Health IT Privacy and Security Resources
Get started today! ONC, HHS Office for Civil Rights (OCR), and other HHS agencies have developed and issued a number of guidance documents, tools, and educational materials designed to help you better integrate privacy and security into your practice. Below is a brief description of each health IT privacy and security resource, along with a direct link.
Technical Assistance
- Regional extension centers (RECs) offer technical assistance with expertise in directly assisting providers in solo or small practices with all phases of adopting an EHR. To find your local REC, go to or contact your state or county medical association and other professional associations for additional assistance. Find your closest REC by zip code.
Regulatory & Guidance Information
HIPAA
- Health Information Privacy. U.S. Department of Health and Human Services. Guidance for covered entities on understanding HIPAA privacy.
- OCR’s Summary of the HIPAA Privacy Rule. Summary of key elements of the Privacy Rule, including who is covered, what information is protected and how information can be used and disclosed.
- OCR’s Summary of the HIPAA Security Rule. Summary of key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place.
- “Are You a Covered Entity?” Describes to whom the Administrative Simplification standards adopted by the U.S. Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply.
- Breach Notification Rule. U.S. Department of Health and Human Services. (2009) Describes the interim final breach notification regulations, issued in August 2009, implementing section 13402 of the Health Information Technology for Economic and Clinical Health (HITECH) Act.
- OCR’s Guidance on the HIPAA Privacy Rule and Health IT Toolkit. These guidance documents discuss the HIPAA Privacy Rule and how it can facilitate the electronic exchange of health information.
- OCR’s Guidance on Risk Analysis under the HIPAA Security Rule [PDF - 41 KB]. This guidance clarifies OCR’s expectations for organizations working to meet the risk analysis requirements of the HIPAA Security Rule.
- OCR’s Guidance to Render Unsecured Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals. This guidance explains the circumstances under which PHI is considered unusable, unreadable or indecipherable for the purposes of HIPAA compliance.
- OCR’s Remote Use Guidance [PDF - 153 KB]. This document explains how a covered entity may protect ePHI when it is accessed or used outside of the organization’s physical space.
- OCR’s HIPAA Frequently Asked Questions (FAQs) Database. This searchable database provides information on a variety of topics related to HIPAA.
- OCR’s Sample Business Associate Contract Provisions. This document provides sample business associate contract language to help covered entities more easily comply with the HIPAA Privacy Rule.
- OCR’s HIPAA Privacy & Security Audit Program. This website provides an overview of the HIPAA Privacy and Security Audit Program.
- The Nationwide Privacy & Security Framework for Electronic Exchange of Individually Identifiable Health Information [PDF - 76.9 KB]. This document, created by ONC, outlines a privacy and security policy framework for electronic health information exchange and an approach for addressing privacy and security challenges.
Meaningful Use – Health IT Privacy and Security
- Core Measure 12 [PDF - 145 KB]: Centers for Medicare & Medicaid Services. Eligible Professional Meaningful Use Core Measures. Measure 12 of 15. Nov. 7, 2010. This document provides definitions, attestation requirements and other information related to Meaningful Use Core Measure 12, providing an electronic copy of health information to patients.
- Core Measure 15 [PDF - 140 KB]: Centers for Medicare & Medicaid Services. Eligible Professional Meaningful Use Core Measures. Measure 15 of 15. Nov. 7, 2010. This document provides definitions, attestation requirements and other information related to Meaningful Use Core Measure 15, protecting electronic health information.
- Centers for Medicare & Medicaid Services. Eligible Professional Meaningful Use Table of Contents Core and Menu Set Objectives [PDF - 138 KB]. This document provides a listing of and links to Meaningful Use Core Objectives and Menu Objectives for Eligible Professionals.
- Meaningful Use Grid – Stage 1 [PDF - 364 KB]. This grid provides a quick reference for meaningful use objectives and measures as well as standards and certification criteria.
Tools
- Security Risk Assessment Tool. This tool can be used to help your practice conduct a security risk assessment.
- ONC’s Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices [PDF - 109 KB]. This guide provides information to help small health care practices learn about security measures they may need to consider as they use health information technology.
- ONC’s Cybersecurity Checklist [PDF - 507 KB]. This checklist provides 10 simple best practices that should be followed to reduce the most important threats to the safety of EHRs.
- HRSA Health IT Adoption Toolbox: HHS’ Health Resources and Services Administration (HRSA) compiled planning, implementation and evaluation resources to help health centers, safety net providers, and ambulatory care providers implement health IT applications in their facilities to meet administrative, IT and clinical quality objectives.
- HRSA Health IT Adoption Toolbox, Privacy and Security: Privacy and Security information in the toolbox.
Education & Training Materials
- HIPAA Privacy Rule Training Materials. To find educational materials to help you learn more about the HIPAA Privacy Rule, visit the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) HIPAA Training Materials page.
- HIPAA Security Rule Training Materials. To find educational materials to help you learn more about the HIPAA Security Rule and other sources of standards for safeguarding ePHI, visit the OCR Security Rule Guidance page.
- Uses & Disclosures: A Provider’s Privacy Guide [PDF - 1.7 MB]. A two-page fact sheet on uses and disclosures of health information, describing when protected health information can be used or shared without a patient’s express permission.
- Data Segmentation in Electronic Health Information [PDF - 468 KB] – ONC Whitepaper
- Consumer Consent Options [PDF - 713 KB] – ONC Whitepaper
- “Building Trust in Health Information Exchange”. (2011). This document provides a statement on privacy and security by ONC and OCR and describes efforts by HHS to ensure electronic health information is protected.
- Health Information Security and Privacy Collaboration (HISPC). A series of products created by the Health Information Security and Privacy Collaboration (HISPC) to address the privacy and security challenges presented by electronic health information exchange through multi-state collaboration.
Brochures, Fact Sheets, & Videos
- ONC Cybersecurity Video. A short video on cybersecurity emphasizing the importance of keeping electronic health information safe and secure.
Patient Relations & Health Information Privacy and Security
- A Health Care Provider’s Guide to the HIPAA Privacy Rule: Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care [PDF - 58.6 KB]. This guide provides information for health care providers regarding when a provider is allowed to share a patient’s information under HIPAA.
- Health Information Privacy for Consumers and Patients. This document provides information on health information privacy for consumers, including information on the HIPAA Privacy Rule and Security Rule.
- What Patients Need to Know about EHRs [PDF - 552 KB]. U.S. Department of Health and Human Services. This document provides patients with information about electronic health records.
- HealthIT.gov portal for patients and families. This portal provides information on health information technology specifically designed for patients and their families, including information on protecting the privacy and security of their health information.
Other Federal & State-Level Privacy and Security Resources
- The National Institute of Standards and Technology (NIST) HIPAA Security Toolkit Application is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.
- Health Information Security and Privacy Collaboration (HISPC) reports on state law, business practices and policy related to privacy and security and the electronic exchange of health information.
- National Governors Association (NGA) produced a report on state consent laws and health information exchange. View the report: State and Federal Laws Affecting Interstate Health Information Exchange - March 2011 [PDF - 761 KB]
- Center on Medical Record Rights and Privacy. This website has information developed for consumers and patients summarizing medical record privacy laws in each state.
- Federal Privacy and Security Law Table [PDF - 158 KB]. (February 2010) This table summarizes federal laws and regulations addressing privacy and security.