ONC releases updated health IT privacy and security guide

The Office of the National Coordinator for Health IT this morning issued a new version of its privacy and security guide to help healthcare providers better understand how to integrate the requirements into their practices.

The Guide to Privacy and Security of Electronic Health Information has new information on Medicare and Medicaid electronic health record incentive programs and on HIPAA Privacy, Security and Breach Notification Rules.

The guide is the first step toward fulfilling the commitment made by the ONC in its Interoperability Roadmap to foster better understanding in the industry of how security regulations in place help support interoperability, Lucia Savage, ONC's chief privacy officer, writes at the agency's Health IT Buzz Blog.

Concerns about security and privacy in the industry are already growing, especially in the wake of large hacks so far this year on health payers Anthem and Premera.

The ONC guide was last published in 2011, Savage says; the new version reflects the changes healthcare has gone through since then.

Some of the areas the report covers include:

  • Business associates. The report explains who a business associate is and in what ways it must comply with HIPAA regulations. This reflects changes made under the Health and Human Services Department's omnibus rule, which makes contractors, subcontractors and other business associates of healthcare entities that process health insurance claims liable for the protection of private patient information.
  • HIPAA Privacy Rule. The ONC gives examples of how this regulation applies to a practice, and the rules surrounding use and disclosure of private health information.
  • Meaningful Use. While the first guide focused on Stage 1 privacy and security objectives, this updated version also adds in core objectives for the second stage of the program. It does not yet address Stage 3.
  • Security management. The report outlines a seven-step approach for providers looking to create a security management process. Steps include selecting a team; documenting the process, findings and actions; and developing an action plan.

The next phase of the federal HIPAA audit program is "under development," Jocelyn Samuels, director of the Health and Human Services Department's Office for Civil Rights, said during the 23rd National HIPAA Summit in the District of Columbia in March. However, she said OCR is "committed to implementing a robust audit program."
