Earlier this week, the Department of Health and Human Services issued a framework, “Nationwide Privacy and Security Framework For Electronic Exchange of Individually Identifiable Health Information December 15, 2008” for protecting patient privacy and securing medical records, in particular online protected health information (PHI) records.
It is interesting to see that the framework is overwhelmingly based upon the OECD privacy principles.
For years I’ve been preaching to organizations that building a privacy program around the OECD principles is good for many reasons, not the least of which is to be in compliance with most data protection (privacy) laws that exist throughout the world. Here is yet one more example of how a government oversight agency, the Department of Health and Human Services (HHS), is also using the principles as the basis for its recommended framework.
HHS Secretary Mike Leavitt said, “Finding the balance between increased access to information and privacy is very important. If we don’t have it, we won’t succeed. Consumers shouldn’t be in a position to have to accept privacy risks they don’t want. Each consumer should be able to choose products and services that best fit their health needs and privacy preferences.”
It is important to note that recently Medicare announced an “e-Prescribing Incentive Program” to encourage physicians to issue prescriptions online. On January 1, 2009, Medicare, which is administered by HHS, will begin offering doctors bonus payments for prescribing medicine electronically. Starting in 2012, Medicare will actually penalize doctors who continue to write prescriptions on paper.
Along with this encouragement and push to digitize PHI should come more diligent compliance enforcement.
Tags: awareness and training, HHS, HIPAA, Information Security, IT compliance, IT training, PHI, policies and procedures, privacy framework, privacy training, protected health information, risk management, security training