On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11 page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation of the Privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009. The Framework and Meaningful Use documents are available here.
In this series of postings, we reproduce—one at a time—Level 1 and Level 2 descriptions of the eight principles. A Level 1 (L1) description is a “short title and concise statement,” and a Level 2 (L2) description is a “short explanation that further elaborates on the principle, what it is designed to do, and its parameters.”
The sixth of the eight principles is:
(L1) DATA QUALITY AND INTEGRITY. Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner. [p. 8]
(L2) The completeness and accuracy of an individual’s health information may affect, among other things, the quality of care that the individual receives, medical decisions, and health outcomes. Persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information have a responsibility to maintain individually identifiable health information that is useful for its intended purposes, which involves taking reasonable steps to ensure that information is accurate, complete, and up-to-date, and has not been altered or destroyed in an unauthorized manner. Persons and entities have a responsibility to update or correct individually identifiable health information and to provide timely notice of these changes to others with whom the underlying information has been shared. Moreover, persons and entities should develop processes to detect, prevent, and mitigate any unauthorized changes to, or deletions of, individually identifiable health information.