For those of you on the lookout for the next big buzzword in healthcare privacy and security, it just may be "data stewardship." Â On December 21, 2007, the National Committee on Vital and Health Statistics ("NCVHS") submitted a report to the Secretary of the Department of Health and Human Services ("HHS") entitled "Enhanced Protections for Uses of Health Data: A Stewardship Framework for 'Secondary Uses' of Electronically Collected and Transmitted Health Data." The NCVHS report is part of a movement that has been gathering momentum in the past year to subject a variety of health care information technology enterprises to privacy regulation. Â In June 2007, the American Health Information Community ("AHIC") Confidentiality, Privacy and Security Workgroup sent a letter to HHS, recommending that any business associate, within the meaning of HIPAA, that participates directly in, or comprises, an electronic health information exchange network should be required by law to meet privacy and security standards at least equivalent to HIPAA. Â Also in June 2007, NCVHS sent a letter to HHS endorsing passage of laws and regulations to ensure that all entities that handle PHI are covered by a federal privacy law.
The NCVHS report proposes that all organizations and individuals with access to personal health data follow attributes of appropriate data stewardship. The American Medical Informatics Association defines health data stewardship as encompassing the responsibilities and accountabilities associated with managing, collecting, viewing, storing, sharing, disclosing, or otherwise making use of personal health information. NCVHS recommendations describe the attributes of appropriate data stewardship. The report, which can be found at http://www.ncvhs.hhs.gov/071221lt.pdf, makes for interesting reading, particularly in its critiques of the HIPAA regulatory framework.