The Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) recently published new guidance on the privacy and security of electronic health information.(1) Although the guide was drafted primarily for the benefit of smaller healthcare providers, it provides information on privacy and security issues that is potentially valuable to providers of all sizes. The guide, last published in 2011, provides updated information regarding compliance with Medicare and Medicaid electronic health record incentive programmes (meaningful use programmes) and the privacy, security and breach notification rules of the Health Insurance Portability and Accountability Act.
The guide articulates several reasons why compliance with the guide is beneficial beyond merely promoting compliance with legal requirements. First, in order to reap the benefits of digital healthcare platforms, healthcare providers and individuals must trust that health information is private and secure. Second, where there is patient trust, patients share more information, which in turn leads to better health outcomes. Third, sound privacy and security practices can help providers to mitigate the risk of the reputational and financial harm that often results from a data breach.
The guide provides a broad overview of the privacy and security requirements of the Health Insurance Portability and Accountability Act, specifically focusing on:
- patients' health information rights;
- the responsibility of healthcare providers to provide access to health information to patients; and
- electronic health record security and cybersecurity practices under the security requirements of the Health Insurance Portability and Accountability Act and the meaningful use programmes.
As patient demand for electronic communication increases, healthcare providers should be considering and implementing mechanisms that will ensure compliance with the Health Insurance Portability and Accountability Act and the meaningful use programmes – namely, encryption and patient portals that require patient logins.
Importantly, the guide highlights new meaningful use requirements, such as responding to patients' requests to transmit electronic protected health information to designated individuals or entities, personal health records or other physicians. The meaningful use programmes, which were promulgated by the Centres for Medicare and Medicaid Services (CMS), provide incentive payments to providers that demonstrate progressively more integrated use of electronic health records. Providers demonstrate 'meaningful use', in part, by satisfying staged privacy and security requirements that address patients' rights to access their own health information and to have that health information protected from unauthorised access.
Security and cybersecurity practices
To satisfy the meaningful use requirements (and the security requirements of the Health Insurance Portability and Accountability Act), providers must conduct a security risk analysis to identify potential security weaknesses and flaws. Risk analysis compliance measures must be reviewed for each electronic health record reporting period, which can range from 90 days to a full calendar year depending on the provider's year of participation in the programme.
The guide also provides a list of questions that providers may ask their electronic health record and health IT developers in order to assist with the security risk analysis, including the following:
- How does the software address security features such as encryption and audit functions?
- How does the back-up and recovery system work?
- Will the developer use remote access to provide updates and will this access be secured?
The guide provides a sample seven-step approach for implementing a security management process that addresses the security-related requirements of the meaningful use programmes. As noted in the guide, this approach does not cover all meaningful use and Health Insurance Portability and Accountability Act requirements, but it can be used as a starting point for healthcare providers to fulfil their compliance responsibilities:
- Step 1 – lead a provider's culture, select its team and learn through:
- designation of a security officer;
- discussion of the Health Insurance Portability and Accountability Act security requirements with its electronic health record developer;
- optional engagement of an external, qualified professional to assist with security risk analyses;
- use of the ONC and OCR websites and other tools to help identify potential security risks;
- frequent review of the Health Insurance Portability and Accountability Act rules; and
- promotion of a culture of protecting patient privacy and securing patient information.
- Step 2 – document risk analyses and Health Insurance Portability and Accountability Act-related policies, procedures, reports and activities. The guide provides a non-exhaustive list of records that providers should retain, which includes a risk management action plan.
- Step 3 – review the existing security of electronic protected health information by performing a security risk analysis that assesses the potential threats to and vulnerabilities of the confidentiality, integrity and availability of electronic protected health information.
- Step 4 – use the results of its risk analysis to develop an action plan to mitigate any identified risks. An action plan should consist of five components:
- administrative safeguards;
- physical safeguards;
- technical safeguards;
- organisational standards; and
- policies and procedures.
- Step 5 – manage and mitigate risks by:
- implementing an action plan;
- preventing breaches through workforce education and training;
- communicating with patients about the privacy and security of information stored in electronic health records; and
- updating business associate contracts to comply with changes to the Health Insurance Portability and Accountability Act.
- Step 6 – submit attestation to CMS in order to receive incentive payments (where applicable). The guide notes that attestation is a legal statement and making an attestation before actually meeting the meaningful use requirements could amount to a false claim.
- Step 7 – monitor, audit and update security controls on an ongoing basis.
Breach of information
The guide notes that in the event of a breach of unsecured protected health information, providers are required to notify affected individuals, the secretary of the Department of Health and Human Services and – in some instances – the media. Unsecured protected health information is data that has not been encrypted or properly destroyed. Providers may avoid reporting a breach if they encrypt their data in accordance with OCR guidance. However, providers may be required to report breaches of encrypted protected health information where the encryption key has also been breached. The guide states that when a provider suspects that a breach of unsecured data has occurred, it should conduct a risk assessment to determine the likelihood that the protected health information has been compromised.
The guide also reminds providers that the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health Act and the meaningful use requirements are not the only privacy and security-related requirements with which a provider may need to comply. Depending on the type of information involved, providers may be required to comply with additional state and federal laws. Among the host of laws that regulate the privacy and security of health information, providers should be aware of, for example:
- Title 42 of the Code of Federal Regulations Part 2 (Confidentiality of Alcohol and Drug Abuse);
- the Family Educational Rights and Privacy Act;
- Title X of the Public Health Service Act (Confidentiality); and
- the Genetic Information Nondiscrimination Act.
Depending on a provider's specific circumstances, the practical advice presented in the guide can enhance provider compliance with the meaningful use programmes and the Health Insurance Portability and Accountability Act, and help providers to realise the many benefits of digital health platforms.
For further information on this topic please contact Anna Spencer or Lacey L Withington at Sidley Austin LLP by telephone (+1 202 736 8000) or email (firstname.lastname@example.org or email@example.com). The Sidley Austin website can be accessed at www.sidley.com.
(1) The full text of the guide is available at www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf.
This article was first published by the International Law Office, a premium online legal update service for major companies and law firms worldwide. Register for a free subscription.