ONC's Privacy Officer: The Latest Tips
Lucia Savage Describes New Guide, Outlines Key Challenges
The Office of the National Coordinator for Health IT has issued an updated guide to assist smaller physician practices in sorting through important privacy and security issues, says Lucia Savage, ONC's chief privacy officer.
The updated version of the guide, first issued in 2011, provides new real-life examples of how the HIPAA privacy and security rules apply to these practices, she says in an April 13 interview with Information Security Media Group at the HIMSS 2015 conference in Chicago.
"It's a practical guide; we try to make it relevant for the practice that physicians have today," she says. "One of the highlights is Chapter 7, which is a checklist for a small or medium-sized practice to go through their own processes to figure out if they're meeting the standards ... to help them have proper security for their information."
In a new blog, Savage also notes that the guide offers insights on identifying vendors that qualify as business associates that are directly liable for HIPAA compliance under the HIPAA Omnibus Rule.
Also included in the guide is an update on how healthcare providers can securely use patient portals to communicate with patients, she says. "The guide is designed for small and medium-sized practices and the people who support them," she says. The aim is to assist with HIPAA compliance efforts and also "to help them understand how they, in fact, can already share information with other physicians and patients."
Misunderstandings about HIPAA often contribute to healthcare providers not engaging in the exchange of patient electronic health information, she notes. "We need to be a lot clearer about what the HIPAA rules are and how they support interoperable exchange."
ONC is also reviewing the many comments it received on its interoperability roadmap, which outlines the agency's proposals for promoting nationwide, secure exchange of health information over the next decade.
"Nationally we're looking at a lot of issues related to cybersecurity," she adds. Recent high-profile data breaches, including those affecting Anthem and Premera Blue Cross, are drawing attention to the need to ramp up security in healthcare, she notes.
"Without going into details, I want to assure that there is a lot of work being done to strengthen and enhance the way healthcare as an industry responds to cyberthreats and to up their game now that we're in the sightline of the cybercriminals," she says.
In the interview, Savage also discusses:
- Why the Department of Health and Human Services' Centers for Medicare and Medicaid Services has proposed lowering the requirements for the use of secure messaging by healthcare providers, and also for patients electronically accessing their health records, in Stages 1 and 2 of the HITECH Act "meaningful use" financial incentive program for electronic health records;
- The feedback that ONC has received about privacy and security proposals in its interoperability roadmap;
- Why patients should challenge their healthcare organizations when they ask for Social Security numbers.
Savage was appointed ONC chief privacy officer in October 2014 by HHS Secretary Sylvia Mathews Burwell. Previously, she was senior associate general counsel at United Healthcare, general counsel at the Pacific Business Group on Health and compliance manager at Stanford University.