The Office of the National Coordinator for Health Information Technology Health IT Playbook

Section 7

Privacy & Security

How do I protect the confidentiality, integrity, and availability of personal health information in my EHR system?

Under federal regulation, your practice is responsible for protecting the confidentiality, integrity, and availability of personal health information that is maintained in or can be accessed through your electronic health record (EHR) system. “Privacy” generally refers to an individual’s ability to keep certain personal health information free from unauthorized access and the ability to access and share the information themselves. “Security” is the way your practice controls access and protects this information, including safeguarding it from accidental or intentional disclosure.

Protecting patient privacy and securing electronic health information is a shared responsibility. Adherence to privacy and security standards fosters patient trust. It assures patients that their electronic health information — while under your control — will remain confidential, accurate, and secure. This increases the likelihood that patients will share their health information with you, which gives clinicians a more complete picture of patients’ overall health. Together, clinicians and their patients can make better-informed decisions.

Health information breaches can have serious consequences. They can:

  • Harm patients
  • Damage an organization’s reputation
  • Cause financial harm

Poor privacy and security practices make the patient information available through your health information system more vulnerable to a successful cyber-attack.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations define the national standards (requirements) for securing an individual’s protected health information (PHI) and the consequences of not doing so.

The Security Rule requires appropriate administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of an individual’s electronic PHI (ePHI).

The Privacy Rule requires appropriate safeguards to ensure the privacy of PHI and sets limits and conditions on the uses and disclosures of such information without a patient’s authorization. The rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections. The privacy standards apply to personal health information in any form, whereas the security standards apply only to that information in electronic form.

The privacy standards give patients more control over their health information and set boundaries on the use and disclosure of health records. They also provide safeguards that clinicians and other covered entities — as well as their business associates — must follow to protect the privacy of health information.

The security standards require all clinicians to assess the risks to their information systems and take appropriate steps to ensure the confidentiality, integrity, and availability of personal health information.

Note: “Security” applies to the spectrum of physical, technical, and administrative safeguards put in place to meet these requirements. For example, the HIPAA Security Rule requires a covered entity to implement policies and procedures that authorize access to ePHI only when such access is appropriate based on the user’s or recipient’s role.

Covered entities and business associates

Under HIPAA Rules, covered entities (CEs) and business associates (BAs) must institute federal protections for personal health information created, received, used, or maintained by or on behalf of a covered entity, and patients have an array of rights with respect to that information.

CEs include health plans, healthcare clearinghouses, and clinicians who conduct certain healthcare transactions electronically, including billing. In addition, BAs who maintain this information — on behalf of covered entities — must comply with the Privacy Rule, the Security Rule, and the Business Associate Agreement (BAA) with the CE.

This suite of HIPAA regulations includes:

  • The Privacy Rule, which protects the privacy of individually identifiable health information
  • The Security Rule, which sets national standards for the security of electronic protected health information
  • The Breach Notification Rule, which requires CEs to notify affected individuals, the HHS secretary, and, in certain circumstances, the media after a breach of unsecured protected health information. Business Associates must provide breach notification to the CE or another BA.

Whether personal health information is on a computer or mobile device, in an EHR, on paper, or in other media, clinicians have a responsibility to meet applicable HIPAA Rules requirements for safeguarding health information.

Patients, and their caregivers, have a right to access their health information. The HIPAA Privacy Rule generally requires health plans and most healthcare providers (clinicians and hospitals) to provide individuals, upon request, with access to their protected health information in one or more “designated record sets” maintained by or on behalf of the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual’s choice.

Learn more:

  • Read about how you can make these powerful tools work for you and how you can choose patient access training and technical resources for your practice or clinic.

Individuals and their personal representatives (caregivers) have the right to access this PHI regardless of:

  • The date the information was created
  • Whether the information is maintained in paper or electronic systems onsite or remotely or is archived
  • Where the PHI originated

This helps individuals take control of their health and well-being, and it helps clinicians engage their patients.

Individuals with access to their health information are better able to:

  • Monitor chronic conditions
  • Adhere to treatment plans
  • Find errors in their records and request fixes
  • Track progress in wellness or disease management programs
  • Directly contribute their information to research

Healthcare is evolving into a system supported by rapid, secure exchange of electronic health information, and the new precision medicine model of patient-powered research is discovering more targeted treatments. Thus, it’s more important than ever for individuals to have ready access to their health information.

Individuals have the right to see their health records, get a copy of the information, and have it sent to a specialist or other designated third party — including to a mobile app or researcher. To learn more, watch these videos about the right to access from the patient’s perspective published by the U.S. Department of Health and Human Services’ Office of the National Coordinator (ONC) and the Office for Civil Rights (OCR), the federal enforcer of the HIPAA Rules. To help better understand how to implement this right for your patients, check out these FAQs.

To learn more about the HIPAA Privacy Rule Right of Access, including how you can integrate it into your practice, consider taking HHS-developed online training. Participants receive free Continuing Medical Education or Continuing Education credit.

Patient consent

The HIPAA Privacy Rule permits CEs to get patient consent before using or disclosing protected health information for treatment, payment, and health care operations (TPO). However, patient consent isn’t required for TPO under HIPAA. Entities can share PHI digitally or by phone, fax, or mail.

But many entities and states have adopted their own policies or laws requiring patient consent. When CEs are in different states, it is important to understand whether a state law applies to the sharing of protected health information.

Learn more about patient consent for electronic health information exchange and interoperability.

Read about patient consent for the disclosure of substance use disorder records.

Note: This playbook includes a selected set of privacy and security resources. For more information, visit ONC’s Health IT Privacy and Security Resources webpage.

Additional resources

The HIPAA Privacy and Security Rules require clinicians to protect personal health information and records by establishing sound security business practices. The following resources and guides will help you implement HIPAA Privacy, Security, and Breach Notification Rules.

Your Practice and the HIPAA Rules

Overview
Provides details on the HIPAA Privacy, Security, and Breach Notification Rules, such as:

  • What types of information HIPAA protects
  • Who must comply with HIPAA
  • How patient information can be used and disclosed under the HIPAA Privacy Rule

Who it’s for
Clinicians and health IT professionals

When it’s used
To plan for a wide variety of activities, such as EHR implementation and development of an information exchange strategy

Download Your Practice and the HIPAA Rules [PDF – 716 KB]

Breach Notification, HIPAA Enforcement, and Other Laws and Requirements

Overview
Informs clinicians about how to meet reporting requirements for breaches of unsecured personal health information

Who it’s for
Clinicians and health IT professionals

When it’s used
To gain a deeper understanding of HIPAA enforcement and what to do if a breach occurs

Download Breach Notification, HIPAA Enforcement, and Other Laws and Requirements [PDF – 736 KB]

Permitted Uses and Disclosures: Exchange for Treatment

Overview
Explains how HIPAA supports sharing personal health information between and among healthcare clinicians to treat patients

Who it’s for
Clinicians and health IT professionals

When it’s used
To set up policies and procedures for sharing patient data with other healthcare organizations

Download Permitted Uses and Disclosures: Exchange for Treatment [PDF – 700 KB]

Permitted Uses and Disclosures: Exchange for Healthcare Operations

Overview
Explains how HIPAA supports sharing personal health information between and among healthcare clinicians to coordinate patient care

Who it’s for
Clinicians and health IT professionals

When it’s used
To set up policies and procedures for sharing patient data with other healthcare organizations

Download Permitted Uses and Disclosures: Exchange for Healthcare Operations [PDF – 656 KB]

Permitted Uses and Disclosures: Exchange for Public Health Activities

Overview
Explains how HIPAA supports sharing personal health information with public health agencies authorized by state or federal law to collect that information

Who it’s for
Clinicians, public health organizations, and health IT professionals

When it’s used
To set up policies and procedures for sharing patient data with other healthcare organizations for public health activities

Download Permitted Uses and Disclosures: Exchange for Public Health Activities [PDF – 946 KB]

Permitted Uses and Disclosures: Exchange for Health Oversight Activities

Permitted Uses and Disclosures: Exchange of Health Information at the Federal, State, and Local Level

Overview
Explains how a key provision of the HIPAA Privacy Rule permits covered entities to share protected health information electronically with health oversight agencies without obtaining written authorization from the individual or patient

Who it’s for
Clinicians, health plans, nursing homes, and hospitals

When it’s used
To set up policies and procedures for sharing patient data with federal, state, and local organizations for health oversight activities

Download Permitted Uses and Disclosures: Exchange for Health Oversight Activities [PDF – 770 KB]

HIPAA Enforcement

Overview
Explains how the U.S. Department of Health and Human Services (HHS) Office for Civil Rights enforces the HIPAA Privacy and Security Rules

Who it’s for
Clinicians and health IT professionals

When it’s used
Use it:

  • To plan an EHR implementation
  • To develop privacy and security policies
  • To conduct a security risk assessment
  • To implement major system upgrades
  • To prepare for an audit

Visit HIPAA Enforcement website

The following resources — developed by the Office of the National Coordinator (ONC), the U.S. Department of Health and Human Services (HHS), the Office for Civil Rights (OCR), and other HHS departments — will help you incorporate privacy and security into your electronic health record (EHR) system.

In addition to the Guide to Privacy and Security of Electronic Health Information, introduced in the video below, you will find tools, guidance documents, and educational materials designed to help you better integrate the Health Insurance Portability and Accountability Act (HIPAA) and other federal health information privacy and security regulations into your practice.

Guide to Privacy and Security of Electronic Health Information

Overview
Helps clinicians better understand how to integrate federal health information privacy and security requirements into their practice

Who it’s for
Clinicians and health IT professionals

When it’s used
To quickly reference information about HIPAA privacy and security in an electronic environment

Visit the Guide to Privacy and Security of Electronic Health Information

Mobile Devices and Protected Health Information (PHI)

Overview
Tips to help protect and secure PHI while using mobile devices

Who it’s for
Clinicians and health IT professionals

When it’s used
To develop policies for privacy and security for mobile technologies or to consider your organization’s use of mobile devices

Download Mobile Devices and Protected Health Information (PHI) [PDF – 625 KB]

Privacy & Security Training Games

Overview
Provides web-based games to train users on how to respond to privacy and security challenges regularly encountered in typical small medical practices

Who it’s for
Clinicians and support staff

When it’s used
To address all aspects of privacy and security education of staff or consultants

Check out Privacy & Security Training Games

The HIPAA Security Rule requires covered entities and their business associates to conduct a risk assessment of their healthcare organization. Conducting a security risk assessment involves identifying, estimating, and prioritizing information security risks that could compromise the confidentiality, integrity, and availability of protected health information in a healthcare practice. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards.

Assessing the risks in a practice and implementing solutions to mitigate them supports our national and economic security by ensuring we maintain a reliable and functioning healthcare infrastructure.

To help protect patient information and the framework that enables health information exchange, the U.S. Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology (ONC) worked with the Office for Civil Rights (OCR) to provide a Security Risk Assessment (SRA) Tool.

In October 2019, HHS released version 3.1 of the popular tool. The tool is designed to aid small and medium-sized health care organizations in their efforts to assess potential security risks to the confidentiality, integrity, and availability of ePHI. Conducting a thorough security risk analysis can help reduce the chance that identified vulnerabilities in your practice or organization are exploited by malware, ransomware, and other cyberattacks.

Using the free SRA Tool can help your organization:

  • Identify potential risks to ePHI. Your practice can use the tool to identify potential threats, like cyberattacks and theft, and vulnerabilities, like weak EHR login credentials. When you’re aware of these risks, you can develop more effective plans to protect ePHI.
  • Review all electronic devices involved with ePHI. The tool can help your practice review all electronic devices that store or capture ePHI, including EHR hardware, software (like technical endpoints/APIs), and devices that can access data maintained in an EHR (like smartphones and tablets). You can also add documentation of risk identification and analysis processes, like vulnerability scans and site walkthroughs. Involve your EHR developer in the process.
  • Assess your overall security risks regularly. As new cybersecurity threats emerge, it’s important to review and update your security protections regularly to keep ePHI secure. Your practice may choose to conduct this review annually or as needed (for example, when your practice adopts new technology). Remember, security risk management is an iterative and ongoing process.
  • Meet HIPAA Security Rule requirements. The tool can help your practice meet HIPAA Security Rule requirements by uncovering weaknesses in your security policies, processes, and systems. The Security Rule pertains to all ePHI your organization creates, receives, maintains, or transmits — not just the ePHI in your EHR or other health IT products.

Note: The tool is meant to provide helpful assistance. Using the SRA Tool isn’t required by the HIPAA Security Rule and does not guarantee HIPAA compliance.

The current version of the SRA Tool includes functionality updates based on public input. New features include:

  • Threat and vulnerability validation
  • Improved asset and vendor management (multi-select and delete functions added)
  • Incorporation of NIST Cybersecurity Framework references
  • Capability to export the Detailed Report to Excel
  • Addition of question flagging and a Flagged Report

Security Risk Assessment Tool

Overview
A software application for healthcare providers to perform and document their security risk assessment

Who it’s for
Small to medium-sized practices and their business associates

When it’s used
To perform an assessment of the risks to your environment annually or as needed, and help you identify potential threats and vulnerabilities to ePHI

Visit the Security Risk Assessment Tool website

Explore these resources to learn more about the SRA Tool:

Top 10 Tips for Cybersecurity in Healthcare

Overview
Tips to help small healthcare practices apply cybersecurity and risk management principles

Who it’s for
Small healthcare practices

When it’s used
To educate staff on privacy and security awareness, to plan an electronic health record (EHR) implementation, to develop policies for privacy and security, or to implement major system upgrades

Download Top 10 Tips for Cybersecurity in Healthcare [PDF – 505 KB]

Take Steps to Protect and Secure Information When Using a Mobile Device

Overview
Tips for protecting and securing patient health information on mobile devices

Who it’s for
Clinicians and support staff who use mobile devices to send, receive, transmit, or store patient health information

When it’s used
To educate staff on privacy and security awareness, to plan an EHR implementation involving mobile technology, or to implement major system upgrades

Download Take Steps to Protect and Secure Information When Using a Mobile Device [PDF – 350 KB]

Sample 7-Step Approach for Implementing a Security Management Process

Overview
A 7-step approach for implementing a security management process consistent with the HIPAA Security Rule

Who it’s for
Covered entities and business associates

When it’s used
To educate staff on privacy and security awareness, to plan an EHR implementation, to conduct a security risk assessment, or to implement major system upgrades

Download Sample 7-Step Approach for Implementing a Security Management Process [PDF – 555 KB]

Section 7 Recap

Protect the confidentiality, integrity, and availability of personal health information.

  • Protect personal health information
  • Explore more privacy and security resources
  • Perform a risk assessment of your practice

Content last updated on: March 11, 2020