May 29, 2012
Previously published in May 2012
The federal government has released a comprehensive guide to help healthcare professionals understand the role of privacy and security when implementing health information technology.
On May 8, 2012, the HHS Office of the National Coordinator for Health Information Technology (ONC) released its "Guide to Privacy and Security of Health Information" (the "Guide") to help medical practices and their staffs better understand the roles of privacy and security in using electronic health records (EHR) and implement best practices in protecting patient information.
Medical practices participating in the Medicare and Medicaid EHR Incentive Program should be aware of the HIPAA privacy and security provisions included in the Stage 1 meaningful use requirements. This includes Core Objective & Measure 12, which requires medical practices to provide patients with an electronic copy of their health information upon request; and Core Objective & Measure 15, which requires medical practices to protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities.
The 47-page Guide, available at http://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf, provides direction for satisfying the meaningful use standards, as well as advice on working with health information technology vendors, a checklist for risk management in medical practices, and a useful compendium of available privacy and security tools and resources.
The Guide also includes a 10-step privacy and security plan for medical practices. It recommends selecting a security officer, conducting a risk analysis, developing an action plan to manage and mitigate identified risks, educating staff, and communicating with patients. For those medical practices that have yet to establish EHR systems, the Guide includes a helpful chart showing the different risks associated with office-based and Internet-hosted systems.
Medical practices should review the Guide to better understand HIPAA and meaningful use requirements and to educate their staff on proper ways to manage electronic health information. The Guide should also serve as a reminder to healthcare professionals to take the opportunity to continually monitor and evaluate their practice's HIPAA compliance.