On May 8, 2012, the Office of the National Coordinator for Health Information Technology (“ONC”) released its “Guide to Privacy and Security of Health Information,” which is available here. The Guide is designed to educate health care professionals on actions to take when using electronic health records (“EHRs”) to assure compliance with the Health Insurance Portability and Accountability Act (“HIPAA”) and the Centers for Medicare & Medicaid Services’ meaningful use requirements. The Guide emphasizes that a medical practice, not its EHR vendor, is responsible for such compliance.
To fulfill the requirements of Stage 1 of meaningful use, providers must attest that they have met certain measures regarding their use of EHRs. The Guide discusses in detail the two requirements of Stage 1 of meaningful use: (1) Provide patients with an electronic copy of their health information upon request (“Core Measure 12”); and (2) Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities (“Core Measure 15”). The Guide offers the reader a 4-step process to assure compliance with Core Measure 12. The Guide then outlines how to conduct a security risk analysis to assure compliance with Core Measure 15.
The Guide also includes a 10-step privacy and security plan that medical practices should undergo before attesting to the meaningful use standards. The 10-steps are as follows:
- Confirm your organization is a covered entity;
- Provide leadership (designate a security officer);
- Document your process, findings, and actions;
- Conduct security risk analysis;
- Develop an action plan;
- Manage and mitigate risks;
- Prevent with education and training;
- Communicate with patients;
- Update business associate agreements; and
- Attest for the security risk analysis meaningful use objective.
The Guide also breaks down the HIPAA Privacy and Security Rules into a user friendly format. With regard to the Privacy Rule, the Guide explains what information is protected by HIPAA, the notice of privacy practices requirement, patients’ right to access or amend their designated record set, and accounting of disclosures. With regard to the Security Rule, the Guide explains administrative, technical, and physical safeguards, how to work with your EHR vendor, cybersecurity, and breach notification.
Finally, the Guide includes a comprehensive list of resources to help providers integrate privacy and security into their medical practices.