Privacy and Security of Health Information

The same federal health information privacy protections that apply to paper medical records also apply to electronic health records (EHRs). The HIPAA Privacy Rule and the HIPAA Security Rule provide protections for individually identifiable health information, often referred to as protected health information (PHI).

The Privacy Rule protects oral, paper, and electronic information. The Security Rule applies only to electronic information.

Concerns about the privacy and security of health information have increased because of data breach incidents, more stringent federal and state regulations, the potential for significant penalties for non-compliance, as well as the required privacy and security Meaningful Use measure. The Office of the National Coordinator for Health IT’s easy-to-understand Guide to Privacy and Security of Health Information explains in detail the two core Meaningful Use Stage 1 requirements related to privacy and security.

Information privacy

Privacy of health information involves how an organization collects, uses, manages, and discloses that information. These processes cover a range of responsibilities, from having patients sign a Notice of Privacy Practices to handling issues involving patient and caretaker rights to information. By law, practices must comply with the HIPAA Privacy Rule and include policies and procedures to document how privacy is maintained throughout the organization.

Information security

There is no privacy without security. Health information security involves the confidentiality, integrity, and availability of information. HIPAA’s Security Rule applies specifically to PHI in electronic form. The Rule categorizes security into administrative (policies, procedures, training, etc.), technical (login access, firewalls, etc.), and physical (locks, fire suppression, etc.) controls that must or should be put in place to secure sensitive health information. Compliance with the HIPAA Security Rule is mandatory—medical practices are liable for willful neglect of common security practices and can face fines and reputational damage sufficient to close a practice.

Resources to help your practice

In July 2012, RI REC’s Vendor Marketplace added Technical Service Consultants who specialize in privacy and security, in an effort to assist providers who are seeking reliable professionals in this area.

Similar to other Marketplace participants, Privacy and Security Consultants were chosen for their strength of services and processes as well as their commitment to offering discounted pricing for RI REC members.

The ONC has released an interactive Privacy & Security Training Game, designed to educate health care providers to make informed decisions regarding privacy and security of health information. Play the game to test your privacy and security knowledge!