- (a) These Office of Health Information Technology Privacy Policies, are rooted in nine (9) privacy principles discussed in the Connecting for Health "The Architecture for Privacy in a Networked Health Information Environment" and a tenth adapted from NeHII, Inc. by the office that, taken together with privacy policies and procedures already deployed by participating entities as covered entities under HIPAA from a comprehensive array of administrative safeguards addressing privacy of protected health information.
- (b) The office has modeled its privacy policies on the Connecting For Health "Model Privacy Policies and Procedures for Health Information Exchange", with a number of differences based on state law, physical and technical safeguards available through the State Health Alliance for Records Exchange, and State Health Alliance for Records Exchange’s unique operating environment.
- (c) These core privacy principles and the policies that flow from them promote balance between consumer control of and access to health information and the operational need of covered entities to ensure that information uses and disclosures are not overly restricted, such that consumers would be denied many of the benefits and improvements that information technology can bring to the healthcare system.
(d)
- (1) The policies are intended to reflect a carefully balanced view of all of the principles and avoid emphasizing some over others in any way that would weaken the overall approach.
(2) The guiding office privacy principles are as follows:
- (A) Openness and transparency.
(i) Openness about developments, procedures, policies, technology, and practices with respect to the treatment of personal health data is essential to protecting privacy.
(ii) Individuals should be able to understand what information exists about them, how the protected health information is used, and how they can exercise reasonable control over that information.
- (iii) This transparency helps promote privacy practices and instills confidence with regard to data privacy, which in turn can help increase consumer participation in health information networks;
(B) Purpose specification and minimization.
- (i) Data use must be limited to the amount necessary to accomplish specified purposes.
- (ii) Minimization of use will help reduce privacy violations, which can easily occur when data is collected for one (1) legitimate reason and then reused for different or unauthorized purposes;
(C) Collection limitation.
- (i) Personal health data should be obtained only by fair and lawful means, and, if applicable, with the knowledge or consent of the pertinent individual.
- (ii) In an electronic networked environment, it is particularly important for individuals to understand how information concerning them is being collected because electronic collection methods may be confusing to average users.
- (iii) Similarly, individuals may not be aware of the potential abuses that can arise if they submit personal health information via an electronic method;
(D) Use limitation.
- (i) Protected health information should be obtained by one (1) participating entity from another only pursuant to mutual agreement that the information is being accessed for qualifying treatment, payment, or operations purposes of the requesting participating entity or for other purposes permitted by law.
- (ii) The use and disclosure of health information should be limited to those purposes specified by the State Health Alliance for Records Exchange.
- (iii) Certain exceptions such as public health reporting, law enforcement, or security may warrant reuse of data for other purposes.
- (iv) However, when data is used for purposes other than those originally specified, prior deidentification of the data can


help protect individual privacy while enabling important benefits to be derived from the information;
(E) Individual participation and control.
- (i) Every individual should retain the right to:
- (a) (a) Request and receive in a timely and intelligible manner information regarding who has that individual’s health data and what specific data the party has;
(b) (b) Know any reason for a denial of such request; and
(c) (c) Challenge or amend any personal information.
(ii) Because individuals have a vital stake in their own personal health information, such rights enable them to be participants in the collection and use of their data.
- (iii) Individual participation promotes data quality, privacy, and confidence in privacy practices;
(F) Data integrity and quality.
- (i) Health data should be accurate, complete, relevant, and up-to-date to ensure its usefulness.
- (ii) The quality of health care depends on the existence of accurate health information.
- (iii) Moreover, individuals can be adversely affected by inaccurate health information in other arenas, such as insurance and employment.
- (iv) Therefore, the State Health Alliance for Records Exchange must maintain the integrity of health data and individuals must be allowed to view information about them and request to amend such health information so that it is accurate and complete;
(G) Security safeguards and controls.
- (i) Security safeguards are essential to privacy protection because they help prevent data loss, corruption, unauthorized use, modification, and disclosure.
- (ii) With increasing levels of cybercrime, networked environments may be particularly susceptible without adequate security controls.
- (iii) Design and implementation of various technical security precautions such as identity management tools, data scrubbing, hashing, auditing, authenticating, and other tools can strengthen information privacy;
(H) Accountability and oversight.
- (i) Privacy protections have little weight if privacy violators are not held accountable for compliance failures.
- (ii) Employee training, privacy audits, and other oversight tools can help to identify and address privacy violations, security violations, and security breaches by holding accountable those who violate privacy requirements, and by identifying and correcting weaknesses in their security systems;
(I) Remedies.
- (i) The maintenance of privacy protection depends upon legal and financial means to remedy any privacy or security breaches.
- (ii) Such remedies should:
- (a) (a) Hold violators accountable for compliance failures;
(b) (b) Reassure individuals about the organization's commitment to information privacy; and
(c) (c) Mitigate any harm that privacy violations may cause individuals; and
(J) Reliance on covered entity policies and enforcement.
- (i) While the office should have a number of core policies and procedures for the benefit and confidence of all participating entities, the office should not try to replace policies, procedures, and methods already adopted by participating entities as covered entities under HIPAA.
- (ii) The office should identify, disseminate, and enforce only those policies and procedures necessary for coordination of privacy response, but should recognize that existing participating entity policies govern in all other areas.
- (iii) The office policies incorporate the principles outlined in the preceding principles as well as basic requirements set forth in HIPAA.
- (iv) The office policies seek to achieve a balance between maintaining the confidentiality of health information and maximizing the benefits of such information.
Codification Notes: "HIPAA” means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.