We applaud CMS for establishing this policy and strongly urge that it be retained in the final rule. Building trust in health information exchange requires a comprehensive framework of privacy and security policies that establish clear rules for how health information can be accessed used and disclosed. Such policies should be based on fair information practice principles, and include appropriate oversight and accountability. Most privacy law – including the federal regulations under the Health Insurance Portability and Accountability Act (HIPAA) – is based on fair information practice principles. The ability for patients to have some choice with respect to how their health information is shared is a critical component of fair information practices.