On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11 page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation of the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009. The Framework and Meaningful Use documents are available here.
In this series of postings, we reproduce—one at a time—Level 1 and Level 2 descriptions of the eight principles. A Level 1 (L1) description is a “short title and concise statement,” and a Level 2 (L2) description is a “short explanation that further elaborates on the principle, what it is designed to do, and its parameters.”
The first of the eight principles is:
(L1) INDIVIDUAL ACCESS. Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format. [p. 6]
(L2) Access to information enables individuals to manage their health care and wellbeing. Individuals should have a reasonable means of access to their individually identifiable health information. Individuals should be able to obtain this information easily, consistent with security needs for authentication of the individual; and such information should be provided promptly so as to be useful for managing their health. Additionally, the persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information should provide such information in a readable form and format, including an electronic format, when appropriate. In limited instances, medical or other circumstances may result in the appropriate denial of individual access to their health information.