Privacy and Security

Health Information Privacy, Security, and Your EHR

If your patients lack trust in Electronic Health Records (EHRs) and Health Information Exchanges (HIEs), feeling that the confidentiality and accuracy of their electronic health information is at risk, they may not want to disclose health information to you. Withholding their health information could have life-threatening consequences. To reap the promise of digital health information to achieve better health outcomes, smarter spending, and healthier people, providers and individuals alike must trust that an individual’s health information is private and secure.

Your practice, not your EHR developer, is responsible for taking the steps needed to protect the confidentiality, integrity, and availability of health information in your EHR system.


Cybersecurity Game shield icon


Your Medical Practice

Play the Game

Integrating Privacy & Security Into Your Medical Practice

The HIPAA Privacy and Security Rules protect the privacy and security of individually identifiable health information. HIPAA Rules have detailed requirements regarding both privacy and security.

  • The HIPAA Privacy Rule covers protected health information (PHI) in any medium.
  • The HIPAA Security Rule covers electronic protected health information (ePHI).

In addition to HIPAA, you must comply with all other applicable federal, state, and local laws.

Security Risk Assessment

The security management process standard is a requirement of the HIPAA Security Rule, and conducting a risk analysis is one of the requirements that implement that standard. ONC worked with OCR to create a Security Risk Assessment (SRA) Tool to help guide health care providers, especially those in small practices, through the risk assessment process.

Use of this tool is not required by the HIPAA Security Rule; it is provided as helpful assistance.

Privacy & Security and Meaningful Use

HIPAA privacy and security requirements are embedded in the Medicare and Medicaid EHR Incentive Programs through Meaningful Use requirements. To fulfill the requirements of Meaningful Use, eligible providers need to “attest” that they have met certain measures or requirements regarding the use of the EHR for patient care.

Learn more about privacy, security, and Meaningful Use in Chapter Five of the downloadable Privacy & Security Guide.

Download Chap. 5 [PDF- 278 KB]

Mobile Devices Privacy and Security

Health IT: Mobile Devices Privacy and Security
Privacy & Security Resources

Get started today! The HHS Office of the National Coordinator for Health IT (ONC), the Office for Civil Rights (OCR), and other HHS agencies have developed and issued a number of guidance documents, tools, and educational materials designed to help you better integrate privacy and security into your practice’s use of EHRs. A brief description of each resource is provided, along with a direct link.