HHS Outlines Voluntary HIE Guidelines

'Trust Principles' Spell Out Consumers' Rights

May 6, 2013

The Department of Health and Human Services has released voluntary guidelines for health information exchange that include "trust principles" for security and privacy.

The new "Governance Framework for Trusted Electronic Health Information Exchange" document also includes organizational, business and technical principles.

The framework, for example, calls for providing patients with privacy and security policy notices; giving patients the opportunity to decide whether to have their data exchanged; and allowing patients to access their health data and request changes to it.

David Whitlinger, executive director at New York eHealth Collaborative, which oversees New York's statewide HIE, says that the trust principles of the ONC governance framework are in line with what many HIE efforts are already doing. "They're not being too prescriptive," he says.

Evolving Governance Strategy

The release of the framework was announced in a blog by Farzad Mostashari, M.D., who leads the Office of the National Coordinator for Health IT. ONC is the unit of HHS responsible for setting policies and standards for the HITECH Act's incentive program for electronic health records. It also has doled out HITECH funding for health information exchanges.

"We've published this framework to provide a common foundation for all types of governance models," Mostashari says in the blog. "Entities that set health information exchange policy should look to the framework's principles as a way to align their work with national priorities. It is critical that we are all working from a similar understanding of the expectations for nationwide electronic health information exchange."

Last year, ONC dropped plans for voluntary "rules of the road" within the context of a Nationwide Health Information Network Governance Rule after receiving public feedback that a regulation would be premature given that HIEs are in the early stages of development (see: ONC Backs Off HIE 'Rules of Road').

Instead, ONC has opted for a gradual rollout of voluntary guidance (see: Mostashari's Vision for Secure Exchange). The new governance framework is "a living document," Mostashari says in his blog. "As we learn with you, we will consider updating these principles over time to reflect policy changes, technological maturity and market innovations, as necessary."

The framework's "intended audience" includes any entities that set HIE policy, including state governments, public-private partnerships, health information exchange organizations and private companies.

While compliance with the recommendations in the framework is voluntary, ONC says that "third party assessors, such as certifying and accrediting organizations, may find the framework's guiding principles informative as they develop methods to assess the competency, credibility and trustworthiness of HIE governance entities."

Trusted Exchange

In the guidelines, ONC writes, "trust is a prerequisite for electronic HIE and starts with patients. Without trust, the ultimate success of an electronic HIE initiative could be jeopardized."

With that in mind, ONC says that any entity that sets HIE policy should abide by trust principles, under which patients should:

  • Be able to publicly access a notice of data practices. Such a notice would explain the purposes for which personally identifiable and de-identified data could be electronically exchanged, such as for treatment, payment, research, quality improvement, public health reporting or population health management.
  • Receive a simple explanation of an HIE's privacy and security policies and its practices.
  • Be provided with a "meaningful choice" as to whether their personally identifiable information can be electronically exchanged.
  • Be able to request data exchange limits based on data type or source, such as for information related to substance abuse treatment.
  • Be able to electronically access and request corrections to their personally identifiable information.
  • Be assured that their personally identifiable information is consistently and accurately matched when electronically exchanged.

Other Principles

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
