On December 15, 2008, the Office of the National Coordinator for Health Information Technology of the U.S. Department of Health and Human Services (HHS) published its 11-page report: Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. The eight principles in this report underpin the HIPAA Administrative Simplification Privacy and Security Rule standards, provide a foundation for the privacy provisions of the HITECH Act in the American Recovery and Reinvestment Act of 2009, signed by President Obama on February 17, 2009, and are a key objective of the proposed 2011 Objective recommendations for Meaningful Use published by HHS’ Health IT Policy Committee on June 16, 2009. The Framework and Meaningful Use documents are available here.
In this series of postings, we reproduce—one at a time—Level 1 and Level 2 descriptions of the eight principles. A Level 1 (L1) description is a “short title and concise statement,” and a Level 2 (L2) description is a “short explanation that further elaborates on the principle, what it is designed to do, and its parameters.”
The eighth and last of the principles is:
(L1) ACCOUNTABILITY. These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches. [p. 9]
(L2) These nationwide privacy and security principles will not be effective in building trust in electronic exchange of individually identifiable health information unless there is compliance with these Principles and enforcement mechanisms. Mechanisms for assuring accountability include policies and procedures and other tools. At a minimum, such mechanisms adopted by persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information should address: (1) monitoring for internal compliance, including authentication and authorizations for access to or disclosure of individually identifiable health information; (2) the ability to receive and act on complaints, including taking corrective measures; and (3) the provision of reasonable mitigation measures, including notice to individuals of privacy violations or security breaches that pose substantial risk of harm to such individuals.