OCR Outlines a Framework for Health Information Exchanges

June 24, 2011
On December 15, the U.S. Department of Health and Human Services Office for Civil Rights ("OCR") issued new guidance documents that describe how health care organizations may engage in the exchange of electronic health information consistent with HIPAA Privacy Rule standards. The guidance consists of two documents: (1) the Nationwide Privacy and Security Framework for Electronic Exchange of Individually Identifiable Health Information (the "Framework"); and (2) the Health IT Privacy and Security Toolkit (the "Toolkit"). The Toolkit is intended to provide practical assistance to organizations seeking to implement the Framework.

For those grappling with the challenges of implementing a regional health information organization ("RHIO") or other health information exchange, the Framework and the Toolkit provide a wealth of useful guidance. Perhaps most importantly, the OCR guidance should help dispel nagging doubts in some quarters that RHIOs can be implemented in a manner that is HIPAA-compliant. The guidance is organized around eight guiding principles: (1) Individual Access; (2) Correction; (3) Openness and Transparency; (4) Individual Choice; (5) Collection, Use and Disclosure Limitation; (6) Data Quality and Integrity; (7) Safeguards; and (8) Accountability.

The Framework emphasizes that adherence to "clear, understandable, uniform principles" is critical to achieving the necessary degree of trust among individual patients and stakeholders in a health information exchange program. In some cases, the Framework and Toolkit describe best practices that exceed the requirements of the HIPAA Privacy Rule. For example, the guidance documents recommend that individuals be provided a reasonable opportunity and capability to make informed decisions about the collection, use and disclosure of their individually identifiable health information. The Privacy Rule does not provide patients with this sort of broad right of control, particularly when a use or disclosure is for a HIPAA covered entity's "treatment, payment or health care operations" purposes.

The Framework and the Toolkit represent a welcome effort by OCR to clear the path to adoption of electronic health information exchanges. However, there seems to be an implicit assumption in OCR's guidance that the greatest barrier to RHIOs and other exchanges is a lack of public confidence regarding privacy protections. As the folks at the Department of Treasury can attest, it's never an easy thing to create consumer confidence.
