Earlier this year, ONC published an updated “Guide to Privacy and Security of Electronic Health Information” to help healthcare providers and ambulatory practices understand existing federal law on protected health information (PHI). It provides guidance on how providers can use certified electronic medical record technology (CEHRT) to communicate securely with their patients and, via secure and interoperable health IT, share patient data with other care providers.
The guide provides a great deal of practical information that helps explain who is and who is not a business associate (BA) under the HIPAA regulations. It also gives clear guidance on when it is permissible to disclose PHI, when patient authorizations are required, and how to give patients access to their health information. In addition, there is a useful section on general cybersecurity that explains the threat of cyber-attacks, the use of mobile devices, and email and texting between providers and their patients.
Possibly the most valuable section is Chapter 6, where ONC defines a seven-step approach for implementing a security management process. The guide explains that the security management process standard is a HIPAA requirement, and that CEHRT and a meaningful risk analysis are only one important component of it. In Chapter 7, the ONC guide discusses what constitutes a breach, when public notification is required, and which breaches are investigated by OCR. It also describes options, such as data encryption, that reduce the risk of unauthorized access or disclosure and can keep an incident from becoming a reportable breach.
Why is this important to health IT companies, and particularly those that develop EHRs? An ONC data brief published in June 2015 found that 75% of individuals have concerns about the security of their medical records. The same data brief shows that 76% of individuals want their provider to use an EHR, despite any potential privacy or security concerns.
We work with our customers every day to ensure that they achieve their objectives to improve the quality and efficiency of healthcare delivery for their patients and their organizations. An essential component of the services we provide relates to privacy and security issues as providers employ health IT in pursuit of their organizational objectives. We all must not only be well versed in these issues, but must also educate and advise our customers to ensure they understand the regulations and make the right decisions. Check out the ONC guide and share it with your colleagues. Your company and your customers will learn a lot!
William Kinsley, CISSP (Enterprise Architect, Ambulatory, NextGen)
EHRA Privacy & Security Workgroup Chair
Sayee Balaji Chandrasekaran (Application Security Engineer, Allscripts)
EHRA Privacy & Security Workgroup Vice Chair