As electronic health record (EHR) adoption becomes widespread, and providers increasingly embrace the patient engagement opportunities of digital health, EHR customers look to EHR vendors to ensure that health information is available where and when it is needed. And yet we know from our experience that many providers continue to face challenges when they seek access to protected health information (PHI)—challenges that could impact patient care and safety. That’s why we are highlighting two recent resources that improve the awareness of EHR vendors’ obligations to make health information available to their health care provider customers.

As we mark National Cyber Security Awareness Month, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched an updated HIPAA Security Risk Assessment (SRA) Tool. The tool’s new features make it even more useful in assisting small and medium-sized health care practices and business associates in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

To better prevent attacks on health information technology, organizations need better visibility into what to expect and how to respond. Timely information on the nature of attacks is critical to that ability. To enable better dissemination of threat information, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC) and the Assistant Secretary for Preparedness and Response (ASPR) released two Funding Opportunity Announcements (FOAs) to build the capacity of an Information Sharing and Analysis Organization (ISAO).

Many of us now use wearables and other types of health information technology to help us manage our health and the health of our loved ones. These fitness trackers, their related social media sites where individuals share health information, and other technologies are changing the way we interact and control our own health. However, they did not exist when Congress originally enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996.