In April, the Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) issued a revised Guide to Privacy and Security of Electronic Health Information (the “Guide”). The revised Guide includes many practical tips for navigating HIPAA compliance.
Examples of companies that are/are not business associates: “You hire a web designer to maintain your practice’s website and improve its online access for patients seeking to view/download or transmit their health information. The designer must have regular access to patient records to ensure the site is working correctly. The web designer is a BA.” Guide, p. 12.
Examples of permissible disclosures: “…if a patient begins discussing health information while family or friends are present in the examining room, this is a ‘circumstance that clearly gave the individual the opportunity to agree, acquiesce, or object.’ You do not need a written authorization to continue the discussion.” Guide, p. 16.
Examples of “Low-Cost, Highly Effective Safeguards,” such as: “Say ‘no’ to staff requests to take home laptops containing unencrypted ePHI.” Guide, p. 44.
The Guide also includes a Sample Seven-Step Approach for Implementing a Security Management Process (p. 25), and tips for how to incorporate HIPAA Security into EHR selection and implementation.
With the Office of Civil Rights (OCR) expected to launch a new round of HIPAA audits any day, now is the time to take advantage of these practical tips and get our HIPAA house in order.