On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11 page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. This report states: “[a] key factor to achieving a high-level of trust among individuals, health care providers, and other health care organizations participating in electronic health information exchange is the development of, and adherence to, a consistent and coordinated approach to privacy and security. Clear, understandable, uniform principles are a first step in developing a consistent and coordinated approach to privacy and security and a key component to building the trust required to realized the potential benefits of electronic health information exchange.” [p. 1]
With eight principles outlined the report, “[t]he goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a network.” [p. 1] The principles provide a foundation of the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009. Both of those documents are available on the HIPAA.com site.
In this posting, we reproduce Level 1 descriptions of the eight principles: “short title and concise statement.” In eight subsequent postings, we add Level 2 descriptions of each principle: “short explanation that further elaborates on the principle, what it is designed to do, and its parameters.” As the report states:
“These principles are expected to guide the actions of all health care-related persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information. These principles are not intended to apply to individuals with respect to their own individually identifiable health information… Individuals may use and/or disclose their individual health information as they choose [as they are not covered entities, as defined in HIPAA Administrative Simplification standards].” [p. 4]
The eight principles are:
» INDIVIDUAL ACCESS. Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format. [p. 6]
» CORRECTION. Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied. [p. 7]
» OPENNESS AND TRANSPARENCY. There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information. [p. 7]
» INDIVIDUAL CHOICE. Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information. [p. 8]
» COLLECTION, USE, AND DISCLOSURE LIMITATION. Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately. [p. 8]
» DATA QUALITY AND INTEGRITY. Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner. [p. 8]
» SAFEGUARDS. Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure. [p. 9]
» ACCOUNTABILITY. These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches. [p. 9]
Leave a Reply