The Office of the National Coordinator for Health Information Technology (ONC) has just issued a new Guide to Privacy and Security of Electronic Health Information to help everyone who deals with electronic health information better incorporate federal health information privacy and security requirements into their organizations.

The Guide is broadly applicable to anyone who is a HIPAA Covered Entity or Business Associate, as well as to Medicare Eligible Professionals under the CMS Electronic Health Record (EHR) Incentive Programs (the "Meaningful Use" program).

The Guide includes helpful summaries of the HIPAA Privacy, Security and Breach Notification Rules, and provides answers to common questions about patient information, disclosures, authorizations, patient rights, de-identified information, and the interaction of HIPAA with state law. It also addresses the Meaningful Use program, its staged requirements, and the incentives tied to meeting those requirements.

Throughout, the Guide provides links to online security information from the federal government, including tips for the use of mobile devices and a top ten list of cybersecurity tips for health care.

The centerpiece of the Guide is an ONC "sample" 7-step approach for implementing a security management process. This is the first time that ONC has published a suggested security management process, and everyone with access to electronic health information should take note.

The 7-step process is:

  • Step 1 – Lead your culture, select your team, and learn;
  • Step 2 – Document your process, findings, and actions;
  • Step 3 – Review existing security of electronic Protected Health Information (ePHI) (i.e., perform a security risk analysis);
  • Step 4 – Develop an action plan;
  • Step 5 – Manage and mitigate risks;
  • Step 6 – Attest for Meaningful Use security-related objective; and
  • Step 7 – Monitor, audit, and update security on an ongoing basis.

Each step is explained in detail, along with practical advice for organizations carrying it out.

For example, the Guide recommends that organizations consider using qualified outside professionals to support the organization in developing and implementing a security management process.

The Guide also provides practical, low-cost suggestions to improve the security of electronic health information, such as saying "no" to staff members who wish to take home laptops containing unencrypted information, placing servers in rooms with limited access, and reminding staff not to share their passwords.

The Guide reviews the HIPAA Breach Notification Rule and describes in detail the risk assessment process to use in the event of a suspected breach. It also reviews HIPAA enforcement, including civil and criminal penalties, and other relevant laws and requirements, all of which underscore the intensified enforcement climate among federal agencies regarding the privacy and security of electronic health information.

The Guide is an excellent resource for anyone who has access to electronic health information or who is involved in the Meaningful Use program.