The federal government should take fair information practices into account when it sets privacy and security policies for health information exchange (HIE). That, at least, is the recommendation of the Health IT Policy Committee workgroup called the Tiger Team, which recently issued a draft set of policies in a 19-page letter to the Health IT Policy Committee.
Fair information practices stipulate that data must be collected lawfully, must be used only to carry out a specified purpose, and must be made available to an individual if he or she requests it. The Tiger Team examined five key elements of HIE, from patient consent to the use of intermediaries, in the context of these practices.
Based on fair information practices, an intermediary “may not collect, use or disclose personal . . . health information [PHI] for any purpose other than to provide the services specified in the business associate or service agreement with the data provider,” the Tiger Team wrote in its letter.
In addition, health care providers should be responsible for keeping a patient’s PHI private and secure. To that end, patients have the right to “meaningful consent” when their PHI must be shared, as well as the right to opt out of HIE in favor of what the Tiger Team calls a directed exchange model, in which the provider maintains control over the information exchange.
The exchange of information ultimately “should be limited to treatment of the individual who is the subject of the information, unless the provider has the consent of the subject individual to access, use, exchange or disclose his or her information to treat others,” the Tiger Team recommended. Such a policy seems to be in line with fair information practices, and, as Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society, points out in the HIMSS Blog, it will help define the policies that guide health IT implementation.