New ONC guide explains EHR privacy, security to providers

Privacy and security take center stage in a new instructional guide unveiled by the Office of the National Coordinator for Health IT this week. The guide--a collaboration of ONC's Office of the Chief Privacy Officer and the American Health Information Management Association (AHIMA) Foundation--is designed to teach healthcare professionals about the roles of privacy and security in the use of electronic health records (EHRs) and in Meaningful Use.

The 47-page "Guide to Privacy and Security of Health Information" includes sections on Meaningful Use, security risk analysis, and working with health IT vendors, as well as a privacy and security action plan. In addition, it includes lengthy explanations of the HIPAA privacy and security rules.

The manual explains in detail the two core Meaningful Use Stage 1 requirements related to privacy and security. The first is the requirement that patients who request it be supplied with an electronic copy of their health information within three business days. This access is mandated by the HIPAA privacy rule, which is imbedded in the Meaningful Use criteria.

Providers who want government incentives for Meaningful Use of electronic health records also must conduct a security risk analysis of their EHRs, as required by the HIPAA security rule. The guide defines a security risk analysis and shows how to conduct it.

Another section includes a checklist for risk management in medical practices. Among other things, providers are urged to employ user names and passwords, encryption, and data backup systems. ONC also lists actions to take to protect against cyber-attacks.

One of the guide's more interesting sections compares the security risks inherent in office-based EHRs vs. Internet-based EHRs. The manual notes that while an office-based system gives users more control of security, the security features may not be updated regularly, and natural disasters can destroy the system. Meanwhile, in an Internet-based EHR, according to the guide, the vendor controls the security settings, but the data may be stored in other countries that have different security requirements, and users are dependent on the reliability of their Internet connections.

Basic principles of information sharing between providers and patients, meanwhile, were the subject of a recently updated guide from The Markle Foundation. Originally released in 2006, the Markle Connecting for Health Common Framework for Private and Secure Information Exchange provides what Markle calls "a comprehensive approach for secure, authorized, and private health information sharing based on Fair Information Practice Principles (FIPPs)."

The 2012 update, the Markle Connecting for Health Common Framework Policies in Practice for Health Information Sharing (Policies in Practice), addresses "a range of critical health information sharing implementation needs identified by experts working in the field."

To learn more:
- read the ONC guide (.pdf)
- see the Markle Common Framework