Health Data Privacy Recommendations Balance Security, Accessibility

Advisers detail how health information exchanges should ensure safety and accuracy of patient medical information while still complying with meaningful use requirements.

Collection, Use, and Disclosure Limitation -- Individually identifiable health information should be collected, used, and/or disclosed only to the extent necessary to accomplish a specified purpose(s) and never to discriminate inappropriately.

Data Quality and Integrity -- Persons and entities should take reasonable steps to ensure that individually identifiable health information is complete, accurate, and up-to-date to the extent necessary for the person's or entity's intended purposes and has not been altered or destroyed in an unauthorized manner.

Safeguards -- Individually identifiable health information should be protected with reasonable administrative, technical, and physical safeguards to ensure its confidentiality, integrity, and availability and to prevent unauthorized or inappropriate access, use, or disclosure.

Accountability -- These principles should be implemented, and adherence assured, through appropriate monitoring, and other means and methods should be in place to report and mitigate non-adherence and breaches.

The Tiger Team's letter specifically noted that its list didn't include policies around the concepts of remedies or redress, although these are arguably implicit in the principle of accountability. "As our work evolves toward a full complement of privacy policies and practices, it likely will be important to further spell out remedies as an added component of FIPs," the letter said.

The authors also recommend that third-party service organizations may not collect, use, or disclose personally identifiable health information for any purpose other than to provide the services specified in the contract with the data provider. These organizations should also retain a patient's health information only for as long as necessary to provide the functions specified in the contract with the data provider.

On the issue of accountability, the Tiger Team recommends that the responsibility for maintaining the privacy and security of a patient's record rests with the patient's providers.

Turning its attention to improvements in technology to better safeguard patient privacy, the letter stated that in a digital environment, robust privacy and security policies should be strengthened by innovative technological solutions that can better protect data.

"This includes requiring that electronic record systems adopt adequate security protections (like encryption, audit trails, and access controls), but it also extends to decisions about infrastructure and how health information exchange will occur. The Tiger Team's future work will also need to address the role of technology in protecting privacy and security," the authors said.