Health Information Technology

Privacy and Security of Health Information

One of the most difficult tasks in the evolution from a paper to an electronic health record (EHR) is determining how to most effectively manage access to and use of health information. Health IT can help protect health information through security measures such as encryption and access controls, but it also makes health information far easier to copy and distribute, raising concerns that a patient's privacy will be violated. As a result, finding new ways to keep electronic health information both private and secure is paramount. Consumer and provider trust in these electronic systems is essential to their effectiveness and success.

Legal protections for health information exist today, but most were not created with the current widespread use of health IT in mind. It is important to understand what these protections are, their strengths and limitations, and the possible options for filling the gaps in protecting health information as the nation moves toward a fully or predominantly electronic health care environment.


The primary federal legal protections against inappropriate health information sharing are the Health Insurance Portability and Accountability Act (HIPAA) and the Privacy and Security Rules issued under it. Together they provide a uniform federal floor, or minimum, of privacy protections; states may impose stricter requirements on top of that floor.


The HITECH Act (Health Information Technology for Economic and Clinical Health Act), which was passed as part of the 2009 stimulus legislation, made a number of significant changes to HIPAA, strengthening privacy and security protections in a variety of ways. Perhaps most notably, HITECH expanded the scope of HIPAA and its Privacy and Security Rules to reach business associates and their subcontractors directly, and explicitly designated health information exchanges (HIEs) as business associates.