
Connecting for Health also has released a separate but related Common Framework of policy and technology resources for privacy and security in internet-based networks connecting medical professionals from different institutions and clinics.
The framework below proposes a set of practices that, when taken together, encourage appropriate handling of personal health information as it flows to and from personal health records (PHRs) and similar applications or supporting services.
Click on the individual documents below to read descriptions and to view or download them as PDF documents. Or, download the entire Common Framework in PDF (8.11 MB).
The Common Framework for Networked Personal Health Information: Overview and Principles provides background on the documents and how they relate to each other. All resources are available free of charge.
The Common Framework for Networked Personal Health Information includes the following published components:
- Overview and Principles
  Provides an overview, definitions, context, and foundational principles for the Common Framework for Networked Personal Health Information.
- Consumers as Network Participants
  Explains why consumer participation can be transformative in health care as it has been in other sectors; why networked PHRs are a vital tool for empowering consumers; and how policies can help guide an emerging industry.
- Policy Overview
  Describes the policy landscape, including how the Health Information Portability and Accountability Act (HIPAA) as well as state and contract laws apply to emerging consumer data streams. Explains unregulated and regulated areas of the current environment, and argues for a voluntary common framework of policies.
- Policy Notice to Consumers
  Recommends preferred practices for giving consumers access to the policies for collection, use, and disclosures of personal health information, including privacy and security practices, terms and conditions of use, and other relevant policies.
- Consumer Consent to Collections, Uses, and Disclosures of Information
  Describes mechanisms to capture the consumer's agreement prior to any collection, use, or disclosure of personal data; explains why notice and consent are not sufficient by themselves in providing adequate protection for consumers.
- Chain-of-Trust Agreements
  Describes the merits and limitations of contractual mechanisms among parties exchanging personal health information; recommends important limitations to place on unaffiliated third parties.
- Notification of Misuse or Breach
  Discusses what to do if something goes wrong. Recommends that consumers be individually informed if their personal information was, or is reasonably believed to have been, disclosed or acquired by an unauthorized person or party in a form that carries significant risk of compromising the security, confidentiality, or integrity of personal information.
- Dispute Resolution
  Recommends that consumers be provided a clear and logical pathway to resolve disputes, such as those over breach or misuse, data quality or matching errors, or allegations of unfair or deceptive trade practices.
- Discrimination and Compelled Disclosures
  Recommends policies to bar discrimination and "compelled disclosures" – such as when the consumer's authorization for release of data is required in order to obtain employment, benefits, or other services.
- Consumer Obtainment and Control of Information
  Covers several areas to facilitate the consumer's ability to electronically collect, store, and control copies of personal health information, including requesting data in an electronic format, allowing for proxy access to an account, requesting amendments, or disputing entries of data. Also covers appropriate retention of information in inactive accounts, and consumer requests to "delete" data and terminate their accounts.
- Enforcement of Policies
  Raises the issue of how policies and practices should be enforced on the network; describes the pros and cons of several different enforcement mechanisms, including: enforcing current laws, amending and expanding HIPAA, creating new law to govern Consumer Access Services, encouraging self-attestation with third-party validation, and encouraging consumer-based ratings.
- Technology Overview
  Describes the complexity of emerging digital health data streams; explains how information can be combined to build revealing profiles of individuals; depicts how health care entities and consumer technology innovators operate under different cultures that can clash without basic rules of the road.
- Authentication of Consumers
  Provides a framework for establishing and confirming the identity of individual consumers so that they may participate on a network.
- Immutable Audit Trails
  Recommends that audit trails be a basic requirement of PHRs and supporting services; explains the value of providing consumers with convenient electronic access to an audit trail as a mechanism to demonstrate compliance with use and disclosure authorization(s).
- Limitations on Identifying Information
  Recommends strong limitations on disclosures of identifying data to third parties. Supports disclosures only of those data that are reasonably necessary to perform the limited function(s) to which the third parties are authorized. Provides a caveat about considering data "de-identified."
- Portability of Information
  Highlights the importance of the consumer's ability to export and import information in industry-standard formats as they become available.
- Security and Systems Requirements
  Provides a brief outline on basic security protections. Recommends continuous monitoring of industry practices and threats, as well as personnel training and strict policies regarding who can access consumer data, and consequences for security violations.
- An Architecture for Consumer Participation
  Provides a view on how Consumer Access Services can fit within the Connecting for Health approach to architecture for a Nationwide Health Information Network (NHIN).
©2008-2009, Markle Foundation.
This work was originally published as part of a compendium called The Connecting for Health Common Framework for Networked Personal Health Information and is made available subject to the terms of a license (License) which may be viewed in its entirety at: http://www.connectingforhealth.org/license.html. You may make copies of this work; however, by copying or exercising any other rights to the work, you accept and agree to be bound by the terms of the License. All copies of this work must reproduce this copyright information and notice.