In the draft Interoperability Roadmap, ONC committed to helping individuals, providers, and the health and health IT community better understand how existing federal law — the Health Insurance Portability and Accountability Act (HIPAA) — supports interoperable exchange of information for health. Today, we take a first step to fulfill that commitment and publish the revised Guide to Privacy and Security of Electronic Health Information.

Last published in 2011, this Guide has been updated to bring new, practical information about privacy and security to small and medium-sized provider practices, health, health IT, other information technology professionals, and the public at large, many of whom may be considered Business Associates.

The Guide includes practical information on issues like cybersecurity, patient access through Certified Electronic Health Record Technology (CEHRT), and other Electronic Health Record (EHR) technology features available under the 2014 Edition Certification rule. The Guide also includes new, practical examples of the HIPAA Privacy and Security Rules in action, to help everyone understand how those rules may impact their businesses and the people they serve.

Privacy and Security Rules in Action

The Guide offers many scenarios for anyone who has struggled to understand when someone is or is not a Business Associate (BA). Here are three of the examples:

  1. You hire a case management service to identify your diabetic and pre-diabetic patients at high risk of non-compliance and recommend optimal interventions to you for those patients. The case management service is a BA acting on your behalf by providing case management services to you.
  2. You hire a web designer to maintain your practice’s website and improve its online access for patients seeking to view/download or transmit their health information. The designer must have regular access to patient records to ensure the site is working correctly. The web designer is a BA.
  3. You hire a web designer to maintain your practice’s website. The designer installs the new electronic version of the Notice of Privacy Practices (NPP) and improves the look and feel of the general site. However, the designer has no access to PHI. The web designer is not a BA.

Permitted Uses

The Guide also provides information about when a provider (or any HIPAA-covered entity) is permitted to exchange information about an individual for treatment, payment, or health care operations without being required to have the individual sign a piece of paper before the exchange occurs.

The Guide also explains how a patient can approve the disclosure of his or her health information to a third party (like a friend or a relative who is helping to provide care) without a formal written process:

For example, if a patient begins discussing health information while family or friends are present in …