
“The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual.”

—Earl Warren, 14th Chief Justice of the United States


  • Informaticists will be knowledgeable of the laws and regulations that govern the protection of ePHI.

  • Informaticists will be knowledgeable of the administrative, technical, and physical security controls that safeguard ePHI.

  • Informaticists will be able to describe the roles and responsibilities of other IT professionals that protect the data in clinical applications.

  • Informaticists will be knowledgeable of best practices for safeguarding health information and have resources to evaluate practices in their organization.


Ensuring the accuracy and confidentiality of sensitive medical information is vital to what we do every day as clinical informaticists. Patients, providers, and even insurance companies are counting on us to “get it right.” Learning what is required and where to begin can feel like a daunting task. Do you remember the saying, “It takes a village to raise a child”? It is also true when it comes to protecting our clients’ privacy and health information: it takes a village. Do you know everyone in your village? Do you understand their role and yours? This chapter introduces core concepts of information technology (IT) security and information privacy and the roles of the many professionals engaged in data protection.

Information privacy is concerned with establishing rules that govern collecting and handling personal information, which can include medical information. Across individual physician practices or large integrated healthcare systems, it is impossible to guarantee that information contained in an electronic health record is 100% private. Rules that govern medical information include security controls built into the system and also privacy practices defining who may access medical information. Security engineers practice a concept of defense in depth, building multiple security controls to protect sensitive data systems like moats with drawbridges or watch towers with cannons surrounding a castle to protect against invaders. The security controls include administrative, physical, and technical safeguards that address human factors as well as configuration settings that may contribute to loss of data. Each safeguard adds a layer to make the entire system secure and ensure privacy.

This chapter will provide some background on the regulatory frameworks for safeguarding health information in clinical information systems. Primarily, three U.S. federal privacy laws apply to medical information held by public and private organizations in the United States. Federal agencies providing clinical care to military veterans, active duty military personnel, and their dependents, and to participants in clinical research studies, must follow the Privacy Act (PA) of 1974 and the Federal Information Security Management Act (FISMA) of 2002. Healthcare organizations that bill patients and/or their insurance plans for services provided must also comply with the Fair Credit Reporting Act (FCRA) of 1970 and with the Health Insurance Portability and Accountability Act (HIPAA) of 1996 when collecting, storing, and transmitting identifiable health information and ...
