Dive Brief:
- The Office of the National Coordinator for Health IT announced this week that it has published its revised Guide to Privacy and Security of Electronic Health Information. The guide, last released in 2011, has been updated to provide the most current information for provider practices, health IT and other information technology professionals, and the public at large.
- The guide discusses issues including cybersecurity, Electronic Health Record technology features and examples of real-world application of HIPAA Privacy and Security Rules.
- The ONC's chief privacy officer, Lucia Savage, describes the update as the ONC's first step toward fulfilling its commitment made in the draft Interoperability Roadmap to "helping individuals, providers, and the health and health IT community better understand how existing federal law—the Health Insurance Portability and Accountability Act (HIPAA)—supports interoperable exchange of information for health."
Dive Insight:
The release addresses heightened security concerns about healthcare data following this year's high-profile cyberattacks on Anthem and Premera Blue Cross.
Here are some of the topics it details, as described by Savage in her HealthITBuzz blog:
Privacy and Security Rules in Action
The guide provides numerous scenarios to help organizations understand whether someone is or is not a Business Associate.
Permitted Uses
The updated guide explains when a provider, or any HIPAA-covered entity, is legally permitted to exchange information about an individual without having to get the individual's signature in advance.
The guide also explains how a patient can approve the disclosure of their health information to a third party, such as a friend or family member, without a formal written process.
Tackling Security
Perhaps most importantly, the revised guide adds material on cybersecurity and encryption, as well as suggestions on what to discuss with developers and EHR companies.
Its Chapter 6 focuses on a Sample Seven-Step Approach for Implementing a Security Management Process.
"To ensure that providers and patients take full advantage of the secure, private communications capabilities of 2014 Edition CEHRT," Savage says, "the Guide explains how providers can use their 2014 Edition CEHRT to electronically communicate with their patients while remaining compliant with the HIPAA Security Rule."