Privacy and security addresses the laws and methods for protecting our patients’ confidentiality. The notion of patient privacy has its roots in the Hippocratic Oath taken by all physicians:
“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself, holding such things shameful to be spoken about.”
This idea of privacy is codified in laws such as the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology Economic and Community Health (HITECH) Act. As we move from paper charts to electronic health records, we must employ all-new methods of security to ensure patient privacy. When practiced in a legally compliant manner, security requires the implementation of a security framework that includes:
- Regular risk analysis;
- Selection, implementation, and assessment of security controls; and
- Ongoing security monitoring.
These steps ensure we have the proper administrative, physical and technical controls in place to protect patient data.
A new HIPAA Omnibus Final Rule went into effect on March 2, 2013, making significant changes to the law and expanding the rights of patients. Read about the rule.
Meaningful Use Core Measure 15
The HITECH Act instituted the Medicare and Medicaid EHR Incentive Programs. Both programs require that you meet core measure 15, which addresses privacy and security in the practice:
“Conduct or review a security risk analysis per 45 CFR 164.308(a)(1) and implement updates as necessary and correct identified security deficiencies as part of the eligible provider’s, eligible hospital’s or critical access hospital’s risk management process.”
When the measure says “Conduct or review a security risk analysis,” it refers to a formal process used by IT security professionals to prioritize and mitigate the security risks that threaten an organization. The citation 45 CFR 164.308(a)(1) refers to the section of the HIPAA Security Rule that requires practices to conduct a security risk assessment. CHITREC recommends you seek the help of a qualified professional when conducting your security risk analysis. Please see our Privacy & security services page for more information and resources.