P2: Model Privacy Policies and Procedures for Health Information Exchange
Purpose and Principles: This recommended model policy integrates the right granted by the HIPAA Privacy Rule of individuals to amend health information about them under certain circumstances.[37] Accurate health information not only is indispensable to the delivery of health care, but is important to individuals’ applications for insurance and employment and in a variety of other arenas. Allowing individuals to verify the accuracy and completeness of information concerning them contributes to the transparency of Participants’ operations and fosters confidence in Participants’ privacy practices and commitment to data accuracy. This policy promotes the privacy principles of data integrity and quality, openness and transparency, individual participation and control, and accountability and oversight. Using such a model policy will enable Participants to more readily rely upon the integrity and quality of their data and more easily monitor, account for, and remedy systemic data inaccuracies, corruptions, and other data deficiencies or privacy lapses.
Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.
Policy: Each Participant shall comply with applicable federal, state and local laws and regulations regarding individual rights to request amendment of health information.[38] If an individual requests, and the Participant accepts, an amendment to the health information about the individual, the Participant shall make reasonable efforts to inform other Participants that accessed or received such information through the SNO, within a reasonable time, if the recipient institution may have relied or could foreseeably rely on the information to the detriment of the individual.
Purpose and Principles: To advance the privacy principles of individual participation and control, use limitation, and accountability and oversight, this recommended model policy requires Participants who agree to individuals’ requests for restrictions in accordance with the HIPAA Privacy Rule to comply with such requests with regard to the release of information in the SNO.[39] Such compliance ensures permissible use of health information and accountability on the part of Participants who agree to individually requested use restrictions. Without the ability to request restrictions and without assurance that Participants will honor these agreed-upon restrictions, individuals may remain silent about important information that could affect their health. By creating confidence in Participants and their privacy protections and encouraging individual participation, this policy fosters dialog between individuals and Participants. Improved communication between a provider and patient improves the overall delivery of health care.
Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide or make available health information through the SNO.
Policy: If a Participant agrees to an individual’s request for restrictions,[40] as permitted under the HIPAA Privacy Rule, such Participant shall ensure that it complies with the restrictions when releasing information through the SNO. If an agreed-upon restriction will or could affect the requesting institution’s uses and/or disclosures of health information, at the time of disclosure, the Participant disclosing such health information shall notify the requesting institution of the fact that certain information has been restricted, without disclosing the content of any such restriction.
Purpose and Principles: By incorporating HIPAA’s requirement that entities have procedures to mitigate, and take steps to mitigate, harm resulting from an impermissible use or disclosure of health information,[41] this model policy reflects the privacy principles of remedies, accountability and oversight, security safeguards and controls, openness and transparency, and data integrity and quality. Without the duty to mitigate harm from privacy violations, Participants may not promptly address data security weaknesses or breaches which could lead to greater privacy lapses in the future, diminish the confidence that individuals have in Participants’ privacy practices, and compromise the accuracy, integrity, and quality of Participants’ data. Remedial action and mitigation are essential both to reassure individuals that Participants are vigilant in addressing privacy violations and ameliorating any harm from such violations and to help Participants ensure that their data oversight practices and security measures are functioning and effective.
Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.
Policy: Each Participant shall implement a process to mitigate, and shall, to the extent practicable, mitigate and take appropriate remedial action regarding, any harmful effect that is known to the institution of a use or disclosure of health information through the SNO in violation of applicable laws and/or regulations and/or these Policies by the institution, or its workforce members, agents, and contractors. Steps to mitigate could include, among other things, Participant notification to the individual of the disclosure of information about them or Participant request to the party who received such information to return and/or destroy the impermissibly disclosed information.