HHS has a revised guide to privacy and security for electronic health information that's intended to help smaller healthcare organizations that lack a legal staff. The guide, however, gives scant attention to several important regulatory areas.
The 62-page Guide to Privacy and Security of Electronic Health Information (PDF) is an update of a similar effort released in 2011 by HHS' Office of the National Coordinator for Health Information Technology. The guide is intended “to bring new, practical information about privacy and security to small and medium-sized provider practices, health, health IT, other information technology professionals, and the public at large, many of whom may be considered business associates,” according to ONC Chief Privacy Officer Lucia Savage, writing in a post at HealthITBuzz, the official blog of the ONC.
The guide has a section on encryption of patient information, a hot topic these days in the wake of several massive data breaches at Anthem and Community Health Systems attributed to foreign hackers that compromised the records of more than 80 million people.
It focuses almost exclusively on the privacy and security provisions of the Health Insurance Portability and Accountability Act and is published with the help of the Office for Civil Rights at HHS, the chief federal enforcement agency for the HIPAA privacy and security rule.
The guide makes only a brief mention of another key federal privacy rule, 42 CFR Part 2, which is more stringent than HIPAA and governs the records of patients at federally funded drug and alcohol abuse treatment programs, requiring patient consent to be obtained prior to the exchange or disclosure of those records, even for treatment, payment and other healthcare operations.
And it makes no mention of technologies for data segmentation for privacy, or DS4P, which could be useful for providers seeking to comply with the behavioral health privacy rule, or with a HIPAA amendment that requires providers not to share a patient's information with the patient's insurance company when the patient asks for the information to be withheld and pays for the visit, treatment or procedure out of pocket.
The guide does warn providers about this out-of-pocket restriction, however, which was included as a HIPAA amendment in the so-called HITECH provisions of the American Recovery and Reinvestment Act of 2009.
“If your patient (or another person on behalf of the individual) has fully paid out-of-pocket for a service or item and also requests that the PHI not be disclosed to his/her health plan, your practice cannot disclose the PHI to a health plan for payment or healthcare operations,” the guide says. “You should implement policies and procedures that ensure this directive can be carried out.”