InformationWeek reports on recommendations about data privacy set out in a letter (pdf) from the Privacy and Security Tiger Team, a group that advises the Health Information Policy Committee of the Department of Health and Human Services on privacy and security issues relating to patients’ medical information.
The letter recommends that the HIT Policy Committee adopt the guidelines set out in the Fair Information Practices (FIP), a set of codes established in 1973 to provide safeguards for personal privacy. The Tiger Team said healthcare providers and third-party service organizations should follow FIP codes as they implement health IT such as electronic health records (EHRs) that will be used to exchange patient information.
“This overarching set of principles, when taken together, constitute good data stewardship and form a foundation of public trust in the collection, access, use, and disclosure of personal information,” the letter said. […]
The Tiger Team’s letter specifically noted that its list didn’t include policies around the concepts of remedies or redress, although these are arguably implicit in the principle of accountability. “As our work evolves toward a full complement of privacy policies and practices, it likely will be important to further spell out remedies as an added component of FIPs,” the letter said.
The authors also recommend that third-party service organizations not collect, use, or disclose personally identifiable health information for any purpose other than to provide the services specified in the contract with the data provider. These organizations should also retain a patient’s health information only for as long as necessary to provide the functions specified in the contract with the data provider. […]
Turning its attention to improvements in technology to better safeguard patient privacy, the letter stated that in a digital environment, robust privacy and security policies should be strengthened by innovative technological solutions that can better protect data.