ONC Updates SAFER Guides to Assist HIPAA-Covered Entities with EHR Safety and Security

The Office of the National Coordinator for Health IT (ONC) has released updated versions of its SAFER (Safety Assurance Factors for EHR Resilience) Guides. The guides help healthcare organizations make their EHRs safer and more usable, and HIPAA-covered entities can use them to assess potential safety and security weaknesses in their EHR deployments.

Attackers look for weaknesses in EHR systems that can be exploited to gain access to patient data, so healthcare organizations need to assess their EHRs for such weaknesses on a regular basis. The SAFER Guides can help in this regard, although their primary focus is patient safety rather than information security. ONC says its SAFER Guides “provide an easy-to-use template for voluntary provider self-assessment of EHR safety-related vulnerabilities.”

The SAFER Guides are compilations of expert-recommended, evidence-based best practices that can be adopted to improve the safety and usability of EHRs. Each guide covers a specific focus area and was compiled with assistance from experts in that field. ONC has also sought comments and recommendations in the three years since the guides were first released, and that feedback has been incorporated into the updated versions.

Over the past 12 months the healthcare industry has been targeted by cybercriminals intent on gaining access to the protected health information (PHI) of patients, but ransomware has been one of the biggest threats. Ransomware is typically not used to steal PHI; instead it encrypts data and prevents healthcare providers from accessing it.

The attackers claim they will provide a key to decrypt the data if a ransom is paid. Given the frequency of ransomware attacks on healthcare organizations over the past 12 months, it is no surprise that ONC has included ransomware prevention and mitigation strategies in one of the updated SAFER Guides.

Ransomware makes PHI unavailable, which exposes patients to significant safety risks. If physicians cannot access a patient’s records, the potential for medication errors increases, and all too often procedures have to be postponed. Both can have a major negative impact on patients.

It is therefore essential for healthcare providers to plan for EHR downtime. ONC says “Effective contingency planning addresses the causes and consequences of EHR unavailability, and involves processes and preparations that can minimize the frequency and impact of such events, ensuring continuity of care.”

The Contingency Planning SAFER Guide can be used to reduce the impact of ransomware attacks and other causes of EHR downtime, such as hardware failure, network outages and natural disasters. The guide includes a self-assessment form that healthcare providers can use to obtain “an accurate snapshot of the organization’s EHR contingency planning status (in terms of safety).”

Contingency planning is required by the HIPAA Security Rule (the contingency plan standard, 45 CFR § 164.308(a)(7)), although OCR points out that following the recommendations in the guides does not necessarily equate to compliance with that part of the Security Rule. The guide provides “a uniform approach to patient safety and data protection” that HIPAA-covered entities can follow as part of their compliance programs, not a substitute for the risk analysis and documented contingency plan the rule itself requires.

While many updates have been made, one of the main new inclusions in the SAFER Guides is a set of recommendations from the National Academy of Medicine on communicating abnormal test results to patients. The Test Results Reporting and Follow-Up SAFER Guide covers safety practices for EHR technology that can be adopted to help with the communication and management of test results, including documentation and patient follow-up.

The SAFER Guides can be downloaded free of charge from the ONC website.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news