Health IT Privacy and Security Resources
The Office of the National Coordinator for Health Information Technology (ONC), U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and other HHS agencies have developed a number of resources for you. These tools, guidance documents, and educational materials are intended to help you better integrate HIPAA and other federal health information privacy and security into your practice.
Tools and Templates
- Guide to Privacy and Security of Electronic Health Information [PDF - 1.3 MB]. ONC tool to help small health care practices in particular succeed in their privacy and security responsibilities. The Guide includes a sample seven-step approach for implementing a security management process.
- Security Risk Assessment (SRA) Tool. HHS downloadable tool to help providers from small practices navigate the security risk analysis process.
- Security Risk Analysis Guidance [PDF - 41 KB]. OCR’s expectations for how providers can meet the risk analysis requirements of the HIPAA Security Rule.
- HIPAA Security Toolkit Application. National Institute of Standards and Technology (NIST) toolkit to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.
- Certified Health IT Product List. ONC’s authoritative, comprehensive listing of complete Electronic Health Records (EHRs) and EHR modules that have been tested and certified under the ONC Health IT (HIT) Certification Program.
- Sample Business Associate Contract Provisions. OCR sample Business Associate (BA) contract language to help Covered Entities (CEs) more easily comply with the HIPAA Privacy Rule.
- TEMPLATE - Model Notices of Privacy Practices (NPPs). ONC and OCR’s customizable NPPs for use by providers and health plans.
- Mobile Devices – Keeping Health Information Private and Secure. ONC’s web page dedicated to resources for helping providers protect and secure health information on mobile devices.
Education and Training for Providers and Professionals
- HIPAA Privacy and Security Rules Training. Online modules on HIPAA Privacy, Security, and Breach Notification Rule compliance, developed by OCR and Medscape for health care professionals.
- Patient Privacy: A Guide for Providers
- HIPAA and You: Building a Culture of Compliance
- Examining Compliance with the HIPAA Privacy Rule
- Understanding the Basics of HIPAA Security Risk Analysis and Risk Management
- Your Mobile Device and Health Information Privacy and Security
- EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information
- HIPAA Security Rule Educational Paper Series. A series of educational papers on the HIPAA Security Rule, as well as additional links to HIPAA Security Rule guidance.
- Regional Extension Centers (RECs). ONC website offering information about RECs, which offer competent technical assistance to help providers in all phases of Electronic Health Record (EHR) adoption. To find your local REC, go to your state or county medical association and other professional associations for additional assistance. Find your closest REC by zip code.
- VIDEOS - Security Risk Assessment. ONC videos providing introductions to security risk analysis and contingency planning and offering instruction on how to use the Security Risk Assessment (SRA) Tool.
- Privacy and Security Training Games. ONC’s interactive game series on medical practice cybersecurity and contingency planning.
- Top 10 Tips for Cybersecurity in Health Care. ONC’s tips to help small health care practices apply cybersecurity and risk management principles.
- VIDEO - Ensuring the Security of Electronic Health Records. Short ONC video emphasizing the importance of keeping electronic health information safe and secure.
- Protecting ePHI in Offsite Use/Access [PDF- 153 KB]. OCR guidance on how to protect electronic Protected Health Information (ePHI) when it is accessed or used outside of the organization’s physical space.
- Health Care Professionals’ Privacy, Security, and Breach Notification Guide [PDF - 1.7 MB]. Centers for Medicare and Medicaid Services (CMS) fact sheet summarizing what HIPAA does and does not do or require.
- Meaningful Consent for Patients in Electronic Health Information Exchange. ONC’s web pages providing information about meaningful consent and the eConsent Trial.
- VIDEOS - Meaningful Consent. ONC videos giving an overview of the eConsent Trial, showing eConsent patient educational materials, and instructing on how to use Story Engine to create patient educational materials.
- Understanding and Preventing Medical Identity Theft. CMS booklet describing common medical identity theft schemes and how to guard against them.
- Emergency Readiness. ONC web page of resources on emergency preparedness for healthcare organizations.
- HIPAA and Emergency Situations. OCR web page of resources on HIPAA and emergency situations.
- SAFER Guides. ONC guides that enable health care organizations to address EHR safety in a variety of areas.
- VIDEOS - Data Segmentation. “Data segmentation” is the term often used to describe the electronic labeling or tagging of a patient’s health information in a way that allows patients or providers to electronically share parts, but not all, of a patient record. ONC videos provide an overview of data segmentation and offer a glimpse into some of the data segmentation initiatives.
Communicating with Patients about Health Information Privacy and Security
- Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care [PDF - 58.6 KB]. OCR guide providing information regarding when a provider is allowed to share a patient’s information under HIPAA.
- Guidance Materials for Consumers. OCR web page providing health information privacy rights resources for consumers, including a number of printer-friendly fact sheets.
- What Patients Need to Know about EHRs [PDF - 552 KB]. ONC brochure that providers can use to give patients more information about Electronic Health Records (EHRs).
- Patients and Families Portal on HealthIT.gov. ONC portal presenting health information technology information to patients and caregivers, with a focus on protecting the privacy and security of health information.
- How to File a Complaint. OCR web page instructing patients in how to file a complaint if they believe any of their privacy rights or any of the HIPAA Rules have been violated.
- VIDEO - Your Health Information, Your Rights. OCR video providing patients with insight into their health information rights under HIPAA.
- Protecting Your Privacy and Identity. Federal Trade Commission (FTC) web page to help consumers protect their personal information and identity.
- Health IT: How to Keep Your Health Information Private and Secure. ONC fact sheet instructing patients on how to secure their health information.
- VIDEOS - OCR Series of Patient VideosWeb Site Disclaimers. OCR series of videos that explains to patients their rights and responsibilities under HIPAA.
- Permitted Uses and Disclosures: Exchange for Health Care Operation [PDF - 673 KB]
- Permitted Uses and Disclosures: Exchange for Treatment [PDF - 732 KB]
- HIPAA Privacy Rule Summary. OCR summary of key elements of the Privacy Rule, including who is covered, what information is protected, and how information can be used and disclosed.
- HIPAA Security Rule Summary. OCR summary of key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place.
- Am I a Covered Entity? Assistance in determining if you are a Covered Entity (CE).
- HIPAA Breach Notification Rule. OCR summary of key elements of the Breach Notification Rule, including the legal definition of a breach.
- Instructions for Submitting a Breach Notification. OCR summary of what you are required to do if you have a breach.
- HIPAA Enforcement. OCR information about their HIPAA enforcement process and audit program.
- HIPAA Frequently Asked Questions (FAQs) Database. OCR’s searchable database providing information on a variety of topics related to HIPAA.
- De-Identifying Protected Health Information. OCR guidance on de-identification of PHI to enable you to aggregate patient data without violating patient privacy.
Meaningful Use Guidance
- Meaningful Use Official Website. Centers for Medicare and Medicaid Services (CMS) official information site for the Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs.
- EHR Incentives and Certification. ONC resource for general Meaningful Use information and the certification process for EHR technologies.
- An Introduction to the Medicare and Medicaid EHR Incentive Programs for Eligible Professionals. CMS brochure on the basics of the Meaningful Use program.
- Meaningful Use Eligibility Flow Chart. CMS flow chart to help providers determine if they are eligible for the Meaningful Use program.
- Stage 1 Meaningful Use. CMS resource for Stage 1 Meaningful Use information, including requirements which relate to privacy and security. (Scroll down to “2014 Definition Resources” and select “Eligible Professional 2014 Definition Spec Sheets.” Click on “(13) Protect electronic health information.”)
- Stage 2 Meaningful Use. CMS resource for Stage 2 Meaningful Use information, including requirements which relate to privacy and security. (Scroll down to “Stage 2 Resources” and click on “Stage 2 Meaningful Use Specification Sheet Table of Contents for Eligible Professionals.” Select (9) and (17) from this page.)
Other Federal and State Privacy and Security Resources
- Reports on Related State Law, Business Practices, and Policy. Health Information Security and Privacy Collaboration (HISPC) reports on state law, business practices, and policy variations related to privacy and security and the electronic exchange of health information.
- Health Information Privacy Law and Policy. ONC web page providing links to various federal, state, and organizational resources on the topic of health information privacy law and policy.
- Federal Advisory Committees (FACAs) – Health IT Policy Committee (HITPC) Privacy and Security Workgroup. Home page for the HITPC Privacy and Security Workgroup.