Apr 272015

ONC and OCR Release Updated Guide to Privacy and Security of Electronic Health Information

Sidley Data Matters Contributors

Recently, the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) published new guidance on the privacy and security of electronic health information (the “Guide”). Although the Guide was drafted primarily for the benefit of smaller healthcare providers, it provides useful information on privacy and security issues that is potentially valuable to providers of all sizes. The Guide, last published in 2011, provides updated information about compliance with Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs (“Meaningful Use Programs”) and the HIPAA Privacy, Security and Breach Notification Rules.

The Guide articulates several reasons why compliance with the Guide is beneficial beyond merely promoting compliance with legal requirements. First, to reap the benefits of digital healthcare platforms, healthcare providers and individuals must trust that health information is private and secure. Second, when there is patient trust, patients share more information, which, in turn, leads to better health outcomes. Third, sound privacy and security practices can help providers mitigate the risk of the reputational and financial harm that often result from a data breach.

The Guide provides a broad overview of HIPAA privacy and security requirements, specifically focusing on patients’ health information rights; the responsibility of healthcare providers to provide access to health information to patients; and EHR security and cybersecurity practices under the Security Rule and Meaningful Use Programs. As patient demand for electronic communication increases, healthcare providers should be thinking about and implementing mechanisms that will ensure compliance with HIPAA and the Meaningful Use Programs, namely encryption and patient portals that require patient logins.

Importantly, the Guide highlights new Meaningful Use requirements, such as responding to patients’ requests to transmit electronic Protected Health Information (ePHI) to designated individuals or entities, to Personal Health Records (PHRs), or to other physicians. The Meaningful Use Programs, which were promulgated by CMS, provide incentive payments to providers that demonstrate progressively more integrated use of EHRs. Providers demonstrate “meaningful use,” in part, by satisfying staged privacy and security requirements that address patients’ rights to access their own health information and to have their health information protected from unauthorized access.

To satisfy the Meaningful Use (and Security Rule) requirements, providers must conduct a security risk analysis to identify potential security weaknesses and flaws. Risk analysis compliance measures must be reviewed for each EHR reporting period, which can range from 90 days to a full calendar year depending on the provider’s year of participation in the program.

The Guide also provides a list of questions providers may ask their EHR and health information technology developers to assist with the security risk analysis, including:

  • How does the software address security features, such as encryption and audit functions?
  • How does the backup and recovery system work?
  • Will the developer use remote access to provide updates and will this access be secured?

Of particular note, the Guide provides a sample seven-step approach for implementing a security management process that addresses the security-related requirements of the Meaningful Use Programs. As noted in the Guide, this approach does not cover all Meaningful Use and HIPAA requirements, but it can be used as a starting point for healthcare providers to fulfill their compliance responsibilities.

  • Step One – Lead a provider’s culture, select its team and learn through:
    • Designation of a Security Officer;
    • Discussion of HIPAA security requirements with its EHR developer;
    • Consideration of engaging an external, qualified professional to assist with security risk analyses;
    • Use of the ONC and OCR websites and other tools to help identify potential security risks;
    • Refreshing knowledge of the HIPAA rules; and
    • Promotion of a culture of protecting patient privacy and securing patient information.
  • Step Two – Document risk analyses and HIPAA-related policies, procedures, reports and activities. The Guide provides a non-exhaustive list of records that providers should retain, which includes, among others, a risk management action plan.
  • Step Three – Review the existing security of ePHI by performing a security risk analysis that assesses the potential threats and vulnerabilities to the confidentiality, integrity and availability of ePHI.
  • Step Four – Use the results of its risk analysis to develop an action plan to mitigate any identified risks. An action plan should consist of five components: (1) administrative safeguards; (2) physical safeguards; (3) technical safeguards; (4) organizational standards; and (5) policies and procedures.
  • Step Five – Manage and mitigate risks by implementing an action plan; preventing breaches through workforce education and training; communicating with patients about the privacy and security of information stored in EHRs; and updating business associate contracts to comply with changes to HIPAA.
  • Step Six – Submit attestation to CMS in order to receive incentive payments (where applicable). The Guide notes that attestation is a legal statement, and making an attestation prior to actually meeting the Meaningful Use requirements could amount to a false claim.
  • Step Seven – Monitor, audit and update security controls on an ongoing basis.

The Guide notes that in the event of a breach of unsecured PHI, providers are required to notify affected individuals, the Secretary of HHS, and, in some instances, the media. Unsecured PHI is data that has not been encrypted or properly destroyed. Providers may avoid reporting a breach if it encrypts its data in accordance with OCR guidance. Providers may also be required to report breaches of encrypted PHI when the encryption key has been breached. The Guide states that when a provider suspects that a breach of unsecured data has occurred, it should conduct a risk assessment to determine the likelihood that the PHI has been compromised.

The Guide also reminds providers that the HIPAA, HITECH, and Meaningful Use requirements are not the only privacy- and security-related requirements with which a provider may need to comply. Depending on the type of information involved, providers may be required to comply with additional state and federal laws. For instance, providers should be aware of 42 C.F.R. Part 2 (Confidentiality of Alcohol and Drug Abuse); the Family Educational Rights and Privacy Act (FERPA); Title X of Public Health Service Act (Confidentiality); the Genetic Information Nondiscrimination Act (GINA); and a whole host of other federal and state laws that regulate the privacy and security of health information.

This summary highlights the practical advice presented in the Guide that can, depending on a provider’s specific circumstances, enhance provider compliance with the Meaningful Use Programs and HIPAA and help providers realize the many benefits of digital health platforms. For more information, please refer to the full text of the Guide, which is available here.

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work, or

Anna L. Spencer
Partner
+1.202.736.8445
aspencer@sidley.com

Lacey L. Withington
Associate
+1.202.736.8346
lwithington@sidley.com

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.

Sidley Data Matters Contributors

Sidley Austin Privacy Group

1n-licensing@onenorth.com

You might also like
Washington State Enacts My Health My Data Act, Broadly Regulating Health-Related Data With a Private Right of Action

On April 27, 2023, Washington Gov. Jay Inslee, a Democrat, signed into law the state’s My Health My Data Act (the Act), which will become effective on March 31, 2024 (June 30, 2024, for small businesses). Despite its name, this is a comprehensive privacy bill that will affect many entities, including those outside of the traditional “health” context. The rights and obligations may apply to individuals other than Washington residents, as the law defines consumers as including persons whose data is merely collected or otherwise processed in the state.

FemTech Has Been Warned: UK’s ICO Indicates Closer Scrutinization of FemTech Apps

On 4 April 2023, John Edwards, the UK’s Information Commissioner, stated that the UK’s Information Commissioner’s Office (ICO) would be “going after providers of women’s health apps and auditing them, and getting them to change any practices that are non-compliant.” Speaking at the IAPP Global Privacy Summit in Washington DC, the Information Commissioner indicated that this proposed strategy forms part of the ICO’s new “agile” initiative, which will focus on “areas of vulnerability, targeting…intervention [where] that has the greatest impact”.

New U.S. FDA Draft Guidance Outlines Path To Faster Modification of AI/ML-Enabled Devices

The U.S. Food and Drug Administration (FDA or Agency) has issued new draft guidance on “Marketing Submission Recommendations for a Predetermined Change Control Plan for Artificial Intelligence/Machine Learning (AI/ML)-Enabled Device Software Functions”1 that discusses a “science-based approach to ensuring that AI/ML-enabled devices can be safely, effectively, and rapidly modified, updated, and improved in response to new data.”2 This approach should offer more certainty to industry as FDA’s stated goal is to allow AI/ML-enabled devices to be modified faster in accordance with FDA requirements while being “built to adapt to the data and needs of individual health care facilities” and “adapt to deliver treatments according to individual users’ particular characteristics and needs.”3 Those wishing to comment on the draft guidance should note that the comment period closes on July 3, 2023.