ONC Writes Guide on HIPAA Privacy & Security

Guide to HIPAA Privacy and Security of Health Information

ONC’s Office of the Chief Privacy Officer (OCPO) has released a new guide to help providers and their staff understand HIPAA privacy and security as they apply to electronic health records (EHRs) and meaningful use. “Guide to Privacy and Security of Health Information” is a comprehensive tool for integrating privacy and security into a practice. The guide includes information on:

  • Privacy & Security and Meaningful Use
  • Security Risk Analysis and Management Tips
  • Working with EHR and Health IT Vendors
  • A Privacy & Security 10-Step Plan
  • Health IT Privacy and Security Resources

According to the guide, your patients trust you, and that trust is a “key business asset”. It is earned through, and depends directly on, how your practice handles patient information. The guide lists ways to cultivate your patients’ trust:

  • Making sure patients can request access to their medical record;
  • Carefully handling patients’ health information to protect their privacy; and
  • Keeping the information in patients’ individual records as accurate as possible.

Privacy and security are addressed in two Stage 1 Meaningful Use core objectives for Eligible Professionals (EPs).

Core objective #12 requires that an EP provide patients with an electronic copy of their health information (including diagnostic test results, problem list, medication list, and medication allergies) upon request. To meet the measure, the EP must attest that more than 50% of all patients who request an electronic copy of their health information receive it within 3 business days. An EP may claim an exclusion if no patients or their agents request an electronic copy of patient health information during the EHR reporting period. Under the HIPAA Privacy Rule, patients have a right to view and obtain a copy of their protected health information (PHI) in your designated record set, including information stored in your EHR.

Core objective #15 requires the EP to protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. To meet the measure, the EP must conduct or review a security risk analysis in accordance with 45 CFR 164.308(a)(1) (the HIPAA Security Rule’s risk analysis requirement), implement security updates as necessary, and correct identified security deficiencies as part of the practice’s risk management process. There is no exclusion for this objective.