Essential PHR Privacy Policy Components

– DRAFT for Discussion Purposes only –

The table below is organized by Category, then Attribute, with the required Privacy Policy Components listed under each attribute.

Category: Communication between vendor and user about privacy policy

  Attribute: Privacy contact information available
    • A specific contact and contact information shall be easily and promptly accessible to users seeking information concerning the privacy policy.
    • The timeframes for responding shall be made clear in the policy.
    • Responses to requests shall be made as soon as reasonably possible.

  Attribute: Version management: effective date and amendments
    • The policy shall visibly display its effective date.
    • Historical policies and the effective dates of any amendments shall be made available to the consumer upon request.

  Attribute: Notification of policy change
    • The policy requires that users shall be notified, pursuant to the following component, when the privacy policy is changed or amended, with a clear indication of the differences between the new policy and the previously effective policy.
    • The policy shall include a reasonable timeframe (e.g., 30 days) within which a consumer must be notified of changes or amendments before the changes or amendments become effective.

  Attribute: User option(s) after a change in policy
    • Users shall be provided with the opportunity to either:
      • affirmatively accept the policy change (and such opportunity must be provided before any new use or disclosure of that individual’s health data), or
      • be allowed to terminate their contract or user agreement with the PHR vendor, without penalty, if they have concerns about the change in privacy policy.

Category: Accessibility and readability of policy

  Attribute: Accessibility and readability of policy
    • The policy shall be posted on the website and shall be easily accessible.
    • The policy can be provided to a consumer in electronic or written format.
    • The policy shall be written in plain language and shall be available to consumers in the language(s) that the PHR is designed to support. [1]

Category: Terminated accounts, change in company status, or discontinuation of service

  Attribute: Treatment of personal health information contained within terminated accounts
    • The policy shall address how vendors handle personal health information upon termination of the user’s contract or user agreement with the PHR vendor.
    • Upon termination of the user’s contract or user agreement with a PHR vendor, the vendor shall cease any further use or disclosure of the consumer data (identifiable or as part of aggregate data).
    • The policy shall address how long the vendor maintains personal health information after the user’s account has been terminated, providing a reasonable amount of time to ensure that the user has the opportunity to download or move their data to another service.

  Attribute: Treatment of personal health information upon discontinued operations or change in company status
    • The policy shall address how personal information is treated if the vendor discontinues operations of its service, transfers ownership of the service, is acquired, or goes out of business.

Category: User data collection

  Attribute: Tracking of user behavior and attributes
    • The policy shall address the use and purposes of data points collected by the vendor about the consumer (e.g., cookies, small pieces of code placed on the user’s computer).

Category: The use and disclosure of user data

  Attribute: How data are used and/or disclosed
    • The policy shall state that the personal information in the PHR, regardless of the source, is for the sole use of the consumer. The policy shall state that all other uses or any disclosures of consumer data from the PHR, whether the consumer is identifiable or not, shall require consumer authorization.
    • PHR vendors shall notify users if and how they use and/or disclose consumer data.

  Attribute: Availability of audit trails
    • The policy shall state that the user shall have access to information on when and by whom their data was accessed.

Category: Definition of terminology

  Attribute: Key terms
    • The policy shall define key terms used in the policy, such as:
      o “personal health information”
      o “de-identified personal health information”
      o “use” of health data
      o “disclosure” of health data
      o “affiliate” and “business associate”

Category: Adherence to published guidelines or codes

  Attribute: Enforcement policies
    • The policy shall contain a representation and warranty by the vendor that it complies with all applicable federal and state laws.
    • If the PHR is offered by a covered entity, HIPAA shall be specifically addressed.
    • Some method of recourse shall be available for users who feel their privacy has been violated or the vendor’s privacy policies have been violated, and that method shall be clearly communicated in the policy.

[1] According to the www.plainlanguage.gov website, plain language is language a reader can understand the first time. Reaching that standard often requires extensive testing with members of the anticipated user group.