
Introduction

An ad-hoc subgroup of members from the American Health Information Community's (AHIC) Consumer Empowerment (CE) and Confidentiality, Privacy, and Security (CPS) Workgroups was convened to evaluate privacy protections governing personal health records (PHRs) for the purpose of initiating and framing the development of certification criteria for PHRs related to privacy policies.

A "PHR Service Provider" may be an employer, health care provider, health insurance plan, or an independent third-party vendor. Information used to populate PHRs may come from existing electronic health records or health insurance plan claim systems, or may be entered directly by the consumer. Some PHR Service Providers, such as health care providers and health insurance plans, are subject to the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The subgroup believes that personal health information included in a PHR, regardless of the type of PHR Service Provider or the source of the information, should be governed by a minimum set of privacy protections. Therefore, to ensure that an individual's information is appropriately protected, the subgroup proposes that each PHR Service Provider establish a privacy policy based on the "Essential PHR Privacy Policy Components" listed in the table below.

Control of Personal Health Information

In developing the Essential PHR Privacy Policy Components, the subgroup decided that specificity would lead to clearer privacy policies. As a result, where greater specificity would allow an individual to clearly understand a requirement in a privacy policy, even though that requirement created an obligation for the PHR Service Provider, the tradeoff was made for the benefit of the individual. One such tradeoff occurred within the attribute "how data are used and/or disclosed." The subgroup believes that consumers should be afforded sole control over the use of and access to data in their PHRs. However, where a PHR is provided in an integrated fashion (i.e., as part of an electronic health record (EHR)), the individual would not have the same right of control over the health information maintained in that EHR.

HIPAA Crosswalk

For discussion purposes, the table below contains a crosswalk column that, where possible, maps each privacy policy component to its HIPAA Privacy Rule counterpart. In general, sections 164.520 and 164.530 of the HIPAA Privacy Rule (notice of privacy practices and administrative requirements) were used for this crosswalk because of their relation to the document's scope. It is important to note, however, that a direct (one-to-one) comparison of the privacy policy components to the HIPAA Privacy Rule was complicated by the mixture of privacy policy requirements and notice requirements in the description of certain components. Therefore, for each topic as relevant, both the overarching privacy policy (or the need for written privacy policies) and the more exacting requirements for individual notice have been articulated. We believe that this column will serve as a useful way to judge each PHR Service Provider privacy policy component against current HIPAA Privacy Rule standards, and to understand what a privacy policy component may mean if offered by a HIPAA covered entity.

Essential PHR Privacy Policy Components

Each entry below gives the Category and Attribute, followed by the Privacy Policy Components and the Crosswalk to HIPAA Privacy Rule Requirements.
Category: Communication between PHR Service Provider and user about privacy policy

Attribute: Privacy contact information available

Privacy Policy Components:

• A specific contact and contact information shall be easily and promptly accessible to users seeking information concerning the privacy policy.

• The timeframes for responding shall be made clear in the policy.

• Responses to requests shall be made as soon as reasonably possible.

Crosswalk to HIPAA Privacy Rule Requirements:

• § 164.520(b)(1)(vii) requires that a covered entity's (CE) notice of privacy practices (NPP) contain the name or title, and telephone number, of a person or office to contact for further information about matters covered by the NPP.

• § 164.530(a)(1) requires a CE to designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity, and a contact person or office who is responsible for receiving complaints and able to provide further information about matters covered by the NPP.

• There is no requirement imposing a timeframe for response or an obligation on the CE to respond.

Attribute: Version management: effective date and amendments

Privacy Policy Components:

• The policy shall visibly display its effective date.

• Historical policies and the effective dates of any amendments shall be made available to the consumer upon request.

Crosswalk to HIPAA Privacy Rule Requirements:

• § 164.520(b)(1)(viii) requires that the NPP contain the date on which the NPP is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.

• The administrative requirements for policies and procedures assume an effective date but, unlike those above for the NPP, do not expressly call for one. In some cases the effective date of the NPP serves as the effective date for the policy.

• § 164.520(e) requires a CE to document compliance with the NPP requirements by retaining copies of the NPPs issued for six years from the date of creation or the date when last in use, whichever is later.

• § 164.520(c) requires a CE to make the NPP available upon request to any person and to distribute the NPP to individuals as required by the Rule, but there is no express provision requiring the CE to provide access to historical copies of the NPP or to its policies and procedures.

Attribute: Notification of policy change

Privacy Policy Components:

• Users shall be notified, within the timeframe described in the next component, when the privacy policy is changed or amended, with a clear indication of the differences between the new policy and the previously effective policy.

• The policy shall include a reasonable timeframe (e.g., 30 days) within which a consumer must be notified of changes or amendments before the changes or amendments become effective.

Crosswalk to HIPAA Privacy Rule Requirements:

• § 164.530(i) requires a CE to change its policies and procedures as necessary to comply with changes in law; any delay in revising the policies and/or the NPP is no excuse for not complying with the law.

• § 164.520(b)(3) requires a CE to promptly revise and distribute its NPP whenever there is a material change to the privacy practices stated in the NPP.

• § 164.520(b)(1)(v) requires the CE to expressly reserve in the NPP the right to make changes in its policies and procedures effective for protected health information (PHI) collected or created prior to the effective date of the revised NPP. Otherwise, the revised policy can only be applied to PHI collected or created on or after the effective date.

• § 164.530(i)(5) allows changes to policies and procedures that do not materially alter the NPP to be made at any time and implemented after the date on which the change has been documented.

• § 164.520(c)(1) requires health plans to provide notice at the time of enrollment, within 60 days of a material revision to the NPP, and once every three years; § 164.520(c)(2) requires providers to provide notice at first service delivery and, if a facility is maintained, to have it available for handout and posted at the site, and to provide and/or post revised notices promptly on or after the effective date.

• § 164.520(c)(3) requires a CE that maintains a website providing information about the CE's services or benefits to post its NPP on the website. Notice requirements may be met via email if the individual agrees to electronic notice.

• No prior notice to the individual or identification of changes is required by the Rule.

Attribute: User option(s) after a change in policy

Privacy Policy Components:

• Users shall be provided with the opportunity to either:

  • affirmatively accept the policy change (and such opportunity must be provided before any new use or disclosure of that individual's health data); or

  • terminate their contract or user agreement with the PHR Service Provider, without penalty, if they have concerns about the change in privacy policy.

Crosswalk to HIPAA Privacy Rule Requirements:

• No comparable provision. Individuals often have the choice of health plans and providers, and are free to take their business elsewhere for whatever reason. However, the nature of the relationship and legal or economic restrictions beyond the scope of the Privacy Rule make this policy difficult if not impossible in contexts other than a PHR.
Category: Accessibility and readability of policy

Attribute: Accessibility and readability of policy

Privacy Policy Components:

• The policy shall be posted on the website and shall be easily accessible.

• The policy can be provided to a consumer in electronic or written format.

• The policy shall be written in plain language and shall be available to consumers in the language(s) that the PHR is designed to support.[1]

Crosswalk to HIPAA Privacy Rule Requirements:

• § 164.520(c)(3) requires a CE that maintains a website providing information about the CE's services or benefits to post its NPP on the website. Notice requirements may be met via email if the individual agrees to electronic notice. An individual receiving electronic notice retains the right to a paper copy upon request.

• § 164.520(b)(1) requires the NPP to be written in plain language. The availability of the NPP in other languages is not a requirement of the Privacy Rule but may be required by other law, such as limited English proficiency (LEP) requirements.

• These requirements do not directly apply to all policies and procedures, but just to the NPP.

Category: Terminated accounts, change in company status, or discontinuation of service

Attribute: Treatment of personal health information contained within terminated accounts

Privacy Policy Components:

• The policy shall address how the PHR Service Provider handles personal health information upon termination of the user's contract or user agreement with the PHR Service Provider.

• Upon termination of the user's contract or user agreement with a PHR Service Provider, the PHR Service Provider shall cease any further use or disclosure of the consumer data (identifiable or as part of aggregate data).

• The policy shall address how long the PHR Service Provider maintains personal health information after the user's account has been terminated, providing a reasonable amount of time to ensure that the user has the opportunity to download or move their data to another service.

Crosswalk to HIPAA Privacy Rule Requirements:

• The Privacy Rule does not impose special rules for the use or disclosure of PHI based on the individual's contractual relationship with the entity. All PHI is protected in the same manner for so long as the entity maintains the records. The Rule does not impose record retention requirements. These requirements would be onerous and impracticable if applied in other than a PHR setting.

• The Privacy Rule does not limit or control uses or disclosures once PHI has been de-identified.

Attribute: Treatment of personal health information upon discontinued operations or change in company status

Privacy Policy Components:

• The policy shall address how personal information is treated if the PHR Service Provider discontinues operations of its service, transfers ownership of the service, is acquired, or goes out of business.

Crosswalk to HIPAA Privacy Rule Requirements:

• § 164.502(a)(1)(ii) allows a CE to use and disclose PHI for "health care operations" purposes, one of which is the sale, transfer, merger, or consolidation of all or part of the CE with another CE (or another entity that would become a CE upon completion of the transaction) and due diligence in connection with such a transaction. See also the definition of "health care operations" at § 164.501.

• § 164.520(b)(1)(ii)(A) requires that uses and disclosures for treatment, payment, and health care operations be described in the NPP and that at least one example of each be included.

• § 164.530(c) requires that a CE appropriately safeguard PHI, which includes when disposing of PHI.

Category: User data collection

Attribute: Tracking of user behavior and attributes

Privacy Policy Components:

• The policy shall address the use and purposes of data points collected by the PHR Service Provider about the consumer (e.g., cookies, small pieces of code placed on the user's computer).

Crosswalk to HIPAA Privacy Rule Requirements:

• There does not appear to be a direct Privacy Rule counterpart (one may analyze a cookie as similar to an ID, but there is no counterpart on "cookies" that may track unrelated computer uses by an individual); however, any demographic information collected on the individual is PHI, and its uses/disclosures are thus controlled by the Rule.
Category: The use and disclosure of user data

Attribute: How data are used and/or disclosed

Privacy Policy Components:

• The policy shall state that the personal information contained within the PHR, regardless of its source, is under the sole control of the consumer. The policy shall state that all other uses or any disclosures of consumer data from the PHR, whether the consumer is identifiable or not, shall require consumer authorization.

• The PHR Service Provider shall notify users if and how it uses and/or discloses consumer data.

Crosswalk to HIPAA Privacy Rule Requirements:

• § 164.520(b)(1)(ii) requires the NPP to describe the uses and disclosures of PHI the CE is permitted and required to make by the Privacy Rule without the individual's authorization; any legal limitation on such permitted uses/disclosures; and the fact that all other uses or disclosures will be made only with the individual's authorization. The description must be detailed enough to give fair notice.

• § 164.520(b)(2)(i) permits the CE to add to the NPP any self-limitations on permitted uses/disclosures that it decides to adopt. Thus, a CE may elect a PHR use/disclosure policy that grants total control to the individual and may state that in the NPP. This would not be a policy it would likely adopt with respect to the EHR, resulting in either separate notices or a more complex notice to cover the points unique to the PHR.

• § 164.520(b)(1)(v)(C) also requires a CE to state in the NPP that it must abide by the terms of the notice currently in effect.

• § 164.502 provides the roadmap of permitted and required uses and disclosures in the Rule, with pointers to more specific regulatory standards, such as § 164.506, § 164.510, and § 164.512. The authorization requirements are contained in § 164.508.

• The policy applies equally to identifiable and, presumably, de-identified information. As noted above, once PHI has been de-identified, the Rule no longer controls the uses or disclosures of such information. The standards for de-identification are at § 164.514(a)-(c).

Attribute: Availability of audit trails

Privacy Policy Components:

• The policy shall state that the user shall have access to information on when and by whom their data was accessed.

Crosswalk to HIPAA Privacy Rule Requirements:

• § 164.528 gives the individual the right to have an accounting of certain disclosures upon request. The CE has 60 days to provide the accounting, and it must contain the date, a description of the PHI disclosed, to whom it was disclosed, and the purpose, for disclosures made up to six years prior to the request. A CE does not need to account for "uses" or for TPO (treatment, payment, and health care operations) disclosures, disclosures authorized by the individual, limited data sets, and certain other disclosures. The accounting may be suspended or delayed with respect to certain law enforcement and health oversight disclosures. Note that this policy thus provides individual access to information over and above the accounting-for-disclosures rights in HIPAA, by incorporating uses and providing for no disclosure exceptions, including those "authorized" by the individual.

• § 164.530 requires adequate safeguards to prevent impermissible uses or disclosures but does not specifically require audit trails. However, note that the Security Rule at § 164.308(a)(1)(ii)(D) requires monitoring of system access through audit logs, access reports, and security incident tracking reports. Neither Rule gives the individual access rights to audit trails run by the entity.

• § 164.520(b) requires that the NPP include notification of individual rights, including the right to an accounting of disclosures.

Category: Definition of terminology

Attribute: Key terms

Privacy Policy Components:

• The policy shall define key terms used in the policy, such as:

  • "personal health information"

  • "de-identified personal health information"

  • "use" of health data

  • "disclosure" of health data

  • "affiliate" and "business associate"

Crosswalk to HIPAA Privacy Rule Requirements:

• § 160.103 defines the following:

  • Business associate (but not affiliate)

  • Disclosure

  • Protected (not personal) health information

  • Use

  Note that the Privacy Rule does not require the NPP to include definitions of terms, but the plain language requirement might result in some use of definitions or simplified, common-usage terms.

• § 164.514(a)-(c) provides the standard and requirements (not a definition) for de-identification of PHI.

Category: Adherence to published guidelines or codes

Attribute: Enforcement policies

Privacy Policy Components:

• The policy shall contain a representation and warranty by the PHR Service Provider that it complies with all applicable federal and state laws.

• If the PHR is offered by a covered entity, HIPAA shall be specifically addressed.

• Some method of recourse shall be available for users who feel their privacy has been violated or the PHR Service Provider's privacy policies have been violated, and that method shall be clearly communicated in the policy.

Crosswalk to HIPAA Privacy Rule Requirements:

• § 164.520 requires that the NPP contain information about how a CE will comply with the HIPAA Privacy Rule requirements, including uses and disclosures, individual rights, entity obligations, and where and how to complain and/or contact the entity.

• § 164.530(d), (e), and (f), respectively, require that CEs have their own complaint system and have sanction and mitigation policies for cases of violations.

• The Office for Civil Rights (OCR) handles privacy complaints and the Office of E-Health Standards and Services (OESS) handles security complaints. Civil money penalties are available, and criminal violations are handled by the Department of Justice (DOJ).

[1] According to the www.plainlanguage.gov website, plain language is language a reader can understand the first time. Getting to that point often requires extensive testing with members of the anticipated user group.