May 9, 2012. The Office of the National Coordinator for Health Information Technology (ONC) has issued a Guide to Privacy and Security of Health Information (Version 1.1 022312). The Guide is targeted at medical practitioners who participate in the Medicare and Medicaid Programs for Adoption and Meaningful Use of Certified Electronic Health Record Technology. Its five chapters are:
1. What Is Privacy & Security and Why Does It Matter?
2. Privacy & Security and Meaningful Use.
3. Privacy & Security Step Plan for Meaningful Use.
4. Integrating Privacy and Security into Your Practice.
5. Privacy and Security Resources.
The Guide highlights two of the Stage 1 Meaningful Use Objectives and Corresponding Measures relating to Privacy (Objective #12) and Security (Objective #15):
“Objective #12: Provide Patients with an electronic copy of their health information (including diagnostic test results, problem list, medication lists, medication allergies) upon request. Measure: More than 50 percent of all patients who request an electronic copy of their health information are provided it within three business days. Under the HIPAA Privacy Rule (access), patients have a right to view and obtain a copy of their protected health information (PHI) in your designated record set, including information stored in your EHR [electronic health record].
“Objective #15: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities. Measure: Conduct or review a security risk analysis in accordance with the requirements under the HIPAA Security Rule (45 CFR 164.308(a)(1)(ii)(A)), implement security updates as necessary and correct identified security deficiencies as part of the risk management process. Under the HIPAA Security Rule, you are required to conduct a security risk analysis (45 CFR 164.308).”
The Guide also outlines 10 steps for achieving Meaningful Use:
“1. Confirm you are a ‘covered entity’
2. Provide leadership
3. Document your process, findings, and actions
4. Conduct security risk analysis
5. Develop an action plan
6. Manage and mitigate risks
7. Prevent with education and training
8. Communicate with patients
9. Update business associate agreements
10. Attest for the Security Risk Analysis MU [meaningful use] Objective.”
While each of those steps is important, the content provides little guidance for compliance with HIPAA Privacy and Security and HITECH Act Breach Notification Rules, and ONC does not have enforcement authority for them. The Guide does state on page 7:
“[t]hese Meaningful Use requirements [Core Objectives and Measures 12 and 15] are not intended to supersede or substitute for compliance required under HIPAA. If you are a covered entity, you are still required to comply with the HIPAA Privacy and Security Rules.”
While the content of the Guide focuses on attaining and attesting to Privacy and Security related to Meaningful Use of Certified EHR Technology, the resources identified in Chapter 5 of the Guide are useful for assembling information on the HIPAA Privacy, Security, and HITECH Act Breach Notification Rules. Again, other than its risk analysis guidance, the content of the Guide is insufficient for meaningfully attaining compliance with the HIPAA Privacy, Security, and HITECH Act Breach Notification Rules, particularly their standards and implementation specifications, and should not be relied upon for that purpose.
In addition to the risk analysis, HIPAA Privacy and Security and HITECH Act Breach Notification compliance requires mitigating the identified security risks: securing protected health information (PHI) from unauthorized access or use; preparing and documenting administrative, physical, and technical policies and procedures for safeguarding PHI; and training workforce members and designated representatives of business associates on those safeguards. We have covered these topics extensively on HIPAA.com, and additional information is available from the HHS enforcement arm for privacy and security, the Office for Civil Rights (OCR).