Tiger Team to Blumenthal: Stick to fair info practices

In a letter to National Coordinator for Health IT David Blumenthal, MD, the federal Health IT (HIT) Policy Committee's Privacy and Security Tiger Team recommended an approach to privacy and security that is comprehensive and firmly guided by fair information practices.

“We understand the need to address ad hoc questions within the compressed implementation time frames, given the statutory deadlines of the EHR Incentives Program,” the letter stated. “However, the Office of the National Coordinator for Health IT (ONC) must apply the full set of fair information practices as an overarching framework to reach its goals of increasing public participation and trust in health IT.”

The recommendations made by the HIT Policy Committee's Tiger Team, comprised of industry stakeholders, applied to the electronic exchange of patient-identifiable health information among known entities to meet Stage I of meaningful use.

The recommended fair information policy principles included:

• Individual Access: Individuals should be provided with a simple and timely means to access and obtain their individually identifiable health information in a readable form and format.
• Correction: Individuals should be provided with a timely means to dispute the accuracy or integrity of their identifiable health information.
• Openness and Transparency: There should be openness and transparency about policies, procedures and technologies that directly affect individuals and/or identifiable health information.
• Individual Choice: Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of identifiable health information.
• Collection, Use and Disclosure Limitation: Individually identifiable health information should be collected, used and/or disclosed only to the extent necessary to accomplish a specific purpose and never to discriminate inappropriately.
• Data Quality and Integrity: Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate and up to date to the extent necessary for the person’s or entity’s intended purposes and has not been altered or destroyed.
• Safeguard: Individually identifiable health information should be protected with reasonable administrative, technical and physical safeguards to ensure its confidentiality, integrity and availability and to prevent unauthorized or inappropriate access, use or disclosure.

In addition, the Tiger Team offered a set of core values to guide ONC’s work to promote HIT:

• The relationship between the patient and his or her healthcare provider is the foundation for trust in health information exchange (HIE), particularly with respect to protecting the confidentiality of personal health information.
• As key agents of trust for patients, providers are responsible for maintaining the privacy and security of their patients’ records.
• We must consider patient needs and expectations. Patients should not be surprised about or harmed by collections, uses or disclosures of their information.
• Ultimately, to be successful in the use of health information exchange to improve health and healthcare, we need to earn the trust of both consumers and physicians.

The letter made recommendations including the use of intermediaries or third-party service providers in identifiable HIE, the ability of the patient to consent to participation in identifiable HIE at a general level and how consent should be implemented, and the ability of technology to support more granular patient consults.

“Only a systematic and comprehensive approach to privacy and security can achieve confidence among the public,” the letter concluded. “In particular, our recommendations do not address directly the need to also establish individual access, correction and safeguard capabilities, and we recommend these be considered closely in the very near future.”

The 19-page letter can be found here.