Connecting Consumers: Common Framework for Networked Personal Health Information

CP4: Chain-of-Trust Agreements

This practice area addresses the following Connecting for Health Core Principles for a Networked Environment*:
8. Accountability and oversight
* "The Architecture for Privacy in a Networked Health Information Environment," Connecting for Health, June 2006. Available at: http://www.connectingforhealth.org/commonframework/docs/P1_CFH_Architecture.pdf.

Purpose: For personal health information to flow in or out of a consumer-accessible application, it may pass among two or more organizations. Each participant in such "consumer data streams" may have its own legal and business interests to protect. However, consumers should be able to trust the entire chain of entities and business processes that handle their personal health data. Contracts are one mechanism to bind partners to specified privacy and security policies regarding confidential information they exchange or share.

Like other policy areas in this framework, chain-of-trust agreements are often necessary in certain relationships, but not by themselves sufficient to create a privacy-protective environment. In practice, such contracts have significant weaknesses, including their lack of transparency to consumers and their inconsistent enforcement. First, breaches may not be discovered because organizations may not rigorously monitor the behavior of all of their business partners. Second, if an accusation of breach occurs, enforcement depends on one party engaging another party in a legal action, most likely under contract law. Organizations often seek to settle legal disputes out of court – or avoid litigation altogether.

Still, chain-of-trust agreements serve as important instruments in encouraging "good network citizenship." There are several possible relationships in which parties seek chain-of-trust agreements. HIPAA Business Associate agreements are one example. (See CP1: Policy Overview.)

There is a problem with scaling this chain-of-trust model, however. It is unreasonable, for example, for each doctor's office to negotiate and sign a chain-of-trust agreement with every Consumer Access Service or networked PHR provider. Instead of each participant signing agreements with each other participant, it may be more practical if all participants agreed to a basic set of "network rules" – a set of common practices that each participant would sign and publicly commit to uphold. Although there are no such large-scale arrangements for Consumer Access Services or PHRs today, such models should be explored.

The HIPAA regulations permit consumers to request their personal health information directly from Covered Entities. Consumers may then store the information with any Consumer Access Service of their choice. In this case, the Consumer Access Service does not need a chain-of-trust agreement with the Covered Entity. The consent agreement(s) between the consumer and the Consumer Access Service should spell out the information-handling practices of the Consumer Access Service. (See CP4: Consumer Consent to Collections, Uses, and Disclosures of Information.)

A Consumer Access Service may not be regulated under HIPAA, and it may have unregulated relationships with many different types of third parties. In such cases, chain-of-trust agreements between the Consumer Access Service and its third parties are a prudent mechanism to discourage unacceptable actions. Such agreements should prohibit activities that are inconsistent with fair information practice principles, such as the surreptitious re-identification of de-identified data without the consumer's knowledge or consent. The recommended practice language below is primarily intended for this scenario (i.e., an uncovered Consumer Access Service's relationship with unrelated and unregulated third parties), but it may be helpful in other relationships as well.

Recommended Practice:

Consumer Access Services should contractually bind third parties with which they share or exchange personally identifiable, partially identifying, and de-identified data to:

  • Prohibit unauthorized use and disclosure of such data.
  • Protect the data in accordance with policies and authorizations agreed to by the consumer, when applicable.
  • Prohibit unauthorized attempts to identify de-identified data by, among other things, combining it with other databases of information. (See CT4: Limitations on Identifying Information for a discussion of personally identifiable, partially identifying, and "de-identified" data.)
  • Notify the Consumer Access Service if the third party is aware of a breach or misuse of information in a form that carries significant risk of compromising the security, confidentiality or integrity of personal information. (See CP5: Notification of Misuse or Breach.)

Connecting for Health thanks Josh Lemieux, Markle Foundation, for drafting this paper.