Panel drafts privacy recommendations for health data exchanges

Recommendations developed in response to specific privacy-related questions

A "tiger team" that advises the federally charted Health IT Policy Committee will submit a list of recommendations on Thursday for ensuring the privacy and security of personally identifiable health information in Health Data Exchanges .

The recommendations were developed in response to a specific set of privacy-related questions raised by the Office of the National Coordinator for Health Information Technology. They touch upon and clarify topics such as patient consent and the use of third-party service providers in the exchange of personally identifiable health information.

A 19-page letter, detailing all of the recommendations is scheduled to be submitted to David Blumenthal, chairman of the HIT Policy Committee on Thursday. (A draft of the letter is available here .

One of the bigger recommendations relates to patient consent. The direct exchange of electronic patient data between health providers for treatment purposes does not require any additional patient consent, the panel noted. The same rules that apply to paper or faxed exchanges of health information should apply in the electronic realm as well.

However, any data exchange that involves a third-party does require specific and "meaningful" patient consent, the letter noted. Any such consent also needs to be transparently and easily revocable by the patient at any time, the panel said.

The letter also recommended further exploration of technologies that allow individuals to exercise more granular control over the data for instance permitting the exchange of certain kinds of health data, but not all.

Third-party service organizations should also not be allowed to collect, use or share personal health data for any purposes other what's specified in their service agreements, the panel recommended.

Third parties should also be required to retain personal health data only for as long as it is reasonably needed and should then be required to destroy the data, the panel said.

All third parties having access to patient health information also need to comply with the privacy and security requirements of HIPAA.

The so-called tiger team has been working for the past few months to try and develop privacy recommendations for healthcare data, prior to Oct. 1 this year. That's the date by which hospitals will need to demonstrate they have achieved "meaningful use" of health information technology, if they want to receive millions of dollars in federal incentives under the American Recovery and Reinvestment Act.

The Act sets aside close to $17 billion in incentives for hospitals and health care providers who use health information technology in a meaningful way.

The tiger team's proposals will need to be reviewed and approved by the HIT Policy Committee before they can go into effect.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed . His e-mail address is .

Read more about privacy in Computerworld's Privacy Topic Center.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags governmentprivacyregulationindustry verticalshealth care

Show Comments