The Office of the National Coordinator (ONC) is asking for comments and requests for updates to its Personal Health Record Model Privacy Notice (MPN).
With the push toward interoperability, it is increasingly important for consumers to understand how their data is being used and what a company’s policy is when it comes to data sharing, ONC leaders explained in a blog post.
“The 2011 version of the MPN was developed in collaboration with the Federal Trade Commission and focused on Personal Health Records (PHRs), which were the emerging technology at the time,” the post stated. “We plan to update the MPN to make it applicable to a broad range of consumer health technologies beyond just PHRs – and we need your input to make it the best possible resource for the community.”
The voluntary Personal Health Record MPN was originally published in 2011. However, ONC explained that there have been requests for further information for consumers about how health technology products store, use, and share health information, specifically in relation to HIPAA regulations.
Therefore, ONC is seeking suggestions for changes “to better align with the current consumer health technology landscape,” according to the Federal Register posting.
“Since the development of the MPN, the consumer health technology landscape has greatly evolved,” the Federal Register request states. “More consumers are now able to electronically access their health information than ever before.”
Consumers are accessing their clinical and claims data, which is typically collected and maintained by healthcare providers under current HIPAA regulations. However, individuals “are also interacting with fitness and wellness data from devices offered by health technology developers that may not be regulated by HIPAA.”
In general, HIPAA regulations govern how covered entities and their business associates maintain, access, use and disclose individually identifiable health information and protected health information, otherwise known as “PHI.” Specifically, the HIPAA regulations include requirements for: keeping information private in the Privacy Rule, which also includes notifying individuals about how their PHI can be accessed, used, and disclosed; adopting administrative, technical and physical safeguards to secure electronic PHI; and mandating notice to affected individuals when a breach of PHI occurs.
Technology developers that are not subject to HIPAA regulations are subject to other federal laws, such as the FTC’s Health Breach Notification Rule, according to ONC. This is why a new version of the MPN is being considered: it is meant to be a resource for technology developers that want to communicate their privacy practices to consumers in an understandable way.
“ONC seeks comment concerning what information practices health technology developers should disclose to consumers and what language should be used to describe those practices in an updated MPN,” the request explains, adding that it is not seeking recommendations on best practices.
One of the areas that ONC seeks updates on specifically is security and encryption. For example, ONC wants to know how much detail should be given to consumers when it comes to security practices.
“How can information about various security practices, often technical in nature, be presented in a way that is understandable for the consumer?” the request asks, using encryption at rest and encryption in motion as examples, as well as where information might be encrypted (i.e. in the cloud).
Sharing and storage is another area of the MPN on which the ONC request asks for updates. For example, it could be beneficial to know what privacy and security issues consumers are most concerned about.
ONC is accepting comments on the Personal Health Record MPN until April 15, 2016.