HHS Issues Guidance on HIPAA Privacy Rule, Electronic Exchange of Health Information
The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) and Office of the National Coordinator for Health Information Technology (ONC) issued new guidance on Dec. 15, 2008. The guidance consists of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (the Framework) and the Health IT Privacy and Security Toolkit (the Toolkit), a document designed to assist health information exchange stakeholders in implementing the Framework.
The OCR and the ONC designed the Framework and the Toolkit to serve as guides for entities that exchange electronic protected health information in a networked environment in their efforts to comply with the Health Insurance Portability and Accountability Act's (HIPAA) privacy standards (the Privacy Rule).
The Framework and the Toolkit clarify how the Privacy Rule applies to and can be used by health care entities to structure policies behind electronic health information exchange in a networked environment. These new guidance documents provide a helpful set of guiding principles and answer questions shared by many HIPAA covered entities.
The Framework emphasizes that adherence to “clear, understandable, uniform principles” is crucial to achieving a high level of trust from individual patients as well as stakeholders participating in electronic health information exchange. Accordingly, both the Framework and the Toolkit are organized around a set of key principles.
Building upon the Framework's introduction of the principles, the Toolkit provides a brief summary of each principle and then identifies how the Privacy Rule is consistent with and promotes each principle. A Frequently Asked Questions section is included for each principle to clarify concerns shared by covered entities and their business associates.
Although the OCR and the ONC advise that the principles do not constitute legal advice, they encourage adherence to the principles even when the principles set higher standards than legal requirements. In some instances the principles do indeed set higher standards—the individual choice principle, for example, is not a HIPAA requirement. The eight principles as defined by the OCR and the ONC are:
- Individual Access Principle: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
- Correction Principle: Individuals should have a timely way to question the accuracy or integrity of their individually identifiable health information, to have erroneous information corrected, or to have a dispute documented if their requests are denied.
- Openness and Transparency Principle: There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
- Individual Choice Principle: Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.
- Collection, Use, and Disclosure Limitation Principle: Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish specified purposes and never to discriminate inappropriately.
- Data Quality and Integrity Principle: Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.
- Safeguards Principle: Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
- Accountability Principle: The Principles in the Framework should be implemented, and adherence assured, through appropriate monitoring and other means, and methods should be in place to report and mitigate non-adherence and breaches.
The new HIPAA guidance documents are available on the ONC Web site.