Health IT Privacy and Security Resources for Providers
The Office of the National Coordinator for Health Information Technology (ONC), U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), and other HHS agencies have developed a number of resources for you. These tools, guidance documents, and educational materials are intended to help you better integrate HIPAA and other federal health information privacy and security into your practice.
Tools and Templates
- Sync for Science (S4S) API Privacy and Security [PDF – 939 KB]. Report on an independent privacy and security technical and administrative testing, analysis, and assessment of a voluntary subset of S4S pilot organizations’ implementations of the S4S API.
- Guide to Privacy and Security of Electronic Health Information [PDF – 1.3 MB]. ONC tool to help small health care practices in particular succeed in their privacy and security responsibilities. The Guide includes a sample seven-step approach for implementing a security management process.
- Security Risk Assessment (SRA) Tool. HHS downloadable tool to help providers from small practices navigate the security risk analysis process.
- HIPAA Security Toolkit Application. National Institute of Standards and Technology (NIST) toolkit to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.
- Certified Health IT Product List. ONC’s authoritative, comprehensive listing of complete Electronic Health Records (EHRs) and EHR modules that have been tested and certified under the ONC Health IT (HIT) Certification Program.
- Sample Business Associate Contract Provisions. OCR sample Business Associate (BA) contract language to help Covered Entities (CEs) more easily comply with the HIPAA Privacy Rule.
- TEMPLATE – Model Notices of Privacy Practices (NPPs). ONC and OCR’s customizable NPPs for use by providers and health plans.
Education and Training for Providers and Professionals
- HIPAA Privacy and Security Rules Training. Online modules on HIPAA Privacy, Security, and Breach Notification Rule compliance, developed by OCR and Medscape for health care professionals.
- Examining Compliance with the HIPAA Privacy Rule
- HIPAA Security Rule Educational Paper Series. A series of educational papers on the HIPAA Security Rule, as well as additional links to HIPAA Security Rule guidance.
- Regional Extension Centers (RECs). ONC website offering information about RECs, which provide technical assistance to providers in all phases of Electronic Health Record (EHR) adoption. To find your local REC, contact your state or county medical association or other professional associations.
- Top 10 Tips for Cybersecurity in Health Care. ONC’s tips to help small health care practices apply cybersecurity and risk management principles.
- Health Care Professionals’ Privacy, Security, and Breach Notification Guide [PDF – 1.7 MB]. Centers for Medicare and Medicaid Services (CMS) fact sheet summarizing what HIPAA does and does not do or require.
- Meaningful Consent for Patients in Electronic Health Information Exchange. ONC’s web pages providing information about meaningful consent and the eConsent Trial.
- HIPAA and Emergency Situations. OCR web page of resources on HIPAA and emergency situations.
- SAFER Guides. ONC guides that enable health care organizations to address EHR safety in a variety of areas.
Communicating with Patients About Health Information Privacy and Security
- Communicating with a Patient’s Family, Friends, or Others Involved in the Patient’s Care [PDF – 58.6 KB]. OCR guide providing information regarding when a provider is allowed to share a patient’s information under HIPAA.
- Guidance Materials for Consumers. OCR web page providing health information privacy rights resources for consumers, including a number of printer-friendly fact sheets.
HIPAA Guidance
- Permitted Uses and Disclosures: Exchange for Health Oversight Activities [PDF – 750 KB] | Versión en Español
- Permitted Uses and Disclosures: Exchange for Health Care Operation [PDF – 673 KB] | Versión en Español
- Permitted Uses and Disclosures: Exchange for Treatment [PDF – 732 KB] | Versión en Español
- Permitted Uses and Disclosures: Exchange for Public Health Activities [PDF – 921 KB]
- HIPAA Privacy Rule Summary. OCR summary of key elements of the Privacy Rule, including who is covered, what information is protected, and how information can be used and disclosed.
- HIPAA Security Rule Summary. OCR summary of key elements of the Security Rule, including who is covered, what information is protected, and what safeguards must be in place.
- Am I a Covered Entity? Assistance in determining if you are a Covered Entity (CE).
- HIPAA Breach Notification Rule. OCR summary of key elements of the Breach Notification Rule, including the legal definition of a breach.
- Instructions for Submitting a Breach Notification. OCR summary of what you are required to do if you have a breach.
- HIPAA Enforcement. OCR information about their HIPAA enforcement process and audit program.
- HIPAA Frequently Asked Questions (FAQs) Database. OCR’s searchable database providing information on a variety of topics related to HIPAA.
- De-Identifying Protected Health Information. OCR guidance on de-identification of PHI to enable you to aggregate patient data without violating patient privacy.
Other Federal and State Privacy and Security Resources
- Health Information Privacy Law and Policy. ONC web page providing links to various federal, state, and organizational resources on the topic of health information privacy law and policy.
Top 10 Myths of Security Risk Analysis
As with any new program or regulation, there may be misinformation making the rounds. The following is a top 10 list distinguishing fact from fiction.
1. The security risk analysis is optional for small providers.
False. All providers who are “covered entities” under HIPAA are required to perform a risk analysis. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.
2. Simply installing a certified EHR fulfills the security risk analysis MU requirement.
False. Even with a certified EHR, you must perform a full security risk analysis. Security requirements address all electronic protected health information you maintain, not just what is in your EHR.
3. My EHR vendor took care of everything I need to do about privacy and security.
False. Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, EHR vendors are not responsible for making their products compliant with HIPAA Privacy and Security Rules. It is solely your responsibility to have a complete risk analysis conducted.
4. I have to outsource the security risk analysis.
False. It is possible for small practices to do risk analysis themselves using self-help tools. However, doing a thorough and professional risk analysis that will stand up to a compliance review will require expert knowledge that could be obtained through services of an experienced outside professional.
5. A checklist will suffice for the risk analysis requirement.
False. Checklists can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.
6. There is a specific risk analysis method that I must follow.
False. A risk analysis can be performed in countless ways. OCR has issued Guidance on Risk Analysis Requirements of the Security Rule. This guidance assists organizations in identifying and implementing the most effective and appropriate safeguards to secure e-PHI.
7. My security risk analysis only needs to look at my EHR.
False. Review all electronic devices that store, capture, or modify electronic protected health information. Include your EHR hardware and software and devices that can access your EHR data (e.g., your tablet computer, your practice manager’s mobile phone). Remember that copiers also store data. Please see U.S. Department of Health and Human Services (HHS) guidance on remote use.
8. I only need to do a risk analysis once.
False. To comply with HIPAA, you must continue to review, correct or modify, and update your security protections. For more on reassessing your security practices, please see Reassessing Your Security Practice in a Health IT Environment.
9. Before I attest for an EHR incentive program, I must fully mitigate all risks.
False. The EHR incentive program requires correcting any deficiencies (identified during the risk analysis) during the reporting period, as part of its risk management process.
10. Each year, I’ll have to completely redo my security risk analysis.
False. Perform the full security risk analysis as you adopt an EHR. Each year, or when changes to your practice or electronic systems occur, review and update the prior analysis for changes in risks. Under the Meaningful Use Programs, reviews are required for each EHR reporting period. For eligible professionals (EPs), the EHR reporting period will be 90 days or a full calendar year, depending on the EP’s year of participation in the program.