The Office of the National Coordinator for Health Information Technology (“ONC”) of the U.S. Department of Health and Human Services (“HHS”) recently released Version 2.0 of the Guide to Privacy and Security of Electronic Health Information (“Guide”). The Guide is a tool intended to assist providers as they work to comply with federal programs’ requirements administered through HHS and its various offices (such as ONC).
Last published in 2011, the new 2015 version of the Guide provides updated information about compliance with the Medicare & Medicaid Electronic Health Record Incentive Programs (also called “Meaningful Use” Programs) as well as the changes made by the Health Information Technology and Economic Health Act (“HITECH”) as implemented by the Omnibus Final Rule.
At a high level, the Guide includes practical information on issues facing providers such as cybersecurity and patient access to information through certified electronic health record (“EHR”) technology features available under the 2014 Edition Certification rule. The Guide is a practicable and useful tool in that it walks providers through applicable rules and standards, addressing topics such as “why do privacy and security matter”, “understanding provider responsibilities under HIPAA”, “understanding electronic health records, the HIPAA security rule and cybersecurity” and “breach notification, HIPAA enforcement, and other laws and requirements”.
The Guide also addresses the Meaningful Use Programs, which set requirements for providers to demonstrate progressively integrated use of EHRs and to receive incentives for such meaningful use. The Meaningful Use Programs incorporate and require implementation of several key HIPAA security requirements for ePHI. The Guide describes the Meaningful Use security requirements (which require implementation of certain technical controls to safeguard PHI against unauthorized access, audit controls, and an annual security risk assessment) and ways to satisfy these requirements.
With respect to HIPAA Privacy, Security, and Breach Notification Rules, the Guide addresses and provides information regarding what to do if a provider has a breach (distinguishing between secured and unsecured PHI), the risk assessment process for breaches, and how to report breaches. The Guide also describes the types of key state laws that may impose requirements that are more stringent than HIPAA.
Finally, the Guide provides a sample seven-step approach to implement a security management process, which the ONC indicates providers can use as a takeaway reference.