The Office of the National Coordinator for Health Information Technology Health IT Playbook

Section 6

Privacy & Security

How do I protect the confidentiality, integrity, and availability of personal health information in my EHR system?

Privacy refers to an individual’s right to keep certain personal health information free from unauthorized access. Security is the means to control access and to protect this information from accidental or intentional disclosure. Your practice is responsible for protecting the confidentiality, integrity, and availability of personal health information in your electronic health record (EHR) system.

Everyone plays a role in securing electronic health information — it’s truly a shared responsibility. Health care providers must comply with the law that protects a person’s right to privacy.

Adherence to privacy and security standards fosters patient trust. It assures patients that their electronic health information — while under your control — will remain confidential, accurate, and secure. This creates an environment where patients are more willing to share their health information, which gives providers a more complete picture of patients’ overall health. Together, providers and their patients can make more-informed decisions.

Health information breaches can have serious consequences for your organization. Security breaches can:

  • Harm patients
  • Damage an organization’s reputation
  • Cause financial harm

Poor privacy and security practices make the patient information in your health information system more vulnerable and increase the risk of a successful cyber-attack.

The Health Insurance Portability and Accountability Act (HIPAA) regulations define the requirements for safeguarding personal health information (PHI) and the consequences of not doing so. The standards developed under HIPAA protect the confidentiality, integrity, and availability of an individual’s health information.

The privacy standards apply to personal health information in any form, whereas the security standards apply only to that information in electronic form.

The privacy standards give patients more control over their health information and set boundaries on the use and disclosure of health records. They also provide safeguards that providers and other covered entities must follow to protect the privacy of health information.

The security standards require all providers to assess the risks to their information systems and to take appropriate steps to ensure the confidentiality, integrity, and availability of patient information.

Note: Security applies to the spectrum of physical, technical, and administrative safeguards put in place to meet these requirements.

Patients, and their caregivers, have a right to their health data

HIPAA gives individuals the right to access and receive a copy of their health information from their doctors, hospitals, and health insurance plans. This critical right helps individuals take ownership of their health and well-being, and it supports providers’ desire to engage their patients.

Individuals with access to their health information are better able to:

  • Monitor chronic conditions
  • Adhere to treatment plans
  • Find and request fixes to errors in their records
  • Track progress in wellness or disease-management programs
  • Directly contribute their information to research

Health care is evolving into a system supported by rapid, secure exchange of electronic health information, and the new precision-medicine model of patient-powered research is discovering more targeted treatments. Thus, it’s more important than ever for individuals to have ready access to their health information.

Learn more with these videos about the right to access from the patient's perspective, published by the Office of the National Coordinator (ONC) and the Office for Civil Rights.

Covered Entities and Business Associates

HIPAA Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs), and they give patients an array of rights with respect to that information.

CEs include health plans, health care clearinghouses, and providers who bill electronically. In addition, BAs who maintain this information — on behalf of covered entities — must comply with the Security Rule and the Business Associate Agreement (BAA) with the CE.

This suite of HIPAA regulations includes:

  • The Privacy Rule, which protects the privacy of individually identifiable health information
  • The Security Rule, which sets national standards for the security of electronic protected health information
  • The Breach Notification Rule, which requires CEs and BAs to provide notification following a breach of unsecured protected health information

Whether patient health information resides on a computer, in an EHR, on paper, or in other media, providers have a responsibility to meet the HIPAA Rules requirements for safeguarding health information.

Note: This Playbook includes a selected set of privacy and security resources. For more information, visit ONC’s Health IT Privacy and Security Resources webpage.

Additional resources

The HIPAA Privacy and Security Rules require providers to protect personal health information and records by establishing sound security business practices. The following resources and guides will help you implement HIPAA privacy, security, and breach notification rules.

Your Practice and the HIPAA Rules

Overview
Provides details on the HIPAA Privacy, Security, and Breach Notification Rules, such as:

  • What types of information HIPAA protects
  • Who must comply with HIPAA
  • How patient information can be used and disclosed under the HIPAA Privacy Rule

Who it’s for
Providers and health IT professionals

When it’s used
To address a wide variety of purposes, such as planning EHR implementation and planning an information exchange strategy

Download Your Practice and the HIPAA Rules [PDF - 716 KB]

Breach Notification, HIPAA Enforcement, and Other Laws and Requirements

Overview
Informs providers how to meet reporting requirements for unsecured personal health information breaches

Who it’s for
Providers and health IT professionals

When it’s used
To gain a deeper understanding of HIPAA enforcement, or if a security breach occurs

Download Breach Notification, HIPAA Enforcement, and Other Laws and Requirements [PDF - 736 KB]

Permitted Uses and Disclosures: Exchange for Health Care Operation

Overview
Explains how HIPAA supports sharing personal health information between and among health care providers to treat or coordinate patient care

Who it’s for
Providers and health IT professionals

When it’s used
To set up policies and procedures for sharing patient data with other health care organizations

Download Permitted Uses and Disclosures: Exchange for Health Care Operation [PDF - 656 KB]

Permitted Uses and Disclosures: Exchange for Treatment

Overview
Explains how HIPAA supports sharing personal health information between and among health care providers to treat or coordinate patient care

Who it’s for
Providers and health IT professionals

When it’s used
To set up policies and procedures for sharing patient data with other health care organizations

Download Permitted Uses and Disclosures: Exchange for Treatment [PDF - 700 KB]

Permitted Uses and Disclosures: Exchange for Public Health Activities

Overview
Explains how HIPAA supports sharing personal health information with public health agencies authorized by state or federal law to collect that information

Who it’s for
Providers, public health organizations, and health IT professionals

When it’s used
To set up policies and procedures for sharing patient data with other health care organizations for public health activities

Download Permitted Uses and Disclosures: Exchange for Public Health Activities [PDF - 946 KB]

Permitted Uses and Disclosures: Exchange of Health Information at the Federal, State, and Local Level

Overview
Explains how a key provision of the HIPAA Privacy Rule permits covered entities to share protected health information electronically with health oversight agencies without obtaining written authorization from the individual or patient

Who it’s for
Physicians, health plans, nursing homes, and hospitals

When it’s used
To set up policies and procedures for sharing patient data with federal, state, and local organizations for health oversight activities

Download Permitted Uses and Disclosures: Exchange of Health Information at the Federal, State, and Local Level [PDF - 770 KB]

HIPAA Enforcement

Overview
Explains how the U.S. Department of Health and Human Services (HHS) Office for Civil Rights enforces the HIPAA Privacy and Security Rules, and presents enforcement highlights and case examples

Who it’s for
Providers and health IT professionals

When it’s used
Use it to:

  • Plan an EHR implementation
  • Develop privacy and security policies
  • Conduct a security risk assessment
  • Implement major system upgrades
  • Prepare for an audit

Visit HIPAA Enforcement website

The following resources — developed by the Office of the National Coordinator (ONC), the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), and other HHS departments — will help you incorporate privacy and security into your electronic health record (EHR) system.

In addition to the video below, Guide to Privacy and Security of Electronic Health Information, you will find tools, guidance documents, and educational materials designed to help you better integrate the Health Insurance Portability and Accountability Act (HIPAA) and other federal health information privacy and security regulations into your practice.

Guide to Privacy and Security of Electronic Health Information

Overview
Helps providers better understand how to integrate federal health information privacy and security requirements into their practice

Who it’s for
Providers and health IT professionals

When it’s used
For a reliable, quick reference to HIPAA privacy and security in an electronic environment

Visit the Guide to Privacy and Security of Electronic Health Information website

Mobile Device Privacy and Security

Overview
Answers the most commonly asked questions about mobile devices and their privacy and security risk

Who it’s for
Providers and health IT professionals

When it’s used
To develop policies for privacy and security for mobile technologies, or to consider your organization’s use of mobile devices

Visit the Mobile Device Privacy and Security website

Privacy & Security Training Games

Overview
Provides web-based games to train users how to respond to privacy and security challenges regularly encountered in a typical small medical practice

Who it’s for
Providers and support staff

When it’s used
To address all aspects of privacy and security education of staff or consultants

Check out Privacy & Security Training Games

Conducting a security risk assessment is a process of identifying, estimating, and prioritizing information security risks that could compromise the confidentiality, availability, or integrity of protected health information in a health care practice.

Assessing the risks in a practice and implementing solutions to mitigate them supports our national and economic security by ensuring we maintain a reliable and functioning health care infrastructure.

To help protect patient information and the framework that enables health information exchange, the Office of the National Coordinator for Health Information Technology (ONC) worked with the Office for Civil Rights (OCR) to provide a Security Risk Assessment Tool.

Security Risk Assessment Tool

Overview
A software application that helps health care providers perform and document a security risk assessment

Who it’s for
Small to medium-sized practices and their business associates

When it’s used
To make an annual assessment of the risks to your environment, to evaluate the impact of changes, and to attest for the CMS EHR Incentive Program

Visit the Security Risk Assessment Tool website

Top 10 Tips for Cybersecurity in Health Care

Overview
Tips to help small health care practices apply cybersecurity and risk management principles

Who it’s for
Small health care practices

When it’s used
To educate staff on privacy and security awareness, to plan an electronic health record (EHR) implementation, to develop policies for privacy and security, or to implement major system upgrades

Download Top 10 Tips for Cybersecurity in Health Care [PDF - 505 KB]

Take Steps to Protect and Secure Information When Using a Mobile Device

Overview
Provides tips for protecting and securing patient health information on mobile devices

Who it’s for
Providers and support staff who use mobile devices to send, receive, transmit, or store patient health information

When it’s used
To educate staff on privacy and security awareness, to plan an EHR implementation involving mobile technology, to plan attestation for Meaningful Use, or to implement major system upgrades

Download Take Steps to Protect and Secure Information When Using a Mobile Device [PDF - 350 KB]

Sample 7-Step Approach for Implementing a Security Management Process

Overview
Describes a 7-step approach for implementing a security-management process consistent with the HIPAA Security Rule

Who it’s for
Covered entities and business associates

When it’s used
To educate staff on privacy and security awareness, to plan an EHR implementation, to conduct a security-risk assessment, or to implement major system upgrades

Download Sample 7-Step Approach for Implementing a Security Management Process [PDF - 555 KB]

Section 6 Recap

Protect the confidentiality, integrity, and availability of personal health information.

  • Protect personal health information
  • Explore more privacy and security resources
  • Perform a risk assessment of your practice

Content last updated on: May 31, 2017