and Ronald J. Hedges, JD

THE SEEMINGLY DAILY announcements of cyberattacks and data breaches underscore the need for effective information governance (IG), particularly in the healthcare industry.

Consider a situation in which a healthcare provider learns that a wearable device approved by the Food and Drug Administration (FDA) that transmits patient data directly to the provider needs a software update. That device, which collects data through sensors worn on the patient’s body, is used for treatment purposes. No other information is available from the manufacturer or the FDA. How the provider responds to the risks created by this situation is a valuable test of its IG program. Working through 10 key IG competencies can help the provider decide how to proceed. That process will also identify potential weaknesses in the IG program and areas for improvement.

IG Structure

An IG program could be expected to anticipate issues such as the one above, as well as have procedures and policies in place to address them. The policy could be that a designated employee sets their computer to constantly search the internet, including blogs and social media sites, for references to the technologies used by the provider, and has the computer automatically alert the employee when it finds something of note. That way, the provider becomes aware of possible problems with the technology as early as possible and can respond quickly, rather than first hearing about the problem from the manufacturer or the FDA. The policy could further provide that when the employee is alerted to a possible problem with a technology, they inform a committee of senior-level stakeholders. That committee should be set up in advance, with members who meet on a regular basis to discuss how to handle these situations.

Strategic Alignment

A well-aligned IG program should be prepared for the situation described above because it would enable the use of technology and data for patient care, as that is the goal of many IG programs. If the IG program has not been designed to identify and respond to scenarios like this, it exposes the provider to potential liability and financial and reputational damage.

Privacy and Security

The provider’s chief technology officer (CTO), chief information security officer (CISO), and chief privacy officer (CPO)—to the extent the provider has one or more of these C-suite positions—and their teams will play a critical role in ascertaining the scope of the risk and the questions that must be answered in order to recommend a course of action.

Those questions could include:

• Is the information being collected by the devices and transmitted to the provider accurate?
• Has the data been compromised or altered before or during the transmission process?
• Does the incoming data from the devices pose a threat to the provider’s computer systems?
• Is the provider’s computer network, and the data on it, infected with malware?
• Is information being shared improperly?
• Do medical experts need to be consulted to determine if there is an ongoing threat to patients and if the technology issue could be interfering with their treatment?
• Is there a chance that the problem that is causing the manufacturer to update its software could lead to a HIPAA violation, such that the legal department needs to be consulted?


Legal and Regulatory

Senior members of the provider’s legal and compliance departments should be members of the committee set up as part of the IG program to address high-risk situations like this one. They will assess the provider’s legal exposure, the legal and regulatory obligations it may have, and the available legal remedies. The questions they will focus on may include: Is there reason to believe that whatever led the manufacturer to need to update its software requires the provider to notify patients or regulators of a breach? Has something happened that requires, or makes it advisable for, the provider to discontinue its use of the technology? Do medical ethicists need to be consulted? Does the provider’s insurance carrier need to be notified of the situation? Does the manufacturer have a contractual obligation to provide additional information to the provider? Is the manufacturer in breach of that contract? What causes of action might the provider have against the manufacturer, and what damages might the provider be able to recover? Are there any steps that need to be taken at this time to ensure the viability of claims the provider may have against the manufacturer and to preserve electronically stored information (ESI) and other data sources that may be relevant to future litigation associated with this situation?

Data Governance

The team members responsible for data governance (which could be the CTO, CISO, CPO, or members of their staffs) will be in the best position to know where the data transmitted by this technology is stored by the provider, how it is used, and who has access to it. The IG program should define their role. This could include identifying everywhere the data resides, which may be on the provider’s computer network and in the cloud or other offsite storage. Data governance team members would also determine whether the data has been shared with other entities, and if it has, who it has been shared with in case those entities need to be notified. Additionally, these team members would know which medical personnel have accessed and used the data, as well as which patients are being treated using this data.

IT Governance

A central feature of a medical provider’s IG program is likely to be policies and procedures for selecting, evaluating, and using technology in an effort to reduce risk. As a result of these policies, the provider should have documentation detailing the reasons why the technology at issue was selected; what potential risks were identified during the vetting process; whether a problem like this one was considered and, if so, whether a backup plan was created; and whether there are other vendors who manufacture similar technology and could be alternative providers in the event the provider decides to stop using the technology and switch manufacturers.

Analytics Tools

As part of the IG program, analytics tools can be used to identify trends and anomalies in the data from technologies like the one at issue here. Through analytics, the provider can look at the data from this technology over a period of time and see if there have been problems in the past, if there are reasons to believe the data generated by the technology may not be reliable, and whether any patterns emerge. This can provide additional information to help the provider assess the level of risk posed by the technology and the manufacturer’s software update.

Enterprise Information Management

By putting procedures in place to track information as it travels across the healthcare ecosystem, the provider’s IG program will enable it to determine which doctors, nurses, pharmacists, lab technicians, members of the health information management department, and other personnel use this technology, or rely on the data generated by it, and may need to be made aware of the potential problem. It may reveal whether there have been complaints about the technology or the integrity of the data received from the devices, or if the data generated by the technology has been shared with other entities, used for research purposes, or used in publications.

IG Performance

The performance and impact of the provider’s IG program will be revealed as the provider works its way through the process of evaluating how to respond to the news of the manufacturer’s planned software update. If the IG program is effective, the provider should be able to access the information it needs to weigh its risks and options in a timely manner. If the process turns out to be slow and complicated, with employees being uncertain about their responsibilities and unable to locate the necessary information, that will indicate that the IG program is not performing as intended and needs to be overhauled.

Awareness and Adherence

The process of reviewing internal data to respond to this potential threat will also allow the provider to evaluate whether, and to what extent, employees are aware of its IG policies and procedures, and whether they are following them. This exercise will show whether IG policies were known to employees; whether they were followed; whether additional training is required on certain policies for certain employees; whether the data from the technology at issue was used appropriately; whether it was shared only as specified in the IG policies; whether the appropriate access restrictions were in place; whether data security and privacy were maintained; and whether the data was disposed of in accordance with the provider’s records retention schedule.

Healthcare providers must expect to be confronted with—and integrate—new technologies for the care and treatment of patients on a regular and accelerating basis. As this article demonstrates, an information governance framework provides a method to address new technologies and cybersecurity risks that these technologies may present.

Gail Gottehrer is the founder of the Law Office of Gail Gottehrer LLC. Ron Hedges is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant on topics related to electronic information. He is a senior counsel with Dentons US LLP.


Cybersecurity and Understanding Cyber Risk

By Diane Dolezel, EdD, RHIA, CHDA

HEALTHCARE ORGANIZATIONS ARE at risk for data breaches as the number of healthcare data breaches continues to rise annually despite efforts to slow the upward trend. Since 2009, over 2,000 data breaches have been reported to the Department of Health and Human Services (HHS).[1] Although only 18 data breaches were reported in the last three months of 2009, there were 271 breaches during the first nine months of 2018. To minimize cyber risk, organizations should scrutinize data breach reports and become informed about cyber risk threat vectors.

Data Breach Reporting

Healthcare data breaches are reported to the Department of Health and Human Services’ Office for Civil Rights (OCR). The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule states that, “A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Healthcare providers must notify HHS of breaches of unsecured personal health information affecting over 500 individuals, and they must notify affected individuals within 60 days of breach discovery. Under HIPAA, organizations must have user access controls to restrict employees’ access to the minimum necessary information needed, and they must use physical access controls such as laptop cable locks, security cameras, regulated data disposal, and badge or biometrics access. The Health Information Technology for Economic and Clinical Health Act (HITECH) extends the breach notification rules to vendors and third-party service providers. As an illustration, a violation of the minimum necessary rule could occur if a message was left on a family member’s home phone describing the patient’s medical condition and treatment plan, when the patient had indicated that her work phone should be used for communications.

Examine Lessons Learned

Lessons learned from data breaches will drive cyber risk management because they identify threat vectors. Breaches are expensive on many levels. Breached organizations face damage to their reputation, digital disruption, clinical errors, litigation, and fines. Stolen patient information may be sold on the dark web, or utilized for digital extortion or phishing attacks.

In 2018, Anthem paid $16 million to HHS, the highest fine at the time, for a breach where a malicious email (phishing) attack hit a company subsidiary and provided passwords for downloading the protected health information of 79 million people.[2] A federal investigation revealed Anthem did not implement access controls, perform enterprise-wide risk analysis, or conduct adequate IT systems reviews.

Regarding lag time, in 2018 a Blue Cross Blue Shield employee error exposed healthcare data for three months, from April 23 to July 20, before being noticed.[3] These cases underscore the need for access controls, employee training, network monitoring, and data governance. Remember, if you can’t measure your breach threat vectors and catalogue them in your risk management plan, then you can’t harden your data defense perimeter.

Identifying Threat Vectors

Identifying threat vectors benefits risk planning. The ubiquitous usage of mobile devices, such as laptops and smartphones, exposes data to attack from malicious actors. Mobile devices are easy targets for data breaches. They are commonly used outside the facility over Wi-Fi networks and their security is often dependent on the users. Additionally, these devices may be lost or stolen, become infected with viruses, or be hacked. For mobile device management, the use of encryption, password protection, firewalls, remote wiping, scheduled software updates, risk assessments, and bring your own device (BYOD) programs are essential. Need incentive? MD Anderson Cancer Center paid $4.3 million for failing to secure and encrypt patients’ data, and Fresenius Medical Care North America paid $3.5 million for failing to conduct a complete risk analysis of their electronic protected health information.[4]

Medical devices present an attractive entry point for cyberattackers. A medical device is defined as “an instrument, apparatus, implement, machine, intended for use in the diagnosis of disease or other conditions, or in the cure, mitigation, treatment, or prevention of disease, in man or other animals,” according to the US Food and Drug Administration (FDA) definition.

Medical device manufacturers must adhere to FDA quality system regulations (QSR) on cybersecurity before and after their devices are approved for consumer use. The FDA collaborates with the Department of Homeland Security, medical device manufacturers, health delivery organizations (HDOs), medical researchers, and end users to secure medical devices.

For example, HDOs would work with the vendors to select a medical device, then the manufacturer would validate that any customizations (or future modifications) were compliant with the QSRs. Unfortunately, this system is lacking in checks and balances because the manufacturers self-validate with little technical oversight from the FDA.

A related concern occurs during vendor selection, when facility teams are challenged to perform security testing. For instance, can they tell if the vendor has a back door into the device’s systems? To facilitate thorough security testing, many companies are contracting with security firms who perform cyberattack simulation testing.

Other Risk Vectors

Other risk vectors arise from databases, legacy systems, cloud storage, and business associates. Legacy systems are present at most companies, and many have software that cannot be updated. Moreover, their threat warning systems (if any) are not usually interoperable with the company’s security monitoring systems, so the legacy systems’ warnings are not passed to the security monitoring systems.

Regarding databases, an incorrectly configured Amazon data store caused Medcall Healthcare Advisors to breach personal data (emails, doctors’ notes, and Social Security numbers) of 10,000 consumers twice in one month during 2018.[5] As a suggestion, when reviewing potential threats from business associates or service providers, think outside the box. Recall that these top companies have experienced cloud data breaches: Microsoft, Dropbox, Yahoo, Apple iCloud, and LinkedIn. Does your company or do your business associates use these companies’ services? Do employees use them on company-owned mobile devices? If you don’t know the answers, you may already be part of the collateral damage of these (or similar) commercial breaches.

Now is the time to be proactive, harden your cyberthreat defenses, and strengthen your cyber risk management plan. Consider this: when was your company’s last cyberthreat drill? Clearly, hiring a security team should be a priority, and red team threat simulation drills are helpful.

Fortunately, there are many resources to guide these efforts. As a starting point, review the HIPAA crosswalk to the National Institute of Standards and Technology Cybersecurity Framework (National Institute of Standards and Technology 2014). Additionally, HHS has a cybersecurity checklist of steps to follow after a cyberattack, and the Agency for Healthcare Research and Quality offers an information and privacy program.

HHS: What to Do Following a Cyberattack

THE DEPARTMENT OF Health and Human Services’ (HHS) Office for Civil Rights (OCR) offers the following quick-response tips for HIPAA-covered entities to take in the event of a cyber-related incident.

In the event of a cyberattack or similar emergency, an entity:

• Must execute its response and mitigation procedures and contingency plans. For example, the entity should immediately fix any technical or other problems to stop the incident.

• Should report the crime to other law enforcement agencies, which may include state or local law enforcement, the Federal Bureau of Investigation, and/or the Secret Service. Any such reports should not include protected health information, unless otherwise permitted by the HIPAA Privacy Rule.

• Should report all cyber threat indicators to federal and information-sharing and analysis organizations (ISAOs), including the Department of Homeland Security, the HHS Assistant Secretary for Preparedness and Response, and private-sector cyber-threat ISAOs. Any such reports should not include protected health information.

• Must report the breach to OCR as soon as possible, but no later than 60 days after the discovery of a breach affecting 500 or more individuals, and notify affected individuals and the media unless a law enforcement official has requested a delay in the reporting.

Read the full recommendations at www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf.

Understanding Risk Lowers Vulnerability

The number of consumers affected by healthcare data breaches continues to rise annually despite efforts to slow the upward trend. Healthcare data breaches are costly on many levels. In the United States, the cost of cybercrime is estimated at $12.47 million a year, and this will increase. Organizations need to identify cyber risk threat vectors, implement cyberdefenses, and manage problems related to cyberattacks.

Understanding cyber risk can help lower your cyberattack vulnerability. Healthcare data analysts will play a vital role in cyber risk mitigation, privacy and security education, and cybersecurity implementation. They could perform risk assessments, educate employees, supervise data governance, and run red team drills. Security managers and a strong security team should be part of an integrated security solution. Consider consulting with HIPAA experts to get a better handle on the relevant legislation.

Notes

1. McLeod, Alexander and Diane Dolezel. “Cyber-Analytics: Modeling Factors Associated with Healthcare Data Breaches.” Decision Support Systems 108 (April 2018): 57-68.

2. United States Department of Health and Human Services. “Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History.” Press release. October 15, 2018. www.hhs.gov/about/news/2018/10/15/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach-history.html?language=en.

3. Davis, Jessica. “Employee error exposed data of 16,000 Blue Cross patients online for 3 months.” Healthcare IT News. September 21, 2018. www.healthcareitnews.com/news/employee-error-exposed-data-16000-blue-cross-patients-online-3-months.

4. United States Department of Health and Human Services. “Five breaches add up to millions in settlement costs for entity that failed to heed HIPAA’s risk analysis and risk management rules.” February 1, 2018. www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/fmcna/index.html.

5. Davis, Jessica. “Update: Misconfigured database breaches thousands of MedCall Advisors patient files.” Healthcare IT News. October 10, 2018. www.healthcareitnews.com/news/update-misconfigured-database-breaches-thousands-medcall-advisors-patient-files.

References

Agency for Healthcare Research and Quality. “AHRQ Information Security and Privacy Program.” 2018. www.ahrq.gov/policy/electronic/privacy/infosecurity.html.

Carey, Susan. “Quest for Managing Cyberthreats in Healthcare.” Journal of AHIMA 88, no. 5 (May 2017): 40-41,43. http://bok.ahima.org/doc?oid=302131.

Davis, Jessica. “1.4 million patient records breached in UnityPoint Health phishing attack.” Healthcare IT News. July 31, 2018. www.healthcareitnews.com/news/14-million-patient-records-breached-unitypoint-health-phishing-attack.

Davis, Jessica. “Phishing attack breaches 38,000 patient records at Legacy Health.” Healthcare IT News. August 22, 2018. www.healthcareitnews.com/news/phishing-attack-breaches-38000-patient-records-legacy-health.

Department of Health and Human Services. “Breach Notification Rule.” July 26, 2013. www.hhs.gov/hipaa/for-professionals/breach-notification/.

Department of Health and Human Services. “Breach Portal.” https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf.

Department of Health and Human Services. “Hospital Implements New Minimum Necessary Polices for Telephone Messages.” www.hhs.gov/hipaa/for-professionals/complianceenforcement/examples/all-cases/index.html#case26.

Department of Health and Human Services and the National Institute of Standards and Technology. “HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.” 2014. www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf.

Department of Health and Human Services Office for Civil Rights. “Considerations for Securing Electronic Media and Devices.” Cyber Security Newsletter. August 2018. www.hhs.gov/sites/default/files/cybersecurity-newsletter-august-2018-device-and-media-controls.pdf.

Department of Health and Human Services Office for Civil Rights. “My entity just experienced a cyber-attack! What do we do now?” 2018. www.hhs.gov/sites/default/files/cyber-attack-checklist-06-2017.pdf.

Office of the National Coordinator for Health IT. “Top 10 Tips for Cybersecurity in Health Care.” 2015. www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf.

Gibbs, David, Karima Lalani, and Alexander McLeod. “Beware the Internet’s Dark Side: What HIM Professionals and Patients Should Know About the Dark Web.” Journal of AHIMA 88, no. 8 (August 2017). http://bok.ahima.org/doc?oid=302209.

Lucci, Susan and Tom Walsh. “Cybersecurity 101.” Journal of AHIMA 86, no. 11 (November 2015): 42-44. http://bok.ahima.org/doc?oid=107795.

McLeod, Alexander and Diane Dolezel. “Cyber-Analytics: Modeling Factors Associated with Healthcare Data Breaches.” Decision Support Systems 108 (April 2018): 57-68.

Ponemon Institute. “2017 Cost of a Cyber Crime Study.” https://cdn2.hubspot.net/hubfs/85462/2018/2018_VUENUE/2018_BLACK%20HAT/Accenture-2017CostCybercrime-US-FINAL.pdf?t=1521831469946.

SANS Institute. “SEC564: Red Team Operations and Threat Emulation.” 2018. www.sans.org/about/.

Diane Dolezel is an assistant professor, HIM department, at Texas State University.


PRACTICE BRIEF

Practice guidelines for managing health information

THIS AMERICAN HEALTH Information Management Association – Association of Clinical Documentation Improvement Specialists (AHIMA-ACDIS) Practice Brief should serve as an essential resource for coding and clinical documentation improvement (CDI) professionals in all healthcare settings who participate in query processes and/or functions. It should also be shared and discussed with other healthcare professionals, such as quality, compliance, revenue cycle, patient financial services, physician groups, facility leaders, and any others who work with health record documentation, clinical coding, and/or coded data.

This Practice Brief’s purpose is to establish and support industry-wide best practices for the function of clinical documentation querying. Its intent is to integrate best practices into the healthcare industry’s business and workflow processes and the overall function of querying. This Practice Brief should be used to guide organizational policy and process development for a compliant query practice that implements the directives of the ICD-10-CM and ICD-10-PCS Official Guidelines for Coding and Reporting and official advice in the American Hospital Association’s (AHA’s) Coding Clinic® for ICD-10-CM/PCS promoting the legible, consistent, complete, precise, nonconflicting, and clinically valid documentation essential to the integrity of the ICD-10-CM/PCS code sets. It is also intended to provide a resource for external reviewers (i.e., the Office of Inspector General (OIG), government contractors, payer review agencies, etc.) in their evaluation of provider queries and the documentation they provide.

Some specific use examples include:

• Orient new employees and educate current staff
• Assist with query audits
• Review of query policies and procedures annually
• Utilize during coding and CDI education and training
• Standardize query practices across the organization
• Provide data analytics and information governance
• Compliance and legal assistance
• Share with external or third-party staff and/or consultants

The distribution of this Practice Brief should enhance the importance of adherence to its contents and guidance while improving results, outcomes, and compliance with ethical practice.

This is an abridged version of this Practice Brief. For the full version, including an expanded discussion of the tenets of a compliant query practice, a discussion of the particulars of verbal queries and written queries, a discussion of query policies and procedures, a discussion on query retention policy, and a full list of authors for previous versions of this Practice Brief, view the online version in AHIMA’s HIM Body of Knowledge at http://bok.ahima.org.

Who Should Follow This Brief?

With the evolution of reimbursement methodologies that move beyond resource use and instead focus on severity of illness, medical necessity, risk adjustment, and value-based measures, specific documentation related to diagnosis capture, acuity, and clinical validity have become even more important. The need for clear and accurate documentation and how it is translated into claims data impacts healthcare roles such as case management, quality management professionals, infection control clinicians, and others. In support of organizational objectives, these professionals actively engage in educating providers to document a certain way. These individuals may not understand that their interactions meet the definition of a query, but because their practices could alter coded data, they must ensure that their practices meet compliance standards.

Examples of noncompliant queries include: directing a provider to document a diagnosis that is not clinically supported but serves as an exclusion for a patient safety indicator, adding a non-reportable diagnosis, or encouraging a provider to neutralize documentation suggestive of a post-surgical complication. Although open communication between members of the healthcare team and providers is necessary and important, when it can impact claims data these discussions should be memorialized as queries. Organizations should educate all relevant professionals in compliant query practices through collaboration with health information management, coding, and CDI professionals before engaging in these interactions. Regardless of the credential, role, title, or use of technology, all healthcare professionals (whether or not they are AHIMA or ACDIS members) seeking to clarify provider documentation must follow compliant query guidelines.

Guidelines for Achieving a Compliant Query Practice (2019 Update)

Editor’s Note: This Practice Brief supersedes the January 2016 Practice Brief titled “Guidelines for Achieving a Compliant Query Practice (2016 Update).”

What is a Query?

A query is a communication tool or process used to clarify documentation in the health record for documentation integrity and accurate code assignment for an individual encounter in any healthcare setting. Synonymous terms for “query” include: clarification, clinical clarification, and documentation clarification. Documentation queries (referred to as “queries” in this Practice Brief) are used by coding professionals, CDI professionals, and all professionals responsible for documentation clarification or who have oversight and/or involvement in the query process. As healthcare reimbursement methodologies evolve and reliance on claims data as a risk-adjustment and quality of care tool increases, so does the importance and complexity of the query process. Queries continue to be a mechanism that increases the precision of clinical documentation, which translates into accurate clinical data, reflecting a provider’s intent and clinical thought process in a manner that results in an accurate depiction of patient complexity within each episode of care.

All queries, including verbal queries, should be memorialized to demonstrate compliance with all query requirements to validate the essence of the query (see below). Regardless of how the query is communicated, it needs to meet all of the following criteria:

• Be clear and concise
• Contain clinical indicators from the health record
• Present only the facts identifying why the clarification is required
• Be compliant with the practices outlined in this brief
• Never include impact on reimbursement or quality measures

As query templates are now increasingly embedded in the electronic health record (EHR) or workflow software, query professionals must ensure relevant clinical indicator(s) specific to the particular patient as cited within the health record are applied and referenced appropriately. Additionally, the choices provided as part of the query must reflect reasonable conclusions specific to the clinical scenario of the individual patient.

Why Query?

Queries are utilized to support the ability to accurately assign a code and can be initiated by either coding or CDI professionals. Queries may be necessary in (but are not limited to) the following instances:

• To support documentation of medical diagnoses or conditions that are clinically evident and meet Uniform Hospital Discharge Data Set (UHDDS) requirements but without the corresponding diagnoses or conditions stated
• To resolve conflicting documentation between the attending provider and other treating providers (whether diagnostic or procedural)
• To clarify the reason for inpatient admission
• To seek clarification when it appears a documented diagnosis is not clinically supported
• To establish a diagnostic cause-and-effect relationship between medical conditions
• To establish the acuity or specificity of a documented diagnosis to avoid reporting a default or unspecified code
• To establish the relevance of a condition documented as a “history of” to determine if the condition is active and not resolved
• To support appropriate present on admission (POA) indicator assignment
• To clarify if a diagnosis is ruled in or out
• To clarify the objective and extent of a procedure

Although specific query formats will be discussed later in this Practice Brief, issuing clinical validation queries can be more challenging than other query types. These challenges have initiated the development of a separate Practice Brief to address these concerns. Please refer to the AHIMA Practice Brief titled “Clinical Validation: The Next Level of CDI” to learn more about the process of clinical validation, available in the AHIMA HIM Body of Knowledge at http://bok.ahima.org.

What to Query?

A health record contains documentation authored by a variety of healthcare professionals. Increasingly, the electronic health record also contains information whose origin and accuracy cannot always be easily verified. While it is important to note the overall accuracy of the health record and how well it meets industry and regulatory standards, it is outside the scope of querying professionals to manage provider documentation practices.

When coding and CDI professionals identify that the health record fails to meet one of the following seven criteria identified below, and after education and query efforts have been exhausted, it should be reported to the appropriate facility and/or organizational authority:

• Legibility
• Completeness
• Clarity
• Consistency
• Precision
• Reliability
• Timeliness

Facilities and organizations are encouraged to have robust guidelines in place that define the contents of the health record and outline documentation expectations, including the use of copy and paste functionality, automatically populated fields (i.e., problem lists, diagnostic results, etc.), and document templates that are included within the health record.

The focus of CDI professionals is to review the health record to ensure clear, high-quality clinical documentation. Ambiguous documentation fails to reflect the provider’s intent, impacts the clinical scenario (i.e., complications, quality of care issues), the accuracy of code assignment, and the ability to assign a code. It is important to note that code accuracy is not the same as code specificity. The ICD-10-CM Official Guidelines for Coding and Reporting’s General Guidelines B.2 only requires diagnosis codes be reported to the highest number of characters available, not to the most specific code available within the code set. Although there has been discussion from payers and others regarding the reporting of unspecified diagnoses, there are situations where an unspecified code is accurate based on the clinical scenario, such as the reporting of A41.9, Sepsis, unspecified organism.

Queries are not necessary for every discrepancy or unaddressed documentation issue. When determining the need to query, the query professional must consider if the provider can offer clarification based on the present health record documentation or resolve/seek clarification on conflicting documentation.

Organizational query policies and procedures should provide direction to guide staff when multiple opportunities exist. Specifically, organizations need to determine if there is a limit to how many questions may be issued at one time and how many queries may be communicated during the same encounter.

In a situation when multiple queries are required regarding the same set of clinical indicators or ambiguous documentation, querying professionals may need to utilize verbal queries to discuss these complex circumstances. For example, if both a diagnosis and additional specificity must be established for accurate code assignment (i.e., the presence of CHF and its type), a verbal query or two separate written queries may be necessary. Trying to obtain too much information in one query may result in a non-compliant query.

There may be times when a second query is needed to obtain further clarification of a previously answered query as additional information becomes available or as the clinical picture evolves. However, it is considered non-compliant to continue asking the same query to the same or multiple providers until a desired response is received.

The objective of a query is to ensure the reported diagnoses and procedures derived from the health record documentation accurately reflect the patient’s episode of care.

Role of Prior Encounters in Queries

There has been much discussion and confusion regarding the use of information from prior encounters in a current clinical documentation query. Some major developments require taking another look at this:

• The field of Clinical Documentation Improvement continues to mature and develop beyond clarifying for reimbursement purposes and is striving for health record integrity
• Implementation of the EHR brings information that was once buried in storage and hard to access to the fingertips of physicians and querying professionals, leading to a more detailed reference and a richer picture of a patient’s medical history
• Recent Centers for Medicare and Medicaid Services (CMS) initiatives such as bundled payments and value-based measures expand the “episode of care” across settings, transitioning to a patient or disease focus instead of a setting of care focus
• CMS and many commercial payers regularly aggregate healthcare data across settings on an annual basis

Coding Clinic’s Third Quarter 2013 section “Assigning codes using prior encounters” states: “[When] reporting recurring conditions and the recurring condition is still valid for the outpatient encounter or inpatient admission, the recurring condition should be documented in the medical record with each encounter/admission. However, if the condition is not documented in the current health record it would be inappropriate to go back to previous encounters to retrieve a diagnosis without physician confirmation.”

This statement speaks to code assignment, not construction of a documentation query. A query may be initiated to clinically validate a diagnosis that a prior health record provided evidence to support, particularly when clarifying specificity or the presence of a condition which is clinically pertinent to the present encounter supporting accuracy of care provided across the healthcare continuum. Prior encounter information may be referenced in queries for clinical clarification and/or validation if it is clinically pertinent to the present encounter. However, it is inappropriate to “mine” a previous encounter’s documentation to generate queries not related to the current encounter.

Situations in which queries using information from prior encounters may be utilized when relevant include, but are not limited to:

• Diagnostic criteria allowing for the presence and/or further specificity of a currently documented diagnosis (i.e., to ascertain the type of CHF, specific type of arrhythmia)
• Treatment/clinical criteria or diagnosis relevant to the current encounter that may have been documented in a prior encounter
• Determine the prior patient baseline allowing for comparison to the current presentation
• Establish a cause-and-effect relationship
• Determine the etiology when only signs, symptoms, or treatment are documented
• Verify POA indicator status
• Clarify a prior history of a disease that is no longer present (i.e., history of a neoplasm)

When considering whether a query could be issued using information in the prior record, carefully consider the “General Rules for Other (Additional) Diagnoses” that states: “For reporting purposes the definition for ‘other diagnoses’ is interpreted as additional conditions that affect patient care in terms of requiring: clinical evaluation; or therapeutic treatment; or diagnostic procedures; or extended length of hospital stay; or increased nursing care and/or monitoring,” according to ICD-10-CM Official Guidelines for Coding and Reporting, Section III. It would be inappropriate to query for a diagnosis that, if documented, would not satisfy these criteria. A query cannot be based solely on the information from a prior encounter; there must be relevant information within the current encounter to substantiate the query.

Clinical Indicators

“Clinical indicators” is a broad term encompassing documentation that supports a diagnosis as reportable and/or establishes the presence of a condition. Examples of clinical indicators include: provider observations (physical exam and assessment), diagnostic findings, treatments, etc. provided by providers and ancillary professionals. There is not a required number of clinical indicators that must accompany a query because what is a “relevant” clinical indicator will vary by diagnosis, patient, and clinical scenario.

While organizations, payers, and other entities may establish guidelines for clinical indicators for a diagnosis, providers make the final determination as to what clinical indicators define a diagnosis. AHA’s Coding Clinic similarly affirms that in its first quarter 2014 issue, stating:

Clinical information previously published in Coding Clinic whether for ICD-9-CM or ICD-10-CM/PCS does not constitute clinical criteria for establishing a diagnosis, substitute for the provider’s clinical judgment, or eliminate the need for provider documentation regarding the clinical significance of a patient’s medical condition. It may still be useful to understand clinical clues regarding signs or symptoms that may be integral (or not) to a condition. However, care should be exercised as ICD-10-CM has new combination codes as well as instructional notes that may or may not be consistent with ICD-9-CM.

The purpose or type of query will also impact how much clinical support is necessary to justify the query and, when applicable, reasonable option(s). When the purpose of the query is to add a diagnosis, clinical indicators should clearly support the condition, allowing the provider to identify the most appropriate medical condition or procedure. The quality of clinical indicators—how well they relate to the condition being clarified—is more important than the quantity of clinical indicators.

Clinical indicators can be identified from sources within the entirety of the patient’s health record including emergency services, diagnostic findings, and provider impressions as well as relevant prior visits, if the documentation is clinically pertinent to the present encounter. For example, there is care being provided in the current encounter that necessitated the review of a previous encounter to identify the undocumented condition. Compliant query practice always requires the individualization of each query to reflect the specifics of the current circumstance.

Who is Queried?

Healthcare data is obtained primarily from diagnosis and procedure codes. In particular, diagnosis codes are only assigned based on the documentation of those licensed independent providers who render direct patient care. The 2019 ICD-10-CM Official Guidelines for Coding and Reporting define the term “providers” as: “physician or any qualified healthcare practitioner who is legally accountable for establishing the patient’s diagnosis.” Independent providers include physicians, consulting physicians, nurse practitioners, physician assistants, and medical residents. Code assignment may be based on other physicians’ (i.e., consultants, residents, anesthesiologist, etc.) documentation if there is no conflicting information from the attending physician. Refer to section I.B.14. “Documentation by Clinicians Other than the Patient’s Provider” in the ICD-10-CM Official Guidelines for Coding and Reporting for additional guidance. When conflicting documentation is present, it is the attending physician who should be queried to resolve the discrepancy.

There are occurrences for which queries are applied to individuals who are not classified as a provider. Coding Clinic first quarter 2014 states that, “It is appropriate to assign a procedure code based on documentation by a non-physician professional when that professional provides the service.” For example, infusions may be carried out by a nurse, wound care may be provided by a nurse or physical therapist, mechanical ventilation may be provided by a respiratory therapist, or a medication may be ordered by the physician and administered by a nurse. In these instances, clarification may be needed from a non-physician professional and queries should be assigned as appropriate. All individuals who are likely to receive a query should be educated about the reason(s) for the query, the process, and the expectations for completion and documentation.

How to Query

Verbal, written paper, and electronic queries serve the purpose of supporting clear and consistent documentation of diagnoses being monitored and treated during a patient’s healthcare encounter. Regardless of the method, a query must adhere to compliant, non-leading standards, permitting the provider of record to unbiasedly respond with a specific diagnosis or procedure. References to reimbursement must not occur. All relevant diagnoses, lab findings, diagnostic studies, procedures, etc. which illuminate the need for a query should be noted.

Regardless of the format and technology used, a query should not direct the provider to document a specific response. Best practice dictates that, whenever possible, query responses be consistently documented within the health record as part of the progress notes and discharge summary or as an addendum as appropriate. If a compliant query has been properly answered and authenticated by a responsible provider and is part of the permanent health record, absence of the documented answer in a progress note, discharge summary, or addendum should not prohibit code assignment.

Follow Best Practices

Healthcare professionals who work alongside practitioners to ensure accuracy in health record documentation should follow established facility and organization processes, policies, and procedures that are congruent with recognized professional guidelines. This Practice Brief represents the joint efforts of both AHIMA and ACDIS to provide ongoing guidance related to compliant querying. As healthcare delivery continues to evolve, it is expected that future revisions to this Practice Brief will be required.

Appendices Available Online

There are three appendices in the online version of this Practice Brief, available in AHIMA’s HIM Body of Knowledge:

• Appendix A: Use of Templates in the Query Process
• Appendix B: Query Examples
• Appendix C: AHIMA and ACDIS Resources


Prepared By (2019 Update)

Suraj Bossoondyal, MB ChB, CDIP, CCDS, CCS, CPC, HIT-T
Gloryanne Bryant, RHIA, CDIP, CCS, CCDS
Tammy Combs, RN, MSN, CCS, CCDS, CDIP
Kathy DeVault, MSL, RHIA, CCS, CCS-P, FAHIMA
Melanie Endicott, MBA/HCM, RHIA, CDIP, CHDA, CPHI, CCS, CCS-P, FAHIMA
Cheryl Ericson, MSN, RN, CDIP, CCDS
Okemena Ewoterai, MA, BSN, RN, CCS, CCDS
Katy Good, RN, BSN, CCDS, CCS
Tracey Grier, RN, CCS
William Haik, MD, FCCP, CDIP
Tamara Hicks, RN, BSN, MHA, CCS, CCDS, ACM-RN
Fran Jurcak, RN, MSN, CCDS
Katherine Kozlowski, RHIA, CCS, CDIP, RMCC
Chinedum Mogbo, MBBS, MSHIM, RHIA, CCS, CDIP, CCDS
Brian Murphy, CPC
Laurie Prescott, MSN, RN, CCDS, CDIP
Susan Schmitz, JD, RN, BSN, CCS, CCDS, CDIP
Cathy Seluke, RN, BSN, ACM, CCDS
Susan Wallace, MEd, RHIA, CCS, CDIP, CCDS
Michelle Wieczorek, RN, RHIT, CPHQ
Anny Yuen, RHIA, CCS, CCDS, CDIP
Irina Zusman, RHIA, CCS, CCDS

Acknowledgements (2019 Update)

Patricia Buttner, MBA/HCM, RHIA, CDIP, CHDA, CPHI, CCS, CICA
Angie Curry, RN, BSN, CCDS
Lori Drodge, RHIT, CCS
Paul Evans, RHIA, CCS, CCS-P, CCDS
James S. Kennedy, MD, CCS, CCDS, CDIP
Katherine Kozlowski, RHIA, CDIP, CCS
Ruth A. Lutes, MS, RHIA
Angelica Naylor, MBA, BSN, RN, CCDS
Erica Remer, MD, FACEP, CCDS
Howard Rodenberg
Donna Rugg, RHIT, CDIP, CCS, CCS-P, CICA
Robyn Stambaugh, MS, RHIA
Deanne Wilk, BSN, RN, CCDS, CCS

The information contained in this Practice Brief reflects the consensus opinion of the professionals who developed it. It has not been validated through scientific research. This Practice Brief was produced through the joint effort of the Association of Clinical Documentation Improvement Specialists (ACDIS) and the American Health Information Management Association (AHIMA). Both associations collaborated on the creation of this Practice Brief and approved its contents, and as such it represents the recommended industry standard for provider queries.

Coding Notes

Five Tenets for Success in Academic Medical Center Coding

By Sarah Humbert, RHIA

According to the Association of American Medical Colleges (AAMC), 44 states and the District of Columbia have accredited medical schools and teaching hospitals.1 Numbering nearly 120, these academic medical centers provide critical services not available elsewhere, including comprehensive cancer centers, burn units, Level 1 trauma centers, and pediatric intensive care.

While academic medical centers account for a small percentage of the nation’s hospitals, they are responsible for nearly 25 percent of clinical care based on total hospital revenue, according to the AAMC. Properly documenting and coding clinical care in academic medical centers is the foundation for correct payer reimbursement.

Ensuring coding accuracy in teaching facilities comes with unique challenges not found in community care. This article identifies five unique principles to follow for improving accuracy, productivity, and compliance in academic medical center coding.

1. Conquer Case Complexity

First and foremost, acknowledging the complex nature of cases is key for success with academic coding. The ability to attract and retain coders with academic or trauma experience is essential since these two types of settings usually go hand in hand. Academic coding positions are also difficult to fill when coders depart. This makes partnerships with several outsourced coding vendors, not just one, more valuable in the academic medical setting.

Factors increasing case complexity at academic medical centers include:

• Higher number of experimental procedures
• Prevalence of pioneering research
• Frequent organ transplants
• Different treatments and patient case management

Even when coders are assigned only to emergency medicine cases, prior experience with academic and trauma cases is critical. Emergency encounters are significantly more complex at academic medical centers than at critical access or community hospitals.

2. Manage the Reality of Residents

Residents are the norm in academic medical centers. Their annual influx requires additional resources and coder time to build relationships and establish progress note documentation rules with attending physicians.

Clear guidance on what can be coded based on which clinician’s notes is a key element for coding accuracy and consistency. Coders should also understand how residents are involved in care. This is especially important for professional fee coding where there are specific modifiers for residents versus attendings.

3. Watch for Claim Edit Issues During EHR Change

Academic medical centers are frequently involved in mergers and acquisitions. Technology changes are an inevitable consequence. Electronic health record (EHR) upgrades, conversions, and entire system transitions notoriously cause spikes in claim rejections and payer denials as new systems’ billing edits are implemented.

Some academic medical centers report thousands of cases stuck in edit queues post-EHR go-live. More time is needed to review these complex cases, identify the root cause of a failed edit, correct the case, and work with IT to correct system edits. This reality causes significant workflow disruption to medical record coding teams as coders are asked to:

• Correct failed coding and billing edits following EHR upgrades
• Set aside day-to-day production and clean up backlogged work queues
• Work with IT teams to correct faulty billing and coding edits in the new EHR

Matt Hoeger, director of revenue integrity at Penn State Health’s Milton S. Hershey Medical Center, recalls his team’s experience with the implementation of a new EHR in June 2018. “Our coders became half as efficient immediately following go-live as thousands of new edits appeared and cases couldn’t be billed. All facets of our business were impacted, and new coding resources were required until we could get the new edits back under control.”

One way to relieve the burden of edit spikes is to establish a specialized edit team. This team could include outside resources or designated internal specialists.

4. Designate a Specialized Edit Management Team

A specialized edit team is much more effective and efficient in remedying the post-EHR edit challenges mentioned above. Academic medical center coders remain focused on day-to-day production while editors review and clear up to 25 accounts per hour. Here are seven best practice guidelines to establish and manage a designated edit management team:

1. Ensure editors have the ability to code and that they possess some coding experience.
2. Work with coders to clearly understand coding workflows within the new EHR.
3. Train the team on EHR edit specifics and establish collaboration with IT experts to build out specialized queues.
4. Clear edits as quickly as possible, including medical necessity edits, correct connection between diagnosis and procedures, etc.
5. Educate editors on Medicare rules, broad coding guidelines, and local payer guidelines for the most common payers.
6. Specialize and subdivide the team down to specific edits and work queues. For example, queue #131 includes all medical necessity edits while queue #132 includes all patient demographic edits.
7. Compile a list of most common issues and learn from each case to establish proactive edit practices and mitigate unbilled risk.

5. Work Collaboratively with Coding Vendors

The final tenet for better outcomes in academic medical center coding is coding vendor management.

It is common for large academic medical centers to partner with several outsourced coding companies. Hoeger confirms the benefits of maintaining relationships with multiple resources. “There are too many contracting challenges and onboarding technology tasks to frequently switch coding vendors in the academic setting. I prefer to retain a core group of contracted partners to support our in-house team, understanding that outsourced coders may not be needed forever,” Hoeger says.

Vendors should also be open to working directly with internal clinical documentation improvement (CDI) teams. CDI programs are typically larger and more specialized in academic settings, requiring closer collaboration with coding professionals on complex cases. Accommodations for frequent team calls, technology-supported communications, DRG mismatch procedures, and more should be included in academic medical centers’ outsourced coding vendor agreements to achieve mutual goals:

• Ensure coding and CDI teams are in agreement before a complex case is submitted for billing
• Verify principal diagnosis across all stakeholders
• Agree on what exactly happened to the patient during the encounter including all therapies, surgeries, testing, etc.

For complex academic medical center cases, strong collaboration and clarification are essential to stand behind coding decisions and the coding team’s overall performance.

Note

1. Association of American Medical Colleges. “America’s Medical Schools and Teaching Hospitals: Improving the Health of All.” May 2018. https://aamc-black.global.ssl.fastly.net/production/media/filer_public/aa/41/aa41a4ce-26c3-4167-a54e-cc4cd0c5ec51/what_is_academic_medicine_infographic_-_20180516.pdf.

Sarah Humbert ([email protected]) is vice president of coding operations at KIWI-TEK.

One way to relieve the burden of edit spikes is to establish a specialized edit team. This team could include outside resources or designated internal specialists.

Coding Notes

Complicated Coding: Postoperative Ileus

By William C. Fiala, MA, CCS-P, CPC, RMA, and Kristine N. Kraft, DC, RMA

COMPLICATION CODING IS “considered to be one of the more challenging aspects of coding,” as an article in ICD10monitor once put it.1 The reporting of complication codes brings with it certain risks to providers and institutions, from adverse report card grades to increased liability and decreased payment. As Vanessa Fuhrmans reported in the Wall Street Journal, some insurers go so far as to refuse payment “for care triggered by some complications they believe hospitals should prevent.”2 Coding professionals need to continue to expand their knowledge in pathophysiology and to continue developing lines of communication with providers to ensure any reporting of complication codes is accurate. This article will review one possible complication—postoperative ileus—and the circumstances of coding for it.

In reviewing medical dictionaries, ileus is frequently defined as an obstruction of the bowel.3,4 Dr. Edward Livingston and Dr. Edward Passaro, in their 1990 discussion, defined it as “a state of inhibited bowel function” wherein there is a “functional inhibition of propulsive bowel activity.”5 The physicians further defined postoperative ileus as “the uncomplicated ileus occurring following surgery, resolving spontaneously within two to three days” lasting “transiently in the small bowel, for 24-48 hours in the stomach, and 48-72 hours in the colon.”6 Other authors have observed a “general consensus that some degree of postoperative ileus is a normal obligatory and physiologic response to abdominal surgery” and a “generally benign condition that resolves without serious sequelae.”7 The expected result of surgery may have some prophylactic address:

Nasogastric suction for the relief of bowel obstruction was introduced in 1884. Nasogastric intubation had a tremendous impact… and became the standard after abdominal procedures where ileus is a problem. It was, and remains so common that [it] is still routinely employed as prophylaxis.8

Coding professionals should note that, at least in the short term, postoperative ileus can be a normal and expected result of surgery for which prophylactic measures may routinely be ordered.

With a reasonable definition of postoperative ileus, it is easier to understand what constitutes a complication. In their 2004 proposal for a classification of surgical complications, Drs. Dindo, Demartines, and Clavien defined a surgical complication as “any deviation from the normal postoperative care.”9 Health information management professionals similarly define a complication as a circumstance “likely to increase the intensity of services needed to care for patients” and “a condition arising during the hospitalization that modifies the course of the patient’s illness or the medical care required.”10,11 Key elements from those definitions include “deviation from normal,” “increase the intensity,” and “modifies the course.”

ICD-10-CM coding guidelines add another component to the definition of a complication: a link between the deviation, increased intensity, or modified care plan and the prior care provided—in this case, the surgery. According to the guidelines:

Code assignment is based on the provider’s documentation of the relationship between the condition and the care or procedure, unless otherwise instructed by the classification. The guideline extends to any complications of care, regardless of the chapter the code is located in. It is important to note that not all conditions that occur during or following medical care or surgery are classified as complications. There must be a cause-and-effect relationship between the care provided and the condition, and an indication in the documentation that it is a complication.12

A surgical complication is a circumstance in which there is a modification to the patient’s treatment plan that takes it beyond normal postoperative care and for which the provider documents a clear relationship between the need for the modification and the preceding procedure.

Armed now with definitions of postoperative ileus and a surgical complication, how would a coding professional report the circumstance when the provider documents “postoperative ileus?”

Since 2012, reporting the circumstance in ICD-9-CM appeared fairly straightforward; 2012 saw the introduction of a new code—997.40—along with subterm or essential modifier entries in the alphabetic index under the main term “ileus” that read “following gastrointestinal surgery” and “postoperative” and pointed to 997.49. Category code 997 is identified as “complications affecting specified body systems, not elsewhere classified.” It seems as though the default for a postoperative ileus was that the circumstance was a complication whether or not it lasted less than three days, was a “normal obligatory and physiologic response,” did not require any change in the normal postoperative care or treatment plan, and was not specifically identified by the provider as having a causal relationship to the procedure. Similarly, the ICD-10-CM alphabetic index under the main term “ileus” has a subterm or essential modifier “postoperative” and points to code K91.89 with a description of “other postprocedural complication and disorders of the digestive system” and a “use additional code” note. Fortunately, the ICD-10-CM guidelines provide one more very critical bit of instruction: “Query the provider for clarification, if the complication is not clearly documented.”13

The documentation of “postoperative ileus” presents an excellent clinical documentation improvement moment and an opportunity for coding professionals and providers to work together. Coders should not assume that the words “postoperative ileus” always refer to a complication as defined above, and queries regarding clarification of the documentation should be made. One coding professional reports that providers are beginning to document “expected ileus,” documentation that is consistent with the idea that the ileus is, as Drs. Kalff, Wehner, and Litkouhi suggest, “a normal obligatory and physiologic response” requiring no additional resources beyond routine postoperative care and prophylaxis, and documentation that provides some clarity to coders.14 Coding professionals should work with providers at their practice or facility to establish clear and consistent documentation such that the circumstance of an expected postoperative ileus—the normal two- to three-day event requiring no additional resources—can be clearly and easily distinguished from a complication of surgery—a longer postoperative ileus that does require deviation from the normal postoperative care—thus allowing the encounter to be coded quickly and correctly.

Notes

1. ICD10monitor. “Postoperative Complications: It’s complicated.” March 25, 2016. www.icd10monitor.com/postoperative-complications-it-s-complicated.

2. Fuhrmans, Vanessa. “Insurers Stop Paying for Care Linked to Errors.” Wall Street Journal. Jan 15, 2008. www.wsj.com/articles/SB120035439914089727.

3. Stedman’s Concise Medical Dictionary for the Health Professions, Third Edition. Baltimore, MD: Williams & Wilkins, 1997.

4. Taber’s Cyclopedic Medical Dictionary: 20th Edition. Philadelphia, PA: F.A. Davis, 2005.

5. Livingston, Edward and Edward Passaro. “Postoperative Ileus.” Digestive Diseases and Sciences 35, no. 1 (January 1990): 121-132.

6. Ibid, page 122.

7. Kalff, Jörg C. et al. “Postoperative Ileus.” UpToDate. July 17, 2017. www.uptodate.com/contents/postoperative-ileus.

8. Livingston, Edward and Edward Passaro. “Postoperative Ileus.” Page 126.

9. Dindo, Daniel, Nicolas Demartines, and Pierre-Alain Clavien. “Classification of Surgical Complications: A New Proposal with Evaluation in a Cohort of 6336 Patients and Results of a Survey.” Annals of Surgery 240, no. 2 (August 2004): 206.

10. Gregg Fahrenholz, Cheryl and Ruthann Russo, ed. Documentation for Health Records. Chicago, IL: AHIMA, 2013: 415.

11. Huffman, Edna. Health Information Management, 10th ed, revised by AHIMA. Berwyn, IL: Physician’s Record Company, 1994: 234.

12. Centers for Medicare and Medicaid Services. ICD-10-CM Official Guidelines for Coding and Reporting. www.cms.gov/Medicare/Coding/ICD10/Downloads/2019-ICD10-Coding-Guidelines-.pdf.

13. Ibid.

14. HCPro. “Q&A: Resolving coding postoperative ileus worries with documentation.” CDI Strategies. March 31, 2011. www.hcpro.com/print/HIM-264322-5707/QA-Resolving-coding-postoperative-ileus-worries-with-documentation.

William C. Fiala ([email protected]) is professor of practice, allied health technology, at University of Akron. Kristine N. Kraft (knk@uakron.edu) is director, medical assisting technology and interim director, School of Allied Health Technology, at the University of Akron.

Journal of AHIMA Continuing Education Quiz

Quiz ID: Q1939004 | EXPIRATION DATE: APRIL 1, 2020

HIM Domain Area: Clinical Data Management

Article—“Complicated Coding: Postoperative Ileus”

Review Quiz Questions and Take the Quiz Based on this Article Online at https://my.ahima.org/store

Note: AHIMA CE quizzes have moved to an online-only format.


Calendar

CSA Meeting: Alaska, Anchorage, AK

AHIMA Foundation Webinar: Apprenticeships: An Effective Workforce Planning Model for Employers

Student Open House, Chicago, IL

Faculty Development Webinar: CourseShare and Educator Resources

Career Assist: Virtual Career Fair

AHIMA Annual Conference: 2020 Atlanta, GA, October 13-17

CSA Meeting: Missouri, Branson, MO

CSA Meeting: Nebraska, Kearney, NE

CSA Meeting: Arkansas, Little Rock, AR

CSA Meeting: Oklahoma, Catoosa, OK

CSA Meeting: Illinois, Normal, IL

CSA Meeting: Montana, Great Falls, MT

CSA Meeting: South Dakota, Mitchell, SD

CSA Meeting: West Virginia, Bridgeport, WV

CSA Meeting: New Mexico, Albuquerque, NM

CSA Meeting: Idaho, Boise, ID

CSA Meeting: Indiana, Noblesville, IN

CAHIIM Accreditation Process Conference, Chicago, IL

CSA Meeting: Maryland and Washington, DC, Baltimore, MD

CSA Meeting: Kansas, Wichita, KS

CSA Meeting: Iowa, Des Moines, IA

Keep Informed

Resources and News from AHIMA

AHIMA Joins with Artifact Health to Help Standardize CDI Query Workflow

AHIMA has joined with Artifact Health to provide and maintain a comprehensive library of compliant physician query templates that will be utilized within Artifact’s mobile clinical documentation improvement (CDI) query platform. Artifact Health automates CDI queries, which coding and CDI professionals send to physicians when the clinical documentation provided in a patient’s record is insufficient to accurately code for billing and treatment. AHIMA will provide its library of compliant query templates for indications such as sepsis, pneumonia, and kidney failure to the Artifact platform, which automates the query process by enabling physicians to respond quickly and easily with their smartphone. AHIMA will continuously revise the query templates to ensure they reflect the most recent coding and compliance updates. For more information visit www.artifacthealth.com/post/ahima-joins-with-artifact-health-to-provide-compliant-templates-for-physician-queries.

New On-Demand Webinar Series: Diving Into Documentation

Clinical documentation improvement (CDI) best practices, trending hot topics, and advancements in the CDI profession are all on the docket in this new on-demand webinar series. Presented by CDI industry experts, these monthly 30-minute webinars will be pre-recorded and available on demand. April’s webinar, “Clinical Validation Best Practice Guidance,” will discuss why clinical validation is important, distinguish DRG validation from clinical validation, help attendees determine when to write a clinical validation query, and discuss the role compliance plays in clinical validation. To access this and past Diving Into Documentation webinars, visit https://my.ahima.org/store/product?id=65801.

CDI Summit Registration Now Open

The CDI Summit, taking place July 14 and July 15 in Chicago, IL, is dedicated to advancing the documentation journey and exploring the challenges presented by today’s complex healthcare environment. With keynote addresses from nationally recognized industry experts, this comprehensive conference offers attendees a range of presentations on CDI best practices, innovation, implementation, and ICD-10-CM/PCS. The summit consists of interactive sessions and real-world examples, which provide critical insights into CDI programs and advanced networking opportunities. To register online, visit www.ahima.org/cdisummit.

MAY

May 1–3 CSA Meeting: Minnesota, Duluth, MN

May 2–3 CSA Meeting: Colorado, Lone Tree, CO

May 5–8 CSA Meeting: Alabama, Georgia, North Carolina, and South Carolina, Myrtle Beach, SC

May 7–9 CSA Meeting: Wisconsin, Green Bay, WI

May 10 CSA Meeting: Rhode Island, Warwick, RI

May 14 AHIMA Foundation Webinar: Apprenticeships: A Tool for Career Seekers

May 15–16 CSA Meeting: Virginia, Richmond, VA

May 15–17 CSA Meeting: Hawaii, Honolulu, HI

May 15–17 CSA Meeting: Michigan, Traverse City, MI

May 16 CSA Meeting: Wyoming, TBD

May 17 CSA Meeting: New Hampshire, Manchester, NH

May 17–18 CSA Meeting: Washington, Spokane Valley, WA

May 20–21 CSA Meeting: Pennsylvania, State College, PA

May 30–31 CSA Meeting: Utah, Murray, UT

May 30–June 1 CSA Meeting: Oregon, Silverton, OR

UPCOMING INSTITUTES, SEMINARS, WORKSHOPS, AND WEBINARS

June 2–5 CSA Meeting: New York, Syracuse, NY

June 3–4 CSA Meeting: Kentucky, Richmond, KY

June 3–4 Crack the Code, Chicago, IL

June 7 CSA Meeting: Delaware, Dover, DE

June 8–12 CSA Meeting: California, Indian Wells, CA

June 9–11 CSA Meeting: Massachusetts, Falmouth, MA

June 10–13 Crack the Code Workshops, Chicago, IL

June 11 AHIMA Foundation Webinar: Apprenticeships: An Effective Workforce Planning Model for Employers

June 12–14 CSA Meeting: New Jersey, Atlantic City, NJ

June 12–14 CSA Meeting: Mississippi, Jackson, MS

June 13–14 CSA Meeting: Maine, Augusta, ME

June 20–21 CSA Meeting: Puerto Rico, San Juan, PR

June 23–25 CSA Meeting: Texas, Galveston, TX

July 12–13 CSA Leadership Symposium, Chicago, IL

Check www.ahima.org/events for the latest schedule of institutes, seminars, and workshops.

A Look Ahead

Upcoming AHIMA Institutes, Seminars, Workshops, and Webinars


AHIMA Volunteer Leaders

AHIMA BOARD OF DIRECTORS

President/Chair
Valerie J. Watzlaf, PhD, MPH, RHIA, FAHIMA
Vice Department Chair of Education and Associate Professor
University of Pittsburgh
Pittsburgh, PA
(412) [email protected]

President/Chair-elect
Ginna Evans, MBA, RHIA, CPC, CRC, FAHIMA
Coding Educator, IM Specialties Division
Emory Healthcare
Decatur, GA
(770) 845-5730 [email protected]

Past President/Chair
Diann H. Smith, MS, RHIA, CHP, FAHIMA
Vice President
Texas Health Resources
Arlington, TX
(682) [email protected]

Speaker of the House of Delegates
Shawn C. Wells, RHIT, CHDA
Director of Health Information
University of Utah Health
Salt Lake City, UT
(801) [email protected]

CEO, AHIMA
Wylecia Wiggs Harris, PhD, CAE
Chicago, IL
(312) [email protected]

TERM ENDS 2019—DIRECTORS

Jill S. Clark, MBA, RHIA, CHDA, FAHIMA
Senior Consultant and Knowledge Officer, e4
Red Lion, PA
(610) [email protected]

Dwan Thomas Flowers, MBA, RHIA, CCS, CDIP
HIM Consultant
(904) [email protected]

Karen S. Scott, MEd, RHIA, CCS-P, FAHIMA
Senior Training Specialist/Owner
TruCode/Karen Scott Seminars and Consulting
Bartlett, TN
(901) [email protected]

TERM ENDS 2020—DIRECTORS

Treasurer
Seth Jeremy Katz, MPH, RHIA, FAHIMA
Associate Chief Information Officer
Truman Medical Center
(913) [email protected]

Secretary
Kim D. Theodos, JD, MS, RHIA
Assistant Professor
University of Louisiana at Monroe
(318) [email protected]

Melinda A. Wilkins, PhD, RHIA, FAHIMA
Professor and Program Director, Health Informatics and Health Information Management
Arkansas Tech University
(479) 970-1434 [email protected]

TERM ENDS 2021—DIRECTORS

Sharon Easterling, MHA, RHIA, CCS, CDIP, CRC, FAHIMA
President
DocBytes
Charlotte, NC
(704) [email protected]

Jennifer Mueller, MBA, RHIA, FACHE, FAHIMA
Vice President and Privacy Officer
Wisconsin Hospital Association – Information Center
Fitchburg, WI
(920) [email protected]

Godwin I. Okafor, MSHI, RHIA, FAC-P/PM
Program Manager
US Department of Veterans Affairs
(404) [email protected]

Board Advisor
John P. Hoyt, FACHE, FHIMSS
Executive Vice President Emeritus
HIMSS
Chicago, IL
(312) [email protected]

2019 CHAIRS OF AHIMA VOLUNTEER GROUPS

Advocacy and Policy Council
Seth Johnson, MBA, [email protected]
Daniel Utech, RHIA, [email protected]

AHIMA Grace Award Committee
Sandra Pearson, MHA, RHIA, CHDA, [email protected]

AHIMA Triumph Awards Committee
Renae Spohn, MBA, RHIA, CPHI, CPHQ, FNAHQ, [email protected]

Annual Convention Program Committee
Sandra Joe, MJ, RHIA, [email protected]

CDI Summit Program Committee
Genee [email protected]
Lisa Campbell, PhD, RHIA, CDIP, CCS, [email protected]

Clinical Coding Program Committee
Megan DeVoe, [email protected]
Lance Smith, MPA, RHIT, CCS-P, CHC, COC, [email protected]

Engage Advisory Committee
Yvette [email protected]

Fellowship Committee
Linda Galocy, MS, RHIA, [email protected]

New Graduate Leadership Committee
Todd Norden, [email protected]

Nominating Committee
Ralph Morrison, RHIA, [email protected]

Privacy and Security Program Committee
Beth A. Kost-Woodrow, [email protected]
Tanya Srdanovic, MPA, RHIA, [email protected]

Professional Ethics Committee
Vong Miphouvieng, MHA, RHIA, [email protected]

2018–2019 HOUSE OF DELEGATES

Speaker of the House of Delegates
Shawn C. Wells, RHIT, CHDA
Director of Health Information
University of Utah Health
Salt Lake City, UT
(801) [email protected]

Speaker-elect of the House of Delegates
Christine Williams, RHIA
Health Information Management Document Integrity Manager
UW Health
Madison, [email protected]

Envisioning Collaborative
Aurae Beidler, MHA, RHIA, CHPS, [email protected]

Shawn C. Wells, RHIT, CHDA
Director of Health Information
University of Utah Health
Salt Lake City, UT
(801) [email protected]

House Leadership
Becci Conroy, RHIA, CCS-P, [email protected]

Christine Williams, RHIA
Health Information Management Document Integrity Manager
UW Health
Madison, [email protected]

2019 CHAIRS OF AFFILIATE VOLUNTEER GROUPS

AHIMA Foundation
Diann H. Smith, MS, RHIA, CHP, FAHIMA
(682) [email protected]

Commission on Accreditation for Health Informatics and Information Management Education
Stuart M. Speedie, PhD, FACMI
(651) 249-1350 [email protected]

Commission on Certification for Health Informatics and Information Management
Karen Collins Gibson, MSA, RHIA, FAHIMA [email protected]

Council for Excellence in Education
Keith Olenik, MA, RHIA, CHP
(816) [email protected]

2019 PRACTICE COUNCIL AND VOLUNTEER CONTACTS

Clinical Documentation Improvement
Chinedum Mogbo, RHIA, CDIP, CCS, [email protected]
Anny Yuen, RHIA, CCS, CCDS, CDIP [email protected]

Clinical Terminology and Classification
Faith McNicholas, RHIT, CPC, CPCD, PCS, [email protected]
Mary Stanfill, MS, MBA [email protected]

EHR Documentation Integrity
Jami Woebkenberg, MHIM, RHIA, CPHI [email protected]
Lori Richter, MA, RHIA, CHPS, CPHIT, CPEHR [email protected]

Privacy and Security
Dana DeMasters, MN, RN, [email protected]
Wes Morris, CHPS, CIPM, HCISPP [email protected]


Email changes to your listing to [email protected]

COMPONENT STATE ASSOCIATION PRESIDENTS

Alabama: Lakesha Kinnerson, MPH, RHIA, [email protected]

Alaska: Kara Anderson, CCS-P, B.Ed, CPC, [email protected]

Arizona: Lisa Hart, MPA, [email protected]

Arkansas: Sara Daniel, RHIA, [email protected]

California: Maria Caban Alizondo, MOL, RHIT, [email protected]

Colorado: Shandra Duncan, RHIT, [email protected]

Connecticut: James Donaher, RHIA, CDIP, CCS, [email protected]

Delaware: Kimberly Seery, RHIT, CHDA, CDIP, CCS, CPC, [email protected]

District of Columbia: Toni Jackman, MS-HIS, MTM, [email protected]

Florida: Rae Freeman, RHIA, CHPS, CDIP, [email protected]

Georgia: Karen Searcy, RHIA, [email protected]

Hawaii: Lari Anne Kamei, MBA, [email protected]

Idaho: Jamie Sand, EdD, RHIT, [email protected]

Illinois: Tricia Truscott, MBA, RHIA, CHP, [email protected]

Indiana: Lynette Thom, RHIA, CDIP, [email protected]

Iowa: Jacinda Barth, [email protected]

Kansas: Richard Ryan, MHS/HCEd, [email protected]

Kentucky: Dustin Ginn, MA, MHA, [email protected]

Louisiana: Kristy Courville, MHA, [email protected]

Maine: Sheri Conley, RHIT, [email protected]

Maryland: To be determined

Massachusetts: Bibi Von Malder, RHIT [email protected]

Michigan: Shawn Armbruster, [email protected]

Minnesota: Ryan Johns, RHIA, [email protected]

Mississippi: Lorie Mills, RHIT, [email protected]

Missouri: Brenda Fuller, RHIA, [email protected]

Montana: Rebecca Conroy, RHIA, CCS-P, [email protected]

Nebraska: Tina Mazuch, MS, RHIA, CCS [email protected]

Nevada: Zheila Smith, CDIP, [email protected]

New Hampshire: Pamela Varhol, MS, MBA, RHIA, [email protected]

New Jersey: Fran DiLorenzo, [email protected]

New Mexico: Erica Lopez, [email protected]

New York: Jeffery Youngs, [email protected]

North Carolina: Mary Gregory, RHIT, CDIP, CCS, CCS-P, [email protected]

North Dakota: Laurie Peters, RHIA, [email protected]

Ohio: Krystal Phillips, RHIA, [email protected]

Oklahoma: Tressa Lyon, [email protected]

Oregon: Crystal Clack, MA, RHIA, CDIP, [email protected]

Pennsylvania: Margaret Stackhouse, BSB/IS, RHIA, [email protected]

Puerto Rico: Amarylis Del Hoyo, [email protected]

Rhode Island: Patti Nenna, RHIT, [email protected]

South Carolina: Teresa Huss, MHS, RHIA, [email protected]

South Dakota: Jamie Husher, MS, RHIA, [email protected]

Tennessee: Shannan Swafford, DHA, RHIT, CHDA, [email protected]

Texas: Penny Crow, MS, [email protected]

Utah: Carolyn Russell, [email protected]

Vermont: Sarah Donaldson, MS, [email protected]

Virginia: Kathleen Scott, [email protected]

Washington: Paula Dascher, [email protected]

West Virginia: Vickie Findley, MPA, [email protected]

Wisconsin: Elizabeth Rockendorf, RHIA, CHPS, [email protected]

Wyoming: Sarah Reynolds, [email protected]


Advertising Index

AHIMA: 5, 10, 35, inside back cover

First Class Solutions: 25

MRO: back cover

Textware Solutions-Instant Text: 16

TruCode: inside front cover

AHIMA Thanks Its Loyalty Program Members

EXECUTIVE LEVEL

MANAGER LEVEL

The AHIMA Loyalty Program offers organizations the opportunity to better align their marketing outreach with AHIMA’s print, content, and information channels while delivering year-long exposure to AHIMA’s 103,000+ health information professionals.

To learn more about the AHIMA Loyalty Media Program and position your organization for success, contact:

Jeff Rhodes, 410-584-1940, [email protected] or Allison Zippert, 410-584-1941, [email protected]


CODING & CDI GUIDE

AHIMA

2019 | RESOURCE GUIDE


CONTENTS

AHA Central Office

American Society of Anesthesiologists

Aviacode

Coding Concepts

First Class Solutions

Healthcare Cost Solutions

Indiana University School of Informatics and Computing at IUPUI

Labouré College

SourceHOV Healthcare, Inc.

Stat Solutions, Inc.

see our full profile on AHIMA ResourceConnect at resourceconnect.ahima.org

AHIMA ResourceConnect advertisers as of 3/4/19.


CODING ADVICE FROM THE

CODING EXPERTS

ICD-10-CM AND ICD-10-PCS

CODING HANDBOOK

NELLY-LEON CHISEN, RHIA

AUTHOR OF 2019 HANDBOOK

EDITOR OF CODING CLINICS

www.ahacentraloffice.com


Become a Code Cracker and Documentation Detective

LIKE THE HEALTHCARE profession itself, healthcare coding and clinical documentation improvement (CDI) are dynamic, ever-changing industries that require professionals to stay vigilant with their training. Hoping to help coding and CDI professionals with this task, the Journal of AHIMA’s Code Cracker and Documentation Detective web-exclusive columns feature industry experts diving into the details and offering readers best practices that ensure quality clinical information and properly coded and billed cases.

Specifically, Documentation Detective discusses how to achieve quality clinical documentation with a comprehensive approach aimed at covering all realms of the healthcare industry—inpatient, outpatient, physician office, and beyond. Code Cracker acts as both a job aid (How do I code diabetes mellitus with associated conditions again?) as well as a forum to vet big picture questions about the industry at large (Just how effective is computer-assisted coding?).

The vendors in this Resource Guide aim to offer services that help healthcare organizations get their coding and CDI work done right. This is also the objective of the Documentation Detective and Code Cracker blogs—illustrated below with a selection of popular recent posts that show a coding professional or CDI specialist’s work and training is never finished.

Code Cracker Highlights

Code Cracker is updated monthly and available at https://journal.ahima.org/category/blogs/code-cracker/.

Computer-Assisted Coding: Helpful or Hurtful?

Computer-assisted coding (CAC) has become a commonly recognized presence on the health information management scene, so much so that we now have coders in the workforce that have likely only ever briefly trained on coding without CAC—or potentially have never worked without CAC at all. But what impact does that have on the profession?

Will Coders Ever Return to the Office?

It feels like it has been much longer since the days when many coding professionals were working in the basement of a hospital, still coding from paper charts, the idea of being able to work from home much more dream than reality. Now that the telecommuting coder is indeed reality, some wonder what impact—positive or negative—this is having on work dynamics and quality.

Coding Diabetes Mellitus with Associated Conditions

One of the most popular Code Cracker articles, this post reviews the confusion among coding professionals regarding interpretation of the coding guideline “with.” An area that contains many instances of using this guideline in ICD-10-CM is coding Diabetes Mellitus with associated conditions. There are 53 instances of “with” subterm conditions listed under the main term Diabetes.

Documentation Detective Highlights

Documentation Detective is updated monthly and available at https://journal.ahima.org/category/blogs/documentation-detective/.

The Impact of Neonatal Abstinence Syndrome on Clinical Documentation

While neonatal abstinence syndrome is a serious condition, the lack of a standard clinical definition makes it difficult for providers to recognize the symptoms and accurately diagnose and treat newborns. If the syndrome is not recognized, and thus not documented, then the correct diagnosis code will not be assigned—which in turn impacts the state and national statistics regarding this syndrome.

Temporary Newborn Name Compliance: A Focus on Patient Safety

Assigning newborns temporary names at birth is a common practice for hospitals. As a result, a large volume of patients with similar identifiers could potentially result in duplicate records and increase the risk for sentinel events.

It’s Complicated: Post-Operative Complications

The challenge for CDI specialists is in determining if the condition is an expected outcome of the procedure or patient’s disease process, or if it is an actual post-operative complication.


Claims errors are costing you.

Code with confidence.

Anesthesia coding includes many unique challenges.

Code accurately and compliantly with the 2019 editions of CROSSWALK® and Relative Value Guide®.

These essential tools are available as print and electronic files.

Get started today

asahq.org/billing-coding


MEDICAL CODING SERVICES

DOCUMENTATION IMPROVEMENT

CODING COMPLIANCE & AUDIT SERVICES

CODING DENIAL MANAGEMENT

CODING ENHANCING SERVICES

Maximize Revenue, Improve Efficiency & Strengthen Cash Flow

Committed to Coding. Committed to You.

For more information: 1-855-438-2634 | [email protected]

KLAS Outsourced Coding 2018 Report Recognizes Aviacode's Good Performance and Strategic Expertise


Serving up ‘first class’ coding and documentation improvement guidance since 1988, we’re honored to provide hospitals, physician groups, and skilled nursing facilities with a full menu of customizable options:

• Clinical documentation reviews to boost coding accuracy and identify educational opportunities

• Coding compliance audits (APCs, DRGs, E/M, and HCCs) to mitigate risk and ensure accurate payments

• Denial management support to identify root causes and prevent revenue loss

• ICD-10 education for coding and MDS staff

• Temporary and long-term coding support (APCs, DRGs, E/M, and HCCs) to fill staffing vacancies and address backlogs

If you want white glove service, you need white glove professionals.

At First Class Solutions, we aren’t satisfied until we’ve exceeded your expectations.

Let us show you what we can do.

70

HEALTH INFORMATION MANAGEMENT

1949 – 2019

OUR LONGEVITY SPEAKS FOR ITSELF, AND IT SAYS QUALITY

Looking for high-performing Health Information Management and Medical Coding programs?

You can trust that our graduates receive the very best preparation available from an industry-recognized, established program at an internationally-respected university.

To learn more about our programs and our graduates, please contact:

go.iupui.edu/soic-him

Lisa DesNoyers
HIM Program Director
[email protected]

CAHIIM-accredited

Operated by Indiana University since 1949

Offered 100% online and 100% on campus

Possible discounted scholarship

SEE OUR DISPLAY AD ON PAGE 25.


CDI

Earn 8 credits with the first college-level CDI program in the country

Labouré’s Program v. Boot Camp Webinars:

Labouré’s program is different from webinar programs and boot camps because it is a college credit-bearing program.

Labouré College’s CDI program stands alone in its structured, group approach to learning a new healthcare discipline in an online format.

All courses are online and taught by nurses and doctors credentialed in CDI. The program includes weekly assignments, recorded lectures, hands-on practice activities, and discussion groups. Most importantly, the program provides students with an experienced instructor who is available to answer their questions. Students also have the opportunity to learn from fellow classmates with diverse professional backgrounds.

Each of the four courses covers one or more of the six CDI core competency groups. The eight credits of academic coursework represent 120 hours of instruction and approximately 250 hours of reading or written assignments. In total, this program represents approximately 10 weeks of training. This is a significant bonus to healthcare organizations hiring Labouré CDI graduates - they can start immediately on the clinical practice component of their education and training.

Labouré College’s online Clinical Documentation Improvement Certificate is a structured, academic program designed for credentialed healthcare workers identified by ACDIS or AHIMA (RN, RHIA, RHIT, CCS, MD and DO).

Graduates gain a solid background in CDI and daily processes and are ready to begin their clinical practice in the CDI department immediately – without preparatory training by the healthcare facility.

Quick Facts:

• Start in September, January, or May

• Can be completed in two semesters

• Earn eight college credits

• College accredited by NECHE

• Taught by CDI credentialed nurses and doctors

• Graduates are fully prepared to begin clinical practice in CDI departments

• Tuition: $2,920 - payment plans are available (because this program qualifies for college credit it is commonly approved for tuition reimbursement by hospitals and healthcare organizations)

For more information: Please visit laboure.edu or contact the Admissions team at (617) 322-3575 or [email protected].

Program Chair, Elise Belanger, RHIA is also available at [email protected].

Courses: 2 credits each

• Record Review and Document Clarification

• Clinical Coding Practice

• Metrics and Education

• Compliance and Leadership

Educating exceptional nurses and

healthcare professionals since 1892

Labouré College · 303 Adams Street · Milton, MA 02186 · (617)322-3575 · laboure.edu


Need a coding expert? YOU CAN COUNT ON LEXICODE

LEXICODE.COM

800.448.CODE (2633)

14 MILLION RECORDS CODED IN 2018

REMOTE CODING: INCLUDES QA AND EDUCATION

EDUCATION OPPORTUNITIES: DYNAMIC CODING EDUCATION

AUDITORS/CONSULTANTS: TO PERFORM AUDITS AND INTERIM CODING MANAGEMENT

READY TO SCALE: SHORT AND LONG-TERM CONTRACTS AVAILABLE

FLEXIBLE: ONSHORE OR OFFSHORE SOLUTIONS OR A COMBINATION OF BOTH

ACCURATE: HIGHLY EXPERIENCED, CREDENTIALED CODERS AND CONSULTANTS

1,000 PROVIDERS RELY ON LEXICODE

1,000+ CREDENTIALED CODERS AND CONSULTANTS


Coding Compliance Audits: Inpatient / Outpatient / Clinic

• Concurrent

• Retrospective

• HCC / Risk Adjustment

• Professional Fee

Remote Coding Support:

• 100% U.S. Based / Ongoing QA

Healthcare Audit Resource Technology

Database Solution for the Ever-Changing

Environment of the External Audit

Optimizing Your Rightful Reimbursements

Healthcare Cost Solutions, Inc.

866.427.7828 / 949.721.2795

www.hcsstat.com

Stat Solutions, Inc. provides tailored solutions for all your HIM needs. We focus our efforts on providing the highest level of quality credentialed HIM professionals along with the finest personalized customer service.

Coding Services

Coding Quality Reviews

Interim HIM Management

Clinical Documentation Improvement

For more information please call 888-297-7212

[email protected]

AHIMA

Search Find Connect

Discover even more resources, services, and products at resourceconnect.ahima.org


Value-Based Care Now Includes Ambulance Coverage

The sticker shock felt by patients getting a bill for an ambulance ride is a problem that has plagued healthcare for years. A number of factors beyond the control of the patient—who, after all, is being treated for an emergent condition—result in an inefficient and expensive utilization of resources.

Now, however, the Centers for Medicare and Medicaid Services (CMS) is taking a big step in addressing this issue—for Medicare beneficiaries, at least—in a new pilot program out of the Center for Medicare and Medicaid Innovation. The value-based Emergency Triage, Treat and Transport (ET3) model will make it possible for participating ambulance suppliers and providers to partner with qualified healthcare practitioners to deliver treatment in place (either on-the-scene or through telehealth) and with alternative destination sites (such as primary care doctors’ offices or urgent-care clinics) to provide care for Medicare beneficiaries following a medical emergency for which they have accessed 911 services, according to a CMS press release.¹ The program would give individuals more choice on where an ambulance takes them, when appropriate, instead of automatically heading to the nearest costly hospital emergency room.

Although it’s only a pilot project now, if implemented it could save Medicare over $500 million per year and allow local fire departments and ambulance services to focus the time and energy of first responders on the most serious emergencies, according to the Associated Press.²

Like other value-based care programs, the ET3 model will eventually involve quality measures, reimbursement incentives, and telehealth consultations, requiring the assistance of health information management professionals.

Currently, Medicare only pays ambulance fees for patients taken to a hospital in most cases, although transportation to rehab centers or nursing homes as well as dialysis facilities is also permitted.

So far, the proposed program is being welcomed by healthcare advocates. “We definitely think this is intriguing and exciting, but it really does need to be monitored very closely,” Julie Carter, a federal policy expert with the Medicare Rights Center, told the Associated Press. “We see this as a potential opportunity to keep people out of the ER when they don’t need to be there.”

Notes

1. Centers for Medicare and Medicaid Services. “HHS launches innovative payment model with new treatment and transport options to more appropriately and effectively meet beneficiaries’ emergency needs.” Press release. www.cms.gov/newsroom/press-releases/hhs-launches-innovative-payment-model-new-treatment-and-transport-options-more-appropriately-and.

2. Alonso-Zaldivar, Ricardo. “Medicare ambulance rides may no longer end up at ER.” AP News. February 14, 2019. www.apnews.com/b142bc5c8d474889b6e5b81364db226f.

Now Accepting Applications for the 2019 Grace Award

Ninety years ago, Grace Whiting Myers acted on a sincere conviction to improve the quality of our nation’s health records by founding an association known as AHIMA. The idea was simple—that advancements in the collection and organization of health information will invariably help medical professionals improve public health. Due to Ms. Myers’ prescient vision, AHIMA’s annual HIM award bears her name: The 2019 Grace Award.

Apply here: www.ahima.org/grace through our simplified application. Submissions accepted from March 25–May 31. The process is 100% free. We’re not interested in application fees. We’re interested in learning about you.


Reputation is everything. That’s why HIM leaders across the nation’s best health systems trust and rely on MRO’s

KLAS-rated #1 Release of Information services and team of renowned experts. Not only do we have a superior

reputation for personalized service and quality, we also work closely with clients to make sure they do too.

Together, we respond to increasing PHI disclosure volume and compliance demands. Through a combination of

the right people and innovative technology solutions, MRO enables clients to deliver high levels of quality, fast

turnaround times, compliance and enhanced customer service.

Gain peace of mind and more time back in your day by partnering with the team that has a proven track record for

excellence. Rita Bowen is just one of the many expert resources you get when partnering with MRO.

“You’re only as good as the company you keep.”

Meet Rita Bowen, MA, RHIA, CHPS,

CHPC, SSGB, Vice President of Privacy,

Compliance and HIM Policy. An HIM

superstar and Past President of AHIMA,

Rita has over 40 years of experience and

expertise. She and her team empower

MRO clients through consultative reviews

of PHI disclosure policies and procedures,

privacy analytics, and a variety of HIPAA

compliance resources and tools.

Learn more: www.mrocorp.com/experts

• KLAS RATED #1 FOR ROI • AUTOMATED WORKFLOWS • 99.99% ACCURACY • EPIC INTEGRATIONS •
