Managing Privacy, Confidentiality and Security: Principles

  1. Transparency

    • Policies for the permissible use of personal health information by those other than the patient should be clearly defined, accessible, and communicated in an easily understood format.
    • Individuals have the right to know how their personal health information has been used and who has access to it.

  2. Collection and Use of Personal Health Information

    • Personal health information of the individual consumer should be obtainable consistent with applicable federal, state and local law. It should be accurate, up-to-date, and limited to what is appropriate and relevant for the intended use.
    • Consumers have a right to privacy of their personal health information, taking into account existing exceptions under law. Consumers should be apprised when they have a choice in how their personal health information will be used and shared and when they can limit uses of their personal health information.

  3. Individual Control

    • Individuals should be able to limit when and with whom their identifiable personal health information is shared. Individuals should be able to delegate these responsibilities to another person.
    • Individuals should be able to readily obtain an audit trail that discloses by whom their personal health information has been accessed and how it has been used.

  4. Security

    • Measures should be implemented to protect the integrity, security, and confidentiality of each individual’s personal health information, ensuring that it cannot be lost, stolen, or accessed or modified in an inappropriate way.
    • Organizations that store, transmit, or use personal health information should have in place mechanisms for authentication and authorization of system users.

  5. Audit

    • Each such organization must have a comprehensive audit process to examine compliance with its internal privacy, security, and confidentiality policies and procedures.
    • Organizations have a responsibility to ensure that an individual is notified when the organization learns of unauthorized or inappropriate access to that individual’s personal health information.

  6. Accountability and Oversight

    • Individuals should be apprised of who monitors compliance with privacy, security and confidentiality policies, how complaints will be handled, how individuals will be informed of a violation, and what remedies are available to them.

  7. Technology and Privacy

    • Technological developments must be adopted in harmony with policies and business rules that foster trust and transparency.
    • Privacy protections must be at the forefront of all technological standards. Privacy issues cannot be addressed post-system design and implementation.