Monday, March 26, 2012

The State HIE Privacy and Security Program Information Notice

On March 22, ONC issued important privacy and security guidance to State Designated Entities.  It addresses concerns from State leaders and other stakeholders that health information exchange efforts have been hampered and slowed by the lack of consistent approaches to core privacy and security issues.  The Program Information Notice (PIN) provides clear national guidance.

It covers eight Core Domains:
1. Individual access
2. Correction
3. Openness and transparency
4. Individual choice
5. Collection, use and disclosure limitation
6. Data quality and integrity
7. Safeguards
8. Accountability

Here's a summary of the highlights:

Access and Correction
Where HIE entities store, assemble or aggregate individually identifiable health information (IIHI), such as longitudinal patient records with data from multiple providers, HIE entities should make concrete plans to give patients electronic access to their compiled IIHI and develop clearly defined processes (1) for individuals to request corrections to their IIHI and (2) to resolve disputes about information accuracy and document when requests are denied.

Openness and transparency
Where HIE entities store, assemble or aggregate IIHI, individuals should have the ability to request and review documentation to determine who has accessed their information or to whom it has been disclosed.

Individual Choice
Push Model
Where HIE entities serve solely as information conduits for directed exchange of IIHI and do not access IIHI or use IIHI beyond what is required to encrypt and route it, patient choice is not required beyond existing law. Such sharing of IIHI from one health care provider directly to another is currently within patient expectations.

Pull Model
Where HIE entities store, assemble or aggregate IIHI beyond what is required for an initial directed transaction, HIE entities should ensure individuals have meaningful choice regarding whether their IIHI may be exchanged through the HIE entity. Both opt-in and opt-out models can be acceptable means of obtaining patient choice provided that choice is meaningful.

Use and Disclosure Limitation
In principle, a health care provider should only access the minimum amount of information needed for treatment of the patient.

Data quality and integrity
Where HIE entities store, assemble or aggregate IIHI, they should implement strategies and approaches to ensure the data exchanged are complete and accurate and that patients are correctly matched with their data.

HIE entities should conduct a thorough assessment of risks and vulnerabilities.

HIE entities should ensure appropriate monitoring mechanisms are in place to report and mitigate non-adherence to policies and breaches.

In my view, these are very reasonable principles. The use of "shall" and "should" in these guidelines is important to note. Shall means you must, and should means it's a good idea to try. Should is used for more aspirational goals that need additional technology, standards, and policies.

Massachusetts goes live with its statewide HIE this Fall, so it was very helpful that no new regulations are required by the PIN for Push transport models. The new guidance is completely aligned with the Strategic and Operating Plan we already have in process to replace existing paper-based workflows with electronic workflows leveraging current consent models.

1 comment:

Adrian Gropper said...

As you point out, there's a difference between "shall" and "should". All of the fair information practice policies in this guidance are labeled "should". This leaves room for each state to continue to interpret privacy selectively and will slow down the emergence of a nationwide health information network while adding to patient confusion around HIPAA. Let's hope state HIEs try to get ahead of the privacy issues this time.