Question

Model and Security Policy Increasingly patients are creating and maintaining personal health records (PHRS) with data from a variety of healthcare providers as well as data they have generated about their health. What provisions should be included in a model privacy and security policy that patients might use in making decisions related to their privacy and the security of their PHRS?

Answer 1

Personal Health Record (PHR) is a electronic tool that is intended to allow consumers to store, manage, Durand share their personal health information

PHR model privacy and security is a tool that PHR companies can use to communicate their privacy and security policies and data sharing practices to individuals

HIPAA (HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY) rule applies to PHR

PROCESS:

PHASE 1--understanding the landscape

PHASE2--stake holders input

PHASE3--consumer testing and tool development

PROVISIONS REQUIRED IN MODEL PRIVACY AND SECURITY POLICIES

1.REQUIRES CONSUMER CONSENT TO COLLECT, USE, DISCLOSE, MAINTAIN, STORE DATA IN THE PHR

Broader control over the above process should be given to consumer and this helps the consumer to actively involve in decision making.

General consent is sufficient for routine access to data in PHR.

specific consent is needed for activities that consumers would not reasonably expect or fully understand or if there is a potential for abuse or misuse of consumer data for activities like marketing and research.

PHR users should voluntarily participate in marketing or research activities or only if law permits..

2.ESTABLISH SAFE HARBOR TO ENCOURAGE BEST PRACTICE

this should demonstrate that privacy practices are more protective than that is required by law

Safe harbor regime should be independent approval and oversight components to meet standards

First an audit is done and if the company succeeds in the audit, a logo or symbol or icon is allotted to it so that it is easy for consumers to recognize the safe one

3.PHR POLICIES SHOULD BE PREPARED TO HANDLE DISPUTES CONCERNING INFORMATION IN THE PHR

PHR providers should clearly convey their consumers about the policies for handling disputes cincerning to the consent of PHR

PHR contains days from 2 sources --dats from traditional health system and data from consumer himself

Users can be free to change data that they input the self or that Comes from other non traditional sources

4.PROHIBIT COMPELLED USE OF PHR

despite the many potential benefits, individuals should be free to choose whether or not to open a PHR account

They should not be compelled to disclose info held in PHR

5.REQUIRES PHR PROVIDERS TO HAVE DATA RETENTION AND ACCOUNT TERMINATION

6.PHR PROVIDERS SHOULD ADOPT REASONABLE SECURITY PROTECTION INCLUDING STRONG AUTHENTICATION POLICIES

it includes 4components--IDENTITY PROOFING

IDENTIFIERS TOKEN

ONGOING MONITORING

ONGOING AUDITING AND ENFORCEMENT

7.PHR PROVIDERS SHOULD USE IMMUTABLE AUDIT TRAILS

8.PLACE STRONG PROHIBITION ON RE-IDENTIFICATION OF AGGREGATE OR DE IDENTIFIED DATA FROM A PHR

9.DATA IN A PHR SHOULD BE PORTABLE, HUMAN RELATABLE AND DIVISIBLE

Users should be able to share only a part of their record rather than entire record

10.PHR PROVIDERS SHOULD ADOPT FIP(FEDERAL INFORMATION PROCESSING) FOR DATA COLLECTED ABOUT CONSUMERS ,USE OF PHR, THEIR ACTIVITIES ONLINE ETC

11.MAKE ALL PHRs SUBJECT TO CONSISTENT FEDERAL RULES

12.EXTEND FEDERAL POLICIES BEYOND PHR VENDORS TO OTHERS WITH SIGNIFICANT ACCESS TO PHR INFORMATION LIKE

Entities that offer products or services through the website

Entities not covered by HIPAA that access health info

third party service providers etc

13.PHR PROVIDERS SHOULD CLARIFY TO CONSUMERS THEIR RELATIONSHIP WITH THIRD PARTY APPLICATIONS AND WEBSITES

14.STRONG AND CONSISTENT ENFORCEMENT OF RULES IS NEEDED

15.DATA IN PHR SHOULD BE PRESERVED

if all these are provided to the users, they will get confidence that this process is safe and secure and hence they will adopt personal health records

if proper information is provided,they will actively participate in decision making