The U.S. Department of Health and Human Services has updated its guide on the privacy and security of Electronic Protected Health Information (ePHI).

Version 2.0 of the HHS Office of the National Coordinator for Health Information Technology's (ONC) Guide to Privacy and Security of Electronic Health Information expands on existing safeguards and measures to prevent unauthorized access to ePHI while also covering some new topics. Electronic Protected Health Information has become a hot topic among doctors and other covered entities, as it creates unique security challenges that must be addressed.

Before we reveal the changes made in version 2.0 of the Guide to Privacy and Security of Electronic Health Information, let's take a few steps back. The ONC first published this guide back in 2011 with the goal of educating entities covered under the federal Health Insurance Portability and Accountability Act of 1996 on how to better protect their ePHI. But as technology evolves and expands, so must the measures used by covered entities to prevent unauthorized use or disclosure of ePHI.

The recently updated guide covers a wide range of topics, some of which include cybersecurity, Certified Electronic Health Record Technology (CEHRT), Electronic Health Record (EHR) technology (under the 2014 Edition Certification Rule), definitions of business associates, and even examples of how the HIPAA Privacy and Security Rule applies in today's world.

One of the most helpful elements added to the new Guide to Privacy and Security of Electronic Health Information is practical scenarios involving patient privacy and security. Here's one scenario described in the document: You hire a web designer to maintain your website and improve access for patients who wish to download or transmit their health information. In this scenario, the designer must have regular access to patient records to ensure the website is functioning as intended. The web designer is classified as a business associate since he or she is given access to Protected Health Information (PHI).

“The intent of the Guide is to help health care providers ― especially Health Insurance Portability and Accountability Act (HIPAA) Covered Entities (CEs) and Medicare Eligible Professionals (EPs) from smaller organizations ― better understand how to integrate federal health information privacy and security requirements into their practices,” wrote ONC in its updated guide. “This new version of the Guide provides updated information about compliance with the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs’ privacy and security requirements as well as the HIPAA Privacy, Security, and Breach Notification Rules.”

You can view the updated document in its entirety by visiting
