Revised Guidance for Privacy and Security of Electronic Health Information Released by Government

May 5, 2015 | By Lawrence J. Tabas

The Office of the National Coordinator for Health Information Technology (“ONC”) has released a revised Guide to Privacy and Security of Electronic Health Information (the “Guide”), intended as a resource for small and medium-sized health care providers, health IT and other information technology professionals, and business associates on federal health information privacy and security requirements. The Guide, first published in 2011, is organized into chapters that address some of the most important privacy and security issues today, including electronic health records, cybersecurity, Meaningful Use, the security management process, and breach notification requirements.

More specifically, the chapters are organized as follows:

  • Chapter 1 contains a basic overview of the importance of privacy and security. ONC emphasizes that privacy and security are critical in order to maintain patients’ trust.
  • Chapter 2 discusses the Health Insurance Portability and Accountability Act (“HIPAA”) generally. The Guide covers the types of information that HIPAA protects and outlines who must comply with HIPAA. The Guide provides several helpful examples to illustrate when an individual or organization is or is not a business associate. This Chapter also includes information about Notice of Privacy Practices, patient authorizations, and de-identified health information.
  • Chapter 3 briefly outlines patients’ rights, such as access to information, amending information in a record set, and restricting certain uses and disclosures.
  • Chapter 4 covers electronic health records, the HIPAA Security Rule, and cybersecurity. The Guide emphasizes that a health care practice is “responsible for taking the steps needed to protect the confidentiality, integrity, and availability of ePHI maintained in your EHR.” To that end, the Guide lists questions that providers may want to ask their EHR vendors and other health IT professionals to confirm that health information is properly safeguarded. ONC notes that smaller practices often assume they will not be targeted by hackers. ONC makes clear, however, that many smaller organizations have become victims precisely because they are less likely to have taken full precautions to protect themselves.
  • Chapter 5 discusses Meaningful Use Stage 2 core objectives regarding privacy and security.
  • Chapter 6 provides a sample seven-step approach for implementing a security management process. The HIPAA Security Rule requires covered entities and business associates to implement a security management process, and a risk analysis is a required component of that process. If your organization has not developed, implemented, or recently updated its security management process, the information in this Chapter is a useful starting place.
  • Chapter 7 concludes with a discussion of breach notification and HIPAA enforcement. ONC also provides a reminder that there are other laws and regulations in addition to HIPAA, such as state laws and regulations, regarding privacy and security of health information.

A full copy of the Guide is available from ONC.

ONC has also published a blog post regarding the release of the Guide.

About the Authors

Lawrence J. Tabas

Lawrence is the Chair for Obermayer’s Health Care Law Department and Election Law Practice Group. Lawrence’s Health Care Law legal experience includes the representation of Pennsylvania County governments in Behavioral Health Managed...