Now this third PIN builds on the existing work while adding some significant requirements to the state level efforts. It provides guidance to states to evaluate their current privacy and security policies and practices and determine if alignment gaps exist. The guidance outlines a core set of privacy and security expectations under eight domains:
- Individual Access: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information (IIHI) in a readable form and format.
- Correction: Individuals should be provided with a timely means to dispute the accuracy or integrity of their IIHI, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
- Openness and transparency: There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
- Individual Choice: Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information. Individuals should be able to designate someone (family member, caregiver, domestic partner or legal guardian) to make decisions on their behalf. This process should be fair and not burdensome.
- Collection, Use and Disclosure Limitation: Individually identifiable health information should be collected, used and/or disclosed only to the extent necessary to accomplish a specified purpose and never to discriminate inappropriately. This information should only be collected, used or disclosed to accomplish a specific purpose, and purposes of information exchange should be specified.
- Data Quality and Integrity: Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate and up to date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.
- Safeguards: Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, use or disclosure.
- Accountability: These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.
Those that have an HIE architectural model which includes data aggregation where HIE entities that store, assemble or aggregate individually identifiable health information, whether centrally or in a federated model must incorporate all seven domains. For those which have a current architectural model which uses only point-to-point directed exchange numbers 1, 2, 4, and 6 above are optional.
The guidance on Individual Choice is especially interesting:
Where HIE entities store, assemble or aggregate IIHI beyond what is required for an initial directed transaction, HIE entities should ensure individuals have meaningful choice regarding whether their IIHI may be exchanged through the HIE entity. This type of exchange will likely occur in a query/response model or where information is aggregated for analytics or reporting purposes.
A patient's meaningful choice means that choice is:
- Made with advance knowledge/time;
- Not used for discriminatory purposes or as condition for receiving medical treatment;
- Made with full transparency and education;
- Commensurate with circumstances for why IIHI is exchanged;
- Consistent with patient expectations;
Both opt-in and opt-out models can be acceptable means of obtaining patient choice provided that choice is meaningful (ie., use of either model must meet the requirements described above and not be limited to, for example, a provider's boilerplate form or reliance on the patient to read material posted on a provider's waiting room wall or website).
- Revocable at any time.
Where meaningful choice is required, HIE entities should either (1) directly ensure patients have the opportunity for meaningful choice; or (2) ensure that the health care providers for which it facilitates electronic health information exchange provide individuals with meaningful choice regarding the exchange of their IIHI. Choice should be offered to each patient on a prospective basis and periodically renewed. Attention should be paid to minimizing provider burden.
This new guidance is likely to create some additional policy work, particularly for those states that are moving beyond simply directed exchange. I'd be interested in what you think about this new guidance.
Privacy and Security Program Information Notice (ONC-HIE-PIN-003)
HIE Privacy and Security Program Information Notice (ONC-HIE-PIN-003)