Health Information Privacy and Security: A 10 Step Plan

Before you get started, identify potential assistance from your regional extension center (REC) about where you can get help beyond the Privacy & Security resources.

Work with your EHR vendor(s) to let them know that protecting patient health information and meeting your HIPAA privacy and security responsibilities regarding electronic health information in your EHR is one of your major goals. Involve your practice staff and any other partners that you have to help streamline this process.

For an overview of specific Meaningful Use Requirements regarding EHR privacy and security, download Chapter Two of the Guide to Privacy and Security of Health Information [PDF – 1.5 MB].

For an overview of HIPAA privacy and security requirements visit HHS OCR’s website.

Start your 10 steps at least 90 days before the day you target to start the EHR incentive program.


  1. Confirm you are a “Covered Entity”

Most health care providers are covered entities, and thus, have HIPAA responsibilities for individually identifiable health information. Use this HHS tool to confirm you are a covered entity.

  2. Provide Leadership

Your leadership—especially emphasizing the importance of protecting patient health information—is vital to your privacy and security activities. For example, HIPAA requires covered providers to designate both a privacy and a security officer on their staff.

  3. Document your process, findings, and actions

Documentation shows why and where you have security measures in place, how you created them, and what you do to monitor them. Create a paper or electronic folder for your records.

CMS advises all providers that attest for the EHR incentive programs to retain all relevant records that support attestation. These records will be essential if you ever are audited for compliance with HIPAA or an EHR incentive program.

Risk Analysis & Action Plan

  4. Conduct Security Risk Analysis

Conduct a security risk analysis (or reassessment if you already conducted an initial risk analysis) that compares your current security measures to what is legally and pragmatically required to safeguard patient health information. The risk analysis also identifies high priority threats and vulnerabilities. The HHS Office for Civil Rights has issued Guidance on Risk Analysis and, in conjunction with ONC, a security risk assessment tool. Also, ONC offers a set of questions tailored to small practices that can help you get started on a risk analysis [PDF – 60 KB]. You or a security risk professional can conduct your practice’s risk analysis, but either way you will want to know what to expect.

  5. Develop action plan for addressing threats & vulnerabilities

Often, basic security measures can be highly effective and affordable. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan should have five components: administrative, physical, and technical safeguards; policies and procedures; and organizational standards.

Risk Management

  6. Manage and mitigate risks

Begin implementing your action plan. Develop written and up-to-date policies and procedures about how your practice protects e-PHI. Retain outdated policies and procedures.

  7. Prevent with workforce education and training

To safeguard patient health information, your workforce must know how to implement your policies, procedures, and security audits. HIPAA requires you as a covered provider to train your workforce on policies and procedures. Also, your staff must receive formal training on breach notification.

  8. Communicate with patients

Your patients may be concerned about confidentiality and security of health information in an EHR. Emphasize the benefits of EHRs to them as patients, perhaps using patient education materials available in the Privacy & Security Resources section.

  9. Update your business associate agreements

Make sure your business associate agreements require compliance with HIPAA and HITECH Breach Notification requirements.

Meaningful Use

  10. Attest for the security risk analysis MU objective

HIPAA privacy and security requirements are embedded in the CMS EHR Incentive Programs Meaningful Use requirements [PDF – 1.3 MB]. For example, eligible providers need to “attest” that they have met certain measures or requirements regarding the privacy and security of health information in their EHRs.

Do not register and attest for an EHR Incentive program until you have conducted your security risk analysis (or reassessment) and corrected any deficiencies identified during the risk analysis. Document these changes/corrections. Providers participating in the EHR Incentive Program can be audited.

When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect ePHI.