Privacy & Security

How do I protect the confidentiality, integrity, and availability of personal health information in my EHR system?

Under federal regulation, your practice is responsible for protecting the confidentiality, integrity, and availability of personal health information that is maintained in or can be accessed through your electronic health record (EHR) system. “Privacy” generally refers to an individual’s ability to keep certain personal health information free from unauthorized access and the ability to access and share the information themselves. “Security” is the way your practice controls access and protects this information, including safeguarding it from accidental or intentional disclosure.

Protecting patient privacy and securing electronic health information is a shared responsibility. Adherence to privacy and security standards fosters patient trust. It assures patients that their electronic health information — while under your control — will remain confidential, accurate, and secure. This increases the likelihood that patients will share their health information with you, which gives clinicians a more complete picture of patients’ overall health. Together, clinicians and their patients can make better-informed decisions.

Health information breaches can have serious consequences. They can:

• Harm patients
• Damage an organization’s reputation
• Cause financial harm

Poor privacy and security practices make the patient information available through your health information system more vulnerable to a successful cyber-attack.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations define the national standards (requirements) for securing an individual’s protected health information (PHI) and the consequences of not doing so.

The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of an individual’s electronic PHI (ePHI).

The Privacy Rule requires appropriate safeguards to ensure the privacy of PHI and sets limits and conditions on the uses and disclosures of such information without a patient’s authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections. The privacy standards apply to personal health information in any form, whereas the security standards apply only to that information in electronic form.

The privacy standards give patients more control over their health information and set boundaries on the use and disclosure of health records. They also provide safeguards that clinicians and other covered entities — as well as their business associates — must follow to protect the privacy of health information.

The security standards require all clinicians to assess the risks to their information systems and take appropriate steps to ensure the confidentiality, integrity, and availability of personal health information.

Note: “Security” applies to the spectrum of physical, technical, and administrative safeguards put in place to meet these requirements. For example, the HIPAA Security Rule requires a covered entity to implement policies and procedures that authorize access to ePHI only when such access is appropriate based on the user’s or recipient’s role.

Covered entities and business associates

Under HIPAA Rules, covered entities (CEs) and business associates (BAs) must institute federal protections for personal health information created, received, used, or maintained by or on behalf of a covered entity, and patients have an array of rights with respect to that information.

CEs include health plans, healthcare clearinghouses, and clinicians who conduct certain healthcare transactions electronically, including billing. In addition, BAs who maintain this information — on behalf of covered entities — must comply with the Privacy Rule, the Security Rule, and the Business Associate Agreement (BAA) with the CE.

This suite of HIPAA regulations includes:

• The Privacy Rule, which protects the privacy of individually identifiable health information
• The Security Rule, which sets national standards for the security of electronic protected health information
• The Breach Notification Rule, which requires CEs to notify affected individuals, the HHS secretary, and, in certain circumstances, the media after a breach of unsecured protected health information. Business Associates must provide breach notification to the CE or another BA.

Whether personal health information is on a computer or mobile device, in an EHR, on paper, or in other media, clinicians have a responsibility to meet applicable HIPAA Rules requirements for safeguarding health information.

Patients, and their caregivers, have a right to access their health information. The HIPAA Privacy Rule generally requires health plans and most healthcare providers (clinicians and hospitals) to provide individuals, upon request, with access to their protected health information in one or more “designated record sets” maintained by or on behalf of the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.

Learn more:

• Read about how you can make these powerful tools work for you and how you can choose patient access training and technical resources for your practice or clinic.

Individuals and their personal representatives (caregivers), have the right to access this PHI regardless of:

• The date the information was created
• Whether the information is maintained in paper or electronic systems onsite or remotely or is archived
• Where the PHI originated

This helps individuals take control of their health and well-being, and it helps clinicians engage their patients.

Individuals with access to their health information are better able to:

• Monitor chronic conditions
• Adhere to treatment plans
• Find errors in their records and request fixes
• Track progress in wellness or disease management programs
• Directly contribute their information to research

Healthcare is evolving into a system supported by rapid, secure exchange of electronic health information, and the new precision medicine model of patient-powered research is discovering more targeted treatments. Thus, it’s more important than ever for individuals to have ready access to their health information.

Individuals have the right to see their health records, get a copy of the information, and have it sent to a specialist or other designated third party — including to a mobile app or researcher. To learn more, watch these videos about the right to access from the patient’s perspective published by the U.S. Department of Health and Human Services’ Office of the National Coordinator (ONC) and the Office for Civil Rights (OCR), the federal enforcer of the HIPAA Rules. To help better understand how to implement this right for your patients, check out these FAQs.

To learn more about the HIPAA Privacy Rule Right of Access, including how you can integrate it into your practice, consider taking HHS-developed online training. Participants receive free Continuing Medical Education or Continuing Education credit.

Patient consent

The HIPAA Privacy Rule permits CEs to get patient consent before using or disclosing protected health information for treatment, payment, and health care operations (TPO). However, patient consent isn’t required for TPO under HIPAA. Entities can share PHI digitally or by phone, fax, or mail.

But many entities and states have adopted their own policies or laws requiring patient consent. When CEs are in different states, it is important to understand whether a state law applies to the sharing of protected health information.

Learn more about patient consent for electronic health information exchange and interoperability.

Read about patient consent for the disclosure of substance use disorder records:

• Disclosure of Substance Use Disorder Patient Records: Does Part 2 Apply to Me?
• Disclosure of Substance Use Disorder Patient Records: How Do I Exchange Part 2 Data?

Note: This playbook includes a selected set of privacy and security resources. For more information, visit ONC’s Health IT Privacy and Security Resources webpage.

Additional resources

The HIPAA Privacy and Security Rules require clinicians to protect personal health information and records by establishing sound security business practices. The following resources and guides will help you implement HIPAA Privacy, Security, and Breach Notification Rules.

• Read about sharing information with patients’ loved ones, including same-sex spouses, under the HIPAA Privacy Rule.
• Read about sharing mental and behavioral health information, including information related to opioid overdose, under HIPAA.

Using Technology to Enable Privacy and Manage Patient Choice – Consent Management

Check out these resources:

• 2015 Edition Final Rule: Data Segmentation for Privacy (DS4P) [PDF – 568 KB]
• 2015 Edition Health Information Technology (Health IT) Certification Criteria, Base Electronic Health Record (EHR) Definition, and ONC Health IT Certification Program Modifications Final Rule [PDF – 265 KB]

The following resources — developed by the Office of the National Coordinator (ONC), the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), and other HHS departments — will help you incorporate privacy and security into your electronic health record (EHR) system.

In addition to the video below, the Guide to Privacy and Security of Electronic Health Information, you will find tools, guidance documents, and educational materials designed to help you better integrate the Health Insurance Portability and Accountability Act (HIPAA) and other federal health information privacy and security regulations into your practice.

Read more about how to protect and secure patients' health information when using mobile devices.

The (HIPAA) Security Rule requires covered entities and their business associates to conduct a risk assessment of their healthcare organization. Conducting a security risk assessment involves identifying, estimating, and prioritizing information security risks that could compromise the confidentiality, integrity, and availability of protected health information in a healthcare practice. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards.

Assessing the risks in a practice and implementing solutions to mitigate them supports our national and economic security by ensuring we maintain a reliable and functioning healthcare infrastructure.

To help protect patient information and the framework that enables health information exchange, the U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) worked with the Office for Civil Rights (OCR) to provide a Security Risk Assessment (SRA) Tool.

In October 2019, HHS released version 3.1 of the popular tool. The tool is designed to aid small and medium sized health care organizations in their efforts to assess potential security risks to the confidentiality, integrity, and availability of ePHI. Conducting a thorough security risk analysis can help reduce the chance of identified vulnerabilities to your practice/organization being exploited, including malware, ransomware, and other cyberattacks.

Using the free SRA Tool can help your organization:

• Identify potential risks to ePHI. Your practice can use the tool to identify potential threats, like cyberattacks and theft, and vulnerabilities, like weak EHR login credentials. When you’re aware of these risks, you can develop more effective plans to protect ePHI.
• Review all electronic devices involved with ePHI. The tool can help you/your practice review all electronic devices that store or capture ePHI, including EHR hardware, software (like technical endpoints/APIs), and devices that can access data maintained in an EHR (like smartphones and tablets). You can also add documentation of risk identification and analysis processes, like vulnerability scans and site walkthroughs. Involve your EHR developer in the process.
• Assess your overall security risks regularly. As new cybersecurity threats emerge, it’s important to review and update your security protections regularly to keep ePHI secure. Your practice may choose to conduct this review annually or as needed (for example, when your practice adopts new technology). Remember, security risk management is an iterative and ongoing process.
• Meet HIPAA Security Rule requirements. The tool can help your practice meet HIPAA Security Rule requirements by uncovering weaknesses in your security policies, processes, and systems. The Security Rule pertains to all ePHI your organization creates, receives, maintains, or transmits—not just the ePHI in your EHR or other health IT products.

Note: The tool is meant to provide helpful assistance. Using the SRA Tool isn’t required by the HIPAA Security Rule and does not guarantee HIPAA compliance.

The current version of the SRA Tool includes functionality updates based on public input. New features include:

• Threat and vulnerability validation
• Improved asset and vendor management (multi-select and delete functions added)
• Incorporation of NIST Cybersecurity Framework references
• Capability to export the Detailed Report to Excel
• Addition of question flagging and a Flagged Report

Explore these resources to learn more about the SRA Tool:

• Download the interactive Security Risk Assessment Tool and review the User Guide for tips
• Read the HHS Guidance on Risk Analysis, including requirements under the HIPAA Security Rule

Learn more:

• Read about ransomware and how HIPAA compliance can help you prevent a ransomware infection
• Check out cybersecurity newsletters that identify emerging and prevalent issues and highlight best practices to safeguard protected health information
• View additional guidance on cybersecurity and ransomware, including a cybersecurity checklist and infographic

Learn more:

• Learn more about access right, health apps, & APIs
• Check out a learning module on application programming interfaces and the role they play in health information exchange
• Read a report on key privacy and security considerations for healthcare APIs