Friday, March 23, 2012

Privacy and Security PIN for State HIE

The Office of the National Coordinator has released a third Project Information Notice (PIN) for the State Health Information Exchange Cooperative Agreement Program. The first PIN came out in July 2010 and dealt with some baseline responsibilities of States and State Designated Entities (SDE) in transparency, monitoring, trust and strategy. The second PIN issued by the ONC for state-level planning allowed for Direct Project specifications and services to be used as the simplest means for providing HIE services while complying with national standards. The second PIN specified that the essential transport and content standards supporting exchange of structured lab results and patient care summaries would be Direct and SOAP for transport, and consolidated Clinical Document Architecture (CDA) and Laboratory Results Interface specifications for care summary and lab exchange. This is well aligned with the proposed rule for Stage 2 Meaningful Use.

Now this third PIN builds on the existing work while adding some significant requirements to the state-level efforts. It provides guidance to states to evaluate their current privacy and security policies and practices and determine if alignment gaps exist. The guidance outlines a core set of privacy and security expectations under eight domains:

  1. Individual Access: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information (IIHI) in a readable form and format.
  2. Correction: Individuals should be provided with a timely means to dispute the accuracy or integrity of their IIHI, and to have erroneous information corrected or to have a dispute documented if their requests are denied.
  3. Openness and transparency: There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.
  4. Individual Choice: Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information. Individuals should be able to designate someone (family member, caregiver, domestic partner or legal guardian) to make decisions on their behalf. This process should be fair and not burdensome.
  5. Collection, Use and Disclosure Limitation: Individually identifiable health information should be collected, used and/or disclosed only to the extent necessary to accomplish a specified purpose and never to discriminate inappropriately. This information should only be collected, used or disclosed to accomplish a specific purpose, and purposes of information exchange should be specified.
  6. Data Quality and Integrity: Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate and up to date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.
  7. Safeguards: Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, use or disclosure.
  8. Accountability: These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.

Those whose HIE architectural model includes data aggregation, where HIE entities store, assemble or aggregate individually identifiable health information, whether centrally or in a federated model, must incorporate all seven domains. For those whose current architectural model uses only point-to-point directed exchange, numbers 1, 2, 4, and 6 above are optional.

The guidance on Individual Choice is especially interesting:
Where HIE entities store, assemble or aggregate IIHI beyond what is required for an initial directed transaction, HIE entities should ensure individuals have meaningful choice regarding whether their IIHI may be exchanged through the HIE entity. This type of exchange will likely occur in a query/response model or where information is aggregated for analytics or reporting purposes.

A patient's meaningful choice means that choice is:
  • Made with advance knowledge/time;
  • Not used for discriminatory purposes or as condition for receiving medical treatment;
  • Made with full transparency and education;
  • Commensurate with circumstances for why IIHI is exchanged;
  • Consistent with patient expectations;
  • Revocable at any time.
Both opt-in and opt-out models can be acceptable means of obtaining patient choice provided that choice is meaningful (i.e., use of either model must meet the requirements described above and not be limited to, for example, a provider's boilerplate form or reliance on the patient to read material posted on a provider's waiting room wall or website).

Where meaningful choice is required, HIE entities should either (1) directly ensure patients have the opportunity for meaningful choice; or (2) ensure that the health care providers for which it facilitates electronic health information exchange provide individuals with meaningful choice regarding the exchange of their IIHI. Choice should be offered to each patient on a prospective basis and periodically renewed. Attention should be paid to minimizing provider burden.

This new guidance is likely to create some additional policy work, particularly for those states that are moving beyond simply directed exchange. I'd be interested in what you think about this new guidance.

Privacy and Security Program Information Notice (ONC-HIE-PIN-003)

HIE Privacy and Security Program Information Notice (ONC-HIE-PIN-003)


  1. Halamka points out the use of "shall" vs "should" in this document. All of the FIPPs mentioned use "should" - implying that there's room for local interpretation. This is another point where HIEs have to choose to provide access to patients or to ignore patients. Fair info practices remain, as before, a state-level affair even as the nationwide health information network struggles to emerge.

  2. "Shall" and "should" are legal terms with very precise requirements. There is not really much room for local interpretation; however, there is flexibility when the term "should" is used. Since the fair information practice policies in this guidance are designated as "should," they will currently be optional for states to employ.