The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information

The principles of the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information below establish a single, consistent approach to address the privacy and security challenges related to electronic health information exchange through a network for all persons, regardless of the legal framework that may apply to a particular organization. The goal of this effort is to establish a policy framework for electronic health information exchange that can help guide the Nation’s adoption of health information technologies and help improve the availability of health information and health care quality. The principles have been designed to establish the roles of individuals and the responsibilities of those who hold and exchange electronic individually identifiable health information through a network.

• The Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information

The Health IT Privacy and Security Toolkit

As part of a Privacy and Security Toolkit to implement the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (Privacy and Security Framework) the Office of the National Coordinator for Health Information Technology (ONC) and the Office for Civil Rights (OCR) developed a number of materials and guidance, respectively. The materials and guidance below are organized by the principle they relate to.

Individual Access Principle - Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.

• The HIPAA Privacy Rule's Right of Access and Health Information Technology

Correction Principle - Individuals should be provided with a timely means to dispute the accuracy or integrity of their individually identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied.

• HIPAA Privacy Rule and the Privacy and Security Framework: Correction Principle and FAQs

Openness and Transparency Principle - There should be openness and transparency about policies, procedures, and technologies that directly affect individuals and/or their individually identifiable health information.

• HIPAA Privacy Rule and the Privacy and Security Framework: Openness and Transparency Principle and FAQs
• Draft Model Personal Health Record (PHR) Privacy Notice & Facts-At-A-Glance (the "Leavitt Label")

Individual Choice Principle - Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.

• HIPAA Privacy Rule and the Privacy and Security Framework: Individual Choice Principle and FAQs

Collection, Use, and Disclosure Limitation Principle - Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.

• HIPAA Privacy Rule and the Privacy and Security Framework: Collection, Use, and Disclosure Limitation Principle and FAQs

Data Quality and Integrity Principle - Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed in an unauthorized manner.

Safeguards Principle - Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

• HIPAA Privacy Rule and the Privacy and Security Framework: Safeguards Principle and FAQs
• Reassessing Your Security Practices in a Health IT Environment: A Guide for Small Health Care Practices

Accountability Principle - These principles should be implemented, and adherence assured, through appropriate monitoring and other means and methods should be in place to report and mitigate non-adherence and breaches.

• HIPAA Privacy Rule and the Privacy and Security Framework: Accountability Principle and FAQs