Practical Information From HHS About Privacy, Security and Health IT: ONC’s Guide to Privacy and Security of Electronic Health Information

In the draft Interoperability Roadmap, ONC committed to helping individuals, providers, and the health and health IT community better understand how existing federal law, the Health Insurance Portability and Accountability Act (HIPAA), supports the interoperable exchange of health information. Today we take a first step toward fulfilling that commitment by publishing the revised Guide to Privacy and Security of Electronic Health Information.

Last published in 2011, the Guide has been updated with new, practical information about privacy and security for small and medium-sized provider practices, health IT and other information technology professionals, and the public at large, many of whom may be considered Business Associates under HIPAA.

The Guide includes practical information on issues like cybersecurity, patient access through Certified Electronic Health Record Technology (CEHRT), and other Electronic Health Record (EHR) technology features available under the 2014 Edition Certification rule. It also includes new, practical examples of the HIPAA Privacy and Security Rules in action, to help readers understand how those rules may affect their businesses and the people they serve.

Privacy and Security Rules in Action

The Guide offers many scenarios for anyone who has struggled to understand when someone is or is not a Business Associate (BA). In each case the deciding question is whether the vendor handles protected health information (PHI) on the practice's behalf. Here are three of the examples:

  1. You hire a case management service to identify your diabetic and pre-diabetic patients at high risk of non-compliance and recommend optimal interventions to you for those patients. The case management service is a BA acting on your behalf by providing case management services to you.
  2. You hire a web designer to maintain your practice’s website and improve its online access for patients seeking to view, download, or transmit their health information. The designer must have regular access to patient records to ensure the site is working correctly. The web designer is a BA.
  3. You hire a web designer to maintain your practice’s website. The designer installs the new electronic version of the Notice of Privacy Practices (NPP) and improves the look and feel of the general site. However, the designer has no access to PHI. The web designer is not a BA.

Permitted Uses

The Guide also provides information about when a provider (or any HIPAA-covered entity) is permitted to exchange information about an individual for treatment, payment, or health care operations without first obtaining the individual’s written authorization.

The Guide also explains how a patient can approve the disclosure of his or her health information to a third party (such as a friend or relative who is helping to provide care) without a formal written process:

For example, if a patient begins discussing health information while family or friends are present in the examining room, this is a “circumstance that clearly gave the individual the opportunity to agree, acquiesce, or object.” You [the provider] do not need a written authorization to continue the discussion [with the family or friends].

Tackling Security

The Guide also provides practical tips and information about security. Chapter 6 focuses on a “Sample Seven-Step Approach for Implementing a Security Management Process” and can be downloaded separately from the rest of the Guide as a handy reference takeaway.

To ensure that providers and patients take full advantage of the secure, private communications capabilities of 2014 Edition CEHRT, the Guide explains how providers can use their 2014 Edition CEHRT to electronically communicate with their patients while remaining compliant with the HIPAA Security Rule.

The Guide tackles cybersecurity and encryption, explaining in practical terms what encryption is and why it is important. The Guide also offers suggested questions providers may want to ask their health IT developers or EHR companies so they can be confident that the systems they buy and use will meet their privacy and security needs. Here’s an excerpt:

  • When my staff is trying to communicate with the health IT developer’s staff, how will each party authenticate its identity? For example, how will my staff know that an individual who contacts them is really the health IT developer’s representative and not an attacker impersonating one?
  • How much remote access will the health IT developer have to my system to provide support and other services? How will this remote access be secured?
  • If I want to securely email with my patients, will this system enable me to do that as required by the Security Rule?

We are really proud of our Guide, which we could not have published without the help of the HHS Office for Civil Rights (@hhsocr), the HHS office responsible for HIPAA regulations and enforcement. We hope you find it useful. Let us know what you think!


  1. John Dodd says:

    I think there is a need for a future vision of the use of attribute-based access management and use of Cloud and InterCloud Security and Privacy Policies and protection mechanisms that can be used for nation-wide interoperability that can scale. The HIE approaches of 10 years ago cannot scale but can be put into the cloud and cross-cloud interoperability can be protected. The technologies for such information sharing can be leveraged from defense and intelligence. I describe the approach in the book I am developing and would share with ONC. We have to future-scape the views and then incrementally evolve to it.
    John Dodd

  2. Andy Nold says:

    For relatively current information on best practices for “Cloud and InterCloud Security and Privacy Policies”, I recommend the study materials for the Certificate in Cloud Security Knowledge, provided by the Cloud Security Alliance. The study materials provided numerous points for Privacy and Legal concerns.

  3. William says:

    Good information about an important subject, thank you. I am particularly interested in the guidance relating to the exchange of information regarding patients and treatment. As part of a joined-up system of healthcare it is naturally important that all the relevant information should be available to the different parties treating a person. But the challenge is to protect the security and privacy of the patient while still providing the best possible joined-up care.

  4. Lynn says:

    I signed in at the doctor’s office and sat down, only to be called back up to go pee in a cup. A man came in behind me, signed in, and came over to sit beside me. In a few minutes he returned to the desk and looked at the sign-in sheet, where the office staff had run a narrow ink line through the names. He sat down again and immediately began calling my name and directing his attention totally to me. The room was full and the people became uncomfortable. As an R.N., there were indications something was wrong with him. Was I the target? I did not know him. I tried to softly say yes or act as if I could not hear all his questions and comments and kept looking at my magazine. I felt very uncomfortable and the staff knew it. We de-escalated the situation by removing me to a back office. Would this have happened if he could not see our names on the sign-in sheet? I know there are forms that would delete the name-seeing issue. I deserve my visit with my doctor to be protected physically and by HIPAA.
