The U.S. Department of Health and Human Services has released a document entitled Guide to Privacy and Security of Health Information. The Guide is designed to help health care providers and their staff members to better understand Privacy and Security requirements in the context of Electronic Health Records (“EHR”), and to implement “best practices” in protecting the confidentiality, integrity and accessibility of PHI and ePHI.
This can be a useful tool for all electronic PHI, not just the “meaningful use” standards. Any health care provider participating in the EHR incentive program is supposed to understand the Stage 1 meaningful use requirements. This includes Core Objective & Measure #12, which requires providers to give patients an electronic copy of their health information upon request. It also includes Core Objective & Measure #15. This requires health care practices to protect electronic health information created or maintained by certified EHR technology through the implementation of appropriate technical capabilities.
We have printed and read the Guide. It is a 47-page document. It is not a difficult read. Some of the key points include the following:
- HHS emphasizes that each health care provider, not your EHR vendor, is responsible for protecting the confidentiality, integrity and availability of ePHI contained in the EHR system.
- More than 50% of all patients who request an electronic copy of their health information must be provided it within three business days.
- Meaningful use requires a security risk analysis.
- Meaningful use Core Measure #12 also requires you to analyze, address and resolve any compliance gaps. Of course, you cannot address a gap unless you know the gap exists. You cannot know whether a gap exists until you make sure you understand all the rules.
- Meaningful use Core Measure #15 requires an analysis of security vulnerabilities and threats to PHI. This means the IT folks need to perform a security review of the ePHI and fix anything that may make the patient’s information vulnerable. Page 10 contains a nice summary explaining what exactly a security risk analysis is.
- Also interesting is a “myth” versus fact explanation regarding security risk analysis, found on Page 11. This type of Security work may be much more involved than we originally thought.
- Page 12 contains a nice and easy to understand series of security component examples and examples of security measures.
- Page 21 contains a nice summary of office-based EHR and Internet-hosted EHR and the security risks associated with those different hosting mechanisms. Page 22 has a nice large box of basic questions to ask yourself when you are looking at managing and mitigating risks.
- Page 27 directs you to apply for an EHR incentive program only after the security risk analysis has been completed and documented, and any deficiencies identified during the risk analysis have been corrected. There is a warning that attestation to meaningful use is a legal statement indicating that you met specific standards, and that providers participating in the EHR incentive program can be audited. This is a clear message that reckless disregard of the rules can lead to False Claims Act litigation and liability.
- Pages 29-34 contain a nice summary and refresher of the general Privacy issues that must be addressed by a covered entity.
- Pages 44-47 contain a very helpful listing and summary of all of the Privacy and Security resources available.
We have reviewed the entire Guide and have highlighted some points that we think are important. The good part is that it provides some fairly easy-to-understand directions for satisfying the meaningful use standards, and some decent advice on how to work with health information technology vendors. The 10-step Privacy and Security plan, we think, is very practical. There are a number of good recommendations (selecting a Security Officer, conducting a risk analysis, developing action plans, etc.).
You should work with your Information Technology staff and review this to make sure everything is being done that is required to be done in terms of Privacy, Security and EHR protections.
In light of the U.S. v. Zhou criminal conviction for HIPAA Privacy violations, this becomes even more important.