ONC to revise model privacy notice for personal health records

The Office of the National Coordinator for Health IT (ONC) is proposing to revise its current model privacy notice for personal health records (PHRs), according to a proposed information collection request posted this week in the Federal Register.

According to ONC's website, the PHR Model Privacy Notice is designed to be a standardized template that a web-based PHR company can use to inform consumers about its privacy and security policies. The current Office of Management and Budget-approved model privacy notice for PHRs is applicable through September 30, 2012. ONC proposes to revise the model notice using focus group and cognitive usability interview testing, and will recruit participants through a screening program.

ONC began developing a model privacy notice for PHRs in 2008, and acknowledges on its website that this first model is merely version 1.0; in the proposed information collection request, ONC states that "[i]f patients cannot adequately understand the notice because of its length or complexity, then the use and disclosure of their health information is not open and transparent."

However, the proposed information collection request is a little confusing. ONC states in the request that 45 C.F.R. § 164.520 of HIPAA requires covered entities to make available a Notice for Privacy Practices (NPP) for protected health information to their patients or health plan members, which must include certain information in plain language, such as "the purposes for which the covered entity is permitted to use and disclose health information, the rights of individuals with respect to their health information, the entities' duties to protect that information, and the process for filing a complaint concerning possible violations of the HIPAA Privacy Rule, such as an improper use or disclosure of information."

What the proposed information collection request doesn't say is that 45 C.F.R. § 164.520 only applies to PHRs being offered by plans and providers. PHRs offered by a PHR vendor aren't subject to that regulation; "in these cases, it is the privacy and security policies of the PHR company as well as any other applicable laws, which govern how information in the PHR is protected," according to ONC's background document on its website. The proposed information collection request doesn't clarify whether the potential revisions are geared to covered entities, PHR vendors not subject to HIPAA, or both.

Comments and recommendations must be received by October 27, 2012.

To learn more:
- here's the request
- check out ONC's PHR privacy notice template
- read section 164.520