[Federal Register Volume 72, Number 196 (Thursday, October 11, 2007)]
[Notices]
[Pages 57945-57946]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 07-5010]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES


Office of the National Coordinator for Health Information 
Technology; American Health Information Community Confidentiality, 
Privacy, and Security Workgroup Meeting

ACTION: Announcement of meeting.

-----------------------------------------------------------------------

SUMMARY: This notice announces the 15th meeting of the American Health 
Information Community Confidentiality, Privacy, and Security Workgroup 
in accordance with the Federal Advisory Committee Act (Pub. L. 92-463, 
5 U.S.C., App.).

DATES: November 8, 2007, from 1 p.m. to 5 p.m. [Eastern Time].

ADDRESSES: Mary C. Switzer Building (330 C Street, SW., Washington, DC 
20201), Conference Room 4090 (please bring photo ID for entry to a 
Federal building).

FOR FURTHER INFORMATION CONTACT: http://www.hhs.gov/healthit/ahic/confidentiality/.

SUPPLEMENTARY INFORMATION: The American Health Information Community 
Confidentiality, Privacy, and Security (CPS) workgroup is seeking 
public feedback on the following. To submit comments via e-mail 
(preferred), please send them to [email protected] (to ensure that 
your e-mail is received and appropriately filed, we ask that you put 
``CPS Public Comment'' in the subject line of your e-mail) or mail your 
comments to Steven Posnack, Office of the National Coordinator (ONC), 
330 C Street, SW., Suite 4090, Washington, DC 20201. Written testimony 
submitted by the public is not required to address all of the questions 
listed below, and answers to any or all of the questions will be 
accepted so long as they comply with the following guidelines. Comments 
should be double-spaced and submitted via e-mail or mail by 5 p.m. 
Eastern Standard Time on November 30, 2007 in order to receive 
consideration by the CPS workgroup.
    On June 12, 2007, the AHIC accepted for recommendation to the 
Secretary of HHS the following recommendation made by the CPS 
Workgroup: All persons and entities, excluding consumers, that 
participate directly in, or comprise, an electronic health information 
exchange network, through which individually identifiable health 
information is stored, compiled, transmitted, modified or accessed 
should be required to meet enforceable privacy and security criteria at 
least equivalent to any relevant HIPAA requirements (45 CFR Parts 160 
and 164). Furthermore, any person or entity that functions as a 
Business Associate (as described in 45 CFR 160.103) and participates 
directly in, or comprises, an electronic health information exchange 
network should be required to meet enforceable privacy and security 
criteria at least equivalent to any relevant HIPAA requirements, 
independent of those established by contractual arrangements (such as a 
Business Associate Agreement as provided for in HIPAA).
    Over the past several months the CPS workgroup has been evaluating, 
at a more granular level, two key questions raised by the 
recommendation above: What constitutes a ``relevant'' HIPAA requirement 
for particular ``direct participants,'' and what, if any, additional 
confidentiality, privacy, and security protections may be needed beyond 
those already contained in the HIPAA Privacy and Security Rules (the 
Rules) in order to ensure trust in electronic health information 
exchange?
    Given that the Rules were written to be applicable to health plans, 
healthcare clearinghouses, and health care providers conducting certain 
electronic health care transactions, we understand that some persons or 
entities may have an appropriate reason for not needing to meet a 
particular requirement. To date, the CPS Workgroup is considering 
recommendations regarding the relevancy of the following HIPAA 
requirements: (1) Sec.  164.520 Notice of privacy practices for 
protected health information; (2) Sec.  164.52 Access of individuals to 
protected health information; and (3) Sec.  164.526 Amendment of 
protected health information, with respect to organizations such as 
health information exchanges (HIEs) and regional health information 
organizations (RHIOs). The Workgroup would like to encourage HIEs, 
RHIOs and other similar organizations to submit answers to the 
following questions in order for the Workgroup to validate or refine 
our current thinking.
    (1) Please describe your electronic health information exchange 
model.
    a. What type(s) of health information do you exchange and for what 
purpose(s)?
    b. Who participates in your network (e.g., providers, patients, 
insurers, labs)?
    c. How do you exchange health information?
    i. Do you maintain a ``repository'' where records/health 
information is stored in one location? If so, is it by provider or as 
one comprehensive record?
    ii. Do you use a record locator (where records reside in numerous 
locations)?
    iii. If neither, please describe.
    (2) Have you established business associate contracts or data 
sharing agreements? If so, with whom (by category of entity)? Have you 
established contracts or data sharing agreements with all of the 
participants in your network? If not, why not?
    (3) What level of participation do you provide to individuals (e.g., 
patients/consumers)?
    a. Do you provide individuals with a phone number and contact 
person?
    b. Do you permit individuals to access/review/obtain copies of 
their health information via your network?
    c. Do you provide individuals information about who has viewed or 
exchanged their health information?
    d. Do you permit individuals to change/amend health information via 
your network? If so, what type(s) of health information?
    e. Do patients of providers or insurers who participate in the 
network have the right not to have their information shared with you? 
If so, how is the right exercised? Do individuals who participate have 
the right to specify certain restrictions with respect to the 
information that is shared (for example, who can access and what can be 
accessed)? If so, please describe.
    (4) Does your organization have a notice of privacy practices or 
privacy policy? If so, do you send it out, and if so, when and to whom? 
Do you have it posted on your Web site?
    (5) Do you have a policy on notification in the event of a security 
breach? Do you notify companies/entities participating in your network? 
Do you ever notify individuals (patients)? If so, in what 
circumstances?
    The meeting will be available via Web cast. For additional 
information, go to: http://www.hhs.gov/healthit/ahic/cps_instruct.html.

    Dated: October 2, 2007.
Judith Sparrow,
Director, American Health Information Community, Office of Programs and 
Coordination, Office of the National Coordinator for Health Information 
Technology.
[FR Doc. 07-5010 Filed 10-10-07 8:45 am]
BILLING CODE 4150-24-M