Articulo 4.2 Howell
BOB BROWN

Bob Brown, PhD, is the director of Health Information Technology, Michigan State University Kalamazoo Center for Medical Studies.

In my HIPAA article published in the May-June 2007 issue of the Journal of Health Care Compliance, I reported on the spread of online personal health record (PHR) systems and the lack of any consistent mandatory or voluntary standards for protecting the privacy and security of individually identifiable health information contained in these systems. Since the publication of that article, the use of PHRs has accelerated, especially with the introduction of PHRs by such experienced Internet technology companies as Google and Microsoft.

With millions more people signing up for PHRs, the lack of standards for protecting the sensitive personal data contained in these systems has become even more worrisome. Two recent developments, however, may help to significantly improve the privacy and security of PHRs.

On December 15, 2008, the Office of the National Coordinator for Health Information Technology (ONC) released a document entitled “Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identified Health Information”. The Framework is a short document containing eight principles designed to establish a consistent approach to addressing the privacy and security challenges of online PHRs and electronic health information exchanges (HIEs), regardless of whether or not the organization operating the PHR or HIE service is an entity covered by the Health Insurance Portability and Accountability Act (HIPAA) standards.

In keeping with the voluntary self-regulation and public-private partnership models encouraged by the Bush administration, these principles are not required standards but are rather “principles…expected to guide the actions of all health-related persons and entities that participate in a network for the purpose of electronic exchange of individually identifiable health information.” (p. 6) The principles were developed after an ONC review of a variety of privacy and security standards, best practices, guidelines, and other documents from authoritative sources such as the Organization for Economic Cooperation and Development, the International Security Trust and Privacy Alliance, the Federal Trade Commission, and the HIPAA privacy and security standards.

The eight principles are (1) individual access; (2) correction; (3) openness and transparency; (4) individual choice; (5) collection, use, and disclosure limitation; (6) data quality and integrity; (7) safeguards; and (8) accountability.

playing, and transmitting the individual’s disagreement with the individually identifiable health information in question.

OPENNESS AND TRANSPARENCY

All policies, procedures, and technologies that are employed to collect and disseminate individually identifiable health information should be made available to the individual in an understandable form. Individuals should be able to learn how their information is collected, who collects it, who sees it, how it is used, and what control they have over the information. The policies and procedures governing the use and disclosure of individually identifiable health information should be available before any uses and disclosures occur.