ONC Sends Guidance to States on Privacy, Security Requirements for Exchanges

Stay ahead of developments in federal and state health care law, regulation and transactions with timely, expert news and analysis.

By Kendra Casey Plank  


The Office of the National Coordinator for Health Information Technology has sent guidance to state health information exchange grant recipients on how they should be safeguarding individuals' health care data included in health information exchange activities.

In a March 22 program information notice (PIN), ONC said the guidance is meant to provide “additional direction” to states and state-designated entities on privacy and security frameworks that are required as part of states' obligations under the $550 million grant program that provided federal funding for developing state-based HIEs.

“This PIN guidance provides a common set of privacy and security rules of the road to assure provider and public trust and enable rapid progress in health information exchange to support patient care,” ONC said in the document. “It addresses concerns from State leaders and other stakeholders that health information exchange efforts have been hampered and slowed by the lack of consistent approaches to core privacy and security issues and responds to request for clear national guidance.”

ONC Chief Privacy Officer Joy Pritts told the 20th National HIPAA Summit March 27 in Washington that the guidance builds off of recommendations for HIE privacy and security by the Health IT Policy Committee's tiger team.

Pritts said the guidance directs state HIEs that store, assemble, or aggregate individually identifiable health information (IHII) to give patients electronic access to their compiled IIHI and the ability to request corrections and dispute information accuracy.

HIEs also are directed to give patients “meaningful choice” about whether their IIHI may be exchanged through the HIE entity, Pritts said. However, she noted that HIEs that serve solely as “information conduits” and do not store, assemble, or aggregate data are not required to provide consent options, unless otherwise required by law.

States can use so-called opt-in or opt-out models to satisfy the individual choice requirements, Pritts said, provided the models include such provisions as:

  • giving individuals sufficient time and knowledge for making choices;
  • not using individuals' choices as conditions of receiving medical treatment; and
  • making choices revocable at any time.

The guidance also recommends states give individuals choices about which providers can access their IIHI and give individuals more granular choices than having all or none of their data exchanged.

Pritts said the guidance was meant to address privacy and security questions for data and situations not already covered by existing Health Insurance Portability and Accountability Act rules.

In fact, she said, the guidance does not refer to patient data as protected health information, but rather IIHI, because of that term's broader application to health data that will be exchanged through HIEs.

The guidance is available at http://op.bna.com/mdw.nsf/r?Open=plon-8sssl5.

Request Health Care on Bloomberg Law