P2
Related Practice Areas
- The Markle Common Framework: Overview and Principles
- P1: The Architecture for Privacy in a Networked Health Environment
- P3: Notification and Consent When Using a Record Locator Service
- P6: Patients' Access to Their Own Health Information
- P7: Auditing Access to and Use of a Health Information Exchange
Additional Resources
- Policies in Practice: Consent
- Policies in Practice: Key Laws and Regulations
- Frequently Asked Questions
- Acknowledgements
Download P2: Model Privacy Policies and Procedures for Health Information Exchange
SNO Policy 100: Compliance with Law and Policy
Purpose and Principles: In the spirit of the privacy principles of openness and transparency, data integrity and quality, accountability and oversight, and remedies, a requirement that Participants comply with applicable law and SNO policies and promulgate the internal policies required for such compliance is indispensable to the successful realization of essential privacy protections. In addition, the recommended model provision below governing conflicts between SNO policies and Participant policies, which states that the policy that is most protective of individual privacy should govern decision making, is designed to make clear that the policies provide a floor and Participants may choose to enhance privacy protections where appropriate. This deference to more protective policies echoes the HIPAA federal pre-emption requirements which do not preempt more protective state privacy laws.3
The recommended policy’s requirement that Participants develop internal policies will help implement the principles of sound data management practices and accountability as well as ensure that decisions affecting individuals' privacy interests are made thoughtfully, rather than on an ad hoc basis. Written documentation of such policies facilitates the training of personnel who will handle health information and enhances the accountability of both Participants and members of their workforce. Finally, the existence of internal policies for compliance with applicable law and SNO policies creates transparency surrounding Participants’ handling and safeguarding of data. Policies to establish privacy protection compliance, enforcement procedures and remedies following violations are crucial to maintaining health information privacy.
Recommended Language
Scope and Applicability: This Policy applies to all Participants that have registered with and are participating in the SNO and the RLS and that may provide, make available, or request health information through the SNO and the RLS.
Policy:
- Laws. Each Participant shall, at all times, comply with all applicable federal, state, and local laws and regulations, including, but not limited to, those protecting the confidentiality and security of individually identifiable health information and establishing certain individual privacy rights. Each Participant shall use reasonable efforts to stay abreast of any changes or updates to and interpretations of such laws and regulations to ensure compliance.
- SNO Policies. Each Participant shall, at all times, comply with all applicable SNO policies and procedures (“SNO Policies”). These SNO Policies may be revised and updated from time to time upon reasonable written notice to Participant. Each Participant is responsible for ensuring it has, and is in compliance with, the most recent version of these SNO Policies.
- Participant Policies. Each Participant is responsible for ensuring that it has the requisite, appropriate, and necessary internal policies for compliance with applicable laws and these SNO Policies. In the event of a conflict between these SNO Policies and an institution’s own policies and procedures, the Participant shall comply with the policy that is more protective of individual privacy and security.