1. Confidentiality of personal health information is of the utmost importance in the delivery of healthcare. All care providers have a responsibility to take necessary steps to maintain the trust of the patient as we strive to improve healthcare quality.
  2. Private health information should have the strictest protection and should be supplied only in circumstances necessary for the provision of safe, high-quality care and improved health outcomes.
  3. The framework established by the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule should be maintained. HIPAA established a uniform framework for acceptable uses and disclosures of individually-identifiable health information within healthcare delivery and payment systems for the privacy and security of health information.
  4. The Privacy Rule requires that healthcare providers and health plans use the minimum necessary amount of personal health information to treat patients and pay for care by relying on patients’ “implied consent” for treatment, payment of claims, and other essential healthcare operations. This model has served patients well by ensuring quick and appropriate access to medical care, especially in emergency situations where the patient may be unable to give written consent.
  5. Personal health information must be secured and protected from misuse and inappropriate disclosure under applicable laws and regulations. Strict enforcement against violations is essential to protect individuals’ privacy.
  6. Providers should have as complete a patient record as necessary to provide care. Having access to a complete and timely medical record allows providers to remain confident that they are well-informed in the clinical decision-making process.
  7. A privacy framework should be consistent nationally so that providers, health plans, and researchers working across state lines may exchange information efficiently and effectively in order to provide treatment, extend coverage, and advance medical knowledge, whether through a national health information network or another means of health information exchange.
  8. The timely and accurate flow of de-identified data is crucial to achieving the quality-improving benefits of a national health information exchange while protecting individuals’ privacy. Federal privacy policy should continue the HIPAA regulations for the de-identification and/or aggregation of data to allow access to properly de-identified information. This allows researchers, public health officials, and others to assess quality of care, investigate threats to the public’s health, respond quickly in emergency situations, and collect information vital to improving healthcare safety and quality.
  9. To the extent not already provided under HIPAA, privacy rules should apply to all individuals and organizations that create, compile, store, transmit, or use personal health information. A similar expectation of acceptable uses and disclosures for non-HIPAA covered health information is important in order to maintain consumer trust.