Most health care providers are covered entities, and thus, have HIPAA responsibilities for individually identifiable health information. Use this HHS tool to confirm you are a covered entity.

Your leadership—especially emphasizing the importance of protecting patient health information—is vital to your privacy and security activities. For example, HIPAA requires covered providers to designate both a privacy and a security officer on their staff.

Documentation shows why and where you have security measures in place, how you created them, and what you do to monitor them. Create a paper or electronic folder for your records.

CMS advises all providers that attest for the EHR incentive programs to retain all relevant records that support attestation. These records will be essential if you ever are audited for compliance with HIPAA or an EHR incentive program.

Conduct a security risk analysis (or reassessment if you already conducted an initial risk analysis) that compares your current security measures to what is legally and pragmatically required to safeguard patient health information. The risk analysis also identifies high priority threats and vulnerabilities. The HHS Office for Civil Rights' has issued Guidance on Risk Analysis, and in conjunction with ONC, a security risk assessment tool. Also, ONC offers a set of questions tailored to small practices that can help you get started on a risk analysis. You or a security risk professional can conduct your practice's risk analysis, but you either way you will want to know what to expect.

Often, basic security measures can be highly effective and affordable. Using your risk analysis results, discuss and develop an action plan to mitigate the identified risks. The plan should have five components: administrative, physical, and technical safeguards; policies and procedures; and organizational standards.

Begin implementing your action plan. Develop written and up-to-date policies and procedures about how your practice protects e-PHI. Retain outdated policies and procedures.

To safeguard patient health information, your workforce must know how to implement your policies, procedures, and security audits. HIPAA requires you as a covered provider to train your workforce on policies and procedures. Also, your staff must receive formal training on breach notification.

Your patients may be concerned about confidentiality and security of health information in an EHR. Emphasize the benefits of EHRs to them as patients, perhaps using patient education materials available in the Privacy & Security Resources section.

Make sure your business associate agreements require compliance with HIPAA and HITECH Breach Notification requirements.

HIPAA privacy and security requirements are embedded in the CMS EHR Incentive Programs Meaningful Use requirements [PDF - 1.3 MB. For example, eligible providers need to “attest” that they have met certain measures or requirements regarding the privacy and security of health information in their EHRs.

Do not register and attest for an EHR Incentive program until you have conducted your security risk analysis (or reassessment) and corrected any deficiencies identified during the risk analysis. Document these changes/corrections. Providers participating in the EHR Incentive Program can be audited.

When you attest to meaningful use, it is a legal statement that you have met specific standards, including that you protect ePHI.