essential and demonstrates strong organizational commitment
to build trust and gain consumer confidence.
ONC’s “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information” outlines principles that, when taken together, constitute
good data stewardship and form a foundation of public trust in
the collection, access, use, and disclosure of personal information by HIEs. To complement the framework, the Office for Civil
Rights (OCR) published a series of fact sheets that clarify how
the HIPAA privacy rule applies to and can be used to help structure privacy policies behind electronic HIE.
ONC’s framework and OCR’s fact sheets call for the following
principles in an HIE:
Individual Access: HIEs should provide consumers with a
“simple and timely means to access and obtain their individually identifiable health information in a readable form and format,” according to ONC’s framework.
4 OCR’s guidance further
states, “An individual’s right to access his or her PHI is a critical
aspect of the Privacy Rule, the application of which naturally extends to an electronic environment. The Privacy Rule’s specific
standards address individuals’ requests for access and timely
action by the covered entity, including the provision of access,
denial of access, and documentation.”
Correction: HIEs should provide patients “a timely means
to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information
corrected or to have a dispute documented if their requests
6 OCR notes the privacy rule provides individuals
with the “right to have their protected health information (PHI)
amended in a manner that is fully consistent” with the framework.
Openness and Transparency: Policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information should be open and transparent, according to ONC and OCR. Entities that participate in
HIEs should provide “clear notice of their policies and procedures regarding how an individual’s identifiable health information” is protected, used, and disclosed.
Individual Choice: HIEs should provide individuals with “a
reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.”
9 (This is commonly
referred to as the individual’s right to consent to identifiable
health information exchange.) OCR further notes the framework “emphasizes the opportunity and ability of an individual
to make choices with respect to the electronic exchange of their
individually identifiable health information.”
Collection, Use, and Disclosure Limitation: “Individually
identifiable health information should be collected, used, and/
or disclosed only to the extent necessary to accomplish a specified purpose.”
11 OCR notes that the framework “emphasized that
appropriate limits should be set on the type and amount of information collected, used, and disclosed, and that authorized
persons and entities should only collect, use, and disclose infor-
HIE Operations across Different States
IN A MULTISTATE exchange, the technology available may
not easily support variations in state laws and may require
manual intervention. For example, an HIE operating in state
A may need to respond differently to requests for information
than an HIE operating in state B, depending on the laws of
the two states. More specifically, HIV or mental health data
may need to be suppressed to comply with the law of state
A, but in the case of state B, full disclosure may be provided.
In states that require suppression of specific clinical information, HIEs must decide if or when to include a notice to
clinicians that certain types of data have been redacted and
that the information provided may be incomplete.†
mation necessary to accomplish a specified purpose.”
Safeguards: “Individually identifiable health information
should be protected with reasonable administrative, technical,
and physical safeguards (HIPAA security rule) to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.”
13 OCR notes
that the HIPAA privacy rule “supports the Safeguards Principle
by requiring covered entities to implement appropriate safeguards to protect the privacy of protected health information
HIE Governance Policies and Procedures
Policies and procedures govern the operations of the HIE, and
many factors must be taken into consideration during their development or revision. For example, the HIPAA privacy and security rules require PHI be accessible to patients; maintained
in a manner that secures patient privacy, security, and data integrity; and released in accordance with state and federal laws.
Appendix B, available in the online version of this practice brief,
outlines the areas that must be taken into account when establishing policies and procedures for HIE operations.
The policies and procedures also set expectations for the
workforce. Training and accountability for the workforce members must be clearly delineated. Access to all available resources
(including policies and procedures) must be part of an ongoing
education and compliance program, which must be enforced by
HIEs typically contract with vendors for the technology they use
to exchange health information. According to Randall E. Sermons, an attorney with HIE experience, when contracting with
technology vendors, HIEs must consider how the technology is
delivered, the licensing required to use the technology, and the
technology’s ability to protect data. Unique liability concerns
within HIEs, such as liability for technology malfunctions and
vicarious liability for acts of a data participant, must also be taken into consideration.