The 19-page letter, dated August 19, was authored by members of the Privacy and Security Tiger Team, a workgroup that advises the HIT Policy Committee on privacy and security issues relating to patient data.
The letter recommends that the HIT Policy Committee adopt the guidelines set out in the Fair Information Practices (FIP), a set of codes established in 1973 to provide safeguards for personal privacy. The Tiger Team said healthcare providers and third-party service organizations should follow FIP codes as they implement health IT such as electronic health records (EHRs) that will be used to exchange patient information.
"This overarching set of principles, when taken together, constitute good data stewardship and form a foundation of public trust in the collection, access, use, and disclosure of personal information," the letter said.
The letter continued: "We used the formulation of FIPs endorsed by the HIT Policy Committee and adopted by [Office of the National Coordinator] in the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information."
The principles outlined are:
Individual Access -- Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
Correction -- Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
Openness and Transparency -- There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
Individual Choice -- Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information. (This is commonly referred to as the individual's right to consent to identifiable health information exchange.)
Collection, Use, and Disclosure Limitation -- Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.
Data Quality and Integrity -- Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.
Safeguards -- Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.
Accountability -- These principles should be implemented, and adherence assured, through appropriate monitoring, and other means and methods should be in place to report and mitigate non-adherence and breaches.
The Tiger Team's letter specifically noted that its list didn't include policies around the concepts of remedies or redress, although it is arguably implicit in the principle of accountability. "As our work evolves toward a full complement of privacy policies and practices, it likely will be important to further spell out remedies as an added component of FIPs," the letter said.
The authors also recommend that third-party service organizations may not collect, use, or disclose personally identifiable health information for any purpose other than to provide the services specified in the contract with the data provider. These organizations should also retain a patient's health information only for as long as necessary to provide the functions specified in the contract with the data provider.
On the issue of accountability, the Tiger Team recommends that the responsibility for maintaining the privacy and security of a patient's record rests with the patient's providers.
Turning its attention to improvements in technology to better safeguard patient privacy, the letter stated that in a digital environment, robust privacy and security policies should be strengthened by innovative technological solutions that can better protect data.
"This includes requiring that electronic record systems adopt adequate security protections (like encryption, audit trails, and access controls), but it also extends to decisions about infrastructure and how health information exchange will occur. The Tiger Team's future work will also need to address the role of technology in protecting privacy and security," the authors said.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.