Privacy & Security Policy

Advancing Privacy and Security in Health Information Exchange

The public comment period ran through September 13, 2010, for proposed modifications to the HIPAA Privacy & Security Rules. These modifications will guide the implementation and enforcement of the provisions passed by Congress in the HITECH Act of 2009 that add new protections to the regulations from the original 1996 HIPAA authority.

The new regulations will improve patient privacy and security protections by:

  • Extending the Office for Civil Rights’ (OCR) enforcement to business associates and covered entities,
  • Strengthening individuals' rights to request and receive their medical information in electronic form, and
  • setting new limits on the use and sale of individuals’ information.

The OCR enforces the HIPAA Privacy and Security Rules and regulates any modifications to these rules.

These efforts, together with the ongoing Privacy and Security initiatives by The Office of the National Coordinator for Health Information Technology (ONC), will work to ensure that electronic health exchange is private and secure. “Building Trust in Health Information Exchange,” a joint OCR-ONC statement issued July 8, 2010, summarizes the work and highlights future work to continue to advance privacy and security in health information exchange.

The ONC, under authority of HITECH Act of 2009, is evaluating potential privacy and security protections for electronic health information exchange. The Chief Privacy Officer, Joy Pritts, is coordinating this effort within HHS as well as with other Federal agencies and State efforts.

Electronic health information exchange promises an array of potential benefits for individuals and the U.S. health care system through improved clinical care and reduced cost. At the same time, this environment also poses new challenges and opportunities for protecting individually identifiable health information. In health care, accurate and complete information about individuals is critical to providing high quality, coordinated care. If individuals and other participants in a network lack trust in electronic exchange of information due to perceived or actual risks to individually identifiable health information or the accuracy and completeness of such information, it may affect their willingness to disclose necessary health information and could have life-threatening consequences. Coordinated attention at the Federal and State levels is needed both to develop and implement appropriate privacy and security policies. Only by engaging all stakeholders, particularly consumers, can health information be protected and electronically exchanged in a manner that respects variations in individuals’ views on privacy and access.

Privacy and Security Whitepaper Series

ONC awarded The George Washington University Department of Health Policy a grant to conduct research and analyze key privacy and security legal and policy questions presented by the adoption of electronic health records and health information exchange. The two whitepapers, “Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis” and “Data Segmentation In Electronic Health Information Exchange: Policy Considerations and Analysis,” appear below.

Data Segmentation In Electronic Health Information Exchange: Policy Considerations and Analysis

Consumer Consent Options for Electronic Health Information Exchange: Policy Considerations and Analysis