Office of the National Coordinator for Health Information Technology; American Health Information Community Confidentiality, Privacy, and Security Workgroup Meeting



ACTION: Announcement of meeting.


SUMMARY: This notice announces the 15th meeting of the American Health Information Community Confidentiality, Privacy, and Security Workgroup in accordance with the Federal Advisory Committee Act (Pub. L. 92-463, 5 U.S.C., App.).


DATES: November 8, 2007, from 1 p.m. to 5 p.m. [Eastern Time].


ADDRESSES: Mary C. Switzer Building (330 C Street, SW., Washington, DC 20201), Conference Room 4090 (please bring photo ID for entry to a Federal building).

FOR FURTHER INFORMATION CONTACT: healthit/ahic/confidentiality/.

SUPPLEMENTARY INFORMATION:


The American Health Information Community Confidentiality, Privacy, and Security (CPS) Workgroup is seeking public feedback on the following. To submit comments via e-mail (preferred), please send them to (to ensure that your e-mail is received and appropriately filed, we ask that you put “CPS Public Comment” in the subject line of your e-mail) or mail your comments to Steven Posnack, Office of the National Coordinator (ONC), 330 C Street, SW., Suite 4090, Washington, DC 20201. Written testimony submitted by the public is not required to address all of the questions listed below, and answers to any or all of the questions will be accepted so long as they comply with the following guidelines. Comments should be double-spaced and submitted via e-mail or mail by 5 p.m. Eastern Standard Time on November 30, 2007, in order to receive consideration by the CPS Workgroup.

On June 12, 2007, the AHIC accepted for recommendation to the Secretary of HHS the following recommendation made by the CPS Workgroup: All persons and entities, excluding consumers, that participate directly in, or comprise, an electronic health information exchange network, through which individually identifiable health information is stored, compiled, transmitted, modified or accessed, should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements (45 CFR Parts 160 and 164). Furthermore, any person or entity that functions as a Business Associate (as described in 45 CFR 160.103) and participates directly in, or comprises, an electronic health information exchange network should be required to meet enforceable privacy and security criteria at least equivalent to any relevant HIPAA requirements, independent of those established by contractual arrangements (such as a Business Associate Agreement as provided for in HIPAA).

Over the past several months the CPS Workgroup has been evaluating, at a more granular level, two key questions raised by the recommendation above: What constitutes a “relevant” HIPAA requirement for particular “direct participants,” and what, if any, additional confidentiality, privacy, and security protections may be needed beyond those already contained in the HIPAA Privacy and Security Rules (the Rules) in order to ensure trust in electronic health information exchange?

Given that the Rules were written to be applicable to health plans, health care clearinghouses, and health care providers conducting certain electronic health care transactions, we understand that some persons or entities may have an appropriate reason for not needing to meet a particular requirement. To date, the CPS Workgroup is considering recommendations regarding the relevancy of the following HIPAA requirements: (1) § 164.520 Notice of privacy practices for protected health information; (2) § 164.52 Access of individuals to protected health information; and (3) § 164.526 Amendment of protected health information, with respect to organizations such as health information exchanges (HIEs) and regional health information organizations (RHIOs). The Workgroup encourages HIEs, RHIOs, and other similar organizations to submit answers to the following questions so that the Workgroup can validate or refine its current thinking.

(1) Please describe your electronic health information exchange model.

a. What type(s) of health information do you exchange and for what purpose(s)?

b. Who participates in your network (e.g., providers, patients, insurers, labs)?

c. How do you exchange health information?

i. Do you maintain a “repository” where records/health information is stored in one location? If so, is it by provider or as one comprehensive record?

ii. Do you use a record locator (where records reside in numerous locations)?

iii. If neither, please describe.

(2) Have you established business associate contracts or data sharing agreements? If so, with whom (by category of entity)? Have you established contracts or data sharing agreements with all of the participants in your network? If not, why not?

(3) What level of participation do you provide to individuals (e.g. patients/consumers)?

a. Do you provide individuals with a phone number and contact person?

b. Do you permit individuals to access/review/obtain copies of their health information via your network?

c. Do you provide individuals information about who has viewed or exchanged their health information?

d. Do you permit individuals to change/amend health information via your network? If so, what type(s) of health information?

e. Do patients of providers or insurers who participate in the network have the right not to have their information shared with you? If so, how is the right exercised? Do individuals who participate have the right to specify certain restrictions with respect to the information that is shared (for example, who can access and what can be accessed)? If so, please describe.

(4) Does your organization have a notice of privacy practices or privacy policy? If so, do you send it out, when, and to whom? Do you have it posted on your Web site?

(5) Do you have a policy on notification in the event of a security breach? Do you notify companies/entities participating in your network? Do you ever notify individuals (patients)? If so, in what circumstances?

The meeting will be available via Web cast. For additional information, go to: healthit/ahic/cps_instruct.html.

Dated: October 2, 2007.

Judith Sparrow,

Director, American Health Information Community, Office of Programs and Coordination, Office of the National Coordinator for Health Information Technology.

[FR Doc. 07-5010 Filed 10-10-07 8:45 am]