Practical Information From HHS About Privacy, Security and Health IT: ONC’s Guide to Privacy and Security of Electronic Health Information

Lucia Savage, J.D. | April 13, 2015

In the draft Interoperability Roadmap, ONC committed to helping individuals, providers, and the health and health IT community better understand how existing federal law — the Health Insurance Portability and Accountability Act (HIPAA) — supports interoperable exchange of information for health. Today, we take a first step to fulfill that commitment and published the revised Guide to Privacy and Security of Electronic Health Information.

Last published in 2011, this Guide has been updated to bring new, practical information about privacy and security to small and medium-sized provider practices, health , health IT, other information technology professionals, and the public at large, many of whom may be considered Business Associates.

The Guide includes practical information on issues like cybersecurity, patient access through Certified Electronic Health Record Technology (CEHRT), and other Electronic Health Record (EHR) technology features available under the 2014 Edition Certification rule. The Guide also includes new, practical examples of the HIPAA Privacy and Security Rules in action, to help everyone understand how those rules may impact their businesses and the people they serve.

Privacy and Security Rules in Action

The Guide offers many scenarios for anyone who has struggled to understand when someone is or is not a Business Associate (BA). Here are three of the examples:

  1. You hire a case management service to identify your diabetic and pre-diabetic patients at high risk of non-compliance and recommend optimal interventions to you for those patients. The case management service is a BA acting on your behalf by providing case management services to you.
  2. You hire a web designer to maintain your practice’s website and improve its online access for patients seeking to view/download or transmit their health information. The designer must have regular access to patient records to ensure the site is working correctly. The web designer is a BA.
  3. You hire a web designer to maintain your practice’s website. The designer installs the new electronic version of the Notice of Privacy Practices (NPP) and improves the look and feel of the general site. However, the designer has no access to PHI. The web designer is not a BA.

Permitted Uses

The Guide also provides information about when a provider (or any HIPAA-covered entity) is permitted to exchange information about an individual for treatment, payment, or health care operations without being required to have the individual sign a piece of paper before the exchange occurs.

And, the Guide explains how a patient can approve the disclosure of his or her health information to a third party (like a friend or a relative who is helping to provide care) without a formal written process:

For example, if a patient begins discussing health information while family or friends are present in the examining room, this is a “circumstance that clearly gave the individual the opportunity to agree, acquiesce, or object.” You [the provider] do not need a written authorization to continue the discussion [with the family or friends].

Tackling Security

The Guide also provides practical tips and information about security. Chapter 6 focuses on a “Sample Seven-Step Approach for Implementing a Security Management Process” and can be downloaded separately from the rest of the Guide as a handy reference takeaway.

To ensure that providers and patients take full advantage of the secure, private communications capabilities of 2014 Edition CEHRT, the Guide explains how providers can use their 2014 Edition CEHRT to electronically communicate with their patients while remaining compliant with the HIPAA Security Rule.

The Guide tackles cybersecurity and encryption, explaining in practical terms what encryption is and why it is important. The Guide also offers suggested questions providers may want to ask their health IT developers or EHR companies so they can be confident that the systems they buy and use will meet their privacy and security needs. Here’s an excerpt:

  • When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?
  • How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?
  • If I want to securely email with my patients, will this system enable me to do that as required by the Security Rule?

We are really proud of our Guide, which we could not have published without the help of the HHS Office for Civil Rights (@hhsocr), the HHS office that is responsible for HIPAA regulations and enforcement. We hope you find it useful. Let us know what you think!