Privacy and Security Resources for Providers

The Office of the National Coordinator for Health Information Technology (ONC), , and other HHS agencies have developed a number of resources for you. These tools, guidance documents, and educational materials are intended to help you better integrate HIPAA and other federal health information privacy and security into your practice.

Tools and Templates

  • Sync for Science (S4S) API Privacy and Security [PDF - 939 KB]. Led an independent privacy and security technical and administrative testing, analysis, and assessment of a voluntary subset of S4S pilot organizations’ implementations of the S4S API.
  • Guide to Privacy and Security of Electronic Health Information [PDF – 1.3 MB]. ONC tool to help small health care practices in particular succeed in their privacy and security responsibilities. The Guide includes a sample seven-step approach for implementing a security management process.
  • Security Risk Assessment (SRA) Tool. HHS downloadable tool to help providers from small practices navigate the security risk analysis process.
  • Security Risk Analysis Guidance. OCR’s expectations for how providers can meet the risk analysis requirements of the HIPAA Security Rule.
  • . National Institute of Standards and Technology (NIST) toolkit to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment.
  • . ONC’s authoritative, comprehensive listing of complete Electronic Health Records (EHRs) and EHR modules that have been tested and certified under the ONC (HIT) Certification Program.
  • . OCR sample Business Associate (BA) contract language to help Covered Entities (CEs) more easily comply with the HIPAA Privacy Rule.
  • . ONC and OCR’s customizable NPPs for use by providers and health plans.
  • Mobile Devices – Keeping Health Information Private and Secure. ONC’s web page dedicated to resources for helping providers protect and secure health information on mobile devices.

Education and Training for Providers and Professionals

  • . Online modules on HIPAA Privacy, Security, and Breach Notification Rule compliance, developed by OCR and Medscape for health care professionals.
  • . A series of educational papers on the HIPAA Security Rule, as well as additional links to HIPAA Security Rule guidance.
  • Regional Extension Centers (RECs). ONC website offering information about RECs, which offer competent technical assistance to help providers in all phases of Electronic Health Record (EHR) adoption. To find your local REC, go to your state or county medical association and other professional associations for additional assistance. Find your closest REC by zip code.
  • VIDEOS - Security Risk Assessment. ONC videos providing introductions to security risk analysis and contingency planning and offering instruction on how to use the Security Risk Assessment (SRA) Tool.
  • Privacy and Security Training Games. ONC’s interactive game series on medical practice cybersecurity and contingency planning.
  • Top 10 Tips for Cybersecurity in Health Care. ONC’s tips to help small health care practices apply cybersecurity and risk management principles.
  • . Short ONC video emphasizing the importance of keeping electronic health information safe and secure.
  • . Centers for Medicare and Medicaid Services (CMS) fact sheet summarizing what HIPAA does and does not do or require.
  • Meaningful Consent for Patients in Electronic Health Information Exchange. ONC’s web pages providing information about meaningful consent and the eConsent Trial.
  • . CMS booklet describing common medical identity theft schemes and how to guard against them.
  • Emergency Readiness. ONC web page of resources on emergency preparedness for healthcare organizations.
  • . OCR web page of resources on HIPAA and emergency situations.
  • SAFER Guides. ONC guides that enable health care organizations to address EHR safety in a variety of areas.
  • . “Data segmentation” is the term often used to describe the electronic labeling or tagging of a patient’s health information in a way that allows patients or providers to electronically share parts, but not all, of a patient record. ONC videos provide an overview of data segmentation and offer a glimpse into some of the data segmentation initiatives.

Communicating with Patients about Health Information Privacy and Security

HIPAA Guidance

Other Federal and State Privacy and Security Resources

Content last reviewed on August 28, 2019