archive-org.com » ORG » M » MARKLE.ORG

Total: 1237

  • CP5 | Markle | Advancing America's Future
    CP5. Purpose: Secure and confidential data handling is a core responsibility for any Consumer Access Service. Part of this responsibility includes developing an advance plan on what the Consumer Access Service will do if something goes wrong. There have been many highly publicized inadvertent disclosures of sensitive personal data. Our review of leading PHRs revealed a widespread lack of policy statements about responsibilities and actions that the company will take in the event of a breach or misuse of personal health information. (See Appendix A of CP2: Policy Notice to Consumers.) California is the leader among several states that have enacted laws requiring companies to notify affected consumers when sensitive, personally identifiable data are disclosed into unauthorized hands, but such requirements are not yet universal. [1] Notification regarding health data breaches is controversial and subject to debate. Open questions include, for instance: What constitutes a breach? What types of data are at issue? What constitutes notice? We recommend that Consumer Access Services develop policies for breach or misuse of information. Such policies should be posted as part of the publicly available notice of privacy and security policies. (See CP2: Policy Notice to Consumers.) Notwithstanding the lack of guidance or industry acceptance, Consumer Access Service policies should notify users of what the service believes to be a significant breach, how it will notify users when a breach occurs, and what recourse the user has in the event of a breach.
    Recommended Practice: A Consumer Access Service should notify individually any user whose personal information was, or is reasonably believed to have been, disclosed or acquired by an unauthorized person or party in a form that carries significant risk of compromising the security, confidentiality, or integrity of personal information. The notification should be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system. Notification practices should be consistent with state-of-the-art security standards and should be risk-based, tailored to the potential risk to the consumer and the size, complexity, and nature of the Consumer Access Service's operations. A current best practice for notification is described by the California Department of Consumer Affairs. [2] The Privacy Commissioner of Canada has a helpful resource: Overview of American Breach Notification Laws, February 22

    Original URL path: http://www.markle.org/health/markle-common-framework/connecting-consumers/cp5 (2016-02-10)


  • CP8 | Markle | Advancing America's Future
    designating a proxy, whether the proxy is initiating an account for a dependent child or parent, whether there is a special use case (such as an unconscious patient in an emergency room), etc. Because these issues require deliberation beyond the scope of our Work Group, we offer only general recommendations.
    Recommended Practice: The consumer's ability to designate proxy access should be as specific as feasible regarding: Authorization to data, such as read-only, write-only, read/write, or read/write/edit; Access to data types (e.g., access to all information, access only to medications, etc.); Access to functions (e.g., send a message to a provider, grant/revoke proxy access to someone else, etc.) when appropriate; Role permissions (e.g., health professionals, elective proxies selected by consumer, legal proxies determined by law, such as parents or guardians of minors); Ability to further designate proxies (e.g., can those serving as proxies designate others as proxies?). In addition, proxy access should be: Subject to the granting of separate authentication and/or login processes for proxies; Tracked in immutable audit logs designating each specific proxy access and major activities (see CT3: Immutable Audit Trails); Time-limited and easily revocable.
    Note: Time-limiting or revoking proxy access is typically on a going-forward basis; it will not recall information previously obtained and copied by a proxy. Example: A consumer named Millie provides proxy access to her caregiver and her doctor, then later revokes it. Both proxies had made electronic copies of Millie's information into their own systems during the time they had legitimate access to Millie's information. Millie's act of revoking proxy access does not mean that the information her caregiver or her doctor obtained is somehow automatically erased or withdrawn from their systems. Those former proxies may keep or erase the copies of Millie's information, depending on the proxies' own policies and obligations under which they obtained the information. In this example, the doctor's obligation to retain information may differ substantially from those of the caregiver. (See Area 4: Retention of Information, below.)
    Area 3: Requests to Amend or Dispute Entries. Under HIPAA, consumers have the right to request that information be added to their health data held by Covered Entities to make it more accurate or complete. Consumer Access Services, whether HIPAA-covered or not, have the potential to engage consumers in the essential and never-ending effort to improve data quality across the health sector. We recommend a multi-stakeholder effort to define a standard messaging envelope and markup language for consumers to request amendments or dispute entries to their information obtained through consumer data streams. To the extent feasible, Consumer Access Services can facilitate the routing of such requests back to health data sources. This practice area concerns only information that is professionally sourced (e.g., from a doctor's office, hospital, lab, pharmacy, payer, etc.). We presume that consumers will be able to edit or delete their own data entries at will.
    Recommended Practice: Users should be able to identify any errors or omissions in the posted information and be afforded a process to communicate requests for changes back to the original source of information. A Consumer Access Service should provide notice to users as to whether a request to modify a record requires that the user submit a request to the Consumer Access Service or directly to the appropriate Health Data Source. If the former, the Consumer Access Service should provide an easy and convenient method for the consumer to request corrections. If the latter, the Consumer Access Service should notify the user that he needs to contact the Health Data Source directly. Ideally, the Consumer Access Service should provide information about how the user can contact the original source(s) of information that the consumer believes to be in need of amendment (e.g., the original source's customer service 1-800 number). Consumer Access Services should provide mechanisms to route data correction requests and responses between consumers and Health Data Sources electronically as standards and protocols for such requests and responses become widely available. Ideally, such standard messages will include: Consumer request for emendation or removal of data; Response back from Health Data Source confirming concurrence with request, or reason for denial of request; Consumer's dispute of data not changed, to be appended to data in question.
    Area 4: Retention of Health Information. Statutes vary from state to state regarding the time that medical professionals are required to retain patient information. The average requirement for record retention is 5 to 7 years after the patient has last visited, although some states require data retention much longer. Information maintained in Consumer Access Services offered by health professionals or health care facilities may be subject to such laws. Many Consumer Access Services, however, are not offered by regulated health care professionals or facilities and therefore generally are not subject to these state record retention requirements. In fact, there are no clear general guidelines for how long unregulated entities should store health information on behalf of consumers. Our Work Group does not propose a general standard for a minimum or maximum time that a Consumer Access Service or PHR should retain information in an inactive consumer account. The participants did agree, however, that Consumer Access Services
    Recommended Practice: For organizations authorized by the consumer to store information as part of a consumer data stream, the data retention practices of Consumer Access Services should be transparent to the consumer. Such practices should be part of the notice of policies. (See CP2: Policy Notice to Consumers.) Consumer Access Services and networked PHRs should develop and communicate unambiguous policies regarding the persistence of information they hold on behalf of consumers. Such policies should be based on the principles of purpose specification, use limitation, and data minimization. That is, information should be retained based on its authorized purpose(s), and not retained after such purpose(s) are completed. For inactive accounts, preferred practices may

    Original URL path: http://www.markle.org/health/markle-common-framework/connecting-consumers/cp8 (2016-02-10)

  • CP6 | Markle | Advancing America's Future
    CP6. Purpose: If they have concerns about their PHR or related services, consumers should have a transparent and easy-to-use process to resolve questions or disputes, such as: Misuse or breach of data (see CP5: Notification of Misuse or Breach); Disputes about privacy or data collection, handling, uses, or disclosures; Disputes claiming unfair or deceptive business practices; Data quality or matching errors.
    Examples of trust-building mechanisms include, but are not limited to, the following. Online negotiation: PayPal's online Resolution Center [1] is an example of a service that enables buyers and sellers to negotiate and resolve disputes. If they fail, the case escalates to a PayPal claim, which the company investigates and resolves. Ombudsman: Used frequently in governments and industries such as journalism, an ombudsman is designed to be a neutral office charged with hearing and investigating complaints from the public. Call centers: In some organizations, existing call centers may serve to handle questions or disputes from consumers.
    Consumers ideally will have a clear and logical pathway with effective options to raise and resolve disputes. At minimum, consumers should be provided with information to set realistic expectations about the service's practices for responding to complaints, as well as let consumers know where else they might effectively address their concerns. For example, if a consumer believes there is an error in data imported into her PHR from a Health Data Source, the consumer ideally will have easy access to information about how to contact that Health Data Source to request a correction, and at minimum should be able to easily identify who that Health Data Source is. (See CP8: Consumer Obtainment and Control of Information, Area 3: Requests to Amend or Dispute Entries.)
    Recommended Practice: PHRs and Consumer Access Services should set clear expectations for how consumers may address complaints. Ideally, PHRs and Consumer Access Services will provide clear and logical pathways for consumers to address and resolve complaints. Installing an ombudsman to accept and manage user disputes in a fair and convenient manner is one such mechanism.
    Accessed online on August 22, 2007, at the following URL: https www

    Original URL path: http://www.markle.org/health/markle-common-framework/connecting-consumers/cp6 (2016-02-10)

  • CP4 | Markle | Advancing America's Future
    CP4. Purpose: For personal health information to flow in or out of a consumer-accessible application, it may pass among two or more organizations. Each participant in such consumer data streams may have its own legal and business interests to protect. However, consumers should be able to trust the entire chain of entities and business processes that handle their personal health data. Contracts are one mechanism to bind partners to specified privacy and security policies regarding confidential information they exchange or share. Like other policy areas in this framework, chain-of-trust agreements are often necessary in certain relationships, but not by themselves sufficient to create a privacy-protective environment. In practice, such contracts have significant weaknesses, including their lack of transparency to consumers and their inconsistent enforcement. For one, breaches may not be discovered because organizations may not rigorously monitor the behavior of all of their business partners. Secondly, if an accusation of breach occurs, enforcement depends on one party engaging another party in a legal action, most likely under contract law. Organizations often seek to settle legal disputes out of court or avoid litigation altogether. Still, chain-of-trust agreements serve as important instruments in encouraging good network citizenship.
    There are several possible relationships in which parties seek chain-of-trust agreements. HIPAA Business Associate agreements are one example. (See CP1: Policy Overview.) There is a problem with scaling this chain-of-trust model, however. It is unreasonable, for example, for each doctor's office to negotiate and sign a chain-of-trust agreement with every Consumer Access Service or networked PHR provider. Instead of each participant signing agreements with each other participant, it may be more practical if all participants agreed to a basic set of network rules: a set of common practices that each participant would sign and publicly commit to uphold. Although there are no such large-scale arrangements for Consumer Access Services or PHRs today, such models should be explored.
    The HIPAA regulations permit consumers to request their personal health information directly from Covered Entities. Consumers may then store the information with any Consumer Access Service of their choice. In this case, the Consumer Access Service does not need a chain-of-trust agreement with the Covered Entity. The consent agreement(s) between the consumer and the Consumer Access Service should spell out the information-handling practices of the Consumer Access Service. (See CP4: Consumer Consent to Collections, Uses, and Disclosures of Information.) A Consumer Access Service may not be regulated under HIPAA, and it may have unregulated relationships with many different types of third parties. In such cases, chain-of-trust agreements between the Consumer Access Service and its third parties are a prudent mechanism to discourage unacceptable actions. Such agreements should prohibit activities that are inconsistent with fair information practice principles, such as the surreptitious re-identification of de-identified data without the consumer's knowledge or consent. The recommended practice language below is primarily intended for this

    Original URL path: http://www.markle.org/health/markle-common-framework/connecting-consumers/cp4 (2016-02-10)

  • CP9 | Markle | Advancing America's Future
    some of which may be rooted in a desire to avoid new regulation, but which also seems to be a side effect of what some consider to be a history of divisiveness, confusion, and misinterpretation experienced in its creation and implementation, most recently documented by HISPC. [2] To date, the capacity of the HHS Office for Civil Rights has not been adequate to meet the demand for guidance and enforcement. Amending HIPAA to cover Consumer Access Services may re-ignite old disagreements regarding the statutory constraints of HIPAA, and may stifle rather than encourage the development of Consumer Access Services. (See CP1: Policy Overview for further discussion on the HIPAA Privacy Rule and emerging Consumer Access Services and PHRs.)
    Future Enforcement Option 3: Enact Separate Federal Laws Specifically to Govern Consumer Access Services. Potential advantages: Enacting separate laws for Consumer Access Services and PHRs may avoid the challenges involved in amending HIPAA, and may provide an opportunity for a fresher, more contemporary approach to regulating emerging health information products, services, and entities. Potential disadvantages: New laws separate from HIPAA may be interpreted as re-inventing the wheel instead of building on the policies and practice framework already promulgated in the HIPAA Privacy and Security Rules.
    Future Enforcement Option 4: Strengthen and Modernize State Laws to More Clearly Address Privacy. Potential advantages: States can be leaders in the innovation of privacy protections. State laws could be updated to apply to changes in the health care and information environments. A hybrid model, which has been considered in other sectors, would give state Attorneys General the authority to enforce federal rules, thereby drawing on the resources of those offices. Potential disadvantages: Enacting new laws that vary from state to state will contribute to the uneven patchwork of protections that exist today. Given that Consumer Access Services, PHRs, and other health information sharing efforts are not always geographically defined, a geographically based regulatory approach may prove to be impractical, expensive, and confusing in a networked environment.
    Future Enforcement Option 5: Leverage the Buying Power of Government and Employers by Requiring Adherence to Certain Policies as a Condition for Procurement. Potential advantages: Health care purchasers include the federal government and states (with Medicare and Medicaid programs for citizens, and health benefits packages for public employees), as well as employers that contract for provider and payer services on behalf of employees. Medicare and Medicaid alone account for more than one third of all health care expenses. [3] It could potentially have a significant accelerating impact if government programs and employer coalitions required that their contractors adhere to certain practices to improve the consumer's ability to obtain electronic copies of their information, as well as to protect personal information from misuse or abuse. Of course, the government has several tools to ensure compliance with its contracts, ranging from withholding business or payment to regulatory action or even criminal prosecution, presumably in egregious cases. Potential disadvantages: It is difficult for large federal agencies and employer coalitions to

    Original URL path: http://www.markle.org/health/markle-common-framework/connecting-consumers/cp9 (2016-02-10)

  • CP1 | Markle | Advancing America's Future
    thoughtful and carefully crafted practices to balance the need for consumer data streams to flow more readily with the need to protect privacy. A comprehensive approach to privacy is warranted in light of the emerging environment. (See the Overview document for Nine Core Principles for addressing privacy in a networked environment.)
    Question 2: How do HIPAA treatment, payment, and operations (TPO) rules apply when Covered Entities act as Consumer Access Services or offer PHRs? Answer: To answer this question, consider the case of a person named Millie. First, imagine that Millie goes to the doctor and receives a notice saying that her information can be used in various ways allowed under HIPAA. A year later, she visits the doctor's office and gets a treatment, and the doctor sends a claim to Millie's health insurance company. The insurance company then processes and pays the claim. The event generates several transactions and copies of information about Millie, none of which require Millie's specific consent. This is because, under HIPAA, Covered Entities may make certain disclosures of personal health information for purposes of treatment, payment, and health care operations (TPO) without any consent from the consumer. [10] Then imagine that the insurance company offers Millie an online PHR that lets her view copies of that claims history. The mere fact that Millie is given an online account to view copies of claims does not change the nature of the health plan's permissible uses of the information under TPO rules. [11] Now let's imagine that the PHR offers Millie a chance to add her own contributions of information. For example, she could fill out a patient diary or a health risk assessment, or perhaps enter a past diagnosis of which the health plan had previously been unaware. Or maybe Millie can connect her health plan PHR account to another source of health information about her, such as a home monitoring device, or even from her other doctors or pharmacies. Do these new streams of information about Millie, captured through a PHR from a Covered Entity, fall under the TPO rules? Can they be used or disclosed the same way the claim from her doctor's office might be? Clearly, such issues about HIPAA and TPO are beyond the understanding of the average consumer. A more relevant question, therefore, is whether people like Millie can make informed choices about new personal health information services. Whether covered by HIPAA or not, organizations that offer Consumer Access Services or PHRs must have sound and transparent practices for consumer notice and consent, as well as the other areas of this framework. Sound practices for obtaining consumer consent include making choices proportional. That is, the more unexpected or disclosing the activity, the more specific the consent mechanism required to authorize it. (See CP2: Policy Notice to Consumers and CP3: Consumer Consent to Collections, Uses, and Disclosures of Information.)
    Question 3: Do state laws provide adequate protection of and support for consumer data streams? Answer: Existing state health privacy laws are generally directed at health care providers and health plans. The vast majority are virtually silent on emerging developments such as regional health information exchanges or networked PHRs. [12] The result is that state law may restrict the circumstances under which a Health Data Source may send data to a PHR, such as by requiring patient consent, but does not protect the information once it has been transferred to the PHR. Furthermore, to the extent that state laws may protect health information in consumer data streams, they often do so inconsistently. HIPAA sets a floor of protections and does not displace state laws that are more stringently privacy-protective. Many states have more stringent safeguards in place to impose condition- or issue-specific safeguards (i.e., HIV/AIDS, mental health, genetic information) or to address consumer access to their own records (e.g., requiring health care entities to respond more rapidly to consumer requests for records than HIPAA requires). These state laws may impose differing standards on different Health Data Sources and impact their ability to transfer health information to a PHR. The National Council of State Legislatures (NCSL) and the National Governor's Association have launched an initiative to explore the need for new and consistent policies. Efforts are also underway at the federal level, in the Health Information Privacy and Security Collaboration and in legislative proposals, to harmonize state health privacy laws to avoid variations that some believe impede interoperability and data sharing. However, a number of studies suggest that most variations in state law can be addressed through policy and technical solutions. [13] Overall, however, the lack of federal and state regulation, as well as the evolving interplay of state and federal laws, results in an uncertain regulatory environment. This can be chilling to the nascent market of Consumer Access Services. Fundamental questions about consumer consent for uses and disclosures, notice, enforcement, and chain-of-trust agreements are being determined outside of the regulatory environment, and many companies are uncertain how to proceed in their early products and services.
    Question 4: Will business practices evolve to enhance consumer data streams and foster consumer trust? Answer: Perhaps, but certainly not yet, and not consistently across the industry. There is some hope that vendors' recognition of public concern about safeguarding personal information will drive competition to produce services with stronger and more responsive privacy components. Today, in the absence of regulatory clarity, most PHR ventures develop and adopt their own privacy and security policies, either as individual companies or through trade and professional associations. However, such policies are inconsistent and often confusing. Because consumers do not have simple or foolproof ways to distinguish good privacy practices from bad, organizations may not be motivated to compete on the basis of privacy protection and/or determine that mining personal data is more profitable than investing in stronger privacy protections. It is not clear there is a market for privacy, since many of the practices that

    Original URL path: http://www.markle.org/health/markle-common-framework/connecting-consumers/cp1 (2016-02-10)

  • Acknowledgements | Markle | Advancing America's Future
    Acknowledgements: This framework proposes a set of practices that, when taken together, encourage appropriate handling of personal health information as it flows to and from personal health records (PHRs) and similar applications or supporting services. This framework is a collaborative work of the Markle Connecting for Health Work Group on Consumer Access Policies for Networked Personal Health Information, a public-private collaboration operated and financed by the Markle Foundation. Markle Connecting for Health thanks Work Group Chair David Lansky, PhD, Pacific Business Group on Health, for leading the consensus development process for this framework, and Josh Lemieux, Markle Foundation, for drafting and editing the documents. We thank Carol Diamond, MD, MPH, managing director at the Markle Foundation, for developing the conceptual structure for this approach to networked personal health information. We particularly thank the members of the Work Group, whose affiliations are listed below for identification purposes only, for reviewing several drafts of these documents and improving them invaluably each time. Jim Dempsey, JD, Center for Democracy and Technology; Janlori Goldman, JD, Health Privacy Project and Columbia University School of Public Health; Joy Pritts, JD, Center on Medical Record Rights and Privacy, Health Policy Institute, Georgetown University; and Marcy Wilder, JD, Hogan Hartson LLP, made important contributions to the policy framework. Matt Kavanagh, independent contractor, and Clay Shirky, New York University Graduate Interactive Telecommunications Program, made important contributions to the technology framework. Stefaan Verhulst of Markle Foundation provided excellent research, and Jennifer DePasquale and Michelle Maran of Markle contributed to this framework's final proofreading and production, respectively.
    Connecting for Health Work Group on Consumer Access Policies for Networked Personal Health Information. Lead: David Lansky, PhD, Pacific Business Group on Health (Chair). Staff: Matt Kavanagh, Independent Contractor; Josh Lemieux, Markle Foundation. Members: Wendy Angst, MHA, CapMed, A Division of Bio Imaging Technologies Inc; Annette Bar Cohen, MPH, National Breast Cancer Coalition; Jeremy Coote, InterComponentWare Inc; Maureen Costello, Ingenix; Diane Davies, MD, University of Minnesota; James Dempsey, JD, Center for Democracy and Technology; Stephen Downs, SM, Robert Wood Johnson Foundation; Joyce Dubow, AARP; Thomas Eberle, MD, Intel Corporation and Dossi; Lisa Fenichel, Health Care For All; Stefanie Fenton, Intuit Inc; Steven Findlay, Consumers Union; Mark Frisse, MD, MBA, MSc, Vanderbilt Center for Better Health; Gilles Frydman, Association of Cancer Online Resources (ACOR.org); Melissa Goldstein, JD, School of Public Health and Health Services, Department of Health Sciences, The George Washington University Medical Center; Philip T. Hagen, MD, Mayo Clinic Health Solutions; Robert Heyl, Aetna Inc; David Kibbe, MD, MBA, American Academy of Family Physicians; Jerry Lin, Google Health; Kathleen Mahan, MBA, SureScripts; Ken Majkowski, PharmD, RxHub LLC; Philip

    Original URL path: http://www.markle.org/health/markle-common-framework/connecting-consumers/acknowledgements (2016-02-10)

  • Survey Finds Americans Want Electronic Personal Health Information to Improve Own Health Care | Markle | Advancing America's Future
    Survey Finds Americans Want Electronic Personal Health Information to Improve Own Health Care. Publication Date: Wednesday, November 1, 2006. Lake Research Partners (LRP) and American Viewpoint conducted a survey among 1,003 Americans nationwide, November 11-15, 2006, for the Markle Foundation. The survey examined public opinion toward electronic personal health records, including consumers' level of interest, the benefits of and concerns about online health information, and the role of the government in encouraging health information exchange networks and establishing privacy protections. Survey results reveal a few key attitudinal themes regarding electronic personal health information. First, Americans want access to their personal health information electronically because they believe that the online services enabled by such access are likely to increase their quality of care. Additionally, the public sees online records as a way to increase health care efficiency by reducing unnecessary and repeated tests and procedures. A desire for more control over their health care also seems to be behind the public's interest in electronic personal health information. However, identity theft and privacy risks are still top concerns for the public, and they believe there is a role for government to play in ensuring the security of electronic personal health information.
    Specific findings include: Two-thirds of the public (65%) is interested in accessing their own personal health information electronically. This interest spans demographic groups, with a majority (53%) of Americans 60 and older and high proportions of minority groups, including African Americans and Latinos, expressing interest. Large majorities see a number of benefits of accessing information online, which could lead to a reduction in health care costs. For example, nearly nine in 10 Americans (88%) say online records would be important in reducing the number of unnecessary or repeated tests and procedures they undergo. Americans express strong concern that their information may be used for purposes other than their own care. Eight in 10

    Original URL path: http://www.markle.org/publications/1214-survey-finds-americans-want-electronic-personal-health-information-improve-own-hea (2016-02-10)


