
Model Privacy Policies and Procedures for Health Information Exchange

THE CONNECTING FOR HEALTH COMMON FRAMEWORK


The document you are reading is part of The Connecting for Health Common Framework, which is available in full and in its most current version at: http://www.connectingforhealth.org/. The Common Framework will be revised and expanded over time. As of October 2006, the Common Framework included the following published components:

Connecting for Health Common Framework | www.connectingforhealth.org | April 2006

Model Privacy Policies and Procedures for Health Information Exchange*

The model policies contained in this paper are recommended by the Connecting for Health Policy Subcommittee to be used in conjunction with the Connecting for Health “Model Contract for Health Information Exchange”1 for those working to establish sub-network organizations (SNOs)2 that will use a Record Locator Service (RLS) and operate as part of the National Health Information Network (NHIN). The policies establish baseline privacy protections designed to apply to all individuals receiving care from a SNO Participant (Participant). The goal of these policies is to provide a framework for protecting health information while simultaneously permitting use of the information that is both productive and meaningful. The policies are intended to be useful for SNOs whether or not they are using an RLS.

The federal HIPAA Privacy and Security Rules provide the baseline for the model policies, although in some cases greater privacy protections and individual rights are recommended by the Connecting for Health Policy Subcommittee. Where provisions are derived from the HIPAA Privacy or Security Rules, citations are provided. In no instance do these policies permit less protection of personal health information than those required by federal law; however, participation in a SNO is not a surrogate for determining whether a Participant is a HIPAA “Covered Entity” or is in compliance with the HIPAA regulations. Importantly, the model policies permit Participants to establish and follow their own more protective data management, privacy and security policies, and procedures. In addition, some customization may be necessary at the SNO and Participant level to ensure consistency and compliance with applicable state laws. Many of these policies can and should already be in place at the Participant level. Some are aspirational and should be considered in the future as a networked environment for health information emerges and technology enables greater consumer access to their health records. The policies will need to be customized to reflect the Participants’ unique circumstances and modified to take account of applicable state laws.

* Connecting for Health thanks Marcy Wilder of Hogan & Hartson LLP for drafting this paper.

1 See Connecting for Health, “A Model Contract for Health Information Exchange.”

2 A sub-network organization (SNO) is to operate as a health information data exchange organization (whether regionally or affinity-based) that operates as a part of the National Health Information Network (NHIN), a nationwide environment for the electronic exchange of health information made up of a “network of networks.”

©2006, Markle Foundation

This work was originally published as part of The Connecting for Health Common Framework: Resources for Implementing Private and Secure Health Information Exchange and is made available subject to the terms of a license (License) which may be viewed in its entirety at: http://www.connectingforhealth.org/license.html. You may make copies of this work; however, by copying or exercising any other rights to the work, you accept and agree to be bound by the terms of the License. All copies of this work must reproduce this copyright information and notice.

The model policies are deeply rooted in nine privacy principles that together form a comprehensive privacy protective architecture, as discussed in the Connecting for Health “Architecture for Privacy in a Networked Health Information Environment.” These principles and the policies that flow from them promote balance between consumer control of and access to health information and the operational need to ensure that information uses and disclosures are not overly restricted such that consumers would be denied many of the benefits and improvements that information technology can bring to the health care system. The policies reflect a carefully balanced view of all of the principles and avoid emphasizing some over others in any way that would weaken the overall approach. The nine privacy principles are as follows:

Openness and Transparency. Openness about developments, procedures, policies, technology, and practices with respect to the treatment of personal health data is essential to protecting privacy. Individuals should be able to understand what information exists about them, how that information is used, and how they can exercise reasonable control over that information. This transparency helps promote privacy practices and instills confidence in individuals with regard to data privacy, which in turn can help increase participation in health data networks.

Purpose Specification and Minimization. Data use must be limited to the amount necessary to accomplish specified purposes. Minimization of use will help reduce privacy violations, which can easily occur when data is collected for one legitimate reason and then reused for different or unauthorized purposes.

Collection Limitation. Personal health data should be obtained only by fair and lawful means, and, if applicable, with the knowledge or consent of the pertinent individual. In an electronic networked environment, it is particularly important for individuals to understand how information concerning them is being collected because electronic collection methods may be confusing to average users. Similarly, individuals may not be aware of the potential abuses that can arise if they submit personal health information via an electronic method.

Use Limitation. The use and disclosure of health information should be limited to those purposes specified by the data recipient. Certain exceptions such as law enforcement or security may warrant reuse of data for other purposes. However, when data is used for purposes other than those originally specified, prior de-identification of the data can help protect individual privacy while enabling important benefits to be derived from the information.

Individual Participation and Control. Every individual should retain the right to request and receive in a timely and intelligible manner information regarding who has that individual’s health data and what specific data the party has, to know any reason for a denial of such request, and to challenge or amend any personal information. Because individuals have a vital stake in their own personal health information, such rights enable them to be participants in the collection and use of their data. Individual participation promotes data quality, privacy, and confidence in privacy practices.

Data Integrity and Quality. Health data should be accurate, complete, relevant, and up-to-date to ensure its usefulness. The quality of health care depends on the existence of accurate health information. Moreover, individuals can be adversely affected by inaccurate health information in other arenas like insurance and employment. Thus, the integrity of health data must be maintained and individuals must be permitted to view information about them and amend such health information so that it is accurate and complete.

Security Safeguards and Controls. Security safeguards are essential to privacy protection because they help prevent data loss, corruption, unauthorized use, modification, and disclosure. With increasing levels of cyber-crime, networked environments may be particularly susceptible without adequate security controls. Design and implementation of various technical security precautions such as identity management tools, data scrubbing, hashing, auditing, authenticating, and other tools can strengthen information privacy.

Accountability and Oversight. Privacy protections have little weight if privacy violators are not held accountable for compliance failures. Employee training, privacy audits, and other oversight tools can help to identify and address privacy violations and security breaches by holding accountable those who violate privacy requirements and identifying and correcting weaknesses in their security systems.

Remedies. The maintenance of privacy protection depends upon legal and financial means to remedy any privacy or security breaches. Such remedies should hold violators accountable for compliance failures, reassure individuals about the organization’s commitment to information privacy, and mitigate any harm that privacy violations may cause individuals.

These nine principles underlie the recommended model privacy policies presented below. While certain principles are emphasized by each individual policy, the policies as a whole balance all of the principles equally so that certain principles are not emphasized over others—which would undermine the effectiveness of the overall approach. Moreover, the policies are individual elements of an integrated and comprehensive Connecting for Health policy framework—The Connecting for Health Common Framework: Resources for Implementing Private and Secure Health Information Exchange—that is intended to be considered in its entirety. In that regard, please refer to the following additional materials developed by the Connecting for Health Policy Subcommittee: “A Model Contract for Health Information Exchange,” “Background Issues on Data Quality,” “Auditing Access to and Use of a Health Information Exchange,” “Breaches of Confidential Health Information,” “Authentication of System Users,” “Notification and Consent When Using a Record Locator Service,” “Patients’ Access to Their Own Health Information,” and “Correctly Matching Patients with Their Records.”

Although most of the recommended model policies can and should be implemented in the current technological environment, there are a few for which organizational and technical barriers may currently be prohibitive. For example, although patients would benefit from access to the RLS and the ability to obtain audit trails of those who have requested information about them from the index, technical and administrative barriers currently do not allow for such access. Health care participants, system vendors, and others should work toward implementing these functionalities as they will enhance privacy protections and help implement the privacy principles of openness and transparency, security safeguards and controls, purpose specification and minimization, use limitation, collection limitation, and accountability. Similarly, in the future, Participants and vendors should seek to realize the other policies that cannot be implemented at this time due to organizational and technical constraints.

The emergence of a networked electronic health information environment will transform patient care and improve the efficiency and effectiveness of the health system. At the same time, the emerging electronic health information infrastructure and the massive increase in the volume of health data that is easily collected, linked, and disseminated create unprecedented privacy and security risks that need to be adequately and appropriately addressed. By incorporating the principles outlined above and the basic requirements set forth in HIPAA, these recommended model policies seek to achieve a balance between maintaining the confidentiality of health information and maximizing the benefits of using such information. Integration of these privacy measures into the emerging networked health care environment can ensure that the benefits of electronic health information are realized while the confidentiality of health information is preserved.

Each of the recommended privacy policies outlined below contains an introductory section that provides background and explains the basis for the policy in law, the privacy principles described above, and other sources. The introductory sections are followed by recommended language for use by SNOs in drafting their own Policies and Procedures to use in conjunction with the Connecting for Health “Model Contract for Health Information Exchange.”

SNO Policy 100: Compliance with Law and Policy

Purpose and Principles: In the spirit of the privacy principles of openness and transparency, data integrity and quality, accountability and oversight, and remedies, a requirement that Participants comply with applicable law and SNO policies and promulgate the internal policies required for such compliance is indispensable to the successful realization of essential privacy protections. In addition, the recommended model provision below governing conflicts between SNO policies and Participant policies, which states that the policy that is most protective of individual privacy should govern decision making, is designed to make clear that the policies provide a floor and Participants may choose to enhance privacy protections where appropriate. This deference to more protective policies echoes the HIPAA federal pre-emption requirements which do not preempt more protective state privacy laws.3

The recommended policy’s requirement that Participants develop internal policies will help implement the principles of sound data management practices and accountability as well as ensure that decisions affecting individuals' privacy interests are made thoughtfully, rather than on an ad hoc basis. Written documentation of such policies facilitates the training of personnel who will handle health information and enhances the accountability of both Participants and members of their workforce. Finally, the existence of internal policies for compliance with applicable law and SNO policies creates transparency surrounding Participants’ handling and safeguarding of data. Policies to establish privacy protection compliance, enforcement procedures and remedies following violations are crucial to maintaining health information privacy.

Recommended Language

Scope and Applicability: This Policy applies to all Participants that have registered with and are participating in the SNO and the RLS and that may provide, make available, or request health information through the SNO and the RLS.

Policy:

1. Laws. Each Participant shall, at all times, comply with all applicable federal, state, and local laws and regulations, including, but not limited to, those protecting the confidentiality and security of individually identifiable health information and establishing certain individual privacy rights. Each Participant shall use reasonable efforts to stay abreast of any changes or updates to and interpretations of such laws and regulations to ensure compliance.

2. SNO Policies. Each Participant shall, at all times, comply with all applicable SNO policies and procedures (“SNO Policies”). These SNO Policies may be revised and updated from time to time upon reasonable written notice to Participant. Each Participant is responsible for ensuring it has, and is in compliance with, the most recent version of these SNO Policies.

3. Participant Policies. Each Participant is responsible for ensuring that it has the requisite, appropriate, and necessary internal policies for compliance with applicable laws and these SNO Policies. In the event of a conflict between these SNO Policies and an institution’s own policies and procedures, the Participant shall comply with the policy that is more protective of individual privacy and security.

3 45 C.F.R. § 160.203.

SNO Policy 200: Notice of Privacy Practices

Purpose and Principles: This recommended policy incorporates the HIPAA requirements obligating entities to provide individuals a notice of the entities’ privacy practices.4 The policy exceeds HIPAA’s requirements by also requiring disclosures to individuals of certain information related to the SNO and RLS.5 For example, under the model policy, the Privacy Notice should inform individuals about what information the Participant may make available through the SNO and RLS, who is able to access the information, and how they can have information concerning them removed from the RLS. These are not HIPAA requirements, but rather build and expand upon the privacy law to help incorporate information related to the NHIN and the RLS. This recommended model policy also exceeds HIPAA’s requirements by providing suggestions for additional, voluntary protections that could be implemented on the Participant level to enhance consumer protections, such as excluding individuals from the RLS index unless prior consent is obtained or loading information into the RLS only after a notification and opportunity to decline participation has been provided to individual patients.

4 45 C.F.R. § 164.520.

5 HIPAA requires the Notice of Privacy Practices to include a description, with “at least one example, of the types of uses and disclosures that the covered entity is permitted … to make for … treatment, payment and health care operations” and a description of those other purposes for which the entity “is permitted or required … to use or disclose protected health information without” individual authorization. 45 C.F.R. § 164.520(b)(1)(ii)(A). Unlike this recommended model policy, HIPAA does not require the Privacy Notice to set forth what specific information may be disclosed and who may access the information.

This recommended model policy promotes the privacy principles of openness and transparency, purpose specification and minimization, use limitation, collection limitation, and individual participation and control. In addition, the model policy helps ensure that information is collected and shared electronically in a fair manner with the knowledge of relevant individuals, which is particularly important in a networked environment where the technology may be unfamiliar to average users.

Recommended Language

Scope and Applicability: This Policy applies to all Participants that have registered with and are participating in the SNO and the RLS and that may provide or make available health information through the SNO and the RLS.

Policy:

Each Participant shall develop and maintain a notice of privacy practices (the “Notice”) that complies with applicable law and this Policy.

1. Content. The Notice shall meet the content requirements set forth under the HIPAA Privacy Rule6 and comply with all applicable laws and regulations. The Notice also shall include a description of the SNO and the RLS and inform individuals regarding: (1) what information the institution may include in and make available through the SNO and the RLS; (2) who is able to access the information in the SNO and the RLS; (3) for what purposes such information can be accessed; and (4) how the individual can have his or her information removed from the RLS.

2. Provision to Individuals. Each Participant shall have its own policies and procedures governing distribution of the Notice to individuals, which policies and procedures shall be consistent with this Policy and comply with applicable laws and regulations.

• For Participants that are health care providers, the Notice shall be: (1) available to the public upon request; (2) posted on all web sites of the Participant and available electronically through such sites; (3) provided to a patient at the date of first service delivery; (4) available at the institution; and (5) posted in a clear and prominent location where it is reasonable to expect individuals seeking service to be able to read the Notice.7

• For Participants that are health plans, the Notice shall be: (1) available to the public upon request; (2) provided to new enrollees at the time of plan enrollment; (3) provided to current plan enrollees within 60 days of a material revision; and (4) posted on the plan’s web sites and available electronically through such sites. Participating health plan institutions also shall notify individuals covered by the plan of the availability of the Notice and how to obtain a copy at least once every three years.8

3. Individual Acknowledgement. Each Participant that is a health care provider shall make a good faith effort to obtain the individual’s written acknowledgement of receipt of the Notice or to document their efforts and/or failure to do so. The acknowledgement of the Notice shall comply with all applicable laws and regulations.9

Each Participant shall have its own policies and procedures governing obtaining an acknowledgement, which policies and procedures shall be consistent with this Policy and comply with applicable laws and regulations.

4. Participant Choice. Participants may choose a more proactive notice distribution process than provided herein and may include more detail in their notice of privacy practices. Possible additional protections for individuals whose information may be made available through the RLS (not all of which pertain to notice policies alone) could include: mailing the revised notice or a notification letter allowing for removal or exclusion of the information about that individual from the RLS to every individual prior to loading the information into the RLS or shortly thereafter; excluding individuals from the RLS index unless individual consent is obtained; loading individual information into the RLS on a going-forward, new individual encounter basis only; developing a method for time-stamping an RLS record to indicate when the record was loaded into the index; developing a method for allowing individuals to limit access to their RLS records; and obtaining individual consent prior to each inquiry made to the RLS index by a Participant, or on a periodic basis.

6 45 C.F.R. § 164.520(b).

7 See 45 C.F.R. § 164.520(c)(2), (3).

8 See 45 C.F.R. § 164.520(c)(1), (3).

9 See 45 C.F.R. § 164.520(c)(2)(ii).

SNO Policy 300: Individual Participation and Control of Information Posted to the RLS

Purpose and Principles: This recommended model policy provides greater privacy protection over personal health information than the HIPAA Privacy Rule by allowing individuals to elect whether or not to have information about them included in the RLS. Importantly, individuals are treated as participants in the process of health information collection and dissemination, rather than as spectators. Providing such consumer protections allows individuals to better understand the conditions under which information concerning them might be used, to restrict such use, and to develop confidence in the protections surrounding the use of their data.

This model policy promotes the privacy principles of individual participation and control, purpose specification and minimization, use limitation, and collection limitation. By enhancing reasonable individual control over the collection and use of health information the policy will promote consumer confidence that health information is being used and collected in accordance with individual preferences.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and the RLS and that may provide or make available health information through the SNO and the RLS.

Policy:

1. Choice Not to Have Information Included in the RLS. All individuals may choose not to have information about them included in or made available through the RLS.

2. Effect of Choice. An individual’s choice not to have information about him or her included in or made available through the RLS shall be exercised through the Participant, as described in the institution’s Notice, after which time the institution shall no longer include the individual in the RLS. Participants shall develop and implement appropriate mechanisms to remove information about an individual from the RLS if the individual chooses to have such information excluded from the RLS.

3. Revocation. An individual who has chosen not to make information concerning him or her available through the RLS subsequently may be included in the RLS only if the individual revokes his or her decision or subsequently chooses to renew participation in the RLS.

4. Documentation. Each Participant shall document and maintain documentation of all patients’ decisions not to have information about them included in the RLS.

5. Participant Choice. Participants shall establish reasonable and appropriate processes to enable the exercise of a patient’s choice not to have information about him or her included in the RLS. Each Participant retains the authority to decide whether and when to obtain patient consent prior to making information available through the RLS.

6. Provision of Coverage or Care. A Participant shall not withhold coverage or care from an individual on the basis of that individual’s choice not to have information about him or her included in the RLS.

SNO Policy 400: Uses and Disclosures of Health Information

Purpose and Principles: Through a variety of mechanisms, this model policy reflects the privacy principles of purpose specification and minimization, security safeguards and controls, use limitation, collection limitation, accountability and oversight, and data integrity and quality. The recommended policy integrates HIPAA’s general premise that health information may be used only for permissible purposes and its more specific requirement that entities may disclose only the amount of information reasonably necessary to achieve a particular purpose.10 In general, requests for disclosure of and/or use of health information for treatment, payment, and the health care operations of a covered entity, as each is defined by HIPAA, will be permitted.11 Furthermore, subject to certain limitations and under certain circumstances, requesting disclosure of and using health information for law enforcement,12 disaster relief,13 research,14 and public health15 purposes also may be permissible. Accessing health information through either the RLS or the SNO for marketing or marketing-related purposes is prohibited without specific patient authorization.16 Under no circumstances may health information be accessed or used for discriminatory purposes. For example, a health plan would not be permitted to use the RLS to determine if a member has visited a health care provider for whom the health plan has not been billed. Such activity would be an impermissible and discriminatory purpose and is prohibited by applicable law and under this Policy. SNOs may provide guidance to Participants detailing the permissibility or impermissibility of requesting or using health information for certain specified purposes under applicable law.

Requiring consideration of the purpose of a use and minimization of the use of information reduces the likelihood of inadvertent or intentional misuses of information. The model policy helps enhance the fair and legal collection and use of data, the oversight of data use and accountability for privacy violations by ensuring that Participants have legally required documentation prior to the use or disclosure of information.17 In addition, the integration of HIPAA’s accounting of disclosures and individual access to information requirements allows individuals to understand how health information about them is shared and to exercise certain rights regarding information about them with greater precision and ease.18

The recommended provision also requires security measures essential to identify and remedy loss, unauthorized access, destruction, use, modification, or disclosure of personal health information. The audit requirement reflects the HIPAA Security Rule’s general requirement that entities implement policies to prevent security violations, assess security risks, and examine data storage and access technology19 but, in a manner more protective than HIPAA, would establish monitoring requirements as to when information is accessed and by whom. To prevent unauthorized access of information and maintain data integrity and quality the authentication provision of the model policy requires that both the identity and authority of an entity requesting health information be verified and authenticated, integrating requirements from the HIPAA Privacy Rule and Security Rule.20

10 45 C.F.R. § 164.502(b).

11 45 C.F.R. §§ 164.502(1)(ii), 506. Under HIPAA, treatment is defined as “the provision, coordination, or management of health care and related services by one or more health care providers … ” 45 C.F.R. § 164.501. Payment refers to “activities undertaken by: (i) A health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or (ii) A covered health care provider or health plan to obtain or provide reimbursement for the provision of health care.” Such activities include eligibility and coverage determinations; risk adjustments; billing, claims management and collection activities; medical necessity review; and utilization review. Id. Health care operations includes activities related to covered functions for (i) conducting quality assessment and improvement; (ii) evaluating competence, qualifications and performance of health care professionals, evaluating health plan performance, training and credentialing activities; (iii) underwriting, “premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits”; (iv) “conducting or arranging for medical review, legal services, and auditing functions;” (v) business planning and development; and (vi) business management and administrative activities. Id.

12 45 C.F.R. § 164.512(f).

13 45 C.F.R. § 164.510(b)(4).

14 45 C.F.R. § 164.512(i).

15 45 C.F.R. § 164.512(b).

16 45 C.F.R. 164.508(a)(3) & (b).

17 See 45 C.F.R. § 164.530(j).

18 See 45 C.F.R. §§ 164.528; 164.524.

The combination of this recommended policy’s use and security provisions helps guarantee that health information is used and accessed only as authorized and that Participants have proper measures in place to identify and address privacy violations. Consequently, individuals can remain confident that information about them is being used with care and in the manner promised by Participants.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.

Policy:

1. Compliance with Law. All disclosures of health information through the SNO and the use of information obtained from the SNO shall be consistent with all applicable federal, state, and local laws and regulations and shall not be used for any unlawful discriminatory purpose. If applicable law requires that certain documentation exist or that other conditions be met prior to using or disclosing health information for a particular purpose, the requesting institution shall ensure that it has obtained the required documentation or met the requisite conditions and shall provide evidence of such at the request of the disclosing institution.21

2. Purposes. A Participant may request health information through the RLS or SNO only for purposes permitted by applicable law. Each Participant shall provide or request health information through the RLS or SNO only to the extent necessary and only for those purposes that are permitted by applicable federal, state, and local laws and regulations and these Policies.22 Information may not be requested for marketing or marketing related purposes without specific patient authorization. Under no circumstances may information be requested for a discriminatory purpose. In the absence of a permissible purpose, a Participant may not request information through the RLS or from the SNO.

3. SNO Policies. Uses and disclosures of and requests for health information via the SNO shall comply with all SNO Policies, including, but not limited to, the SNO Policy on Minimum Necessary and the SNO Policy on Information Subject to Special Protection.23

4. Participant Policies. Each Participant shall refer to and comply with its own internal policies and procedures regarding disclosures of health information and the conditions that shall be met and documentation that shall be obtained, if any, prior to making such disclosures.

5. Accounting of Disclosures. Each Participant disclosing health information through the SNO shall work towards implementing a system to document the purposes for which such disclosures are made, as provided by the requesting institution, and any other information that may be necessary for compliance with the HIPAA Privacy Rule’s accounting of disclosures requirement.24 Each Participant is responsible for ensuring its compliance with such requirement and may choose to provide individuals with more information in the accounting than is required. Each requesting institution shall provide information required for the disclosing institution to meet its obligations under the HIPAA Privacy Rule’s accounting of disclosures requirement.

6. Audit Logs. Participants and SNOs shall consider and work towards maintaining an audit log documenting which Participants posted and accessed the information about an individual through the RLS and when such information was posted and accessed.25 Participants and SNOs shall consider and work towards implementing a system wherein, upon request, patients have a means of seeing who has posted and who has accessed information about them through the RLS and when such information was accessed.26

7. Authentication. Each Participant shall follow uniform minimum authentication requirements for verifying and authenticating those within their institutions who shall have access to, as well as other Participants who request access to, information through the SNO and/or the RLS.27 28

8. Access. Each SNO should have a formal process through which information in the RLS can be requested by a patient or on a patient’s behalf.29 Participants and SNOs shall consider and work towards providing patients direct access to the information contained in the RLS that is about them.30

19 45 C.F.R. §§ 164.316, 164.308(a)(1)(i).
20 45 C.F.R. §§ 164.514(h), 164.312(d).
21 See 45 C.F.R. § 164.530(j).
22 45 C.F.R. § 164.502(a), (b).
23 45 C.F.R. § 164.502(b).
24 45 C.F.R. § 164.528. For HIPAA Covered Entities, this is currently required by law.

25 See 45 C.F.R. §§ 164.316, 164.308(a)(1)(i).
26 See Connecting for Health, “Auditing Access to and Use of a Health Information Exchange.”
27 See 45 C.F.R. §§ 164.514(h), 164.312(d).
28 See Connecting for Health, “Authentication of System Users.”
29 See 45 C.F.R. § 164.524.
30 See Connecting for Health, “Patients’ Access to Their Own Health Information.”

SNO Policy 500: Information Subject to Special Protection

Purpose and Principles: This model policy promotes the privacy principles of purpose specification and minimization, security safeguards and controls, use limitation, data integrity and quality, collection limitation, and individual participation and control. This recommended provision facilitates individualized privacy protections by requiring Participants to heed any special protections of certain information set forth under applicable law. In complying with these special protections, Participants’ collection, use and disclosure of health information is limited to legitimate purposes. Moreover, in guaranteeing deference to the law or policy most protective of privacy, the provision below echoes HIPAA’s federal preemption requirements which defer to state laws that are more protective than HIPAA’s own privacy provisions.31

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide or make available health information through the SNO.

Policy:

Some health information may be subject to special protection under federal, state, and/or local laws and regulations (e.g., substance abuse, mental health, and HIV). Each Participant shall determine and identify what information is subject to special protection under applicable law prior to disclosing any information through the SNO. Each Participant is responsible for complying with such laws and regulations.

31 45 C.F.R. § 164.203.
32 45 C.F.R. § 164.502(b).

SNO Policy 600: Minimum Necessary

Purpose and Principles: To promote the privacy principles of collection limitation, use limitation, data integrity and quality, and security safeguards and controls, this recommended model policy incorporates HIPAA’s requirement that entities may disclose only the amount of information reasonably necessary to achieve a particular purpose.32 The policy exempts treatment disclosures from this minimum necessary requirement to balance the protection of privacy and the provision of quality health care. In assessing the smallest amount of information that is necessary to accomplish a particular purpose, Participants are less likely to collect, use or disclose information for an unauthorized purpose. Minimal collection, access, use and disclosure increases public confidence in the privacy practices of Participants, enhances information privacy, and diminishes the potential for data corruption and security violations.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.

Policy:

1. Uses. Each Participant shall use only the minimum amount of health information obtained through the SNO as is necessary for the purpose of such use. Each Participant shall share health information obtained through the SNO with and allow access to such information by only those workforce members, agents, and contractors who need the information in connection with their job function or duties.

2. Disclosures. Each Participant shall disclose through the SNO only the minimum amount of health information as is necessary for the purpose of the disclosure. Disclosures to a health care provider for treatment purposes and disclosures required by law are not subject to this Minimum Necessary Policy.

3. Requests. Each Participant shall request only the minimum amount of health information through the SNO as is necessary for the intended purpose of the request. This Minimum Necessary Policy does not apply to requests by health care providers for treatment purposes.

4. Entire Medical Record. A Participant shall not use, disclose, or request an individual’s entire medical record except where specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request. This limit does not apply to disclosures to or requests by a health care provider for treatment purposes or disclosures required by law.

SNO Policy 700: Workforce, Agents, and Contractors

Purpose and Principles: By incorporating HIPAA’s administrative requirements for workforce training, sanctions for privacy violations, and the reporting of complaints,33 this recommended model policy advances the privacy principles of use limitation, security safeguards and controls, accountability and oversight, data integrity and quality, and remedies. Because a Participant’s workforce is responsible for implementation of privacy practices, proper training is vital to ensure the legitimate use of health information and the prompt identification, reporting, and correction of any security weaknesses. Individual accountability in the form of sanctions for those persons responsible for privacy violations is fundamental to encouraging compliance with privacy practices. Without such incentive for compliance, privacy violations and security risks may go unchecked and lead to larger privacy problems. Similarly, providing for the reporting of non-compliance enables Participants to discover and correct privacy violations and identify and sanction privacy violators. This model policy helps guarantee the legitimate use of health data, the proper implementation of Participants’ privacy practices, and the prompt identification of and undertaking of remedial action for privacy violations.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.

Policy:

1. Access to System. Each Participant shall allow access to the SNO only by those workforce members, agents, and contractors who have a legitimate and appropriate need to use the SNO and/or release or obtain information through the SNO. No workforce member, agent, or contractor shall be provided with access to the SNO without first having been trained on these Policies, as set forth below.

2. Training. Each Participant shall develop and implement a training program for its workforce members, agents, and contractors who will have access to the SNO to ensure compliance with these Policies.34 The training shall include a detailed review of applicable Policies and each trained workforce member, agent, and contractor shall sign a representation that he or she received, read, and understands these Policies.

3. Discipline for Non-Compliance. Each Participant shall implement procedures to discipline and hold workforce members, agents, and contractors accountable for ensuring that they do not use, disclose, or request health information except as permitted by these Policies and that they comply with these Policies.35 Such discipline measures shall include, but not be limited to, verbal and written warnings, demotion, and termination and provide for retraining where appropriate.

4. Reporting of Non-Compliance. Each Participant shall have a mechanism for, and shall encourage, all workforce members, agents, and contractors to report any non-compliance with these Policies to the Participant.36 Each Participant also shall establish a process for individuals whose health information is included in the RLS to report any non-compliance with these Policies or concerns about improper disclosures of information about them.

33 45 C.F.R. § 164.530.

34 See 45 C.F.R. § 164.530(b).
35 45 C.F.R. § 164.530(e).
36 See 45 C.F.R. § 164.530(a), (d).

SNO Policy 800: Amendment of Data

Purpose and Principles: This recommended model policy integrates the right granted by the HIPAA Privacy Rule of individuals to amend health information about them under certain circumstances.37 Accurate health information not only is indispensable to the delivery of health care, but is important to individuals’ applications for insurance and employment and in a variety of other arenas. Allowing individuals to verify the accuracy and completeness of information concerning them contributes to the transparency of Participants’ operations and fosters confidence in Participants’ privacy practices and commitment to data accuracy. This policy promotes the privacy principles of data integrity and quality, openness and transparency, individual participation and control, and accountability and oversight. Using such a model policy will enable Participants to more readily rely upon the integrity and quality of their data and more easily monitor, account for, and remedy systemic data inaccuracies, corruptions, and other data deficiencies or privacy lapses.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.

Policy:

Each Participant shall comply with applicable federal, state and local laws and regulations regarding individual rights to request amendment of health information.38 If an individual requests, and the Participant accepts, an amendment to the health information about the individual, the Participant shall make reasonable efforts to inform other Participants that accessed or received such information through the SNO, within a reasonable time, if the recipient institution may have relied or could foreseeably rely on the information to the detriment of the individual.

37 45 C.F.R. § 164.526.
38 45 C.F.R. § 164.526.

SNO Policy 900: Requests for Restrictions

Purpose and Principles: To advance the privacy principles of individual participation and control, use limitation and accountability and oversight, this recommended model policy requires Participants who agree to individuals’ request for restrictions in accordance with the HIPAA Privacy Rule to comply with such request with regard to the release of information in the SNO.39 Such compliance ensures permissible use of health information and accountability on the part of Participants who agree to individually requested use restrictions. Without the ability to request restrictions and without assurance that Participants will honor these agreed-upon restrictions, individuals may remain silent about important information that could affect their health. By creating confidence in Participants and their privacy protections and encouraging individual participation, this policy fosters dialog between individuals and Participants. Improved communications between a provider and patient improves the overall delivery of health care.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide or make available health information through the SNO.

Policy:

If a Participant agrees to an individual’s request for restrictions,40 as permitted under the HIPAA Privacy Rule, such Participant shall ensure that it complies with the restrictions when releasing information through the SNO. If an agreed-upon restriction will or could affect the requesting institution’s uses and/or disclosures of health information, at the time of disclosure, the Participant disclosing such health information shall notify the requesting institution of the fact that certain information has been restricted, without disclosing the content of any such restriction.

39 45 C.F.R. § 164.522.
40 Under the HIPAA Privacy Rule, individuals have the right to request restrictions on the use and/or disclosure of health information about them. 45 C.F.R. § 164.522. For example, an individual could request that information not be used or disclosed for a particular purpose or that certain information not be disclosed to a particular individual. Covered entities are not required to agree to such requests under HIPAA.

SNO Policy 1000: Mitigation

Purpose and Principles: By incorporating HIPAA’s requirement that entities have procedures to and take steps to mitigate harm resulting from an impermissible use or disclosure of health information,41 this model policy reflects the privacy principles of remedies, accountability and oversight, security safeguards and controls, openness and transparency, and data integrity and quality. Without the duty to mitigate harm from privacy violations, Participants may not promptly address data security weaknesses or breaches which could lead to greater privacy lapses in the future, diminish the confidence that individuals have in Participants’ privacy practices, and compromise the accuracy, integrity, and quality of Participants’ data. Remedial action and mitigation are essential both to reassure individuals that Participants are vigilant in addressing privacy violations and ameliorating any harm from such violations and to help Participants ensure that their data oversight practices and security measures are functioning and effective.

Recommended Language

Scope and Applicability: This Policy applies to all institutions that have registered with and are participating in the SNO and that may provide, make available, or request health information through the SNO.

Policy:

Each Participant shall implement a process to mitigate, and shall mitigate and take appropriate remedial action, to the extent practicable, any harmful effect that is known to the institution of a use or disclosure of health information through the SNO in violation of applicable laws and/or regulations and/or these Policies by the institution, or its workforce members, agents, and contractors. Steps to mitigate could include, among other things, Participant notification to the individual of the disclosure of information about them or Participant request to the party who received such information to return and/or destroy the impermissibly disclosed information.

41 45 C.F.R. § 164.530(f).


Acknowledgements

The members of the Connecting for Health Policy Subcommittee have accomplished an extraordinary task in less than a year’s time—the development of an evolving piece of work that can serve as the core of nationwide health information exchange—the policy components of The Common Framework. During this time, we have been fortunate to work with respected experts in the fields of health, information technology, and privacy law, all of whom have contributed their time, energy, and expertise to a daunting enterprise. Our consultants and volunteers have worked long hours in meetings and conference calls to negotiate the intricacies of such issues as privacy, security, authentication, notification, and consent in health information exchange. We offer them our heartfelt thanks for taking on this journey with us, and look forward to the remaining work ahead.

In addition, we would like to offer special thanks to the volunteers and consultants who authored the initial drafts of this body of work—their hard work created a strong foundation upon which to focus the Subcommittee’s deliberations: Stefaan Verhulst, Clay Shirky, Peter Swire, Gerry Hinkley, Allen Briskin, Marcy Wilder, William Braithwaite, and Janlori Goldman.

Finally, we must note that none of this work would have been possible without the leadership and inspiration of our co-chairs, William Braithwaite and Mark Frisse. They have led us with steady hands and determination of spirit.

Connecting for Health Policy Subcommittee

William Braithwaite, MD, eHealth Initiative, (Co-Chair)

Mark Frisse, MD, MBA, MSc, Vanderbilt Center for Better Health, (Co-Chair)

Laura Adams, Rhode Island Quality Institute

Phyllis Borzi, JD, George Washington University Medical Center

Susan Christensen*, JD, Agency for Healthcare Research and Quality, United States Department of Health and Human Services

Art Davidson, MD, MSHP, Denver Public Health

Mary Jo Deering*, PhD, National Cancer Institute/National Institutes of Health, United States Department of Health and Human Services

Jim Dempsey, JD, Center for Democracy and Technology

Hank Fanberg, Christus Health

Linda Fischetti*, RN, MS, Veterans Health Administration

Seth Foldy, MD, City of Milwaukee Health Department

Janlori Goldman, JD, Columbia College of Physicians and Surgeons

Ken Goodman, PhD, University of Miami

John Halamka, MD, CareGroup Healthcare System

Joseph Heyman, MD, American Medical Association

Gerry Hinkley, JD, Davis, Wright, Tremaine LLP

Charles Jaffe, MD, PhD, Intel Corporation

Jim Keese, Eastman Kodak Company

Linda Kloss, RHIA, CAE, American Health Information Management Association

Gil Kuperman, MD, PhD, New York-Presbyterian Hospital

Ned McCulloch, JD, IBM Corporation

Patrick McMahon, Microsoft Corporation

Omid Moghadam, Intel Corporation


Joyce Niland, PhD, City of Hope National Medical Center

Louise Novotny, Communication Workers of America

Michele O'Connor, MPA, RHIA, MPI Services Initiate

Victoria Prescott, JD, Regenstrief Institute for Healthcare

Marc A. Rodwin, JD, PhD, Suffolk University Law School

Kristen B. Rosati, JD, Coppersmith Gordon Schermer Owens & Nelson PLC

Sara Rosenbaum, JD, George Washington University Medical Center

David A. Ross, ScD, Public Health Informatics Institute

Clay Shirky, New York University (Chair, Technical Subcommittee)

Don Simborg, MD, American Medical Informatics Association

Michael Skinner, Santa Barbara Care Data Exchange

Joel Slackman, BlueCross/BlueShield Association

Peter P. Swire, JD, Moritz College of Law, Ohio State University

Paul Tang, MD, Palo Alto Medical Foundation

Micky Tripathi, Massachusetts eHealth Collaborative

Cynthia Wark*, CAPT, United States Public Health Service Commissioned Corps, Centers for Medicare and Medicaid Services, United States Department of Health and Human Services

John C. Wiesendanger, MHS, West Virginia Medical Institute/Quality Insights of Delaware/Quality Insights of Pennsylvania

Marcy Wilder, JD, Hogan & Hartson LLP

Scott Williams, MD, MPH, HealthInsight

Robert B. Williams, MD, MIS, Deloitte

Joy Wilson, National Conference of State Legislatures

Rochelle Woolley, RxHub

Amy Zimmerman-Levitan, MPH, Rhode Island State Department of Health

*Note: Federal employees participate in the Subcommittee but make no endorsement

