On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11-page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation for the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009. The Framework and Meaningful Use documents are available here.
In this series of postings, we reproduce—one at a time—Level 1 and Level 2 descriptions of the eight principles. A Level 1 (L1) description is a “short title and concise statement,” and a Level 2 (L2) description is a “short explanation that further elaborates on the principle, what it is designed to do, and its parameters.”
The third of the eight principles is:
(L1) OPENNESS AND TRANSPARENCY. There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information. [p. 7]
(L2) Trust in electronic exchange of individually identifiable health information can best be established in an open and transparent environment. Individuals should be able to understand what individually identifiable health information exists about them, how that individually identifiable health information is collected, used, and disclosed and whether and how they can exercise choice over such collections, uses, and disclosures. Persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information should provide reasonable opportunities for individuals to review who has accessed their individually identifiable health information or to whom it has been disclosed, in a readable form and format. Notice of policies, procedures, and technology—including what information will be provided under what circumstances—should be timely and, wherever possible, made in advance of the collection, use, and/or disclosure of individually identifiable health information. Policies and procedures developed consistent with this Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information should be communicated in a manner that is appropriate and understandable to individuals.