***For Workgroup Consideration and Discussion***

Working Hypothesis 4/12/07:

All persons and entities that participate in an electronic health information exchange network, at a local, state, regional or nationwide level, through which individually identifiable electronic health information is stored, compiled, transmitted, or accessed, should be required to meet privacy and security criteria at least equivalent to relevant HIPAA[FN1] requirements.

Sub-Hypothesis 1:

For a given participant there may be one or more appropriate “enforceable” mechanisms to ensure privacy and security requirements are met.

  • Examples include: Certification/Accreditation, federal law, state law, business associate agreements, federal contracts.

Sub-Hypothesis 2:

For a given participant’s role and characteristics, certain privacy and security requirements may be more relevant than others.

  • Example: Similar to the treatment of health care clearinghouses under HIPAA, it may not be appropriate for a health information exchange to provide privacy notices.

Sub-Hypothesis 3:

Option 1 [Recommended]:

Entities that perform Business Associate functions (as described in HIPAA) that participate in an electronic health information exchange network should be accountable for meeting relevant privacy and security requirements directly, and not through contractual arrangements (such as a Business Associate Agreement as provided for in HIPAA).

Option 2:

Depending upon a given participant’s role in an electronic health information exchange network, such participant should be accountable for meeting relevant privacy and security requirements directly (i.e., they should be considered a Covered Entity under HIPAA), and not merely through contractual arrangements (such as a Business Associate Agreement as provided for in HIPAA).

Option 3:

Business associates that participate in an electronic health information exchange network should be accountable for meeting specified HIPAA requirements (e.g., incident response and notification). HIPAA should be modified to more explicitly state the requirements of business associates such that they will be directly accountable to the standard rather than only accountable to a contractual agreement with a covered entity.

Working Hypothesis 3/15/07:

Entities that create, store, or transmit individually identifiable electronic health information for purposes of clinical care or consumer management of such information, should be required to meet enforceable privacy and security requirements at least equivalent to the relevant HIPAA principles, even if they are not "covered entities" under HIPAA today.

[FN1] HIPAA is used in this case to help establish a common understanding of what federal health information privacy and security requirements apply to whom. Our workgroup intends to evaluate in the future whether the overall, baseline standard for participating in these networks should be changed to a standard that exceeds the current HIPAA privacy and security rules.