Guide for Security of EPHI

Posted by BAS - 23 April, 2015

The Office of the National Coordinator for Health IT released a new guide addressing security of electronic protected health information. The guide can be found here. 

The guide is targeted at hospitals, providers and their business associates, but can provide some guidance for employers and their health plans. It suggests that covered entities adopt a step-by-step approach for implementing a security management process. The suggested approach includes:

  • Selecting a team
  • Documenting processes, findings and actions
  • Reviewing existing security of electronic protected health information through a security risk analysis
  • Developing an action plan
  • Managing and mitigating risks
  • Monitoring, auditing and updating security on an ongoing basis

The guide also details HIPAA breach notification requirements and explains encryption. A large focus of the guidance is on electronic health records, but some of the concepts can apply to any storage of electronic protected health information.

 

