Secretary Leavitt Announces New Principles and Tools to Protect Privacy


During his keynote address at Monday's (12-15-2008) Nationwide Health Information Network Forum, HHS Secretary Michael Leavitt announced the publication and availability of new privacy principles and a toolkit to help protect privacy in the health IT environment. Secretary Leavitt emphasized that appropriate privacy and security measures will be an essential sociological enabler of groundbreaking technology.

The privacy principles articulated by Secretary Leavitt are as follows:

Individual Access - Consumers should be provided with a simple and timely means to access and obtain their personal health information in a readable form and format.

Correction - Consumers should be provided with a timely means to dispute the accuracy or integrity of their personal identifiable health information, and to have erroneous information corrected or to have a dispute documented if their requests are denied. Consumers also should be able to add to and amend personal health information in products controlled by them such as personal health records (PHRs).

Openness and Transparency - Consumers should have information about the policies and practices related to the collection, use and disclosure of their personal information. This can be accomplished through an easy-to-read, standard notice about how their personal health information is protected. This notice should indicate with whom their information can or cannot be shared, under what conditions and how they can exercise choice over such collections, uses and disclosures. In addition, consumers should have reasonable opportunities to review who has accessed their personal identifiable health information and to whom it has been disclosed.

Individual Choice - Consumers should be empowered to make decisions about with whom, when, and how their personal health information is shared (or not shared).

Collection, Use, and Disclosure Limitation - It is important to limit the collection, use and disclosure of personal health information to the extent necessary to accomplish a specified purpose. The ability to collect and analyze health care data as part of a public good serves the American people and it should be encouraged. But every precaution must be taken to ensure that this personal health information is secured, deidentified when appropriate, limited in scope and protected wherever possible.

Data Integrity - Those who hold records must take reasonable steps to ensure that information is accurate and up-to-date and has not been altered or destroyed in an unauthorized manner. This principle is tightly linked to the correction principle. A process must exist in which, if consumers perceive a part of their record is inaccurate, they can notify their provider. Of course the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule provides consumers that right, but this principle should be applied even where the information is not covered by the Rule.

Safeguards - Personal identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

Accountability - Compliance with these principles is strongly encouraged so that Americans can realize the benefit of electronic health information exchange. Those who break rules and put consumers' personal health information at risk must not be tolerated. Consumers need to be confident that violators will be held accountable.

You can access further information and the principles and toolkit at http://www.hhs.gov/healthit/privacy/framework.html.
