The Office of the National Coordinator for Health IT this week released an updated version of its privacy and security guidance to help healthcare providers better understand how to integrate federal health information privacy and security requirements into their practices. The guidance was last published in 2011.

The new version of the guidance provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules.

The new guidance covers, among other areas, how the HIPAA Privacy and Security Rules apply to a practice in real-world terms and the rules governing use and disclosure of protected health information. It also addresses the “Meaningful Use” programs in more detail. Those programs encourage healthcare organizations to adopt EHRs through a staged approach, with each stage setting core objectives that providers must meet.

Where the 2011 guidance focused on the Stage 1 privacy and security objectives, the updated version adds the core objectives for Stage 2 of the Meaningful Use program. Under Stage 2, providers must respond to patient requests regarding how their electronic health information is being handled.

The guidance also provides examples to help providers determine whether a given party is a business associate. These examples reflect changes made under the Department of Health and Human Services’ Omnibus Rule, which makes contractors, subcontractors, and other business associates of HIPAA covered entities (such as providers that process health insurance claims electronically) directly liable for protecting patients’ protected health information.

Additionally, the guidance outlines a seven-step approach for providers looking to create a security management process. Steps include selecting a team, documenting the process, developing an action plan, and managing and mitigating risk.