The Department of Health and Humans Services (HHS) Office of the National Coordinator for Health Information Technology (ONC) recently released a practical guide designed to help healthcare providers and their service providers better understand and implement privacy and security protections for electronic health information.1 Organizations that handle personal health-related information, even when they are subject to HIPAA regulation, may find the HHS guide to be a source of information on emerging and better practices. This is updated guidance following HHS’s substantial changes to HIPAA regulations through the omnibus rule in early 2013.
The new guide counsels that the benefits from digital health records rely heavily on cultivating patients’ trust that information will be maintained accurately, that patients will have the ability to request access to such data, and that providers and others will carefully handle the information. The guide makes clear that providers are responsible for protecting the confidentiality, integrity, and availability of health information; and that such responsibility is not outsourced to third-party vendors who manage and maintain health information.
The HHS guide reminds organizations regulated by HIPAA (i.e., covered entities and business associates) that they must comply with the Privacy, Security, and Breach Notification Rules. Generally, business associates are organizations that have access to protected health information (PHI) to perform certain functions or activities on behalf of covered entities, such as healthcare providers, insurance companies, or other business associates. The guide also provides an overview of the HIPAA Privacy, Security, and Breach Notification Rules.
Meaningful Use Programs
The guide describes the Stage One and Stage Two core objectives that address privacy and security with respect to the Medicare and Medicaid Electronic Health Record Incentive Programs (“Meaningful Use” programs). The Meaningful Use requirements align with many HIPAA privacy and security requirements for electronic PHI.
Seven Steps for Security Management
To help organizations meet some of their HIPAA and Meaningful Use program obligations, the guide describes a sample seven-step approach to beginning implementation of a security management process. The steps include:
- Lead Your Culture, Select Your Team, and Learn
- Document Your Process, Findings, and Actions
- Review Existing Security of electronic PHI (Perform Security Risk Analysis)
- Develop an Action Plan
- Manage and Mitigate Risks
- Attest for Meaningful Use Security-Related Objective
- Monitor, Audit, and Update Security on an Ongoing Basis
Step One: Lead Your Culture, Select Your Team, and Learn
The guide lists several actions that organizations may perform to emphasize protecting patient information as part of their culture. For example, an organization can designate a security officer, use third parties to help perform security risk assessments, and update and republish internal HIPAA training and policies and procedures.
Step Two: Document Processes, Findings, and Actions
Documentation of HIPAA-related policies and procedures is required under HIPAA. The guide states that written documentation also can aid in increasing the efficiency of security procedures, make policies and procedures more accurate and easier to follow, and provide explanation of how security decisions are made and thereby support future decision-making when changes to systems or the risk environment occur.
Step Three: Review Existing Security of Electronic PHI
Organizations regulated by HIPAA that maintain PHI are expected to assess potential threats and vulnerabilities to the confidentiality, integrity, and availability of the information. According to the HHS guide, comprehensive risk assessments should:
- identify where PHI exists and how it is created, received, maintained, and transmitted;
- identify potential threats and vulnerabilities to PHI; and
- identify risks and their associated threat levels based on the likelihood the threat will exploit a vulnerability and the potential resulting impact of such exploitation.
Step Four: Develop an Action Plan
Following a risk analysis, the guide suggests that organizations discuss and develop an action plan to mitigate the identified risks. ONC recommends that organizations begin by identifying the easy actions that can reduce the greatest risks. The HIPAA Security Rule provides flexibility by permitting compliance efforts that take into account the characteristics of the organization and its environment. The guide states that an action plan should have five components:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational standards
- Policies and procedures
Step Five: Manage and Mitigate Risks
The guide suggests building an organizational culture that values patients’ health information and actively protects it. To help create this culture, the guide recommends implementing the action plan developed in Step Four, training the organization’s workforce, implementing and monitoring compliance with policies and procedures, sending regular reminders to the workforce about data privacy and protection, communicating with consumers/patients about the precautions the organization takes with respect to PHI, responding quickly and accurately to patient data requests, and updating contracts with service providers.
Step Six: Attest to Meaningful Use Security-Related Objective
Organizations participating in Meaningful Use programs may consider attesting that they have met the Meaningful Use requirements for a certain reporting period.
Step Seven: Monitor, Audit, and Update Security on Ongoing Basis
The guide recommends that organizations routinely monitor the adequacy and effectiveness of their security infrastructure and make any necessary improvements. The auditing can be done internally and/or with third-party consultants. The guide also suggests that organizations examine historical activity through retrospective documentation (e.g., logging). This type of monitoring can help an organization measure the effectiveness of security controls, such as data tampering resistance, user access and authorizations, automatic log-offs, and emergency access.
For organizations required to comply with HIPAA and those that have made attestations of compliance with Meaningful Use programs, non-compliance can lead to substantial penalties. The guide provides a helpful overview of regulatory requirements and some practical compliance advice that are useful in implementing good faith efforts at compliance. Indeed, compliance with, at a minimum, the recommendations found in the guide may serve as evidence of such good faith efforts of taking steps to comply with the HIPAA Privacy, Security, and Breach Notification Rules. Moreover, given the continued growth of health-tech and headline grabbing breaches involving health-related information, organizations handling such information may find the guide to be a useful resource in evaluating and critically analyzing their security practices. Similarly, any organization considering implementing a security management program or updating an existing program may find the guide to be helpful as a starting point.
1 Department of Health and Humans Services, Office of the National Coordinator for Health Information Technology, “Guide to Privacy and Security of Electronic Health Information,” April 2015, http://healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf.