EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information

  • Authors: Leon Rodriguez, JD
  • CME/CE Released: 3/17/2014
  • THIS ACTIVITY HAS EXPIRED FOR CREDIT
  • Valid for credit through: 3/17/2015, 11:59 PM EST


Target Audience and Goal Statement

This activity is intended for physicians, nurses, and other healthcare professionals practicing in the United States.

The goal of this activity is to summarize steps for incorporating security standards of the Health Insurance Portability and Accountability Act (HIPAA) into an electronic health record (EHR), consistent with the objectives of Meaningful Use.

Upon completion of this activity, participants will be able to:

  1. Propose steps that eligible professionals can take to safeguard patient data in EHRs.
  2. Plan appropriate communication for patients about how their data will be stored and used in EHRs.
  3. Evaluate Meaningful Use criteria related to data security and privacy required as part of the EHR Incentive Program.


Disclosures

As an organization accredited by the ACCME, Medscape, LLC, requires everyone who is in a position to control the content of an education activity to disclose all relevant financial relationships with any commercial interest. The ACCME defines "relevant financial relationships" as financial relationships in any amount, occurring within the past 12 months, including financial relationships of a spouse or life partner, that could create a conflict of interest.

Medscape, LLC, encourages Authors to identify investigational products or off-label uses of products regulated by the US Food and Drug Administration, at first mention and where appropriate in the content.


Author(s)

  • Leon Rodriguez

    Director, Office for Civil Rights, Department of Health and Human Services, Washington, DC

    Disclosures

    Disclosure: Leon Rodriguez, JD, has disclosed no relevant financial relationships.

    Mr Rodriguez does not intend to discuss off-label uses of drugs, mechanical devices, biologics, or diagnostics approved by the FDA for use in the United States.

    Mr Rodriguez does not intend to discuss investigational drugs, mechanical devices, biologics, or diagnostics not approved by the FDA for use in the United States.

Editor(s)

  • Jane Lowers

    Director of Government Strategy, Medscape, LLC

    Disclosures

    Disclosure: Jane Lowers has disclosed no relevant financial relationships.

CME Reviewer(s)

  • Nafeez Zawahir, MD

    CME Clinical Director, Medscape, LLC

    Disclosures

    Disclosure: Nafeez Zawahir, MD, has disclosed no relevant financial relationships.

Nurse Planner(s)

  • Laura A. Stokowski, RN, MS

    Nurse Planner, Continuing Professional Education Department, Medscape, LLC

    Disclosures

    Disclosure: Laura A. Stokowski, RN, MS, has disclosed no relevant financial relationships.

  • Amy Bernard, MS, BSN, RN-BC

    Lead Nurse Planner, Medscape, LLC

    Disclosures

    Disclosure: Amy Bernard, MS, BSN, RN-BC, has disclosed no relevant financial relationships.


Accreditation Statements

    For Physicians

  • Medscape, LLC is accredited by the Accreditation Council for Continuing Medical Education (ACCME) to provide continuing medical education for physicians.

    Medscape, LLC designates this enduring material for a maximum of 0.25 AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.

    Medscape, LLC staff have disclosed that they have no relevant financial relationships.

    For Nurses

  • Medscape, LLC is accredited as a provider of continuing nursing education by the American Nurses Credentialing Center's Commission on Accreditation.

    Awarded 0.25 contact hour(s) of continuing nursing education for RNs and APNs; none of these is in the area of pharmacology.

For questions regarding the content of this activity, contact the accredited provider for this CME/CE activity noted above. For technical assistance, contact [email protected]


Instructions for Participation and Credit

There are no fees for participating in or receiving credit for this online educational activity. For information on applicability and acceptance of continuing education credit for this activity, please consult your professional licensing board.

This activity is designed to be completed within the time designated on the title page; physicians should claim only those credits that reflect the time actually spent in the activity. To successfully earn credit, participants must complete the activity online during the valid credit period that is noted on the title page. To receive AMA PRA Category 1 Credit™, you must receive a minimum score of 70% on the post-test.

Follow these steps to earn CME/CE credit*:

  1. Read the target audience, learning objectives, and author disclosures.
  2. Study the educational content online or printed out.
  3. Online, choose the best answer to each test question. To receive a certificate, you must receive a passing score as designated at the top of the test. We encourage you to complete the Activity Evaluation to provide feedback for future programming.

You may now view or print the certificate from your CME/CE Tracker. You may print the certificate but you cannot alter it. Credits will be tallied in your CME/CE Tracker and archived for 6 years; at any point within this time period you can print out the tally as well as the certificates from the CME/CE Tracker.

*The credit that you receive is based on your user profile.

  • Leon Rodriguez, JD: Hi, I’m Leon Rodriguez. I’m the Director of the Office for Civil Rights (OCR) of the US Department of Health and Human Services in Washington, DC. Welcome to this program titled, "EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information."

  • Slide 1.
  • The goals of this program are to propose steps that eligible professionals can take to safeguard patient data on electronic health records (EHRs), to plan appropriate communication for patients about how their data will be stored and used on EHRs, and to evaluate Meaningful Use criteria related to data security and privacy required as part of the EHR Incentive Program.

  • Slide 2.
  • We all know the benefits of an EHR -- an electronic health record. It gives us improved quality of care and convenience, increased patient participation in their care, improved accuracy of diagnoses and outcomes, improved care coordination, and increased efficacy and cost savings. However, in order to realize the full benefit of your EHR, it is critical for both your patients and your colleagues to be confident and trust that the data held in these systems are private and secure. That is where OCR comes into play.

  • Slide 3.
  • We work with the Centers for Medicare & Medicaid Services (CMS) to ensure that EHR users are in compliance with the Health Insurance Portability and Accountability Act (HIPAA). If your practice has adopted or is adopting an EHR, it is important to know that the EHR Incentive Programs provide incentive payment under Medicare and Medicaid to eligible professionals, eligible hospitals, and critical access hospitals that demonstrate Meaningful Use of certified EHR technology. Incentive payments are also available under Medicaid for adopting, implementing, or upgrading to certified EHR technology.

  • Slide 4.
  • The EHR Incentive Programs include 17 core objectives for eligible professionals for stage 2 Meaningful Use[1] that cover topics ranging from what types of data are entered and how those data are shared to clinical decision support and ways of sharing information with patients. In this program, we specifically are concerned with this objective: Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.

    “Certified EHR technology” refers to EHR systems that have undergone a certification process by the Office of the National Coordinator for Health Information Technology. I know we are throwing a lot of acronyms at you, but that is another critical office here. To learn about what they do, you can visit www.healthit.gov. That’s, again, www.healthit.gov, where you can get more information.

  • Slide 5.
  • The measure associated with the objective generally calls for eligible professionals to conduct or review a security risk analysis, implement security updates as necessary, and correct identified security deficiencies as part of the risk management process. Ensuring privacy and security of health information in an EHR is a vital part of Meaningful Use, and security risk analysis must be conducted in accordance with the requirements of the HIPAA Security Rule. Security risk analysis and management are foundational to this effort. The process can be challenging, but is achievable through a stepwise approach.

  • Slide 6.
  • The Health Information Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules as amended by HITECH require covered entities and their business associates -- and we’ll explain what that means later -- to safeguard protected health information.[2,3] Today, we will discuss strategies for safeguarding patient information and data in EHRs and some tips for how to speak with your patients about how that data will be used and stored in EHRs.

  • Slide 7.
  • Let’s get started. Most healthcare providers are covered entities under the HIPAA Privacy and Security Rules. As a general rule, if the healthcare provider conducts insurance-related transactions electronically, such as submitting a healthcare claim to a health plan -- and that’s going to mean most EHR users -- they are covered by HIPAA. Healthcare providers that are covered entities under HIPAA have important legal responsibilities for protecting and securing their patients' individually identifiable information. We call this protected health information or PHI. If this information is maintained or transmitted electronically, we call it ePHI.

  • Slide 8.
  • Let’s talk about your leadership, because this is really important in protecting health information. You need to emphasize the importance of protected health information: That’s vital to your privacy and security activities. For example, HIPAA requires covered providers to designate both a privacy and security official on their staff. In a small practice, 1 person might serve in both roles. In fact, you may need to assume these responsibilities yourself. Your privacy and security official will be responsible for developing, documenting, and maintaining your privacy and security practices to meet the HIPAA requirements. The person or persons in these roles should also be part of your EHR adoption team and should work collaboratively with your information technology (IT) administrator or consultant, EHR vendor, and practice management professional.

    Be sure to record the assignment of these roles in your HIPAA documentation files even if you are the one who serves both roles. That is important because when we review, or when CMS comes to review, your compliance, we are going to want to look at these documents.

  • Slide 9.
  • Disseminate your privacy and security policies among your staff and make sure that each staff member understands his or her privacy and security responsibilities. Discuss your expectations and set the tone for the importance of keeping patient information secure and protected. Continue to communicate about the work to integrate privacy and security into your practice operations. Know that you as a covered provider retain the ultimate responsibility for HIPAA compliance.

  • Slide 10.
  • The Centers for Medicare & Medicaid Services (CMS) advises that all providers that attest for the EHR incentive program should retain all relevant records that support attestation. These records are going to be essential if you are ever audited for compliance with the incentive program requirements.

  • Slide 11.
  • Document these steps in a paper or an electronic folder. Examples of your record-keeping should include completed checklists, security risk analysis, a risk management plan and ongoing risk management efforts, business associate agreements, records of training for staff, EHR logs that show utilization of security features and monitor user actions, your policies and procedures, and information about any breaches of protected health information that may occur, what steps you took in response to those breaches, and whether and how your privacy and security policies or practices were changed to protect from future, similar breaches.

  • Slide 12.
  • Data from OCR’s privacy and security audits suggest that policies and procedures related to EHRs can be areas in which practices are vulnerable. Be sure to date-stamp your work and update these documents regularly, including whenever you incorporate new software or hardware into your practice. Your goal should be to build a complete and up-to-date master record of security findings, decisions, and actions that your workforce can reference.

  • Slide 13.
  • The HIPAA Security Rule requires you to conduct a risk analysis to document the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI -- electronic protected health information -- that you hold about your patients. My office, OCR, has issued guidance on conducting a risk analysis that is posted on our website. That’s www.hhs.gov/OCR/privacy. We also have other Medscape training on this topic as well as a Medscape destination page.

  • Slide 14.
  • After an initial full-scale security risk analysis, the risk analysis should be updated periodically and it should be an ongoing process. For Meaningful Use, a review is required for each EHR reporting period. Please note that the objective is slightly different for stage 1 and stage 2 of Meaningful Use. A risk analysis should also be performed any time a major change occurs in your practice, for instance, when your practice decides to participate in a Health Information Exchange.[4]

  • Slide 15.
  • Using your risk analysis results, discuss and develop an action plan to manage your risk and mitigate the vulnerability of the ePHI you hold in your practice. That plan should discuss how your practice addresses the administrative, physical, and technical safeguards in the HIPAA Security Rule on a routine and daily basis. To develop the plan, your staff and vendors that are responsible for security should work collaboratively to prioritize actions and document steps needed to mitigate identified risks. The HIPAA Security Rule is written to allow for scalability. That means that the Security Rule can be right-sized for your security measures, for your specific practice circumstances.

  • Slide 16.
  • Your ongoing risk management should be focused in part on the security settings of your EHR, IT network, hard drives, and other devices where ePHI may be stored or maintained. You and your staff should become familiar with the security settings in your EHR, internet connection, and devices, and how to configure these settings. There are industry best practices and OCR’s website has links to many of these. Your written policies and procedures should guide how your practice operates on a day-to-day basis with respect to securing and protecting patient information.

  • Slide 17.
  • Your documented HIPAA policies and procedures must include:

      • processes for addressing the HIPAA Security Rule and its administrative, physical, and technical safeguards;
      • how your practice recognizes individual rights under the HIPAA Privacy Rule, and the processes for fulfilling these responsibilities;
      • a response plan or instructions for how your workforce responds to incidents that impair the availability, integrity, or confidentiality of PHI;
      • a process for breach notification;
      • an ongoing documented process for monitoring access to and use of PHI by your workforce, along with a sanction process for when violations may occur;
      • a process for periodically updating your policies and procedures and ensuring that your practice is adhering to them;
      • retention of copies of your policies and procedures for 6 years after you have updated or replaced them -- there are state and other requirements that may specify a longer period of time;
      • documentation that your workforce has been trained on your practices, policies, and procedures.

  • Slide 18.
  • Continuous monitoring provides feedback that your practice needs for continuous improvement, documentation, and a regular analysis of risks. Monitoring also addresses a HIPAA Security Rule requirement that you have audit controls in place, as well as ongoing monitoring of your safeguards. These processes should be in scale with the size of your practice, though small practices are not excused from the requirement to continuously monitor their security infrastructure.

  • Slide 19.
  • Your EHR should also have a function to generate audit logs. This means it can record how protected health information is accessed, by whom, what information was accessed, and when. Your EHR can also produce reports. Audit logs are useful tools for both holding your workforce accountable for protecting PHI and for learning about unexpected or improper use of patient information. Work with your security officer, IT administrator, or EHR vendor to ensure that your audit function is active and configured to your needs.

  • Slide 20.
  • To safeguard patient information, your workforce must know how to implement your policies and procedures. Training is required for each member who joins your staff and you must retrain your staff members any time there is a material change to your policies and procedures. Reinforce workforce training with reminders. Lead by example by adhering to your policies and procedures.

  • Slide 21.
  • Thoughtful workforce training in a culture that values patients’ privacy and trust is a vital part of risk management. Make sure your staff has access to a copy of your policies and procedures for easy reference, and have an open door policy in place to answer questions.[5] Reassess each workforce member’s functions to ensure that he or she has access to only the minimum necessary PHI to do his or her job.

  • Slide 22.
  • Don’t surprise your patients with your EHR adoption. Have in place a thoughtful rollout, communicating with them about their rights, including their right to an electronic copy of their information in the EHR. You can use the view, download, and transmit function in your certified EHR to provide patients access to their health information. You can also talk with patients about how to use their information as part of a wellness plan. Many patients understand the benefits of EHR since they deal with computers in most areas of their lives, but some may worry about their privacy being compromised in EHRs and the electronic sharing of their information. You can help ease their concerns by helping them understand the privacy and security protections that you must have in place.

  • Slide 23.
  • Good customer service means having and following policies and procedures for communicating with your patients and caregivers, especially if your practice experiences a breach of unsecured protected health information. You can find model notices of privacy practices on our website. Any information you develop or provide should be culturally appropriate. Consider language, communications, and the literacy level that you use. OCR has brochures on privacy, security, and EHRs posted on our website that we have developed in 8 languages.[6] We also have videos available on YouTube. If you plan to interact with patients via online platforms, like a patient portal, make sure that you have taken precautions to safeguard this information appropriately.

  • Slide 24.
  • Let’s talk about business associate agreements. The HITECH Act of 2009 brought many changes to the HIPAA Privacy and Security Rule, including requiring that business associates provide privacy and security assurances to HIPAA-covered entities before protected health information can be disclosed to them. These assurances must be in writing and are commonly referred to as business associate agreements.

  • Slide 25.
  • HIPAA HITECH provisions expanded the definition and responsibilities of business associates and subcontractors. A business associate is a person or entity, other than a member of the workforce of a covered entity, who performs functions or activities on behalf of, or provides certain services to, a covered entity that involve access by the business associate to protected health information.[7] A business associate also is a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of another business associate. Examples of business associates are billing companies, EHR vendors, or storage vendors. Subcontractors of business associates are also included, such as shipping companies that transport records to storage.

  • Slide 26.
  • You must update your business associate agreements by September 22, 2014 to bring them into compliance. OCR can help. We have posted model business associate language to our website. This is also available on our Medscape destination page. These changes will require your business associates to safeguard protected health information they get from your practice, train their workforce, and comply with the HIPAA security requirements. Be sure to work with your vendors to have assurances that they and their subcontractors are meeting their obligations to protect your patients’ information.

  • Slide 27.
  • Finally, let’s talk about attestation for the security risk analysis as part of the Meaningful Use objectives. Eligible professionals can register to earn incentives through the Medicare EHR Incentive Program through 2014 and in the Medicaid Program through 2016, but they can only attest after they have met Meaningful Use. Attestation is a legal statement that you have met specific objectives and measures, including that you have adequate protections in place for your practice’s ePHI. Providers participating in the EHR Incentive Program can be audited.

  • Slide 28.
  • To wrap up, legal requirements, rapid changes in technology, and increased awareness among patients demand your detailed attention and high prioritization of your security and privacy practices. Trust is critically important and a key business asset. Privacy, security, and Meaningful Use are achievable and your practice will reap great benefits, but it takes attention and diligence.

    For an overview of specific Meaningful Use requirements regarding EHR, privacy, and security, download Chapter 2 of the Guide to Privacy and Security of Health Information, which is available on CMS' website. For an overview of the HIPAA privacy and security requirements, visit our website, www.hhs.gov/OCR.

  • Slide 29.
  • Thank you for participating in this activity. To proceed to the online CME/CE test, click on the Earn CME/CE Credit link on this page.

  • Slide 30.

This transcript has been edited for style and clarity.
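The audit-log review described under Slide 19 (who accessed which record, and when) and the minimum-necessary check under Slide 21 (each workforce member touches only the PHI needed for the job), worked through as an added example. This code is not part of the original activity and is not OCR, CMS or any EHR vendor's software. The log format, the care-team assignments, the role-to-action table and the business-hours and bulk-access thresholds are all assumptions constructed for this demonstration; real EHR audit exports are vendor-specific and would need their own parser.

```python
"""Review EHR audit-log entries for unexpected or improper access to PHI.

Added example for the audit-log and minimum-necessary discussion above.
Everything here (log columns, care teams, role permissions, thresholds)
is constructed for illustration and is not any vendor's real format.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: one row per access event.
SAMPLE_AUDIT_LOG = """\
timestamp,user,role,patient_id,action
2014-03-03T09:12:00,dr.alvarez,physician,P1001,view
2014-03-03T09:15:00,dr.alvarez,physician,P1002,view
2014-03-03T09:40:00,nurse.chen,nurse,P1001,view
2014-03-03T13:05:00,billing.ortiz,billing,P1001,view_billing
2014-03-03T13:06:00,billing.ortiz,billing,P1003,view
2014-03-03T23:48:00,nurse.chen,nurse,P2045,view
2014-03-04T10:00:00,frontdesk.kim,front_desk,P3001,view
2014-03-04T10:00:30,frontdesk.kim,front_desk,P3002,view
2014-03-04T10:01:00,frontdesk.kim,front_desk,P3003,view
2014-03-04T10:01:30,frontdesk.kim,front_desk,P3004,view
2014-03-04T10:02:00,frontdesk.kim,front_desk,P3005,view
2014-03-04T10:02:30,frontdesk.kim,front_desk,P3006,view
"""

# Constructed care-team assignments: the patients each user is expected
# to work with, i.e. the "minimum necessary" set for that person.
CARE_TEAM = {
    "dr.alvarez": {"P1001", "P1002"},
    "nurse.chen": {"P1001", "P1002"},
    "billing.ortiz": {"P1001", "P1002", "P1003"},
    "frontdesk.kim": {"P3001", "P3002", "P3003", "P3004", "P3005", "P3006"},
}

# Constructed role model: which audit actions each role may perform.
ROLE_ACTIONS = {
    "physician": {"view", "update"},
    "nurse": {"view", "update"},
    "billing": {"view_billing"},
    "front_desk": {"view"},
}

BUSINESS_HOURS = (7, 19)          # assumed: 07:00 up to (not including) 19:00
BULK_WINDOW = timedelta(minutes=5)  # assumed sliding window for bulk access
BULK_THRESHOLD = 5                  # assumed: distinct patients in one window


def parse_audit_log(text: str) -> list[dict]:
    """Parse the CSV export into dicts with a real datetime timestamp."""
    entries = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        entries.append(row)
    return entries


def _finding(entry: dict, reason: str, detail: str) -> dict:
    return {
        "timestamp": entry["timestamp"].isoformat(),
        "user": entry["user"],
        "role": entry["role"],
        "patient_id": entry["patient_id"],
        "action": entry["action"],
        "reason": reason,
        "detail": detail,
    }


def review_entry(entry: dict) -> list[dict]:
    """Per-event checks: care-team membership, role permission, time of day."""
    findings = []
    if entry["patient_id"] not in CARE_TEAM.get(entry["user"], set()):
        findings.append(_finding(entry, "not_on_care_team",
                                 "patient is outside the user's assigned care team"))
    if entry["action"] not in ROLE_ACTIONS.get(entry["role"], set()):
        findings.append(_finding(entry, "action_not_permitted_for_role",
                                 f"role '{entry['role']}' may not perform '{entry['action']}'"))
    if not BUSINESS_HOURS[0] <= entry["timestamp"].hour < BUSINESS_HOURS[1]:
        findings.append(_finding(entry, "after_hours",
                                 "access outside configured business hours"))
    return findings


def detect_bulk_access(entries: list[dict]) -> list[dict]:
    """Flag a user who opens BULK_THRESHOLD or more distinct charts inside BULK_WINDOW."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in sorted(entries, key=lambda e: e["timestamp"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, events in by_user.items():
        start = 0
        for end in range(len(events)):
            # Slide the window so all events in it fall within BULK_WINDOW.
            while events[end]["timestamp"] - events[start]["timestamp"] > BULK_WINDOW:
                start += 1
            patients = {e["patient_id"] for e in events[start:end + 1]}
            if len(patients) >= BULK_THRESHOLD:
                f = _finding(events[end], "bulk_access",
                             f"{len(patients)} distinct patients within {BULK_WINDOW}")
                f["patient_id"] = ", ".join(sorted(patients))
                findings.append(f)
                break  # one bulk finding per user is enough for the report
    return findings


def review_audit_log(text: str) -> list[dict]:
    """Run every check over a raw export and return the combined findings."""
    entries = parse_audit_log(text)
    findings = [f for e in entries for f in review_entry(e)]
    findings.extend(detect_bulk_access(entries))
    return findings


def summarize(findings: list[dict]) -> dict[str, int]:
    """Count findings by reason, the shape a periodic monitoring report needs."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f["reason"]] += 1
    return dict(counts)


if __name__ == "__main__":
    results = review_audit_log(SAMPLE_AUDIT_LOG)
    for f in results:
        print(f"{f['timestamp']}  {f['user']:<14} {f['reason']:<30} {f['patient_id']}  ({f['detail']})")
    print("summary:", summarize(results))
```

Each finding is a record that can be filed with the practice's monitoring documentation; on the constructed data the script flags the billing user performing a clinical view, a nurse opening an unassigned chart late at night, and a front-desk user opening six charts in under three minutes. Thresholds and role tables are the parts a practice would tune to its own size, which is the scalability the Security Rule allows.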
