The federal government has issued updated HIPAA privacy and security guidance to reflect an accelerated move to interoperable exchange of protected health information.

The guidance from the Office of the National Coordinator for Health IT and HHS Office for Civil Rights replaces guidance published in 2011.


The guidance covers cybersecurity in more detail than the 2011 version, updates other topics affected by the 2014 EHR certification rule such as patient access to their electronic records, and offers practical examples of the privacy and security rules in action, according to a blog posting from ONC’s Chief Privacy Officer Lucia Savage.

The guide also gives many scenarios to understand when a person is or is not a business associate (BA). Below are three examples from ONC:

*You hire a case management service to identify your diabetic and pre-diabetic patients at high risk of non-compliance and recommend optimal interventions to you for those patients. The case management service is a BA acting on your behalf by providing case management services to you.

*You hire a web designer to maintain your practice’s website and improve its online access for patients seeking to view/download or transmit their health information. The designer must have regular access to patient records to ensure the site is working correctly. The web designer is a BA.

*You hire a web designer to maintain your practice’s website. The designer installs the new electronic version of the Notice of Privacy Practices (NPP) and improves the look and feel of the general site. However, the designer has no access to PHI. The web designer is not a BA.

In addition, the guide provides scenarios that explain how encryption works and why it is needed, along with questions to ask health IT vendors to ensure an organization’s information systems are sufficiently secure. Three of those questions, as listed by ONC, are:

*When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is the health IT developer representative and not a hacker trying to pose as such?

*How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?

*If I want to securely email with my patients, will this system enable me to do that as required by the Security Rule?

Additional guidance covers when a HIPAA-covered entity can use or disclose PHI for treatment, payment or healthcare operations without first obtaining a signed authorization; how patients can approve disclosure of their PHI to a third party such as a friend or relative without a formal written process; and how to use a 2014-certified EHR to communicate electronically with patients while remaining compliant with the Security Rule. An entire chapter that can be downloaded separately from the rest of the guidance offers a “Sample Seven-Step Approach for Implementing a Security Management Process.”

The guidance is available here.
