On the specific issue of privacy and data protection and the linking of patient records:

• The Health Information Environment requires uniform adherence to a set of policies that are based upon local or sub-network trust relationships, protect privacy and security (at or above applicable federal and state legislation and regulation), minimize the risk of user data misuse, and provide for accountability, transparency and oversight.
• The Health Information Environment is premised on a model of patient authorization and control. Patients must be able to: choose whether or not to participate in information sharing; exercise their rights under HIPAA; control who has access to their records (whether in whole or in part); see who has accessed their information; review, contribute to and amend their records (without unreasonable fees); receive paper or electronic copies of their information; and reliably and securely share all or portions of their records among institutions.
• The Health Information Environment does not require the use of a mandated national unique health identifier.
• However, standardized methodologies are required to identify patients and these methodologies must accommodate any broadly accepted identifier that may emerge to be used as additional sources of likelihood of match. No system will ever rely on a single identifier, as some secondary set of information will be needed to resolve ambiguous matches.
• Any proposed solution for accurately linking patient records must:
  • Support the accurate, timely, private and secure handling and transmission of patient records.
  • Increase the quality of care, the economic sustainability of the healthcare system, and the privacy of patient data.
  • Create value for many different kinds of participants, including (but not limited to) individual healthcare professionals and patients.
• The Health Information Environment is a network of networks, linked only by registries through which information about how to find the sources of authorized records can be found, not any of the actual content of the health records. The registry system knows only where authorized records are, not what is in them.
• To achieve these capabilities, the Health Information Environment requires the addition of one new piece of infrastructure at the sub-network level based on an architecture that separates the function of locating authorized records from the function of transferring them to authorized users. This piece of infrastructure is the Record Locator Service (RLS), described later in this response, and is operated by a multi-stakeholder collaborative at the regional or non-geographic sub-network level and built on the current enterprise use of Master Patient Indices. The Record Locator Service itself is subject to privacy and security requirements, and is based on open standards set by the Standards and Policy Entity.
• The system supports
  1. Linking of records via a registry of information about where records are located and sharing among users participating in the system, but it also allows
  2. Linking without sharing, or sharing pursuant only to higher authorization, as well as
  3. The ability to choose not to link information in certain sensitive treatment situations determined by users.

By leaving these decisions at the edges (e.g., with patients and the professionals that support them), the architecture supports a range of approaches. It also allows higher levels of approval to be set locally for sharing some records. This obviates the need to have "one size fits all" policies as would be necessary for centrally controlled approaches. The Record Locator Service needs to enable a care professional looking for a specific piece of information (PCP visit or ER record) to find it rapidly. An open design question is how and where in the model this capability can best be accomplished.