Privacy & Security

Protecting the privacy of individually identifiable health information is a priority for AHIMA and HIM professionals. AHIMA supports moving forward with HIT and EHRs to improve healthcare quality, safety and efficiency. We also recognize the critical need to balance the privacy and security of patient information to reach the overall goals of ARRA and HITECH.

• AHIMA Analysis of Modifications to the HIPAA Privacy Security, Enforcement, and Breach Notification Rules under the Health Information Technology for Econimic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules (January 25, 2013)
• AHIMA Comments to HIT Policy Tiger Team for Privacy and Security (May 11, 2011)
  
• ONC Funded George Washington University Medical Center, Consumer Consent Options White Paper (February 4, 2011)
• ONC Consumer Preferences Requirements Document (February 4, 2011)
• AHIMA Comments on HITECH Privacy Changes for HIPAA (September 2010)
• AHIMA Overview of the Proposed Rule: Modifications to the HIPAA Privacy, Security and Enforcement Under HITECH (August 2010)
• Outline of July 14 HIPAA-HITECH Proposed Rule
• July 14 HPAA-HITECH Proposed Rule
• AHIMA Analysis of ARRA Privacy (March 2009)

Privacy and Security Framework

The Office of the National Coordinator has established resources on including a Health IT Privacy and Security Toolkit with model privacy notices, reference to regulations, assessment of security practices. ONC has also developed a policy framework for addressing privacy and security with health information exchange.

• ONC's Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information

Accounting of Disclosures

ARRA-HITECH requires entites using electronic health records to maintain an accounting of disclosures for treatment, payment and healthcare operations. In February 2010, the Interim Final Rule for Standards and Certification described the standards used for an accounting. AHIMA submitted the following comments to ONC specifically on accounting of disclsoures. The Office of Civil Rights released the proposed rule on May 27, 2011.

• AHIMA Comments on HIPAA Privacy Rule Accounting of Disclosures (July 2011)
  
• AHIMA Analysis of the NPRM HITECH Accounting of Disclosures (July 2011)
• OCR Releases Proposed Rule on Accounting of Disclosures (May 2011) 
• AHIMA's Comments on OCR's HITECH Accounting of Disclosures RFI (May 2010)
• AHIMA's Comments on IFR Related to Accounting of Disclosures (March 2010)
  

HITECH Breach Notification

Breach Notification Final Rule Update

On September 23, 2009 the Interim Final Rule on Breach Notification for Unsecured Protected Health Information became effective. This rule applies to all HIPAA-covered entities and HIPAA-related Business Associates (BAs).

• AHIMA Analysis of IFR on Breach Notification (August 2009)

Covered entities are required to begin reporting breaches to the Office of Civil Rights (OCR). OCR provides tools and guidance:

• OCR Guidance on Breach Notification
• OCR Report on Breach Notifications

 AHIMA Tools & Resources

• BAA Addendum Article
• Breach Notification Template Letter
• Model Plan for Breach Notification
• Model Breach Notification Letter
• The Path to Security Breach Notification Regulation
• Journal of AHIMA Privacy and Security Posts

Other Links & Resources

• ONC Privacy and Security Webpage
• Office for Civil Rights (OCR)
• Health Information Security and Privacy Technology Collaboration (HISPC)