Small to medium provider organizations such as community health centers, rural clinics, and critical access hospitals work to provide the highest quality health services with limited resources. Because they operate with a smaller staff than larger health systems, many employees take on tasks outside their job description. Provision of information technology (IT) services is often a task non-experts at these smaller operations must take on to achieve organizational objectives. The impact of this was never more apparent than when the Health Information Technology for Economic and Clinical Health Act’s Meaningful Use policies required objective measures for ensuring the safety of electronic Protected Health Information (ePHI) as dictated by the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA compliance requires that providers be prepared to handle ePHI properly and follow the requirements in the HIPAA Privacy, Security, and Breach Notification Rules. If a problem surfaces, an enforcement action can result—including million-dollar financial settlements, and Corrective Action Plans that can take years to complete and can cost many times the monetary settlements. In order to comply with the HIPAA Security Rule, providers need to maintain an ongoing security program. Beyond HIPAA policies there are modern technological concerns such as "ransomware" that requires further diligence and expertise from health center IT management and staff.

Maintaining a secure and yet, responsive clinical health IT system and conducting policy related objectives such as the security risk analysis (SRA) requirements in accordance with HIPAA policy are extremely complex tasks. The difficulties experienced by small to medium provider organizations in accomplishing these goals are comprehensive. The resource sets provided here include boiled down guidance and toolkits for common health IT privacy and security needs.