ONC guide offers 10 steps for MU

By Mike Miliard
11:00 AM

ONC's Office of the Chief Privacy Officer (OCPO) has published a "Guide to Privacy and Security of Health Information," which aims to help physicians, nurses and IT staff better understand how the safety of patient data is essential to meaningful use of electronic health records and mobile devices.

Earlier this spring Healthcare IT News reported the results of a study from HIMSS Analytics and Kroll that showed security breaches are still widespread in healthcare – despite increased attention paid to patient privacy.

[See also: Breaches epidemic despite efforts at compliance, says Kroll.]

The "HIMSS Analytics Report: Security of Patient Data" suggested that, despite increasingly stringent regulatory activity with regard to reporting and auditing procedures, most providers were prioritizing compliance with the rules over actually bolstering their own organizations' security protocols.

The result was that, despite significantly increased confidence on the part of officials such as HIM directors, compliance officers and CIOs – with many of them reporting they are "extremely prepared" – data breaches are still on the rise.

Twenty-seven percent of respondents reported a security breach in the past year – well up from 19 percent in 2010 and 13 percent in 2008. More than two-thirds (69 percent) of those experienced more than one breach in the past 12 months.

[See also: Q&A: Security failings 'a cultural issue,' says expert.]

Health providers "have a lot coming at them," said Brian Lapidus, senior vice president, Kroll Advisory Solutions. "They've got meaningful use, they've got EHR implementations, they've got HIPAA requirements." Nonetheless, "there is a responsibility for these organizations to protect patient data."

So the new ONC guide, which seeks to offer a comprehensive, easy-to-understand resource to help providers incorporate robust privacy and security routines into their clinical workflow, comes at a crucial time.

Developed by OCPO in partnership with the American Health Information Management Association (AHIMA) Foundation, the 47-page guide offers detailed guidance on topics such as security risk analyses and management tips, and working with EHR and health IT vendors.

The guide also offers a 10-step plan for reinforcing privacy and security protections before attesting for meaningful use:

  1. Confirm your organization is a covered entity. Most healthcare providers are covered entities, and thus, have HIPAA responsibilities for individually identifiable health information. The Department of Health and Human Services offers tools that can help you confirm your organization's status.
  2. Provide leadership. Emphasizing the importance of protecting patient information to all your employees is central to ensuring a culture where security is treated with the importance it deserves.
  3. Document your process, findings and actions. The Centers for Medicare & Medicaid Services (CMS) advises all providers attesting for meaningful use to retain all relevant records that support attestation. Record all your practice decisions, findings and actions related to safeguarding patient information.
  4. Conduct security risk analysis. A security risk analysis – or a reassessment, if you've already done one – compares your current security measures to what is legally and pragmatically required to safeguard personal health information, and identifies high priority threats and vulnerabilities.
  5. Develop an action plan. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan must have five components, the guide notes: administrative, physical, and technical safeguards; policies and procedures; and organizational standards.
  6. Manage and mitigate risks. Begin implementing your action plan. Develop written and up-to-date policies and procedures about how your practice protects personal health information. Do not lose sight of basic security measures, some of which can be low-cost and highly effective.
  7. Prevent with education and training. To safeguard patient information, your workforce must know how to implement your policies, procedures, and security audits, according to ONC. HIPAA-covered providers must train their workforces (employees, volunteers, trainees, and contractors) on their policies and procedures. Staff must receive formal training on breach notification.
  8. Communicate with patients. Your patients may be concerned about confidentiality and security of their health information in an EHR, the guide points out. Emphasize the benefits of EHRs to them as patients, perhaps using consumer education handouts that others have developed, and reassure them that you have a system to proactively protect their health information.
  9. Update business associate agreements. Ensure your business associate agreements require compliance with HIPAA and HITECH breach notification requirements. This will require your business associates to safeguard protected health information they get from your practice, train their workforce, and adhere to breach notification requirements.
  10. Attest for the security risk analysis meaningful use objective. Only apply for an EHR incentive program once you've fulfilled the security risk analysis requirement and have documented your efforts, the ONC guide emphasizes, pointing out that when you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect electronic health information. Participants in the EHR Incentive Program can be audited.

[See also: Risk assessments leave hospitals hamstrung.]

Beyond HIPAA and HITECH, "ensuring privacy and security of health information, including information in electronic health records, is a key component to building the trust required to realize the potential benefits of electronic health information exchange," the ONC guide notes. "If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to electronic health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences."

Access the ONC Guide to Privacy and Security of Health Information here.