Rare Practical HIPAA and HIT Guidance

By Matt Fisher, Esq.
Twitter: @matt_r_fisher

Potentially lost in all of the privacy, security, and health IT news coming out of the Health Information and Management Systems Society (or HIMSS, as everyone calls it) Annual Meeting the week of April 11th, the ONC updated its Guide to Privacy and Security of Electronic Health Information (the “Guide”). The updated Guide was released on April 13, 2015. The Guide offers practical insights into meeting privacy and security obligations under HIPAA, as well as insights into Meaningful Use and other health IT related issues. ONC designed the Guide to help small and medium-sized providers meet the many difficult obligations with which everyone in the healthcare industry must comply.

On the whole, the Guide achieves ONC’s goals and provides some good, practical advice and tips. The Guide combines easy-to-understand text with actual examples of how the rules being discussed are applied in real situations. From this standpoint, the Guide is accessible to many people. It must be noted, though, that some of the finer details of the issues discussed are not covered in substantial depth.

The Guide consists of seven chapters. The chapters address the following issues:

  1. why privacy and security matter;
  2. HIPAA basics;
  3. patient rights in and to health information;
  4. the intersection of HIPAA, cybersecurity and electronic health records;
  5. Meaningful Use core objectives addressing privacy and security;
  6. a sample approach to a security management process; and
  7. breach notification and enforcement issues.

The advice regarding HIPAA compliance is especially beneficial. For instance, the Guide provides scenarios drawn from everyday occurrences to help organizations identify when an arrangement may result in a vendor becoming a business associate. As one example, the Guide offers two scenarios concerning website developers and when a website developer may become a business associate. The expansion of HIPAA pursuant to the Omnibus Rule makes it essential to be able to appropriately identify which relationships fall under HIPAA’s ambit. While it is the particular situation that determines who is a business associate, it is also necessary to get a business associate agreement in place once that determination has been made. Further, the Guide includes the reminder that a covered entity can become a business associate to another covered entity. The discussion and examples highlight why it is essential to examine each individual relationship against the HIPAA rules and regulations, as well as the definitions they contain. Each situation and arrangement will be unique and should always be examined.

The Guide’s focus on electronic health records (“EHR”) and HIPAA security compliance is also timely. As the Guide reminds readers, implementing a secure EHR does not by itself result in HIPAA compliance. A secure EHR is only one component of HIPAA compliance. Full compliance with the HIPAA security rule requires examination of not just the medical records, but all information stored in a practice, all access points, and the overall operation of the organization. Encryption is one option to consider when trying to secure protected health information. The Guide presents basic information as to what encryption actually is, with which some readers may not be fully familiar. Even though encryption is not required to comply with the HIPAA security rule, the relative ease with which it can now be implemented should shift the analysis.

Lastly, the proposed seven-step approach to implementing a security management process will arguably provide organizations with the building blocks necessary to effectively manage security requirements. The seven steps proposed are:

  1. lead an organization’s culture and team and keep learning;
  2. document processes, findings, and actions;
  3. review existing security measures;
  4. develop an action plan;
  5. manage and mitigate risks;
  6. attest to Meaningful Use related security objectives; and
  7. monitor, audit and update continually.

The last point may be one of the most important. No element of a compliance program can remain static. It must be constantly changing and evolving in order to meet and address new threats and circumstances. As suggested at the outset, though, with the basic steps of an effective program identified in the Guide, it becomes increasingly difficult for organizations to claim that effective compliance cannot be achieved or that there is a lack of knowledge. The Guide is just that: a guide, designed to be a lead for organizations to follow.

As indicated above, each chapter offers easily accessible insight into the particular area covered. Given the heightened attention being paid to privacy and security compliance, the timing of the Guide is beneficial. Even though the Guide will not fully prepare an organization to be compliant, it will at least aid an organization in spotting issues and seeking assistance as necessary. The Guide is well worth reading and presents a lot of information to consider. The Guide is only a start, though, and assistance, where appropriate, should still be sought.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.