|
| |
AHIMA -- E-Health Tenets
AHIMA's Recommendations to Ensure Privacy and Quality of Personal Health Information
on the Internet
About AHIMA
The American Health Information Management Association (AHIMA) is a dynamic
organization representing 40,000 professionals vested in the art and science
of health information management. As such, AHIMA is committed to the collection
of timely and accurate individually identifiable health information, and the
maintenance, storage, retention, disclosure and use of that information in a
manner that is private and secure.
Background
In recent years, the efforts of the Association have expanded to encompass
issues concerning individually identifiable health information on the Internet.
The Internet provides consumers and healthcare providers with the opportunity
to improve consumer health and the quality of healthcare rendered, through the
exchange of complete and timely health information. For example:
-
Healthcare providers can construct systems allowing consumers access
to their own health records via the internet. Within these consumer health
records, providers can establish hyperlinks to pertinent, reputable reference
materials. These reference materials can then serve as tools for consumers
to better understand their own health, and to make positive lifestyle changes.
-
Consumers can develop their own electronic personal health records.
They might use these records to provide new healthcare providers with complete
and accurate medical history, or to maintain comprehensive immunization
information.
Although the Internet creates new and diverse options in health information,
the nature of an electronic environment also poses risks. For example:
- Personal health information might be obtained and used inappropriately
by unauthorized individuals or organizations.
- A consumer's health information might be incomplete, incorrect, out of
date, misinterpreted, entered fraudulently, or altered without detection resulting
in financial or health-related harm to the consumer.
To minimize these risks, while benefiting from the Internet's myriad opportunities,
AHIMA offers the following fundamental principles and accompanying basic operational
tenets as a blueprint for protecting the privacy, and ensuring the quality of
personal health information on the Internet.
AHIMA's Fundamental Principles to Protect Privacy and Ensure Quality of Personal
Health Information on the Internet
AHIMA created a task force of association professionals to develop tenets to
address concerns regarding personal health information on the Internet. To assist
in the development of these tenets, AHIMA hosted an E-Health Consumer Conference
in which they brought together representatives from national consumer advocate
groups to identify concerns and opportunities that face consumers when their
personal health information is on the Internet.
Out of these collaborative efforts, the task force developed 39 fundamental
principles and tenets on e-health that are summarized in these principles.
- E-health organizations should conspicuously provide an easily understandable
notice of their health information practices. Such notices should inform e-health
consumers what personal health information is being collected, who is collecting
the data, and how it is being used.
- E-health organizations should facilitate the collection of authentic, accurate,
timely, and complete individually identifiable personal health information.
- E-health organizations should maintain individually identifiable personal
health information in a manner that ensures the information is private, secure,
and retained or destroyed only in accordance with the e-health consumer's
authorization or applicable federal and state laws.
Definitions
E-health Organizations: Organizations that collect and display individually
identifiable health information via the Internet.
E-health Consumers: Individuals whose individually identifiable health information
is collected, maintained, or displayed via the Internet.
AHIMA's Basic Operational Tenets for Protecting the Privacy of Personal Health
Information on the Internet
| |
Tenet Applies
to Sites
Maintained by: |
Tenet Addresses |
| No. |
Tenet |
Provider
|
Consumer
|
Third- Party
|
Educate Consumers
|
Facilitate Authentic,
Accurate, Timely, & Complete Info |
Maintain and Retain
Private, secure Info |
| 1. |
Inform consumers about what information
is collected, by whom, and how it will be used. The notice of information
practices should be conspicuously provided in language the layperson can
understand. |
X |
X |
X |
X |
|
X |
| 2. |
Web site ownership, or relationships a
reasonable person would believe likely to influence the site’s information
or services, should be clearly indicated on the home page or on a page
directly accessible from the home page. |
X |
X |
X |
X |
|
X |
| 3. |
Provide users with reference information
for contacting customer support (e-mail address or phone number, hours
available, and time zone). |
X |
X |
X |
X |
|
|
| 4. |
Site owners should provide a mechanism
for assistance in interpreting medical abbreviations and terminology
|
X |
|
X |
X |
|
|
| 5. |
Provide users with a clear explanation
of the content of the record, in addition to instructions for navigating
the site. |
X |
X |
X |
X |
|
|
| 6. |
Inform consumers as to the security measures
that sites use to protect their information from unauthorized access and
use. This security information should be placed on the home page or a
page directly accessible from the home page. |
X |
X |
X |
X |
|
X |
| 7. |
Obtain and maintain a list of authorized
users. |
X |
X |
X |
|
|
X |
| 8. |
Notify users on screen when they enter
or leave the e-health owner’s Web site. |
X |
X |
X |
X |
|
X |
| 9. |
Give consumers meaningful opportunities
to make choices about what information is collected and how the information
will be used.1 Sites should collect no
information without the user’s knowledge. Give Web site consumers the
right to opt into or out of specific uses and disclosures of information.
|
X |
X |
X |
X |
|
X |
| 10. |
Restrict the health information collected
to what is necessary to carry out the legitimate purpose for which it
was collected.2 |
X |
X |
X |
|
|
X |
| |
Tenet Applies
to Sites
Maintained by: |
Tenet Addresses |
| No. |
Tenet |
Provider
|
Consumer
|
Third- Party
|
Educate Consumers
|
Facilitate Authentic,
Accurate, Timely, & Complete Info |
Maintain and Retain
Private, secure Info |
| 11. |
Collect and use healthcare information
only for a necessary lawful purpose.3
|
X |
X |
X |
|
|
X |
| 12. |
Privacy protections should
follow consumers’ data.4 |
X |
X |
X |
|
|
X |
| 13. |
Web sites should maintain
a consumer-specific log of information disclosures. This log should be
available for review by the consumer. |
X |
X |
X |
X |
|
X |
| 14. |
E-health sites should develop,
implement, and adhere to a rigorous information security infrastructure
that includes appropriate policies, procedures, technology, and architecture
to protect information against threats to data integrity and repudiation.
|
X |
X |
X |
|
X |
X |
| 15. |
Collect, maintain, and disclose
information in a manner that safeguards personal information,5
and complies with applicable federal and state laws and regulations.6
|
X |
X |
X |
|
X |
X |
| 16. |
Give consumers the opportunity
to see, copy, and append their records.7
Tools for appending should be easy to find and use. |
X |
X |
X |
X |
X |
X |
| 17. |
E-health site owners have
an obligation to make sure that the information they collect and display
at their site is of high quality. |
X |
X |
X |
|
X |
|
| 18. |
E-health sites should establish
and implement methods to assure data recovery after intentional or unintentional
loss. |
|
|
|
|
X |
X |
| 19. |
E-health sites should develop
and maintain a data dictionary that is available to consumers. The data
dictionary should define what will be collected, explain the aim or purpose
of each data element, provide clear and concise data definitions, set
acceptable values or value ranges, and state when and who will enter the
data, and how it will be authenticated. |
X |
X |
X |
X |
X |
|
| 20. |
E-health site owners shall
specify data element definitions that conform to standard nomenclature
and formally approved standards. |
X |
X |
X |
|
X |
|
| |
Tenet Applies
to Sites
Maintained by: |
Tenet Addresses |
| No. |
Tenet |
Provider
|
Consumer
|
Third- Party
|
Educate Consumers
|
Facilitate Authentic,
Accurate, Timely, & Complete Info |
Maintain and Retain
Private, secure Info |
| 21. |
Regardless of format, information
must be decipherable and readable. |
X |
X |
X |
|
X |
|
| 22. |
Record data at or near the
time of the event or observation. |
X |
|
X |
|
X |
|
| 23. |
Consumers who provide their
own health information for access by others on the Web will be advised
as to the importance of providing the information in a timely manner.
|
|
X |
|
X |
X |
|
| 24. |
The length of time between
an event that produces data and when the data is available at the Web
site to those who need the information, should be minimal. |
X |
X |
X |
|
X |
|
| 25. |
Data should be authentic
and represent what was intended or defined by the official source. It
should be objective, unbiased, and comply with known standards.8
|
X |
X |
X |
|
X |
|
| 26. |
Data should yield
the same results on repeated collection, processing, storing, and displaying
of information. |
X |
X |
X |
|
X |
|
| 27. |
Make data available to authorized
internal and external users when and where it is needed. |
X |
X |
X |
|
X |
|
| 28. |
Edits, validation checks,
procedures, and controls should be established and implemented to ensure
errors are avoided when reviewing, recording, or updating information.
|
X |
X |
X |
|
X |
|
| 29. |
Appropriate hyperlinks to
directories, references, additional information, and other applications,
should be established and maintained. |
X |
X |
X |
X |
X |
|
| |
Tenet Applies
to Sites
Maintained by: |
Tenet Addresses |
| No. |
Tenet |
Provider
|
Consumer
|
Third- Party
|
Educate Consumers
|
Facilitate Authentic,
Accurate, Timely, & Complete Info |
Maintain and Retain
Private, secure Info |
| 30. |
E-health sites should develop,
implement, and adhere to policies that define whom, how, and when data
can be entered or modified. |
X |
X |
X |
|
X |
X |
| 31. |
Advise consumers as to the
importance of accurate data entry. Methods for checking the accuracy of
the information entered should be suggested and their use encouraged.
|
|
X |
|
X |
X |
|
| 32. |
Continuous data quality validation
activities should be performed, including periodic quantitative, legal,
and qualitative analysis. |
X |
|
X |
|
X |
|
| 33. |
Implement appropriate education
and training. |
X |
X |
X |
X |
X |
X |
| 34. |
E-health sites that collect
or display individually identifiable consumer health information should
make sure that the data is documented, authenticated, corrected, stored,
retained, and destroyed in a manner that is consistent with the requirements
of federal and state law and regulation. |
X |
X |
X |
|
X |
X |
| 35. |
E-health site owners should
ensure the record’s content conforms to known health data standards.9
|
X |
X |
X |
|
X |
|
| 36. |
Each record should indicate
the date when the displayed information was recorded, last updated, and
last substantially changed. |
X |
X |
X |
X |
X |
X |
| 37. |
Systems should be in place
to ensure that data collected and displayed is complete, unless otherwise
stated. |
X |
X |
X |
X |
X |
|
| 38. |
The site should specify whether
the information available is the primary healthcare record, or a subset
of information collected and maintained elsewhere. |
X |
|
|
X |
X |
|
| 39. |
The site should specify when,
where, and how to access individually identifiable consumer health information
that is collected and maintained, but which is not available at the particular
e-health site. |
X |
X |
X |
X |
X |
|
Laws and Regulations with Which E-health Sites Must Comply
| Title |
Citation |
Applicability |
| |
|
Provider Maintained Sites |
Consumer Maintained Repositories
|
Third-Party Maintained Sites |
| HIPAA |
Public Law 104-191, Title II, Subtitle F, Sec 262; |
X |
|
X |
| HIPAA—Proposed Standards for Privacy of Individually
Identifiable Health Information |
45 CFR, Parts 160-164 |
X |
|
X |
| HIPAA Standard Transactions Defined by Format (ANSI X12N,
version 4010, code sets ICD-9, CPT-4, HCPCS) and Data Sets |
45, CFR, Part 142 |
X |
|
|
| Federal Privacy Act of 1974 |
5 USC 552a(e)(1) |
X
If Federal |
|
|
| Alcohol and Substance Abuse |
42 CFR, Part 2 |
X
If operate federally assisted alcohol and substance abuse program |
|
|
| Access to Employee Exposure and Medical Records |
29 CFR 1910.1 |
X
If contain |
|
|
| Medicare Conditions of Participation
Long-term Care
Home Health
Hospice
Hospitals
Drug Alcohol and Substance Abuse
Physical Medicine and Rehab
Ambulatory Surgical Care
Managed Care
Specialized Providers |
42 CFR 483
42 CFR 484
42 CFR 418
42 CFR 482
42 USC 290dd-3
42 CFR 485
42 CFR 416
42 417 |
X
If treat Medicare consumers |
|
|
| State Healthcare Facility Licensure Laws |
|
X |
|
|
| State Laws Relative to Record Retention and Destruction
|
|
X |
|
|
Standards That May Be Applicable to E-health Sites
| |
Applicability
|
| Title |
Provider Maintained Sites
|
Consumer Maintained Sites
|
Third- Party Maintained
Sites |
| Accreditation Agency Standards:
Joint Commission
AAAHC
NCQA
CARF
AOA |
X |
|
|
| (ASTM) Standard Guide for Description for
Content and Structure of an Automated Primary Record of Care (E1384) |
X |
|
|
AHIMA acknowledges and thanks the efforts of the team who co-authored these
recommendations:
Barbara Fuller, JD, RHIA
Gwen Hughes, RHIA
Leslie Fox, MA, RHIA
Deborah Kohn, MPH, RHIA
Howard Tischler
Sandra Fuller, MA, RHIA
Bonnie Cassidy, MPA, RHIA
Kelly McLendon, RHIA
Kevin Smith, RHIA
Barbara Demster, MS, RHIA
Bambang Parmanto, Ph.D.
Notes
- Fair Information Practice Principles published, in
the 1973 government report Records, Computers, and the Rights of Citizens.
- AHIMA Tenet on Confidentiality and Federal Legislation
- AHIMA Tenet relative to Confidentiality and Federal
Legislation
- Fair Information Practice Principles, published in
the 1973 government report Records, Computers, and the Rights of Citizens.
- Fair Information Practice Principles, published in the
1973 government report Records, Computers, and the Rights of Citizens.
- See Appendix A for a list of applicable federal laws
and regulations
- Fair Information Practice Principles, published in the
1973 government report Records, Computers, and the Rights of Citizens.
- See Standards that May Be Applicable
to E-health Sites for a list of standards that may be applicable to e-health
sites
- See Standards that May Be Applicable
to E-health Sites for a list of standards that may be applicable to e-health
sites
|
[ About AHIMA
| Schools/Jobs
| Professional Development
| HIM Resources
| Foundation
| Help
| Site Map
]
|
Copyright © 2008 by the American Health Information Management Association. All rights reserved. No part of this site may be reproduced, reprinted, stored in a retrieval system, or transmitted, in any form or by any means, electronic, photocopying, recording, or otherwise, without the prior written permission of the association. |
|
All contents, including images and graphics, on this Web site are copyrighted by AHIMA unless otherwise noted. You must obtain permission to reproduce any information, graphics, or images from this site. Permission must also be obtained to link to any of AHIMA's Web sites. To request permission, fill out the AHIMA Permissions Request or contact permissions@ahima.org. |
| |
Print page
