The model policies contained in this paper are recommended by the Markle Connecting for Health Policy Subcommittee to be used in conjunction with the Markle Connecting for Health “Model Contract for Health Information Exchange”1 for those working to establish sub-network organizations (SNOs)2 that will use a Record Locator Service (RLS) and operate as part of the National Health Information Network (NHIN). The policies establish baseline privacy protections designed to apply to all individuals receiving care from a SNO Participant (Participant). The goal of these policies is to provide a framework for protecting health information while simultaneously permitting use of the information that is both productive and meaningful. The policies are intended to be useful for SNOs whether or not they are using an RLS.
The federal HIPAA Privacy and Security Rules provide the baseline for the model policies, although in some cases greater privacy protections and individual rights are recommended by the Markle Connecting for Health Policy Subcommittee. Where provisions are derived from the HIPAA Privacy or Security Rules, citations are provided. In no instance do these policies permit less protection of personal health information than those required by federal law; however, participation in a SNO is not a surrogate for determining whether a Participant is a HIPAA “Covered Entity” or is in compliance with the HIPAA regulations. Importantly, the model policies permit Participants to establish and follow their own more protective data management, privacy and security policies, and procedures. In addition, some customization may be necessary at the SNO and Participant level to ensure consistency and compliance with applicable state laws. Many of these policies can and should already be in place at the Participant level. Some are aspirational and should be considered in the future as a networked environment for health information emerges and technology enables greater consumer access to their health records. The policies will need to be customized to reflect the Participants’ unique circumstances and modified to take account of applicable state laws.
The model policies are deeply rooted in nine privacy principles that together form a comprehensive privacy protective architecture, as discussed in the Markle Connecting for Health “Architecture for Privacy in a Networked Health Information Environment.” These principles and the policies that flow from them promote balance between consumer control of and access to health information and the operational need to ensure that information uses and disclosures are not overly restricted such that consumers would be denied many of the benefits and improvements that information technology can bring to the health care system. The policies reflect a carefully balanced view of all of the principles and avoid emphasizing some over others in any way that would weaken the overall approach. The nine privacy principles are as follows:
Openness and Transparency. Openness about developments, procedures, policies, technology, and practices with respect to the treatment of personal health data is essential to protecting privacy. Individuals should be able to understand what information exists about them, how that information is used, and how they can exercise reasonable control over that information. This transparency helps promote privacy practices and instills confidence in individuals with regard to data privacy, which in turn can help increase participation in health data networks.
Purpose Specification and Minimization. Data use must be limited to the amount necessary to accomplish specified purposes. Minimization of use will help reduce privacy violations, which can easily occur when data is collected for one legitimate reason and then reused for different or unauthorized purposes.
Collection Limitation. Personal health data should be obtained only by fair and lawful means, and, if applicable, with the knowledge or consent of the pertinent individual. In an electronic networked environment, it is particularly important for individuals to understand how information concerning them is being collected because electronic collection methods may be confusing to average users. Similarly, individuals may not be aware of the potential abuses that can arise if they submit personal health information via an electronic method.
Use Limitation. The use and disclosure of health information should be limited to those purposes specified by the data recipient. Certain exceptions such as law enforcement or security may warrant reuse of data for other purposes. However, when data is used for purposes other than those originally specified, prior de-identification of the data can help protect individual privacy while enabling important benefits to be derived from the information.
Individual Participation and Control. Every individual should retain the right to request and receive in a timely and intelligible manner information regarding who has that individual’s health data and what specific data the party has, to know any reason for a denial of such request, and to challenge or amend any personal information. Because individuals have a vital stake in their own personal health information, such rights enable them to be participants in the collection and use of their data. Individual participation promotes data quality, privacy, and confidence in privacy practices.
Data Integrity and Quality. Health data should be accurate, complete, relevant, and up-to-date to ensure its usefulness. The quality of health care depends on the existence of accurate health information. Moreover, individuals can be adversely affected by inaccurate health information in other arenas like insurance and employment. Thus, the integrity of health data must be maintained and individuals must be permitted to view information about them and amend such health information so that it is accurate and complete.
Security Safeguards and Controls. Security safeguards are essential to privacy protection because they help prevent data loss, corruption, unauthorized use, modification, and disclosure. With increasing levels of cyber-crime, networked environments may be particularly susceptible without adequate security controls. Design and implementation of various technical security precautions such as identity management tools, data scrubbing, hashing, auditing, authenticating, and other tools can strengthen information privacy.
Accountability and Oversight. Privacy protections have little weight if privacy violators are not held accountable for compliance failures. Employee training, privacy audits, and other oversight tools can help to identify and address privacy violations and security breaches by holding accountable those who violate privacy requirements and identifying and correcting weaknesses in their security systems.
Remedies. The maintenance of privacy protection depends upon legal and financial means to remedy any privacy or security breaches. Such remedies should hold violators accountable for compliance failures, reassure individuals about the organization’s commitment to information privacy, and mitigate any harm that privacy violations may cause individuals.
These nine principles underlie the recommended model privacy policies presented below. While certain principles are emphasized by each individual policy, the policies as a whole balance all of the principles equally so that certain principles are not emphasized over others—which would undermine the effectiveness of the overall approach. Moreover, the policies are individual elements of an integrated and comprehensive Markle Connecting for Health policy framework—The Markle Connecting for Health Common Framework: Resources for Implementing Private and Secure Health Information Exchange—that is intended to be considered in its entirety. In that regard, please refer to the following additional materials developed by the Markle Connecting for Health Policy Subcommittee: “A Model Contract for Health Information Exchange,” “Background Issues on Data Quality,” “Auditing Access to and Use of a Health Information Exchange,” “Breaches of Confidential Health Information,” “Authentication of System Users,” “Notification and Consent When Using a Record Locator Service,” “Patients’ Access to Their Own Health Information,” and “Correctly Matching Patients with Their Records.”
Although most of the recommended model policies can and should be implemented in the current technological environment, there are a few for which organizational and technical barriers may currently be prohibitive. For example, although patients would benefit from access to the RLS and the ability to obtain audit trails of those who have requested information about them from the index, technical and administrative barriers currently do not allow for such access. Health care participants, system vendors, and others should work toward implementing these functionalities as they will enhance privacy protections and help implement the privacy principles of openness and transparency, security safeguards and controls, purpose specification and minimization, use limitation, collection limitation, and accountability. Similarly, in the future, Participants and vendors should seek to realize the other policies that cannot be implemented at this time due to organizational and technical constraints.
The emergence of a networked electronic health information environment will transform patient care and improve the efficiency and effectiveness of the health system. At the same time, the emerging electronic health information infrastructure and the massive increase in the volume of health data that is easily collected, linked, and disseminated create unprecedented privacy and security risks that need to be adequately and appropriately addressed. By incorporating the principles outlined above and the basic requirements set forth in HIPAA, these recommended model policies seek to achieve a balance between maintaining the confidentiality of health information and maximizing the benefits of using such information. Integration of these privacy measures into the emerging networked health care environment can ensure that the benefits of electronic health information are realized while the confidentiality of health information is preserved.
Each of the recommended privacy policies outlined below contains an introductory section that provides background and explains the basis for the policy in law, the privacy principles described above, and other sources. The introductory sections are followed by recommended language for use by SNOs in drafting their own Policies and Procedures to use in conjunction with the Markle Connecting for Health “Model Contract for Health Information Exchange.”