3 Helpful Lists in ONC HIPAA Guide to Privacy and Security

In April 2015, the Office of the National Coordinator for Health Information Technology released a Guide to Privacy and Security of Electronic Health Information (“the Guide”) available on healthit.gov.  The Guide is particularly aimed at helping health care providers who are HIPAA Covered Entities and are participating in the EHR Meaningful Use program.

While much of the information in the Guide is available in other locations, such as regulatory text or FAQs on the OCR’s HIPAA website, the Guide appears to be a very useful resource for small providers as it merges a great deal of information and guidance in one tool.

Three lists that are included in the Guide are particularly worth noting, especially for physician offices and other small providers:

  1. Questions to ask EHR developers

This list is found on page 29 of the Guide and includes questions that providers should ask their EHR developer related to security features, training, backups, future communications with EHR support and secure emailing capabilities.  This list is important because oftentimes physician practices and other small providers rely heavily on their EHR vendor to provide HIPAA Security measures without understanding exactly what is included in their contract or what steps the provider must take in order to ensure that all applicable security safeguards are in place and maintained.

  2. List of examples of records to retain

This list of example records is found on page 40 of the Guide and includes:  policies and procedures, completed security checklists, training materials and training certificates, updated Business Associate agreements, security risk analysis report, EHR audit logs that show utilization of the EHR’s security features and efforts to monitor users’ actions, risk management action plans or documentation that shows appropriate safeguards in place, and security incident tracking and breach notification information.

  3. List of “low-cost, highly effective” safeguards

The list of “low-cost, highly effective” safeguards is found on page 44 of the Guide.  The Guide acknowledges the flexibility of the HIPAA Security Rule with regard to the feasibility and affordability of safeguards.  In accordance with the HIPAA Security Rule’s flexibility and scalability, the Guide lists the following eight safeguards which are considered both low-cost and effective:

  • Say “no” to staff requests to take home laptops containing unencrypted PHI
  • Remove hard drives from old computers before disposing of them
  • Do not email electronic protected health information (ePHI) unless the data is encrypted
  • Make sure that servers are in a locked room accessible only to authorized staff
  • Make sure the entire office understands that passwords should not be shared or easy to guess
  • Notify office staff that you are required to randomly monitor their access to protected health information
  • Maintain a working fire extinguisher in case of fire
  • Check the EHR server often for viruses or malware

Because these safeguards are considered both “low-cost” and effective, it is likely that government officials would hold these as a minimum “floor” of protection for electronic protected health information regardless of the covered entity’s size or budget.  It is important to note that these safeguards are not comprehensive, but a good place for physician offices to start with HIPAA Security compliance.
