P1
Related Practice Areas
- The Markle Common Framework: Overview and Principles
- P2: Model Privacy Policies and Procedures for Health Information Exchange
- P3: Notification and Consent When Using a Record Locator Service
- P6: Patients' Access to Their Own Health Information
- P8: Breaches of Confidential Health Information
Additional Resources
Download P1: The Architecture for Privacy in a Networked Health Environment
Acknowledgements
The members of the Markle Connecting for Health Policy Subcommittee have accomplished an extraordinary task in less than a year’s time—the development of an evolving piece of work that can serve as the core of nationwide health information exchange—the policy components of the Markle Connecting for Health Common Framework for Private and Secure Health Information Exchange, published in 2006. During this time, we have been fortunate to work with respected experts in the fields of health, information technology, and privacy law, all of whom have contributed their time, energy, and expertise to a daunting enterprise. Our consultants and volunteers have worked long hours in meetings and conference calls to negotiate the intricacies of such issues as privacy, security, authentication, notification, and consent in health information exchange. We offer them our heartfelt thanks for taking on this journey with us, and look forward to the remaining work ahead.
In addition, we would like to offer special thanks to the volunteers and consultants who authored the initial drafts of this body of work—their hard work created a strong foundation upon which to focus the Subcommittee’s deliberations: Stefaan Verhulst, Clay Shirky, Peter Swire, Gerry Hinkley, Allen Briskin, Marcy Wilder, William Braithwaite, and Janlori Goldman.
Finally, we must note that none of this work would have been possible without the leadership and inspiration of our co-chairs, William Braithwaite and Mark Frisse.They have led us with steady hands and determination of spirit.
Markle Connecting for Health Policy Subcommittee
|
William Braithwaite, MD, eHealth Initiative, (Co-Chair) Mark Frisse, MD, MBA, MSc, Vanderbilt Center for Better Health, (Co-Chair) Laura Adams, Rhode Island Quality Institute Phyllis Borzi, JD, George Washington University Medical Center Susan Christensen,* JD, Agency for Healthcare Research and Quality, United States Department of Health and Human Services Art Davidson, MD, MSHP, Denver Public Health Mary Jo Deering,* PhD, National Cancer Institute/National Institutes of Health, United States Department of Health and Human Services Jim Dempsey, JD, Center for Democracy and Technology Hank Fanberg, Christus Health Linda Fischetti,* RN, MS, Veterans Health Administration Seth Foldy, MD, City of Milwaukee Health Department Janlori Goldman, JD, Columbia College of Physicians and Surgeons Ken Goodman, PhD, University of Miami John Halamka, MD, CareGroup Healthcare System Joseph Heyman, MD, American Medical Association Gerry Hinkley, JD, Davis, Wright, Tremaine LLP Charles Jaffe, MD, PhD, Intel Corporation Jim Keese, Eastman Kodak Company Linda Kloss, RHIA, CAE, American Health Information Management Association Gil Kuperman, MD, PhD, New York-Presbyterian Hospital Ned McCulloch, JD, IBM Corporation Patrick McMahon, Microsoft Corporation Omid Moghadam, Intel Corporation Joyce Niland, PhD, City of Hope National Medical Center |
Louise Novotny, Communication Workers of America Michele O'Connor, MPA, RHIA, MPI Services Initiate Victoria Prescott, JD, Regenstrief Institute for Healthcare Marc A. Rodwin, JD, PhD, Suffolk University Law School Kristen B. Rosati, JD, Coppersmith Gordon Schermer Owens & Nelson PLC Sara Rosenbaum, JD, George Washington University Medical Center David A. Ross, ScD, Public Health Informatics Institute Clay Shirky, New York University (Chair, Technical Subcommittee) Don Simborg, MD, American Medical Informatics Association Michael Skinner, Santa Barbara Care Data Exchange Joel Slackman, BlueCross/BlueShield Association Peter P. Swire, JD, Moritz College of Law, Ohio State University Paul Tang, MD, Palo Alto Medical Foundation Micky Tripathi, Massachusetts eHealth Collaborative Cynthia Wark,* CAPT, United States Public Health Service Commissioned Corps, Centers for Medicare and Medicaid Services, United States Department of Health and Human Services John C. Wiesendanger, MHS, West Virginia Medical Institute/Quality Insights of Delaware/Quality Insights of Pennsylvania Marcy Wilder, JD, Hogan & Hartson LLP Scott Williams, MD, MPH, HealthInsight Robert B. Williams, MD, MIS, Deloitte Joy Wilson, National Conference of State Legislatures Rochelle Woolley, RxHub Amy Zimmerman-Levitan, MPH, Rhode Island State Department of Health |
*Note: Federal employees participate in the Subcommittee but make no endorsement
__________
- Considered and applied together, these principles add up to an integrated and comprehensive approach to privacy necessary for a connected health information exchange environment. It is critical that the nine principles are considered as part of one package—elevating certain principles over others will simply weaken the overall architectural solution to privacy protection in a networked health information environment.
- The use of technology for privacy protection depends to a large extent on the level of automatization of the envisaged process.
- HIPAA applies directly only to covered entities, which are health care providers, health plans (e.g., insurers, health maintenance organizations), and health care clearinghouses (organizations that facilitate the processing of health care claims and information). No other health care record keepers are covered directly. However, an organization that is not a covered entity may still become subject to the HIPAA rules if it functions as a business associate for a covered entity. A business associate is someone who carries out a function involving the use or disclosure of individually identifiable health information on behalf of a covered entity. The limited scope of the HIPAA rules and the narrow onward transfer provision mean that some health data covered by the rules can be transferred to others and escape the privacy protections of HIPAA.
- Phishing is a tool used to gain personal information for purposes of identity theft. It involves using (fraudulent) e-mail messages that appear to come from legitimate businesses.