A new handbook published by the Office of the National Coordinator for Health IT (ONC) includes a 10-step plan to help physician practices integrate privacy and security into their EHRs and daily operations.
The Guide to Privacy and Security of Health Information covers the importance of privacy and security in the use of EHRs and how to conduct best practices to safeguard health information.
Applying privacy and security protections can “inspire confidence and trust in health IT and electronic health information exchange,” according to ONC's Office of the Chief Privacy Officer, which developed the guide in cooperation with the American Health Information Management Association Foundation.
To build trust, physicians need to make sure patients can request access to their medical record; carefully handle patients’ health information to protect their privacy; and keep the information in patients’ individual records as accurate as possible, the handbook explains.
The 47-page handbook includes a guide for security risk analysis and management tips; working with EHR and health IT vendors; and the importance of privacy and security in meaningful use. Each chapter contains charts, lists and examples.
Under meaningful use requirements in stage 1, physicians must provide patients who request it an electronic copy of their health information within three business days. Providers must also conduct a security risk analysis, or review an existing one, that follows the security rule of the HIPAA.
The guide provides basic, common-sense reminders as important first steps in the privacy and security of health information, including:
- Is the server in a room only accessible by authorized staff, and is the door locked
- Are passwords easily found, such as taped to a monitor, or easy to guess?
- Where, when and how is information backed up, and is at least one back-up offsite, and can data be recovered from the back-up?
- How often is EHR server checked for viruses?
- What is the plan if server crashes and data cannot be recovered directly, and is there documentation about the kind of server and software used?