ONC and OCR Release Updated Guide to Privacy and Security of Electronic Health Information

Recently, the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) published new guidance on the privacy and security of electronic health information (the “Guide”). Although the Guide was drafted primarily for the benefit of smaller healthcare providers, it provides useful information on privacy and security issues that is potentially valuable to providers of all sizes. The Guide, last published in 2011, provides updated information about compliance with Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs (“Meaningful Use Programs”) and the HIPAA Privacy, Security and Breach Notification Rules.

The Guide articulates several reasons why following it is beneficial beyond merely promoting compliance with legal requirements. First, to reap the benefits of digital healthcare platforms, healthcare providers and individuals must trust that health information is private and secure. Second, when there is patient trust, patients share more information, which, in turn, leads to better health outcomes. Third, sound privacy and security practices can help providers mitigate the risk of the reputational and financial harm that often results from a data breach.

The Guide provides a broad overview of HIPAA privacy and security requirements, specifically focusing on patients’ health information rights; the responsibility of healthcare providers to provide access to health information to patients; and EHR security and cybersecurity practices under the Security Rule and Meaningful Use Programs. As patient demand for electronic communication increases, healthcare providers should be thinking about and implementing mechanisms that will ensure compliance with HIPAA and the Meaningful Use Programs, namely encryption and patient portals that require patient logins.

Importantly, the Guide highlights new Meaningful Use requirements, such as responding to patients’ requests to transmit electronic Protected Health Information (ePHI) to designated individuals or entities, to Personal Health Records (PHRs), or to other physicians. The Meaningful Use Programs, which were promulgated by CMS, provide incentive payments to providers that demonstrate progressively more integrated use of EHRs. Providers demonstrate “meaningful use,” in part, by satisfying staged privacy and security requirements that address patients’ rights to access their own health information and to have their health information protected from unauthorized access.

To satisfy the Meaningful Use (and Security Rule) requirements, providers must conduct a security risk analysis to identify potential security weaknesses and flaws. Risk analysis compliance measures must be reviewed for each EHR reporting period, which can range from 90 days to a full calendar year depending on the provider’s year of participation in the program.

The Guide also provides a list of questions providers may ask their EHR and health information technology developers to assist with the security risk analysis, including:

  • How does the software address security features, such as encryption and audit functions?
  • How does the backup and recovery system work?
  • Will the developer use remote access to provide updates and will this access be secured?

Of particular note, the Guide provides a sample seven-step approach for implementing a security management process that addresses the security-related requirements of the Meaningful Use Programs. As noted in the Guide, this approach does not cover all Meaningful Use and HIPAA requirements, but it can be used as a starting point for healthcare providers to fulfill their compliance responsibilities.

  • Step One – Lead the provider’s culture, select its team and learn, through:
    • Designation of a Security Officer;
    • Discussion of HIPAA security requirements with its EHR developer;
    • Consideration of engaging an external, qualified professional to assist with security risk analyses;
    • Use of the ONC and OCR websites and other tools to help identify potential security risks;
    • Refreshing knowledge of the HIPAA rules; and
    • Promotion of a culture of protecting patient privacy and securing patient information.
  • Step Two – Document risk analyses and HIPAA-related policies, procedures, reports and activities. The Guide provides a non-exhaustive list of records that providers should retain, which includes, among others, a risk management action plan.
  • Step Three – Review the existing security of ePHI by performing a security risk analysis that assesses the potential threats and vulnerabilities to the confidentiality, integrity and availability of ePHI.
  • Step Four – Use the results of the risk analysis to develop an action plan to mitigate any identified risks. An action plan should consist of five components: (1) administrative safeguards; (2) physical safeguards; (3) technical safeguards; (4) organizational standards; and (5) policies and procedures.
  • Step Five – Manage and mitigate risks by implementing an action plan; preventing breaches through workforce education and training; communicating with patients about the privacy and security of information stored in EHRs; and updating business associate contracts to comply with changes to HIPAA.
  • Step Six – Submit attestation to CMS in order to receive incentive payments (where applicable). The Guide notes that attestation is a legal statement, and making an attestation prior to actually meeting the Meaningful Use requirements could amount to a false claim.
  • Step Seven – Monitor, audit and update security controls on an ongoing basis.

The Guide notes that in the event of a breach of unsecured PHI, providers are required to notify affected individuals, the Secretary of HHS, and, in some instances, the media. Unsecured PHI is data that has not been encrypted or properly destroyed. Providers may avoid reporting a breach if they encrypt their data in accordance with OCR guidance. Providers may also be required to report breaches of encrypted PHI when the encryption key has been breached. The Guide states that when a provider suspects that a breach of unsecured data has occurred, it should conduct a risk assessment to determine the likelihood that the PHI has been compromised.

The Guide also reminds providers that the HIPAA, HITECH, and Meaningful Use requirements are not the only privacy- and security-related requirements with which a provider may need to comply. Depending on the type of information involved, providers may be required to comply with additional state and federal laws. For instance, providers should be aware of 42 C.F.R. Part 2 (Confidentiality of Alcohol and Drug Abuse); the Family Educational Rights and Privacy Act (FERPA); Title X of the Public Health Service Act (Confidentiality); the Genetic Information Nondiscrimination Act (GINA); and a whole host of other federal and state laws that regulate the privacy and security of health information.

This summary highlights the practical advice presented in the Guide that can, depending on a provider’s specific circumstances, enhance provider compliance with the Meaningful Use Programs and HIPAA and help providers realize the many benefits of digital health platforms. For more information, please refer to the full text of the Guide.

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work, or Anna L. Spencer or Lacey L. Withington.

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.