Health Information Technology Framework

Privacy & Security

Privacy and security ensures that shared health information is protected from exposure to accidental or inappropriate disclosure, unauthorized access, modification, removal, and/or destruction. Consumers/Patients must have confidence that their privacy is protected and their healthcare data is secure. The HIE will make health information available and accessible, ensure the data sources (such a physicians, hospitals, laboratories, pharmacies, and other health care providers) protect healthcare data and information and ensure healthcare data and information is disclosed only with proper authorization and authentication.

  1. What, if any, state laws impact privacy and security and how? (More details)

    • Understand current state privacy law as compared to HIPAA and document differences
    • Identify appropriate privacy and security standards for your state
    • Understand current privacy and security policies in use by the data sources
    Close

  2. What is your exchanges approach to the 5 A's (authorization, access, authentication, accountability, auditing)? (More details)

    • Develop policies for authorization, authentication, access, audit, accountability for initial HIE services planned for implementation within 2 years
    • Determine who needs access and what are the minimum legal disclosure requirements according to state and federal law
    • Identify the specific HIE services to be provided within the first 2 years, then consider the impact of potential privacy and security policy approaches on current clinical workflow, administrative workflow, and current policies and procedures in place at the different institutions and providers
    Close

  3. What are your foundational principals regarding privacy and security? (More details)

    • Categorize types of uses for the data to frame the discussion on privacy and security (e.g., emergency treatment, ambulatory treatment, public health reporting and biosurveillance, post-marketing surveillance, quality, research)
    • Review privacy and security models and approaches currently in use
    • Clearly delineate and document risks with selected privacy and security approaches (e.g., risk of low adoption due to substantial additional administrative burden)
    • Understand the wants, needs and concerns of the data sources and other stakeholders regarding privacy and security
    • Balance privacy and security recommendations with need for 1) financially sustainable HIE, 2) technical architecture, 3) maximizing participation of data sources, 4) maximizing user adoption, and 5) minimizing impact to current business processes.
    Close

  4. How do participants assure other stakeholders that they are in compliance with your exchange's approach and principles? (More details)

    • Vet team-recommended privacy and security approach with data sources, and with intended users of the HIE service, as well as other stakeholders
    • Develop flexible mechanism/infrastructure to address future requests for HIE (e.g., another use is proposed by a stakeholder) that cannot be anticipated at this time
    Close

  5. Expected Project Outcomes (More details)

    • Documented approach to privacy and security policies, including roles and responsibilities, risks and expected impact on clinical workflow, administrative workflow, adoption by users, participation of data sources, technical architecture and HIE financial sustainability.
    • Consensus from key data sources on privacy and security approach, evidenced by a signed agreement with the primary data sources.
    • Approved policies dealing with the 5 As
      • Authorization
      • Authentication
      • Access
      • Audit
      • Accountability
    • Documented structure or mechanism to address review of future requests for access to data for other purposes.
    Close
or

Achieve Meaningful Use.