The Office of the National Coordinator for Health IT released a new guide addressing security of electronic protected health information. The guide can be found here.
The guide is targeted at hospitals, providers and their business associates, but can provide some guidance for employers and their health plans. It suggests that covered entities adopt a step-by-step approach for implementing a security management process. The suggested approach includes:
The guide also details HIPAA breach notification requirements and explains encryption. A large focus of the guidance is on electronic health records, but some of the concepts can apply to any storage of electronic protected health information.