CP4

Purpose

For personal health information to flow in or out of a consumer-accessible application, it may pass among two or more organizations. Each participant in such "consumer data streams" may have its own legal and business interests to protect. However, consumers should be able to trust the entire chain of entities and business processes that handle their personal health data. Contracts are one mechanism to bind partners to specified privacy and security policies regarding confidential information they exchange or share.

Like other policy areas in this framework, chain-of-trust agreements are often necessary in certain relationships, but not by themselves sufficient to create a privacy-protective environment. In practice, such contracts have significant weaknesses, including their lack of transparency to consumers and their inconsistent enforcement. For one, breaches may not be discovered because organizations may not rigorously monitor the behavior of all of their business partners. Secondly, if an accusation of breach occurs, enforcement depends on one party engaging another party in a legal action, most likely under contract law. Organizations often seek to settle legal disputes out of court – or avoid litigation altogether.

Still, chain-of-trust agreements serve as important instruments in encouraging "good network citizenship." There are several possible relationships in which parties seek chain-of-trust agreements. HIPAA Business Associate agreements are one example. (See CP1: Policy Overview.)

There is a problem with scaling this chain-of-trust model, however. It is unreasonable, for example, for each doctor's office to negotiate and sign a chain-of-trust agreement with every Consumer Access Service or networked PHR provider. Instead of each participant signing agreements with each other participant, it may be more practical if all participants agreed to a basic set of "network rules" – a set of common practices that each participant would sign and publicly commit to uphold. Although there are no such large-scale arrangements for Consumer Access Services or PHRs today, such models should be explored.

The HIPAA regulations permit consumers to request their personal health information directly from Covered Entities. Consumers may then store the information with any Consumer Access Service of their choice. In this case, the Consumer Access Service does not need a chain-of-trust agreement with the Covered Entity. The consent agreement(s) between the consumer and the Consumer Access Service should spell out the information-handling practices of the Consumer Access Service. (See CP4: Consumer Consent to Collections, Uses, and Disclosures of Information.)

A Consumer Access Service may not be regulated under HIPAA, and it may have unregulated relationships with many different types of third parties. In such cases, chain-of-trust agreements between the Consumer Access Service and its third parties are a prudent mechanism to discourage unacceptable actions. Such agreements should prohibit activities that are inconsistent with fair information practice principles, such as the surreptitious re-identification of de-identified data without the consumer's knowledge or consent. The recommended practice language below is primarily intended for this scenario (i.e., an uncovered Consumer Access Service's relationship with unrelated and unregulated third parties), but it may be helpful in other relationships as well.

Recommended Practice

Consumer Access Services should contractually bind third parties with which they share or exchange personally identifiable, partially identifying, and de-identified data to:

• Prohibit unauthorized use and disclosure of such data.
• Protect the data in accordance with policies and authorizations agreed to by the consumer, when applicable.
• Prohibit unauthorized attempts to identify de-identified data by, among other things, combining it with other databases of information. (See CT4: Limitations on Identifying Information for a discussion of personally identifiable, partially identifying, and "de-identified" data.)
• Notify the Consumer Access Service if the third party is aware of a breach or misuse of information in a form that carries significant risk of compromising the security, confidentiality or integrity of personal information. (See CP5: Notification of Misuse or Breach.)