The Office of the National Coordinator for Health Information Technology Health IT Playbook

Privacy & Security

What do I need to know to protect the confidentiality, integrity, and availability of Protected Health Information (PHI) in my EHR system?

Privacy is an individual’s right to keep certain health information free from unauthorized access. Security is the set of controls that govern access to that information and protect it from accidental or intentional disclosure, alteration, or loss. Your practice is responsible for protecting the confidentiality, integrity, and availability of protected health information in your EHR system.

Everyone has a role to play in the privacy and security of electronic health information; it is truly a shared responsibility. Health care providers are required to comply with HIPAA, the federal law that protects a person’s right to privacy in their health information.

Adherence to privacy and security standards builds trust with your patients. When patients are confident that their electronic health information is kept confidential and accurate, they are more willing to share it, which gives you a more complete picture of their overall health so that together you can make better-informed decisions.

In addition, when breaches of health information occur, they can have serious consequences for your organization, including reputational and financial harm or harm to your patients. Poor privacy and security practices heighten the vulnerability of patient information in your health information system, increasing the risk of a successful cyber-attack.

Summary: Resources and guides for implementing the HIPAA privacy, security, and breach notification rules in your practice. The HIPAA Privacy and Security Rules require that covered entities protect protected health information and records by putting sound security business practices in place.

Overview
The Health Insurance Portability and Accountability Act (HIPAA) regulations define the requirements for safeguarding Protected Health Information (PHI) and the consequences of not doing so. The standards that have been developed under HIPAA are designed to protect the confidentiality, integrity, and availability of an individual’s health information.

The privacy standards apply to protected health information in any form, whereas the security standards apply only to that information in electronic form (ePHI). Fundamentally, the privacy standards give patients more control over their health information and set boundaries on the use and disclosure of health records. They also establish safeguards that providers and other covered entities must follow to protect the privacy of health information.

The security standards require covered entities (including providers) and their business associates to conduct a risk analysis of the systems that hold ePHI and to take appropriate steps to ensure the confidentiality, integrity, and availability of patient information. The Security Rule’s safeguards span the administrative, physical, and technical controls put in place to meet these requirements.

Patients and Their Caregivers Have a Right to Get Their Health Data
The HIPAA Privacy Rule has always provided individuals with the right to access and receive a copy of their health information from their doctors, hospitals, and health insurance plans. This right is critical to enabling individuals to take ownership of their health and well-being, and it supports your efforts to engage your patients. Individuals with access to their health information are better able to monitor chronic conditions, adhere to treatment plans, find and request corrections to errors in their records, track progress in wellness or disease management programs, and directly contribute their information to research. As the health care system evolves into one supported by rapid, secure exchange of electronic health information and by more targeted treatments discovered through the precision medicine model of patient-powered research, it is more important than ever for individuals to have ready access to their health information. To understand this right better from the patient’s perspective, see the videos ONC and OCR have published: https://www.healthit.gov/access.

Covered Entities and Business Associates
The HIPAA Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs) and give patients an array of rights with respect to that information. CEs are health plans, health care clearinghouses, and health care providers that conduct certain health care transactions (such as claims and billing) electronically. BAs, which create, receive, maintain, or transmit PHI on behalf of covered entities, must also comply.

This suite of regulations includes the Privacy Rule, which protects the privacy of individually identifiable health information; the Security Rule, which sets national standards for the security of electronic protected health information; and the Breach Notification Rule, which requires CEs and BAs to provide notification following a breach of unsecured protected health information.

Whether patient health information is on a computer, in an Electronic Health Record (EHR), on paper, or in other media, providers have responsibilities for safeguarding the information by meeting the requirements of the Rules.

Additional Resources
A selected set of privacy and security resources is included in the Playbook. For additional resources, go to ONC’s Health IT Privacy and Security Resources webpage.

Your Practice and the HIPAA Rules

Overview
Provides details on the HIPAA Privacy, Security and Breach Notification Rules, such as:
(1) What types of information HIPAA protects;
(2) Who must comply with HIPAA; and
(3) How patient information can be used and disclosed under the HIPAA Privacy Rule.

Who it’s for
Providers and health IT professionals

When it’s used
Use it for a wide variety of purposes, including EHR implementation planning and planning your information exchange strategy

Download Your Practice and the HIPAA Rules [PDF - 716 KB]

Breach Notification, HIPAA Enforcement, and Other Laws and Requirements

Overview
Informs providers how to meet reporting requirements for breaches of unsecured protected health information

Who it’s for
Providers and health IT professionals

When it’s used
For a deeper understanding of how HIPAA is enforced, or if a security breach occurs

Download Breach Notification, HIPAA Enforcement, and Other Laws and Requirements [PDF - 736 KB]

Permitted Uses and Disclosures: Exchange for Health Care Operations

Overview
Explains how HIPAA permits covered entities to share protected health information with each other for health care operations, such as quality assessment and improvement activities and care coordination

Who it’s for
Providers and health IT professionals

When it’s used
Use this when setting up policies and procedures for sharing data about patients with other healthcare organizations

Download Permitted Uses and Disclosures: Exchange for Health Care Operations [PDF - 656 KB]

Permitted Uses and Disclosures: Exchange for Treatment

Overview
Explains how HIPAA supports sharing of protected health information between and among health care providers to treat or coordinate care for their patients

Who it’s for
Providers and health IT professionals

When it’s used
Use this when setting up policies and procedures for sharing data about patients with other healthcare organizations

Download Permitted Uses and Disclosures: Exchange for Treatment [PDF - 700 KB]

HIPAA Enforcement

Overview
Explains how the HHS Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules, with enforcement highlights and case examples

Who it’s for
Providers and health IT professionals

When it’s used
When planning an EHR implementation, when developing privacy and security policies, when conducting a security risk assessment, when major system upgrades are implemented, when preparing for an audit

Visit HIPAA Enforcement site

Summary: Guidance, tools, and educational materials designed to help you better integrate privacy and security into your practice’s use of EHRs. The Office of the National Coordinator for Health Information Technology (ONC), the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and other HHS agencies have developed a number of resources for you. These tools, guidance documents, and educational materials are intended to help you better integrate HIPAA and other federal health information privacy and security requirements into your practice.

Additional Resources
The Guide to Privacy and Security of Electronic Health Information is listed first below, followed by additional resources.

Guide to Privacy and Security of Electronic Health Information

Overview
Helps providers better understand how to integrate federal health information privacy and security requirements into their practice

Who it’s for
Providers and health IT professionals

When it’s used
In all situations where you want a reliable quick reference to HIPAA privacy and security in an electronic environment

Visit the Guide to Privacy and Security of Electronic Health Information site

Mobile Device Privacy and Security

Overview
Answers the most commonly asked questions about mobile devices and their privacy and security risks

Who it’s for
Providers and health IT professionals

When it’s used
When developing privacy and security policies for mobile technologies, or when considering your organization’s use of mobile devices

Visit the Mobile Device Privacy and Security site

Privacy & Security Training Games

Overview
Provides web-based games to train users how to respond to privacy and security challenges regularly encountered in a typical small medical practice

Who it’s for
Providers and support staff

When it’s used
During all aspects of privacy and security education in your office and with staff or consultants

Check out Privacy & Security Training Games

Summary: Tools and resources to perform a risk analysis of your practice or organization to identify and address any security deficiencies or potential risks to electronic protected health information (ePHI).

The intent of the HIPAA Security Rule is to put good security business practices in place. A required step in that process is to conduct a Security Risk Analysis (SRA). An SRA is a structured set of questions that helps you identify the threats and vulnerabilities to the ePHI in your systems, assess the likelihood and impact of each risk, and decide how to mitigate it.

To comply with HIPAA, you must not only identify and document your practice’s vulnerabilities and threats, but also mitigate those risks with policies, procedures, and training.

In addition to the Security Risk Analysis process described here, please visit our Security Risk Assessment webpage for more helpful information and to download the HHS SRA tool. This tool assists medical and other health professionals in performing a security risk assessment of the protected health information in their systems.

Security Risk Assessment Tool

Overview
Assists medical and other health professionals in performing a security risk assessment of the protected health information in their systems

Who it’s for
Providers and health IT professionals

When it’s used
On a regular basis, to evaluate risk and when you have made changes to your technology or office security practices or policies

Visit the Security Risk Assessment Tool site

Top 10 Tips for Cybersecurity in Health Care

Overview
Gives advice to help organizations work toward the goal of having appropriate cybersecurity protections in place

Who it’s for
Providers and health IT professionals

When it’s used
When planning for an EHR implementation, when developing policies for privacy and security or when major system upgrades are implemented

Download Top 10 Tips for Cybersecurity in Health Care [PDF - 505 KB]

Take Steps to Protect and Secure Information When Using a Mobile Device

Overview
Provides tips for protecting and securing patient health information when using a mobile device

Who it’s for
Providers and support staff who use mobile devices to send, receive, or store patient health information

When it’s used
When planning an EHR implementation where mobile technology will be deployed, when planning to attest for Meaningful Use or when major system upgrades are implemented

Download Take Steps to Protect and Secure Information When Using a Mobile Device [PDF - 350 KB]

Sample Seven-Step Approach for Implementing a Security Management Process

Overview
Describes a seven-step approach for implementing a security management process consistent with the HIPAA Security Rule

Who it’s for
Providers and health IT professionals

When it’s used
When planning for an EHR implementation, when conducting a security risk assessment or when major system upgrades are implemented

Download Sample Seven-Step Approach for Implementing a Security Management Process [PDF - 555 KB]
