Empowering consumers with convenient and secure access to networked health information is key to transforming America’s health care system and improving the health of our nation’s citizens.

While there is great potential for benefit to consumers in using services that help them collect and manage their own health information, there is also great potential for risk to the security and confidentiality of consumers’ health information as less regulated organizations record personal health information with new Internet-based services. 

The recommended policies and practices of the Markle Common Framework for Networked Personal Health Information are designed to protect consumers, and to guide the organizations that collect, share, and store health information about them.

The framework below proposes a set of practices that, when taken together, encourage appropriate handling of personal health information as it flows to and from personal health records (PHRs) and similar applications or supporting services.

Click on the individual documents below to read them online or download the PDFs.

  • Overview and Principles

    Provides an overview, definitions, context, and foundational principles for the Markle Common Framework for Networked Personal Health Information.

  • Consumers as Network Participants

    Explains why consumer participation can be transformative in health care as it has been in other sectors, why networked PHRs are a vital tool for empowering consumers, and how policies can help guide an emerging industry.

  • Consumers Access Practice Areas
    • Consumer Policy (CP)
      • CP1 Policy Overview

        Describes the policy landscape, including how the Health Insurance Portability and Accountability Act (HIPAA) as well as state and contract laws apply to emerging consumer data streams. Explains unregulated and regulated areas of the current environment, and argues for a voluntary common framework of policies.

      • CP2 Policy Notice to Consumers

        Recommends preferred practices for giving consumers access to the policies for collection, use, and disclosures of personal health information, including privacy and security practices, terms and conditions of use, and other relevant policies.

      • CP3 Consumer Consent to Collections, Uses and Disclosures of Information

        Describes mechanisms to capture the consumer's agreement prior to any collection, use, or disclosure of personal data; explains why notice and consent are not sufficient by themselves in providing adequate protection for consumers.

      • CP4 Chain-of-Trust Agreements

        Describes the merits and limitations of contractual mechanisms among parties exchanging personal health information; recommends important limitations to place on unaffiliated third parties.

      • CP5 Notifications of Misuse or Breach

        Discusses what to do if something goes wrong. Recommends that consumers be individually informed if their personal information was, or is reasonably believed to have been, disclosed or acquired by an unauthorized person or party in a form that carries significant risk of compromising the security, confidentiality, or integrity of personal information.

      • CP6 Dispute Resolution

        Recommends that consumers be provided a clear and logical pathway to resolve disputes such as over breach or misuse, data quality or matching errors, allegations of unfair or deceptive trade practices, etc.

      • CP7 Discrimination and Compelled Disclosures

        Recommends policies to bar discrimination and "compelled disclosures" – such as when the consumer's authorization for release of data is required in order to obtain employment, benefits, or other services.

      • CP8 Consumer Obtainment and Control of Information

        Covers several areas to facilitate the consumer's ability to electronically collect, store, and control copies of personal health information, including requesting data in an electronic format, allowing for proxy access to an account, requesting amendments, or disputing entries of data. Also covers appropriate retention of information in inactive accounts, and consumer requests to "delete" data and terminate their accounts.

      • CP9 Enforcement of Policies

        Raises the issue of how policies and practices should be enforced on the network; describes the pros and cons of several different enforcement mechanisms, including: enforcing current laws, amending and expanding HIPAA, creating new law to govern Consumer Access Services, encouraging self-attestation with third-party validation, and encouraging consumer-based ratings.

    • Consumer Technology (CT)
      • CT1 Technology Overview

        Describes the complexity of emerging digital health data streams; explains how information can be combined to build revealing profiles of individuals; depicts how health care entities and consumer technology innovators operate under different cultures that can clash without basic rules of the road.

      • CT2 Authentication of Consumers

        Provides a framework for establishing and confirming the identity of individual consumers so that they may participate on a network.

      • CT3 Immutable Audit Trails

        Recommends that audit trails be a basic requirement of PHRs and supporting services; explains the value of providing consumers with convenient electronic access to an audit trail as a mechanism to demonstrate compliance with use and disclosure authorization(s).

      • CT4 Limitations on Identifying Information

        Recommends strong limitations on disclosures of identifying data to third parties. Supports disclosures only of those data that are reasonably necessary to perform the limited function(s) to which the third parties are authorized. Provides a caveat about considering data "de-identified."

      • CT5 Portability of Information

        Highlights the importance of the consumer's ability to export and import information in industry-standard formats as they become available.

      • CT6 Security and Systems Requirements

        Provides a brief outline on basic security protections. Recommends continuous monitoring of industry practices and threats, as well as personnel training and strict policies regarding who can access consumer data, and consequences for security violations.

      • CT7 An Architecture for Consumer Participation

        Provides a view on how Consumer Access Services can fit within the Markle Connecting for Health approach to architecture for a Nationwide Health Information Network (NHIN).

 
 

©2008-2011, Markle Foundation

This work was originally published as part of a compendium called The Markle Connecting for Health Common Framework for Networked Personal Health Information. It is made available free of charge, but subject to the terms of a License. You may make copies of this work; however, by copying or exercising any other rights to the work, you accept and agree to be bound by the terms of the License. All copies of this work must reproduce this copyright information and notice.