In an effort to help members of the health IT community better understand the federal laws relating to interoperability, the Office of the National Coordinator for Health Information Technology (ONC), part of the Department of Health and Human Services, has published a revised Guide to Privacy and Security of Electronic Health Information. Originally published in 2011, the updated document includes new insights about privacy- and security-related issues that will help providers, health IT professionals, vendors, and the public at large understand the different potentially applicable federal laws and incentive programs and how they fit together.
The guide provides scenarios to help explain how the HIPAA Privacy and Security Rules apply to HIPAA-regulated entities, and what capabilities might be possible when using Certified Electronic Health Record Technology (CEHRT) or taking part in other government health IT programs. ONC also published a blog post further explaining the aims of the guidance.
As its title suggests, the guide covers two main themes:
- The guide covers the permitted uses of protected health information (PHI), patient access to information through CEHRT, and other Electronic Health Record (EHR) technology features. The guide also provides one of the first use case sets published by the federal government designed to help determine if an entity is acting as a Business Associate. For example, the guide compares different fact scenarios under which providers may engage service providers and identifies which, if any, of these scenarios triggers a Business Associate relationship. Similarly, the guide explains under what conditions providers may share PHI with others and when they must first obtain patient consent to do so. The guide separately covers breach notification requirements under HIPAA.
- The guide also looks at cybersecurity across federal health IT programs. It advises health care providers on how to use cybersecurity measures, including encryption, to safeguard health information. Although targeted at small providers, the guide can serve as a useful benchmark for entities with more mature institutional privacy and security infrastructures. The guidance includes instructions on how providers can use CEHRT's secure, private communications features to communicate electronically with patients. It also provides questions that providers should ask when engaging IT developers and EHR companies, to help confirm that the systems being purchased meet applicable privacy and security requirements. Finally, the guidance outlines seven steps providers can take to implement an effective security management process. These seven steps, also available as a standalone document, are as follows:
- Lead Your Culture, Select Your Team, and Learn
- Document Your Process, Findings and Actions
- Review Existing Security of ePHI (Perform Security Risk Analysis)
- Develop an Action Plan to Mitigate Risks Identified in the Risk Analysis
- Manage and Mitigate Risks
- Attest for Meaningful Use Security-Related Objective, As Appropriate
- Monitor, Audit, and Update Security on an Ongoing Basis
ONC’s revised guidance is timely given the growing use of EHRs among providers and hospitals. According to the most recent CDC National Ambulatory Medical Care Survey, conducted in 2013, 78 percent of physicians use EHRs, nearly double the adoption rate in 2009. Adoption rates are expected to rise further as the government promotes EHR adoption through programs such as the meaningful use EHR Incentive Programs.
Release of this revised document follows related efforts by ONC to assist in guiding organizations toward compliance with respect to interoperability and privacy. ONC’s January 2015 draft Interoperability Roadmap reflected ONC’s ten-year vision for a HIPAA-compliant interoperable health IT system. To further that vision, ONC also released a 2015 Interoperability Standards Advisory, which outlines draft technical standards for interoperability.
Donald DePass, associate in our Washington, D.C. office, contributed to this entry.