ONC Releases Updated Guide to Privacy and Security of Electronic Health Information

20 May 2015 Health Care Law Today Blog

The Office of the National Coordinator for Health Information Technology (“ONC”) of the U.S. Department of Health and Human Services (“HHS”) recently released Version 2.0 of the Guide to Privacy and Security of Electronic Health Information (“Guide”). The Guide is a tool intended to assist providers as they work to comply with federal programs’ requirements administered through HHS and its various offices (such as ONC).

Last published in 2011, the new 2015 version of the Guide provides updated information about compliance with the Medicare & Medicaid Electronic Health Record Incentive Programs (also called “Meaningful Use” Programs) as well as the changes made by the Health Information Technology and Economic Health Act (“HITECH”) as implemented by the Omnibus Final Rule.

At a high level, the Guide includes practical information on issues facing providers such as cybersecurity and patient access to information through certified electronic health record (“EHR”) technology features available under the 2014 Edition Certification rule. The Guide is a practical and useful tool in that it walks providers through applicable rules and standards, addressing topics such as “why do privacy and security matter”, “understanding provider responsibilities under HIPAA”, “understanding electronic health records, the HIPAA security rule and cybersecurity” and “breach notification, HIPAA enforcement, and other laws and requirements”.

The Guide also addresses the Meaningful Use Programs, which set requirements for providers to demonstrate progressively integrated use of EHRs and to receive incentives for such meaningful use. The Meaningful Use Programs incorporate and require implementation of several key HIPAA security requirements for ePHI. The Guide describes the Meaningful Use security requirements (which require implementation of certain technical controls to safeguard PHI against unauthorized access, audit controls, and an annual security risk assessment) and ways to satisfy these requirements.

With respect to the HIPAA Privacy, Security, and Breach Notification Rules, the Guide addresses and provides information regarding what to do if a provider has a breach (distinguishing between secured and unsecured PHI), the risk assessment process for breaches, and how to report breaches. The Guide also describes the key types of state laws that may impose requirements more stringent than HIPAA.

Finally, the Guide provides a sample seven-step approach to implement a security management process, which the ONC indicates providers can use as a takeaway reference.
