
National Information Center on Health Services Research and Health Care Technology (NICHSR)

Serving the Information Needs of the Health Services Research Community


Privacy/Security and Research with Electronic Health Records

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules protect individually-identifiable health information and grant rights to individuals concerning the privacy and security of their data. Together, these rules and other provisions in HIPAA established the ground rules for widespread use of electronic health records to collect and exchange both administrative and clinical data. These rules have far-reaching implications for all involved in the delivery, payment and study of health services.

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization. The Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections. (Department of Health and Human Services)

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. (Department of Health and Human Services)

The Office for Civil Rights of the U.S. Department of Health and Human Services is responsible for enforcing the HIPAA Privacy Rule and the HIPAA Security Rule, as well as the confidentiality provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA) or Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety. OCR also provides up-to-date advice and resources specifically related to HIPAA and Research.

The Office of the National Coordinator for Health Information Technology (ONC) has established a central resource that explains Privacy and Security Policy in the context of the implementation of electronic health data exchange, for both researchers and providers.

News: EHR Privacy/Security and Research

Data, Tools, and Statistics

  • Privacy & Security Training Games - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    Using a game format, this security training module requires users to respond to privacy and security challenges often faced in a typical small medical practice.

  • SAFER Guides - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    The product consists of nine PDF guides in the following areas: High Priority Practice, Organizational Responsibilities, Contingency Planning, System Configuration, System Interfaces, Patient Identification, Computerized Provider Order Entry with Decision Support, Test Results Reporting and Follow Up, Clinician Communication.

  • SAFER: SAFER Guides for EHRs - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    Organized into nine guides, this toolkit allows healthcare organizations to identify recommended practices to optimize the safety and safe use of EHRs. Interactive PDFs can be filled out, saved, and transmitted between team members.

  • Security Risk Assessment - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    Tools and video help an organization assess their security risk.

  • eConsent Toolkit - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    The eConsent Toolkit is designed to assist in supporting meaningful consent. It contains planning resources, educational resources, the story engine tool, and technical resources.

Legislation, Regulation, and Guidance

  • Administrative Simplification Overview - (Centers for Medicare & Medicaid Services (CMS))  Details

    To reduce paperwork and streamline business processes across the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the Patient Protection and Affordable Care Act (ACA) set national standards for electronic transactions, code sets, and unique identifiers.

  • HIPAA Privacy Rule Information for Researchers - (National Institutes of Health (NIH))  Details

    Research organizations and researchers may or may not be covered by the HIPAA Privacy Rule. This website provides information on the Privacy Rule for the research community, specifically addressing Clinical Research, Health Services Research, Research Repositories and Databases, Institutional Review Boards, Privacy Boards, Authorizations and Information for Patients.

  • Health Information Privacy: Model Notices - (Office of Civil Rights, HHS (OCR) USA, Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    ONC and OCR have announced the creation of model Notices of Privacy Practices for health care providers and health plans to use to communicate with their patients and plan members.

Policy, Position Statements

Guidelines, Journals, and Other Publications

  • How to Use the SAFER Guides - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    This video explains the optimal use of the SAFER guides, which were developed to help organizations conduct self-assessments to optimize the safe use of electronic health records.

  • ONC HIT Certification Program (2013) - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    This document adds additional general program guidance related to surveillance, supplementing the "Permanent Certification Program Final Rule".

  • Privacy, Security, and Electronic Health Records - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    This website provides an overview on the various requirements related to HIPAA, privacy and security, and the responsibilities of providers in protecting patient rights.

  • Report of the Evidence on Health IT Safety and Interventions: Final Report (2016) - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    This report focuses on research on the types, severity, and frequency of health IT-related events; research on usability and interoperability; and identification and evaluation of tools and interventions intended to avoid the risks of health IT or that use health IT to make care safer.

Webinars / Meetings

Upcoming Meetings / Webinars

  • Emergency Ready - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    These on-demand videos are designed to assist organizations in preparing their systems for privacy protection in an emergency situation.

  • Security Risk Assessment Videos - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    This series of videos is designed to assist organizations in performing a risk assessment.

  • Upcoming Privacy and Security Meetings - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    This committee meets throughout the year. Meetings are posted with information on connecting to a webcast of the meeting.

Archived Meetings / Webinars

Past meetings with available web content

  • Cybersecurity and Healthcare Facilities - (Office of the Assistant Secretary for Preparedness and Response, HHS (ASPR))  Details

    A 2016 recorded webinar in which speakers discuss how the federal government is addressing cybersecurity and how healthcare organizations can prepare and plan for cybersecurity incidents.

  • eHealth Events - (Centers for Medicare & Medicaid Services (CMS))  Details

    Upcoming and past eHealth webinars to educate the health care community about eHealth programs and resources available to help align health information technology (Health IT) and electronic standards programs.

  • Electronic Health Records Research Symposium August 2, 2012 - (University of Cincinnati. Center for Clinical and Translational Science and Training USA)  Details

    The website for this meeting includes slides from contributed papers, including: "Regulatory Challenges and Solutions", "Technical Infrastructure Challenges and Solutions", and "Leveraging EHRs to Advance Research and Improve Healthcare: Challenges and Opportunities".

  • Webinar Recordings - (West Virginia Regional Health Information Technology Extension Center (WV RHITEC) USA)  Details

    This series of webinars looks at various aspects surrounding security and privacy of the electronic health record.

Education

  • HIM Professional Roles in E-HIM - (American Health Information Management Association (AHIMA))  Details

    This page provides an overview of the careers that have developed to support the implementation of the electronic health record.

  • Educational Resources - (Centers for Medicare & Medicaid Services (CMS))  Details

    CMS has assembled a variety of resources to assist professionals in obtaining training in the proper use of the electronic health record.

  • ONC HIT Curriculum Overview - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    Registration is required to utilize this free curriculum. Included in the course are Working with Health IT Systems, Configuring Electronic Health Records, and Planning, Management and Leadership for Health IT.

Special Issues

  • Mobile Health Privacy & Security - (Healthcare Information Management Systems Society (HIMSS) USA)  Details

    A resource list of information related to the issues surrounding security within the mobile environment is provided.

  • Privacy and Security - (Healthcare Information and Management Systems Society)  Details

    This website discusses the work of the various work groups within the organization dealing with privacy issues.

  • Patient Identification and Matching: Final Report (2014) - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    The issue of correctly matching the patient to their EHR is the subject of this report, which includes best practices for patient safety and information security.

  • Planning Room - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    This area of HealthIT.gov was designed to solicit public input on the Federal Health IT Strategic Plan.

  • Privacy & Security - (American Health Information Management Association (AHIMA))  Details

    This collection of links from AHIMA presents an overview on privacy and security related to the electronic health record. A link is provided to their Practice Briefs.

Grants

  • Health IT Adoption Programs - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    This website outlines IT adoption programs that can provide funding for EHR adoption.

Key Organizations

  • American Health Information Management Association (AHIMA) - (American Health Information Management Association (AHIMA))  Details

    Professional community that improves healthcare by advancing best practices and standards for health information management and the trusted source for education, research, and professional credentialing.

  • Electronic Privacy Information Center (EPIC) Details

    EPIC is a public interest research center in Washington, D.C. It was established in 1994 to focus public attention on emerging civil liberties issues and to protect privacy, the First Amendment, and constitutional values.

  • HealthIT.gov - (Office of the National Coordinator for Health Information Technology, HHS (ONC))  Details

    Resource to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care.

  • IHE USA Details

    IHE USA is a part of the international group, and focuses on fostering consistent information standards.

  • Office for Civil Rights - (Department of Health and Human Services (HHS) U.S.)  Details

    OCR helps to provide protections from discrimination in health care and social service programs. It also helps to protect the privacy of the health information held by health insurers and certain health care providers.

  • Security - (National Institute of Standards and Technology (NIST) US)  Details

    A set of tools, podcasts and use cases designed to assist organizations in protecting patient privacy.

  • World Privacy Forum Details

    This non-profit organization focuses on conducting in-depth research, analysis, and consumer education in the area of privacy.