The U.S. Department of Health and Human Services (HHS) Office of the National Coordinator for Health Information Technology (ONC), tasked with coordinating the implementation and use of health information technology and the electronic exchange of health information, just re-released its “Guide to Privacy and Security of Electronic Health Information.” This guide replaces the previous version, which was published in 2011.
The new Guide provides additional detail on cybersecurity, with practical examples of how to maintain patient privacy and data security. Chief Privacy Officer Lucia Savage notes that the new Guide gives insight into how the Health Insurance Portability and Accountability Act (HIPAA) supports interoperable exchange of information for health. In her blog post announcing the new Guide, she writes:
“This Guide has been updated to bring new, practical information about privacy and security to small and medium-sized provider practices, health , health IT, other information technology professionals, and the public at large, many of whom may be considered Business Associates.”
The new Guide to Privacy and Security of Electronic Health Information includes:
- Updated information on cybersecurity for healthcare organizations
- Patient access through Certified Electronic Health Record Technology (CEHRT)
- Electronic Health Record (EHR) technology features available under the 2014 Edition Certification rule
- Examples of HIPAA in action, such as:
  - Definition of who is, and is not, a Business Associate
  - When a covered entity is permitted to exchange information about a treatment, payment or healthcare operation without sign-off
  - Disclosure of health information to a third party
Chapter 6 of the Guide, which is also available as a stand-alone file, includes a sample 7-step approach for implementing a security management process. This guide includes information to help healthcare organizations shift to a security-aware culture, supported by technology and processes. To learn more about how to be proactive in healthcare security, moving beyond best practices to ensure data security, we encourage you to visit our website or read our whitepaper, The Cost of a Data Breach: Healthcare Settlements Involving Lost or Stolen Devices.