Data Integrity Matters™ Newsletter
Audits. It's the one word that best describes the state of healthcare as 2014 comes to a close.
Audits are under way by CMS of an estimated 5-10% of hospitals that successfully attested to Stage 1 of the Meaningful Use program, audits that put billions of dollars in incentive funds at risk of repayment. CMS also issued its long-awaited Final Rule for the 2014 reporting period, giving hospitals just 30 days to ramp up for data collection to comply with the 365-day reporting period.
Those two actions have put attention back on attestation, making now the ideal time to focus on duplicate records. It remains a significant problem for hospitals of all shapes and sizes, and can have an equally significant impact on successful attestation because so many criteria are based on a percentage of unique patients. We examine that issue and offer solutions in "Shining the MU Spotlight on Duplicate Records."
MU isn't the only area being scrutinized. The OCR is also in the process of conducting HIPAA audits, designed to identify weaknesses that may compromise the security of patient information. In "HIPAA Audits Delayed, But Still Looming," we examine the audit process and provide insights into conducting mock audits to ensure readiness when the OCR comes to call.
Shining the MU Spotlight on Duplicate Records
As 2014 winds down, activity is heating up on the Meaningful Use front.
The Centers for Medicare and Medicaid Services (CMS) began auditing an estimated 5-10% of hospitals that successfully attested to Stage 1 of the Medicare and Medicaid EHR Incentive Programs (better known as Meaningful Use), putting billions of dollars in incentive funds at risk of repayment. Meanwhile, in September, the agency issued its Final Rule for the 2014 reporting period, leaving hospitals scrambling to ramp up for data collection starting just 30 days later to comply with the 365-day reporting period.
With the focus back on attestation, it is an ideal time to examine an area that is often overlooked, but that can nonetheless have a significant impact on success: the effect of duplicate records on criteria that are based on a percentage of unique patients.
Specifically, because so many qualifying criteria are tied to a percentage of unique patients, a high volume of duplicates can hinder a hospital's ability to qualify for incentive payments. When taking the recommended approach of basing those percentages on records, even a relatively low duplicate volume will falsely inflate the number of patients to which the denominator criteria must be applied.
Defining Unique Patients
To understand why duplicate records wreak such havoc on Meaningful Use attestation, it is first necessary to understand what constitutes a "unique patient." This phrase is central to the program, playing a role in problem lists, medication allergies, active medication lists, recording demographics, recording changes in vital signs, recording smoking statuses, checking insurance eligibilities, and even some of the quality reporting standards.
A number of Meaningful Use measures require the denominator (for calculating percentages of compliance) to be based on unique patients. Basically, a "unique patient" means counting a patient seen during the EHR reporting period once, even if that patient was seen multiple times. The premise behind this calculation method is that the measures relying on unique patient numbers relate to information contained more globally in the patient record, not all of which requires an update during every patient encounter. It is also important to note that patients whose records are not maintained in certified EHR applications may need to be added to the unique patient count numbers to reflect accurate statistics.
The Impact on Attestation
There are a number of Stage 2 criteria that are based on unique patient numbers. For example, more than 80% of all unique patients:
- Admitted to the inpatient or emergency department must have key demographics recorded as structured data
- Admitted must have blood pressure (for patients age 3 and over only) and height and weight (for all ages) recorded as structured data
- 13 years old or older who are admitted must have smoking status recorded as structured data
Additionally, more than 50% of all unique patients discharged from the inpatient or emergency departments during the EHR reporting period must be provided with timely online access to their health information (available to the patient within 36 hours after discharge from the hospital) and more than 5% must be able to view, download or transmit their information to a third party.
Duplicate records can easily skew these percentages. One illustration examines what happens when a health system with 62,000 patient records and an 8% duplicate rate attempts to comply with the requirement that 80% of unique patients have their smoking status accurately documented within the EHR as structured data.
Recording the smoking status of 48,500 patients would not achieve the 80% requirement because of duplicates (48,500/62,000 = 78.2%). However, if the 8% of duplicate records (4,960) were eliminated from the system, recording the smoking status of that same number of patients would exceed the requirement (48,500/57,040 = 85%).
In another example, 80% of patients must have a problem list within the EHR as structured data. If a hospital has 1 million unique patient records in its system, 10% of which are duplicates, compliance would require problem lists for 800,000 patients. Eliminating those duplicates drops that number to a more easily attained 720,000 patients. If that same hospital had a duplicate volume of 15%, eliminating duplicates would drop the number of problem lists required to just 680,000.
Cleaning It Up
Ultimately, even a low rate of duplicates makes attestation needlessly complex by increasing the number of records impacted by the percentage. Decreasing these numbers can become a daunting task, but not an impossible one.
Implementing strict data governance policies, training and monitoring staff and utilizing strong patient identification algorithms can help eliminate duplicates and speed attestation, thus accelerating receipt of Meaningful Use incentive payments and protecting against audits. More importantly, improving patient data matching accuracy will ultimately develop medical data integrity as a whole, thereby improving patient safety, reducing unnecessary expenses and improving care quality and outcomes.
HIPAA Audits Delayed, But Still Looming
The Office for Civil Rights (OCR) recently delayed the start date for its HIPAA compliance audits until 2015 and reduced the number of organizations it expects to audit from 1,200 to 400. However, these changes will not affect the agency's focus on ferreting out any weaknesses that may compromise the security of patient information.
In an era where HIPAA breaches cost the healthcare industry an estimated $5.6 billion annually, the protection of patient information is vital. Redspin Inc.'s fourth annual breach report revealed a breach increase of 138 percent between 2012 and 2013, affecting more than 14 million patients nationwide. Today, the breach number stands at more than 38 million patients, according to the latest data from the U.S. Department of Health and Human Services. Furthermore, 64 percent of those breaches involved the theft or loss of paper records or unencrypted devices. Business associates alone are responsible for 21 million breaches.
Since its first study in 2010, The Ponemon Institute notes that cyber-attacks on healthcare systems have increased by 100 percent. It attributed that trend to the failure of healthcare organizations' compliance with the HIPAA Final Rule—and it's that kind of rampant non-compliance that the OCR intends to reveal with its audits.
Organizations that fail the OCR's inspections could face significant penalties and fines. And while any healthcare organization that handles secure patient information is an audit candidate, those that have previously experienced breaches are highest on the probability list.
Steps to Proper Implementation
The clock is ticking for organizations that have yet to apply proper HIPAA procedures. Retroactively implementing compliance measures will not prevent fines and penalties once notice of an audit is received. Further, failing organizations must still achieve compliance to protect against future audits. Therefore, HIPAA compliance managers are encouraged to use this extra time wisely to avoid being caught off guard when the OCR auditors come to call.
The OCR will focus its attention on deficiencies in risk analysis and encryption. Auditors will pay additional attention to biomedical devices, cloud storage of protected health information (PHI), security practices and breach notifications. Compliance with Meaningful Use requirements to complete an annual review and update of all security risk analyses will also be scrutinized.
One of the best ways to prepare for a potential OCR inspection is to conduct a mock HIPAA audit. There are several approaches to doing so. Just Associates' best practices involve a hands-on counseling approach aimed at identifying areas of weakness and directing an organization towards full compliance.
- Introduction and Interviews: An effective mock audit begins with the interviews of key personnel regarding breach notifications and business associate agreements. Consultants use the OCR's Audit Program Protocol as the primary reference for preparing an organization for an OCR inquiry. Note: The OCR is planning to update the audit protocol in the coming months. Organizations can expect to see changes to privacy and breach requirements, while security protocols are predicted to stay the same.
- Policy vs. Practice: To begin locating potential holes in the system, consultants must examine an organization's policies as they relate to its HIPAA practices. This includes a comprehensive review of documentation to look for any inconsistencies as well as a thorough on-site validation of policy implementation. The only thing worse than not having a HIPAA policy is having a policy that hasn't been implemented.
- Recommendations: Upon completion of the mock audit, Just Associates provides a detailed report with recommendations for improvement. During this process, consultants will provide counseling and teach facilities' staff how to properly reconcile deficiencies.
To maximize the benefits of a mock audit, the entire staff must develop a policy of complete transparency. Hiding potentially damaging information from mock auditors fails to make effective use of the exercise and actually places an organization at greater risk of failing the real inspection.
Ultimately, healthcare organizations and their business associates are responsible for keeping patient information safe and secure. Mock audits are an excellent tool for identifying any process and procedural weaknesses that put data at risk and add to the rising costs associated with HIPAA breaches. Mock audits provide organizations with the opportunity to address deficiencies now, before time runs out and patient information is compromised.
News from Around the Industry
CDI is Important for Clinical Analytics and Data Integrity
The importance of establishing an information governance framework throughout an organization was emphasized in a recent Health IT Analytics article. The article, which also discusses the basic principles of clinical documentation improvement, stresses the need for detailed clinical data that will help to improve population health management.
To encourage creating a bridge between clinical language and coding language, AHIMA offers a set of eight basic principles for healthcare organizations seeking to implement a basic HIM infrastructure, which cover data integrity, staff accountability, privacy and security, and availability.
How Ebola Could Spur Health Care Sector into Data Analytics Action
The subject of how to deal with Ebola or a potential Ebola outbreak has come to the forefront of healthcare concerns. Some data analytics experts see this as an opportunity to "break down data-sharing barriers" in an effort to advance innovation at a time when hospitals are facing monumental financial constraints. An IT Business Edge article explains that if someone with Ebola became a patient at a hospital, the clinical leadership would want to immediately know more, not just about the patient, but about all the patients and employees around the patient. Therefore, the ability to share data between hospitals and other organizations would need to be as speedy and accurate as possible, so clinicians have the information they need to properly treat all those involved with the patient.
Data Governance Will Require Collaboration
The 2014 AHIMA Convention that took place in late September aimed to call together researchers, clinicians, and health information management professionals to create proper data governance policies. Health IT Analytics published an article discussing the concerns that HIM professionals share.
Attendees, who included Suzanne Paone, MBA, DHA, and Dilhari DeAlmeida, PhD, RHIA, of the University of Pittsburgh, noted the importance of the creation of "a collaborative but secure environment of data analytics for research trials and clinical care." DeAlmeida also suggested that "providers create joint policies through inclusive meetings with all the stakeholders who may need to access patient data for a variety of uses."
Amid Outcry, DeSalvo to Remain National Health IT Coordinator
Reports that Karen DeSalvo would be leaving the Office of the National Coordinator for Health Information Technology prompted concern from organizations such as the American Medical Association, who worried that an untimely departure could "jeopardize the growing momentum around interoperability of electronic health records."
These reports, however, were not accurate as DeSalvo instead would remain the national coordinator for HIT, as well as act in her new title of Assistant Secretary of Health, while continuing to co-chair the Department of Health and Human Services. You can read more about the personnel changes summarized in Medscape's article.
Just Associates News
Sharing our Expertise
In October, Beth Just and Mary Anne Leach, senior vice president and CIO of Children's Hospital Colorado, shared with attendees at the Children's Hospital Annual Leadership Conference solutions to the unexpected data integration challenges organizations face when forming an alliance. In "Overcoming Hidden Barriers to Affiliate-based Health Information Exchange," Beth and Mary Anne focused on the due diligence and strategic EMPI/EHR data integration decisions necessary to fully support the operational and clinical processes needed for Children's to provide pediatric care within the walls of another non-Children's hospital.
The Children's presentation came just a month after several Just Associates' experts shared with attendees of the 86th Annual AHIMA Convention and Exhibit their insights into HIPAA breaches and HIM's future. Joining a panel of esteemed colleagues, Beth presented "HIM Without Walls: Building Expertise for the Future," which focused on why it is critical for HIM professionals to learn new skills, engage colleagues and expand expertise to remain relevant. Also highlighted were key points of an AHIMA/AHIMA Foundation workforce study that shed light on the future of HIM across the healthcare continuum.
Also at the AHIMA Convention, Susan Lucci, Just Associates' chief privacy officer, and Mary Poulson, regional director of compliance at MEDNAX Services, Inc., presented "Whoops! We Have a Breach. What Do We Do Now?" Along with an overview of the 2014 AHIMA Breach Toolkit, they shared guidance and expertise on actions in the case of a HIPAA breach.
Beth also joined Just Associates' Project Manager Megan Munns for "Duplicate Patient Records: Identifying Underlying Causes for MPI Data Discrepancies." They and fellow researchers discussed the findings of their examination of more than 350,000 patient records with confirmed duplicates from multiple sites to identify the underlying causes for MPI data discrepancies. They also discussed the accuracy and ability of existing patient matching algorithms to detect and accommodate the variance in patient identifiers in medical records.
Just Associates in the News
Beth recently contributed to the Journal of AHIMA article "Making Health Information Exchange Work," in which she discusses and analyzes the current state of health information exchange organizations and their operational models. Beth highlights the importance of interoperability and information governance and provides recommendations for building a sustainable HIO.
In a later Journal of AHIMA article, "Tracking HIE's Ever Evolving Operational Models," Beth shares her thoughts on the current state of health information exchange organizations and their operational models. She, along with other industry experts, discusses five critical success factors for private and public HIOs, as well as the differences and similarities of models currently available to organizations.
Beth also co-authored "Data Integrity and HIOs – The top five most dangerous practices, and five steps to solve them," which ran on ADVANCE Healthcare Network in September. In the article, Beth and Exempla Healthcare Data Integrity/EMPI Manager Grant Landsbach addressed problematic data integrity practices that threaten an initiative's long-term success, and identified the five that pose the biggest threat to patient safety and how to avoid them.
Beth also contributed her expertise to a For the Record article, "Patient Identification in an HIE Environment — Where Everyone Doesn't Necessarily Know Your Name." She shared her insights on the detriment that duplicate, incomplete and overlaid patient records have on the healthcare system and offered advice for developing an open-source algorithm that can create benchmarks for vendors and providers.
In an April Journal of AHIMA article, Beth shared her thoughts on "Managing the Integrity of Patient Identity in Health Information Exchange." She discussed the foundation of successful and accurate patient identification and the impact of incorrect or incomplete data capture on the healthcare setting. Beth also warned of the critical patient care issues ineffective patient matching can create and the risk it presents to patient privacy, which degrades consumer and user trust.
Finally, in an ADVANCE Healthcare Network article posted in March, "Three Tiers of Improved Patient Safety," Susan discussed the relationship between accurate patient identity, quality documentation and efforts to reduce medical errors, which are the keys that can unlock the potential for improved patient safety.
ProMedica is a large non-profit health care system with locations in northwest Ohio and southeast Michigan. ProMedica includes 11 hospitals, about 250 physician practices and an insurance company (Paramount).
ProMedica has engaged Just Associates to resolve their duplicate records prior to their deployment of Epic.