The Office of the National Coordinator for Health Information Technology (ONC), U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and other HHS agencies have developed a number of resources for you. These tools, guidance documents, and educational materials are intended to help you better integrate HIPAA and other federal health information privacy and security into your practice.
Tools and Templates
- Sync for Science (S4S) API Privacy and Security [PDF - 939 KB]. Led an independent privacy and security technical and administrative testing, analysis, and assessment of a voluntary subset of S4S pilot organizations’ implementations of the S4S API.
- Guide to Privacy and Security of Electronic Health Information [PDF – 1.3 MB]. ONC tool to help small health care practices in particular succeed in their privacy and security responsibilities. The Guide includes a sample seven-step approach for implementing a security management process.
- Security Risk Assessment (SRA) Tool. HHS downloadable tool to help providers from small practices navigate the security risk analysis process.
- Security Risk Analysis Guidance . OCR’s expectations for how providers can meet the risk analysis requirements of the HIPAA Security Rule.
- HIPAA Security Toolkit Application. National Institute of Standards and Technology (NIST) toolkit to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.
- Certified Health IT Product List. ONC’s authoritative, comprehensive listing of complete Electronic Health Records (EHRs) and EHR modules that have been tested and certified under the ONC Health IT (HIT) Certification Program.
- Sample Business Associate Contract Provisions. OCR sample Business Associate (BA) contract language to help Covered Entities (CEs) more easily comply with the HIPAA Privacy Rule.
- TEMPLATE - Model Notices of Privacy Practices (NPPs). ONC and OCR’s customizable NPPs for use by providers and health plans.
- Mobile Devices – Keeping Health Information Private and Secure. ONC’s web page dedicated to resources for helping providers protect and secure health information on mobile devices.
Education and Training for Providers and Professionals
- HIPAA Privacy and Security Rules Training. Online modules on HIPAA Privacy, Security, and Breach Notification Rule compliance, developed by OCR and Medscape for health care professionals.
- Patient Privacy: A Guide for Providers
- HIPAA and You: Building a Culture of Compliance
- Examining Compliance with the HIPAA Privacy Rule
- Understanding the Basics of HIPAA Security Risk Analysis and Risk Management
- Your Mobile Device and Health Information Privacy and Security
- EHRs and HIPAA: Steps for Maintaining the Privacy and Security of Patient Information
- HIPAA Security Rule Educational Paper Series. A series of educational papers on the HIPAA Security Rule, as well as additional links to HIPAA Security Rule guidance.
- Regional Extension Centers (RECs). ONC website offering information about RECs, which offer competent technical assistance to help providers in all phases of Electronic Health Record (EHR) adoption. To find your local REC, go to your state or county medical association and other professional associations for additional assistance. Find your closest REC by zip code.
- VIDEOS - Security Risk Assessment. ONC videos providing introductions to security risk analysis and contingency planning and offering instruction on how to use the Security Risk Assessment (SRA) Tool.
- Privacy and Security Training Games. ONC’s interactive game series on medical practice cybersecurity and contingency planning.
- Top 10 Tips for Cybersecurity in Health Care. ONC’s tips to help small health care practices apply cybersecurity and risk management principles.
- VIDEO - Ensuring the Security of Electronic Health Records. Short ONC video emphasizing the importance of keeping electronic health information safe and secure.
- Health Care Professionals’ Privacy, Security, and Breach Notification Guide [PDF - 1.7 MB]. Centers for Medicare and Medicaid Services (CMS) fact sheet summarizing what HIPAA does and does not do or require.
- Meaningful Consent for Patients in Electronic Health Information Exchange. ONC’s web pages providing information about meaningful consent and the eConsent Trial.
- Understanding and Preventing Medical Identity Theft. CMS booklet describing common medical identity theft schemes and how to guard against them.
- Emergency Readiness. ONC web page of resources on emergency preparedness for healthcare organizations.
- HIPAA and Emergency Situations. OCR web page of resources on HIPAA and emergency situations.
- SAFER Guides. ONC guides that enable health care organizations to address EHR safety in a variety of areas.
- VIDEOS - Data Segmentation. “Data segmentation” is the term often used to describe the electronic labeling or tagging of a patient’s health information in a way that allows patients or providers to electronically share parts, but not all, of a patient record. ONC videos provide an overview of data segmentation and offer a glimpse into some of the data segmentation initiatives.
Communicating with Patients about Health Information Privacy and Security
- Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care [PDF - 58.6 KB]. OCR guide providing information regarding when a provider is allowed to share a patient’s information under HIPAA.
- Guidance Materials for Consumers. OCR web page providing health information privacy rights resources for consumers, including a number of printer-friendly fact sheets.
- Patients and Families Portal on HealthIT.gov. ONC portal presenting health information technology information to patients and caregivers, with a focus on protecting the privacy and security of health information.
- Permitted Uses and Disclosures: Exchange for Health Oversight Activities [PDF - 750 KB] | Versión en Español
- Permitted Uses and Disclosures: Exchange for Health Care Operation [PDF - 673 KB] | Versión en Español
- Permitted Uses and Disclosures: Exchange for Treatment [PDF - 732 KB] | Versión en Español
- Permitted Uses and Disclosures: Exchange for Public Health Activities [PDF - 921 KB]
- HIPAA Privacy Rule Summary. OCR summary of key elements of the Privacy Rule, including who is covered, what information is protected, and how information can be used and disclosed.
- HIPAA Security Rule Summary. OCR summary of key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place.
- Am I a Covered Entity? Assistance in determining if you are a Covered Entity (CE).
- HIPAA Breach Notification Rule. OCR summary of key elements of the Breach Notification Rule, including the legal definition of a breach.
- Instructions for Submitting a Breach Notification. OCR summary of what you are required to do if you have a breach.
- HIPAA Enforcement. OCR information about their HIPAA enforcement process and audit program.
- HIPAA Frequently Asked Questions (FAQs) Database. OCR’s searchable database providing information on a variety of topics related to HIPAA.
- De-Identifying Protected Health Information. OCR guidance on de-identification of PHI to enable you to aggregate patient data without violating patient privacy.
Other Federal and State Privacy and Security Resources
- Reports on Related State Law, Business Practices, and Policy. Health Information Security and Privacy Collaboration (HISPC) reports on state law, business practices, and policy variations related to privacy and security and the electronic exchange of health information.
- Health Information Privacy Law and Policy. ONC web page providing links to various federal, state, and organizational resources on the topic of health information privacy law and policy.
- Federal Advisory Committees (FACAs) – Health IT Policy Committee (HITPC) Privacy and Security Workgroup. Home page for the HITPC Privacy and Security Workgroup.
- Prior HITPC Privacy & Security Tiger Team/Working Group Recommendations to the National Coordinator
- Personal Health Records (PHR) Roundtable. Materials from "Personal Health Records — Understanding the Evolving Landscape". The Roundtable was designed to inform ONC’s Congressionally mandated report on privacy and security requirements for non-Covered Entities (non-CEs), with a focus on personal health records (PHRs) and related service providers
- Infographic - Everyone has a role in protecting and securing health information.