Smaller health care practices and providers now have another reason to bookmark the website of the Office of the National Coordinator for Health Information Technology (ONC).  Yesterday, the ONC published Version 2.0 of its “Guide to Privacy and Security of Electronic Health Information” (the Guide).  Overall, the 62-page Guide provides health care providers with “plain English” explanations of their privacy and security-related obligations under the Health Insurance Portability and Accountability Act (HIPAA) and in relation to the Medicare and Medicaid Electronic Health Record Incentive Programs (EHR Incentive Programs).  Of note, this version of the Guide addresses:

  • Updates to the HIPAA Privacy, Security, and Breach Notification Rules as released in the Omnibus Rule, particularly the expanded scope of obligations related to dealings with business associates and subcontractors; and
  • Updated information about the privacy and security compliance expectations incorporated into the EHR Incentive Programs’ Stage 1 and Stage 2 meaningful use core objectives

Other helpful aspects of the Guide include:

  • A list of defined acronyms to clarify the alphabet soup of agencies and laws that appear in the health care privacy and security universe;
  • A sample seven-step approach for implementing a security management process;
  • A dedicated chapter section on working with EHR and Health IT developers; and
  • Numerous links to relevant sources of legal authority and additional agency information.

The Guide can help smaller health care practices and providers to better understand how the countless privacy and security laws and regulations directly apply to their work on EHR and health IT implementation.  But the Guide also puts these individuals and entities on notice that they should not rely on the Guide as a comprehensive resource or as a substitute for counseling with outside legal or health IT experts when specific issues arise.  In the end, the Guide implicitly acknowledges the complexity of health care privacy and security obligations, but only provides a floor of knowledge upon which health care practices and providers should build their own expertise.