United States: ONC Releases Privacy And Security Guidance Geared Toward Small Providers

The HHS Office of the National Coordinator for Health Information Technology ("ONC") recently released a new and improved version 2.0 of their Guide to Privacy and Security of Electronic Health Information.  This revamped version has been reorganized and rewritten to be more user-friendly for small organizations addressing federal privacy and security requirements for their practices.  Though the Guide is targeted to small providers, providers of all sizes, and their business associates, will find it useful.

The Guide provides a general overview of the HIPAA Privacy and Security Rules and the EHR Incentive Programs, and gives pragmatic advice in areas including:

• How to identify whether a contractor is a Business Associate under HIPAA;
• When patient authorizations are and are not required to disclose protected health information ("PHI");
• Questions to ask EHR health IT developers about security; and
• How to implement a security management process to address the security requirements of the EHR Incentive Programs.

In addition to the Guide, providers can use the HIPAA compliance and training tools developed by ONC and the Office for Civil Rights ("OCR") to assess their current privacy and security practices, including the security risk assessment tool, the HIPAA Phase I audit protocol, and ONC's privacy and security training games.

Notably, the Guide does not include information on state privacy laws or state data breach notification laws.  Providers should ensure that they are aware of the requirements imposed by the states in which they operate and may find the Mintz Matrix of state data breach notification laws to be a useful starting point.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.