On December 15, the U.S. Department of Health and Human Office for Civil Rights ("OCR") issued new guidance documents that describe how health care organizations may engage in the exchange of electronic health information consistent with HIPAA Privacy Rule standards. The guidance consists of two documents: (1) the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (the "Framework"); and (2) the Health IT Privacy and Security Toolkit (the "Toolkit"). The Toolkit is intended to provide practical assistance to organizations seeking to implement the Framework.
For those grappling with the challenges of implementing a regional health information organization ("RHIO") or other health information exchange, the Framework and the Toolkit provide a wealth of useful guidance. Perhaps most importantly, the OCR guidance should help dispel nagging doubts in some quarters that RHIOs can be implemented in a manner that is HIPAA-compliant. The guidance is organized around eight guiding principles: (1) Individual Access; (2) Correction; (3) Openness and Transparency; (4) Individual Choice; (5) Collection, Use and Disclosure Limitation; (6) Data Quality Integrity; (7) Safeguards; and (8) Accountability.
The Framework emphasizes that adherence to "clear, understandable, uniform principles" is critical to achieving the necessary degree of trust among individual patients and stakeholders in a health information exchange program. In some cases, the Framework and Toolkit describe best practices that exceed the requirements of the HIPAA Privacy Rule. For example, the guidance documents recommend that individuals be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information. The Privacy Rule does not provide patients with this sort of broad right of control, particularly when a use or disclosure is for a HIPAA covered entity's "treatment, payment or health care operations" purposes.
The Framework and the Toolkit represent a welcome effort by OCR to clear the path to adoption of electronic health information exchanges. However, there seems to be an implicit assumption in OCR's guidance that the greatest barrier to RHIOs and other exchanges is a lack of public confidence regarding privacy protections. As the folks at the Department of Treasury can attest, it's never an easy thing to create consumer confidence.