Health information technology (HIT) and electronic health records (EHR) increasingly play an important role in the U.S. health care system. Many providers and health plans are using technology to improve care coordination, engage patients in primary care, raise transparency, and lower costs. Health insurance exchanges (HIX), part of the federal health reform law, will use electronic records extensively to enroll and manage health insurance for millions of people eligible for Medicaid, subsidized insurance, and the Small Business Health Options Program (SHOP). Both Medicare and Medicaid have electronic health record incentive programs to encourage adoption by physicians and hospitals.

Any organization implementing health IT services will need to make patient privacy a major consideration. The Health Insurance Portability and Accountability Act (HIPAA) and the Patient Safety and Quality Improvement Act (PSQIA) both contain strict privacy and confidentiality provisions that will affect how organizations keep and use patient data. Organizations that run afoul of federal privacy laws could face stiff penalties.

Guide for Health IT Privacy:

Medical practices using health IT have some help from the Office of the National Coordinator for Health Information Technology, which publishes a Guide to Privacy and Security of Health Information. The guide offers strategies for integrating privacy and security into medical practices, discusses how physicians can cultivate patient trust in electronic health records, and gives detailed information about privacy laws. Its guidelines include:

  • Ensuring patients can request medical record access
  • Handling patient health information carefully to protect their privacy
  • Keeping a patient’s information within their record as accurate as possible

10-step Plan for Electronic Health Record “Meaningful Use”:

The guide also gives an extensive overview of meaningful use criteria and requirements for HIPAA and the Centers for Medicare and Medicaid Services (CMS). A 10-step plan to achieve meaningful use helps medical practices navigate those requirements. The steps include:

  1. Confirming you are a “covered entity” and, thus, responsible for HIPAA compliance
  2. Providing leadership, from designating a privacy and security officer to analyzing security risk and promoting a culture that fosters patient privacy and protection
  3. Documenting your process, findings, and actions in the event of an audit
  4. Conducting security risk analysis that is specific to your situation
  5. Developing an action plan based on results from your risk analysis
  6. Managing and mitigating risk based on up-to-date, written policies and procedures
  7. Providing regular education and training to your workforce on ways to implement policies, procedures, and security audits
  8. Communicating with patients about the confidentiality and security of their health information
  9. Updating business associate agreements to ensure compliance with HIPAA and Health Information Technology for Economic and Clinical Health Act (HITECH) breach notification requirements
  10. Attesting for the security risk analysis meaningful use objective


Kip Piper is a Medicare, Medicaid, and health reform consultant, speaker, and author. He is a senior consultant with Sellers Dorsey, a national healthcare consultancy, as well as an advisor with Fleishman-Hillard and TogoRun. Kip Piper advises health plans, hospitals and health systems, states, drug and device manufacturers, and investment firms throughout the U.S. For more, visit  Follow on Twitter at @KipPiper and connect with Kip on LinkedIn.