Collection, Use, and Disclosure Limitation Key Privacy/Security Principle of Meaningful Use 2011 Objectives

On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11 page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation of the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009. The Framework and Meaningful Use documents are available here.

In this series of postings, we reproduce—one at a time—Level 1 and Level 2 descriptions of the eight principles. A Level 1 (L1) description is a “short title and concise statement,” and a Level 2 (L2) description is a “short explanation that further elaborates on the principle, what it is designed to do, and its parameters.”

The fifth of the eight principles is:

(L1) COLLECTION, USE, AND DISCLOSURE LIMITATION. Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately. [p. 8]

(L2) Establishing appropriate limits on the type and amount of information collected, used, and/or disclosed increases privacy protections and is essential to building trust in electronic exchange of individually identifiable health information because it minimizes potential misuse and abuse. Persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information should only collect, use, and/or disclose information necessary to accomplish a specified purpose(s). Persons and entities should take advantage of technological advances to limit data collection, use, and/or disclosure.