• Print

Privacy & Security

Guide to Privacy and Security of Electronic Health Information

Need help implementing the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules in your health care practice? Check out the Guide to Privacy and Security of Electronic Health Information [PDF - 1.27 MB].

The Office of the National Coordinator for Health Information Technology (ONC), in coordination with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), created the Guide to help you integrate privacy and security into your practice. The Guide covers a variety of topics highlighted below. Download a pdf of the full Guide [PDF - 1.27 MB] to learn more.

HIPAA Basics

The HIPAA Rules provide federal protections for patient health information held by Covered Entities (CEs) and Business Associates (BAs). HIPAA gives patients many rights with respect to their health information.

The Guide (especially Chapter 2) [PDF - 493 KB] provides details on the HIPAA Privacy, Security, and Breach Notification Rules, such as:

  • What types of information HIPAA protects
  • Who must comply with HIPAA
  • How patient information can be used and disclosed under the HIPAA Privacy Rule

Patient Health Information Rights

Under the HIPAA Privacy Rule, you have responsibilities to patients, which include:

  • Providing a Notice of Privacy Practices (NPP)
  • Responding to patients’ requests for:
    • Access to their Protected Health Information (PHI)
    • Amendments to their PHI
    • Accounting of disclosures
    • Restrictions on uses and disclosures of their health information
    • Confidential communications

Visit Chapter 3 of the Guide [PDF - 248 KB] to learn more about these areas of responsibility.

Electronic Health Records (EHRs) and Cybersecurity

Electronic PHI (ePHI) may exist in your practice in a variety of systems, including Electronic Health Records (EHRs). Because all electronic systems are vulnerable to cyber-attacks, you must consider all of your practice’s systems and technologies when conducting security efforts.

While a discussion of ePHI security goes far beyond EHRs, visit Chapter 4 of the Guide [PDF - 275 KB] to learn more about EHR security and cybersecurity.

Privacy and Security in Meaningful Use

You may be familiar with the Medicare and Medicaid EHR Incentive Programs (also called “Meaningful Use” Programs). The Meaningful Use Programs set staged requirements for providers. Providers receive incentive payments as they demonstrate progressively integrated EHR use.

Some of the Meaningful Use requirements relate to your practice’s obligations under the HIPAA Privacy and Security Rules. Visit Chapter 5 of the Guide [PDF - 254 KB] to learn more about the Stage 1 and Stage 2 Meaningful Use core objectives that address privacy and security.

Sample Seven-Step Approach for Implementing a Security Management Process

Chapter 6 [PDF - 561 KB] describes a sample seven-step approach that can help you implement a security management process in your organization. The approach includes help for addressing security-related requirements of Meaningful Use.

Breach Notification and HIPAA Enforcement

You have responsibilities to report breaches of unsecured PHI. To learn more about these requirements and HIPAA enforcement, visit Chapter 7 of the Guide [PDF - 323 KB]. CEs and BAs that fail to comply with the HIPAA Rules could face civil and criminal penalties.




This Guide is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this Guide.