The Office of the National Coordinator for Health Information Technology (ONCHIT) issued a paper Monday called The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The summary states that the framework creates a set of consistent principles to:
. .address the privacy and security challenges related to electronic
health information exchange through a network for all persons,
regardless of the legal framework that may apply to a particular
organization. The goal of this effort is to establish a policy
framework for electronic health information exchange that can help
guide the Nation’s adoption of health information technologies and help
improve the availability of health information and health care quality.
The principles have been designed to establish the roles of individuals
and the responsibilities of those who hold and exchange electronic
individually identifiable health information through a network.”
Along with the Nationwide Privacy and Security Framework the Department of Health and Human Services (HHS) has issued The Health IT Privacy and Security Toolkit. The Toolkit includes new HIPAA Privacy Rule guidance documents developed by the ONCHIT and the Office for Civil Rights (OCR) to help facilitate the electronic exchange of health information.
Of particular interest to many interested in PHRs will be the OCR’s guidance on Personal Health Records and the HIPAA Privacy Rule and the draft Draft Model Personal Health Record (PHR) Privacy Notice & Facts-At-A-Glance (the “Leavitt Label”).
- Individual Access Principle – Individuals
should be provided with a simple and timely means to access and obtain
their individually identifiable health information in a readable form
- Correction Principle – Individuals
should be provided with a timely means to dispute the accuracy or
integrity of their individually identifiable health information, and to
have erroneous information corrected or to have a dispute documented if
their requests are denied.
- Openness and Transparency Principle – There
should be openness and transparency about policies, procedures, and
technologies that directly affect individuals and/or their individually
identifiable health information.
- Individual Choice Principle – Individuals
should be provided a reasonable opportunity and capability to make
informed decisions about the collection, use, and disclosure of their
individually identifiable health information.
- Collection, Use, and Disclosure Limitation Principle – Individually
identifiable health information should be collected, used, and/or
disclosed only to the extent necessary to accomplish a specified
purpose(s) and never to discriminate inappropriately.
- Data Quality and Integrity Principle – Persons
and entities should take reasonable steps to ensure that individually
identifiable health information is complete, accurate, and up-to-date
to the extent necessary for the person’s or entity’s intended purposes
and has not been altered or destroyed in an unauthorized manner.
- Safeguards Principle – Individually
identifiable health information should be protected with reasonable
administrative, technical, and physical safeguards to ensure its
confidentiality, integrity, and availability and to prevent
unauthorized or inappropriate access, use, or disclosure.
- Accountability Principle – These
principles should be implemented, and adherence assured, through
appropriate monitoring and other means and methods should be in place
to report and mitigate non-adherence and breaches.
I have only made an initial pass though the information and guidance documents. There is a lot to read and digest over the holidays. Please post in the comments your thoughts on the new federal principles and guidelines.
Bob Coffield is a health care lawyer who writes the Health Care Law Blog, where this post first appeared.