Key Elements: Managing Privacy, Security & Confidentiality

Privacy, Security & Confidentiality Principles

To produce work that is and will remain relevant given the shifting environment and rapid developments in the areas of privacy, security and confidentiality, the committee sought to take a simple and clear approach to the underlying core issues most often encountered in these areas. To do so, the committee drafted a set of consensus principles, a core set of “common questions” (instead of strategies and actions) and a strong bibliography of leading articles on related subjects. The committee recommends that eHI establish a multi-stakeholder task force to continue to monitor, address and give guidance on emerging questions and issues related to privacy and security.

Consensus was reached on the principles; however, given the environment there are a number of questions that must be applied at the organizational level. The “common questions” are intended to be a starting place for facilitating the dialogue that must occur. The Blueprint does not suggest answers to these questions. They are intended to be applicable for any organization that stores, transmits, and/or uses personal health information and should guide the organization in the development of internal policies and procedures related to privacy, security and confidentiality.

PRINCIPLES

  1. Transparency

    • Policies for the permissible use of personal health information by those other than the patient should be clearly defined, accessible, and communicated in an easily understood format.
    • Individuals have the right to know how their personal health information has been used and who has access to it.

  2. Collection and Use of Personal Health Information

    • Personal health information of the individual consumer should be obtainable consistent with applicable federal, state and local law. It should be accurate, up-to-date, and limited to what is appropriate and relevant for the intended use.
    • Consumers have a right to privacy of their personal health information, taking into account existing exceptions under law. Consumers should be apprised when they have a choice in how their personal health information will be used and shared and when they can limit uses of their personal health information.

  3. Individual Control

    • Individuals should be able to limit when and with whom their identifiable personal health information is shared. Individuals should be able to delegate these responsibilities to another person.
    • Individuals should be able to readily obtain an audit trail that discloses by whom their personal health information has been accessed and how it has been used.

  4. Security

    • Measures should be implemented to protect the integrity, security, and confidentiality of each individual’s personal health information, ensuring that it cannot be lost, stolen, or accessed or modified in an inappropriate way.
    • Organizations that store, transmit, or use personal health information should have in place mechanisms for authentication and authorization of system users.

  5. Audit

    • Each such organization must have a comprehensive audit process to examine compliance with its internal privacy, security, and confidentiality policies and procedures.
    • Organizations have a responsibility to ensure that an individual is notified when the organization learns of unauthorized or inappropriate access to that individual’s personal health information.

  6. Accountability and Oversight

    • Individuals should be apprised as to who monitors policy compliance with privacy, security and confidentiality policies, how complaints will be handled, how individuals will be informed of a violation and existing remedies available to them.

  7. Technology and Privacy

    • Technological developments must be adopted in harmony with policies and business rules that foster trust and transparency.
    • Privacy protections must be at the forefront of all technological standards. Privacy issues cannot be addressed post-system design and implementation.

 

COMMON CORE QUESTIONS ABOUT PRIVACY AND SECURITY

Given the dynamic nature of public and private sector developments for privacy, security and confidentiality, a specific direction or set of rules for stakeholders to follow is lacking. Further complicating the situation, the relevant answers to the questions that are asked depend on the stakeholder.

Today there are inconsistencies in federal and state privacy and security laws, and this is further complicated by stakeholders’ interpretations of the laws and the reconciliation of the inconsistencies. There are a number of projects underway at the federal and state level to reconcile these issues; however, it is important to understand what exists today and to have stakeholders achieve consensus on relevant interpretations.

The common core questions below are intended to help organizations examine and address the underlying issues most often encountered in the areas of privacy and security. Organizations ranging from health information exchanges (HIEs) and provider organizations, to researchers, vendors, policy experts and lawmakers at the national, state, and local levels can apply these questions. Because the context in which stakeholders operate will vary, these questions serve as a guide to facilitate relevant answers given different environments. These questions are not meant to be asked only one time – as the environment changes, organizations will need to readdress these questions to ensure they continue to be compliant.

Policy decisions should be the driver of technology; however, these questions should be asked in the context of the technology and its capabilities.

  1. What federal and state privacy and security laws are you subject to? Are partner stakeholders subject to the same laws? What are the implications if stakeholders are subject to different laws?

  2. There may be differences under federal and state laws as to how different types of health information are handled (e.g. mental health and substance abuse). What are the implications of having different laws for different types of health information?

  3. What are the implications of having different federal and state laws affecting privacy and security? Is there consensus on how the laws apply to each stakeholder? What are the implications of having different laws across states?

  4. Not all entities are covered by the same laws, even in the situation where they perform the same services. What are the implications of having some entities performing similar services covered by federal law (e.g., HIPAA) and others not?

    • How does this impact your competitiveness?

    • How does this impact your ability to exchange information with others?

    • Does contracting with non-covered entities create different levels of accountability and/or enforceability in the exchange of health information?

    • Assuming you are not a covered entity or its business associate, what would be the implications of complying with enforceable confidentiality, privacy, and security requirements at least equivalent to relevant HIPAA principles?

  5. Should there be different confidentiality, privacy, and security protections for electronic records as compared to paper records, whether in whole or in part?

  6. Is there a minimum set of confidentiality, privacy, and security protections that you think any organization that stores, transmits, and/or uses personal health information should follow? If not HIPAA, then what?

  7. How and when should privacy and security policies be available to employees? How will employees be held accountable for following these policies?

  8. How do you collect, maintain, store, share or transmit personal health information?

  9. What is your approach for dealing with breaches of privacy and security?

  10. How and at what point in time do you communicate your privacy and security practices to patients/consumers? How and at what point in time do you communicate changes in your practices?

  11. What level of consent and how much control are consumers given over the flow of their information, i.e., “authorization and consent,” before disclosure, “ability to review and correct information,” and so on? What level of control should consumers have over the use of de-identified patient data for population health initiatives or research that is outside the direct care delivery process? What is the best way to educate consumers about these issues and the impact of their choices?
