The following appeared a few days ago.
Policy Post 14.9, June 24, 2008
A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
(1) CDT Calls for the Adoption of a Comprehensive Privacy and Security Framework for Health Information Technology
(2) Basics Required in any Health Information Technology Policy
(3) CDT's Suggested Implementation
A lot more here:
The document addresses the three areas listed above.
Most useful from a very useful document are these two sections.
First is the set of Core Privacy Principles from Markle.
Privacy and security policies should incorporate "fair information practices" (FIPs) such as those outlined in the Markle Foundation's Connecting for Health initiative:
- Openness and Transparency: A general policy of openness should be enforced for any new developments, practices, and policies with respect to personal data. Individuals should be able to know what information exists about them, who has access to it, and where it is stored.
- Purpose Specification and Minimization: Patients should be made aware of the purpose for data collection at the time the data are collected. The data should not be used for any other purpose without first notifying the patient.
- Collection Limitation: Personal health information should only be collected for specified purposes and should be obtained by lawful and fair means - and where possible, with the knowledge or consent of the data subject.
- Use Limitation: Personal data should not be disclosed, made available, or otherwise used for purposes other than those specified.
- Individual Participation and Control: Individuals should be able to obtain from each entity that controls personal health data, information about whether or not the entity has data relating to them. As well, individuals should have the right to have the data communicated to them in a timely and reasonable manner. Finally, individuals should be able to challenge data relating to them, and have it rectified, completed, or amended.
- Data Integrity and Quality: All personal data collected should be relevant to the purposes for which they are to be used and should be accurate, complete, and current.
- Security Safeguards and Controls: Personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification, or disclosure.
- Accountability and Oversight: Entities in control of personal health data must be held accountable for implementing these information practices.
- Remedies: Legal and financial remedies must exist to address any security breaches or privacy violations.
Second is a list of issues the US Congress (and our Government) should consider when developing a new Privacy and Security Framework.
The list includes:
- The appropriate role for patient consent for different e-health activities.
- The ability of consumers to have information about when, where, and how their Personal Health Information (PHI) is accessed, used, disclosed, and stored.
- The right of individuals to view all PHI that is collected about them and be able to correct or remove data that is not timely, accurate, relevant, or complete.
- Limits on the collection, use, disclosure, and retention of PHI.
- Requirements with respect to data quality.
- Reasonable security safeguards given advances in affordable security technology.
- Use of PHI for marketing.
- Other secondary uses (or "reuses") of health information.
- Responsibilities of "downstream" users of PHI.
- Accountability for complying with rules and policies governing access, use, disclosure, enforcement, and remedies for privacy violations or security breaches.
- Uses and safeguards for de-identified information.
They then go on to make the very valid point that a ‘one size fits all’ approach to all users of health information is not good enough and that those using differing data sets should have different responsibilities and accountabilities.
All is all a useful contribution indeed!