Last week, during a keynote speech to the National Health Information Network Forum here in D.C., Health and Human Services (HHS) Secretary Leavitt announced key privacy principles for electronic health information exchange, called The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information. Leavitt hopes these principles will guide the actions of all health care entities that participate in networks that electronically exchange patient health information.
The principles in the new Privacy and Security Framework include: Individual Access; Correction; Openness and Transparency; Individual Choice; Collection, Use, and Disclosure Limitation; Data Quality and Integrity; Safeguards; and Accountability. In tandem, HHS's Office for Civil Rights also published new HIPAA Privacy Rule guidance as part of a "toolkit" to implement the new framework of principles. The guidance provides some important clarifying information on how the Privacy Rule governs covered entities involved in electronic health information exchange. For example, the guidance clarifies that covered entities must enter into business associate agreements with health information exchanges (HIEs) and regional health information organizations (RHIOs) when those entities exchange information on behalf of a covered entity (e.g., exchanging data for treatment purposes).
The guidance also clarifies that personal health records offered to consumers by covered entities are covered by the HIPAA Privacy and Security Rules. However, the guidance merely encourages covered entities to adopt stronger privacy and security policies for electronic personal health information consistent with the principles in the new framework. To be sure, the new framework of principles put forth by Leavitt represents an important step forward in improving privacy protections for personal health information. The principles are similar to those contained in the Markle Foundation's Connecting for Health Common Framework, which was created with multi-stakeholder input. However, the Common Framework principles are supplemented by detailed policy recommendations and require entities to be held accountable for how they handle electronic personal health information.
In contrast, Leavitt's framework does not specify any detailed policies and includes no plan for holding entities accountable for complying with the principles. As a result, it falls significantly short of what is needed to build public trust in health IT. CDT is hopeful that both Congress and the new Administration will take further action to ensure a comprehensive framework of protections for personal health information, one that builds patient trust and facilitates the widespread adoption of health information technology. The building blocks are being laid, and CDT believes that we need to take advantage of every opportunity presented to improve privacy protections for personal health information.