ONC offers physicians hands-on privacy, security guide

By Mary Mosquera
12:11 PM

The Office of the National Coordinator for Health IT has created a handbook to help physicians and their practice staff to understand the importance of privacy and security in the use of electronic health records and how to conduct the best practices to safeguard health information.

The Guide to Privacy and Security of Health Information (PDF) is meant to be easy to understand and to be a comprehensive instructional tool, including a 10-step plan for practices to take to integrate privacy and security into their EHRs and daily operations.

Applying privacy and security protections can “inspire confidence and trust in health IT and electronic health information exchange,” according to ONC's Office of the Chief Privacy Officer, which developed the guide in cooperation with the American Health Information Management Association Foundation, in a May 8 announcement.

To build trust, physicians need to make sure patients can request access to their medical record; carefully handle patients’ health information to protect their privacy; and keep the information in patients’ individual records as accurate as possible.

“Updating your privacy and security practices can be manageable and affordable, but it will require a sustained effort,” the guide said.

The 47-page handbook includes a guide for security risk analysis and management tips; working with EHR and health IT vendors; and the importance of privacy and security in meaningful use. The guide also has a section with health IT privacy and security education and training resources and videos.

Each chapter contains charts, lists and examples, such as among the five security components for risk management are administrative safeguards, which include training staff, reviewing user activities monthly and enforcing security policies.

[Q&A: RWJF's Michael Painter, MD, on MU stage 2's impact on public and population health.]

Under meaningful use requirements in stage 1, physicians must provide patients who request it an electronic copy of their health information within three business days. Providers must also conduct a security risk analysis, or review an existing one, that follows the security rule of the Health Insurance Portability and Accountability Act (HIPAA), an update where necessary.

According to the guide, some basic, common-sense reminders are important first steps in the privacy and security of health information, including:

• Is the server in a room only accessible by authorized staff, and is the door locked

• Are passwords easily found, such as taped to a monitor, or easy to guess

• Where, when and how is information backed up, and is at least one back-up offsite, and can data be recovered from the back-up

• How often is EHR server checked for viruses

• What is the plan if server crashes and data cannot be recovered directly, and is there documentation about the kind of server and software used.