The Office of the National Coordinator for Health Information Technology (ONCHIT) recently released a 47-page Guide to Privacy and Security of Health Information. The Guide provides direction to providers on protecting patient privacy and securing their health information in an electronic health record (EHR) for purposes of complying with the Health Insurance Portability and Accountability Act (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act. The Guide also addresses compliance with certain Meaningful Use (MU) standards that have been promulgated pursuant to the HITECH Act’s incentive program for adopting and implementing EHRs.
The Guide covers the following four topics:
- What is privacy & security and why does it matter?
- Privacy & security and meaningful use
- Privacy & security and 10-step plan for MU
- Integrating privacy & security into your practice
The Guide also provides additional privacy and security resources, including the Summary of the HIPAA Privacy Rule and the Security Rule prepared by the U.S. Department of Health and Human Services Office for Civil Rights (OCR), as well as OCR’s guidance on conducting a risk analysis under the HIPAA Security Rule.
The OCR’s Security Rule guidance is particularly applicable to providers seeking HITECH incentives, as such providers must attest to compliance with the Security Rule regulation, which includes conducting a security risk analysis. The Security Rule MU standard is addressed by MU Core Measure 15. (Core Measure 15 is discussed on page 9 of the Guide.) Falsely attesting to meeting any of the MU standards, including Core Measure 15, could lead to a violation of the False Claims Act.
The Guide warns that privacy and security requirements could change when OCR publishes its long-awaited Final Rule modifying and enacting portions of HIPAA and the HITECH Act. This anticipated Final Rule is officially entitled “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules.” According to the published OMB abstract, the Final Rule is expected to modify the HIPAA Privacy Rule, Security Rule and the Breach Notification Rule in order to implement provisions of Subtitle D of the HITECH Act and section 105 of the Genetic Information Nondiscrimination Act of 2008. The Guide states that the Final Rule will be released “sometime in 2012.” On March 24, 2012, OCR reportedly took the final step for publication by sending the Final Rule for final review to the Office of Management and Budget (OMB). The OMB has up to 90 days to conduct its review. If this timeframe holds, the Final Rule would be issued by the end of June 2012.
This Guide supplements numerous helpful resources available on the ONC website.