DistilGovHealth

DistilNFO GovHealth Advisory

CARIN Alliance Code of Conduct

The CARIN Alliance Code of Conduct represents the consensus view of a group of multi-sector stakeholders that include leading providers, payers, health IT companies, EHR companies, consumer platform companies, consumers, caregivers and others focused on advancing consumer-directed exchange across the U.S

See DistilINFO GOVHEALTH’s editor Tony Trenkle’s observation on what the Code of Conduct signals.

The CARIN Alliance Code of Conduct

The CARIN Alliance vision is to rapidly advance the ability for consumers and their authorized caregivers to easily get, use, and share their digital health information when, where, and how they want to achieve their goals. Specifically, we are promoting the ability for consumers and their authorized caregivers to gain digital access to their health information via open APIs. We envision a future where any consumer can choose any application to retrieve both their complete health record and their complete claims information from any provider or plan in the country.

As an organization that handles personally identifiable health care information outside of HIPAA, we commit to the following regarding how we will handle personally identifiable consumer health care data.

I. Consent

The Principle of Collection Limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means, and that data should be collected, where appropriate, with the knowledge or consent of the subject.

Want to publish your own articles on DistilINFO Publications?

Send us an email, we will get in touch with you.

We will:

  1. Avoid default data sharing and obtain informed, proactive consent from users, with such consent clearly describing how user data will be collected, used and shared.
  2. Obtain separate consent (either opt-in or opt-out) to uses or disclosures for marketing purposes.
  3. Comply with the Children’s Online Privacy Protection Act with respect to collection, use or disclosure of data from and about individuals under the age of 13 including any applicable state laws.
  4. Provide users with advanced notice of our privacy policy changes.
  5. Be clear with users on how they can withdraw consent to use our service and what will happen to their data after withdrawal.
  6. On behalf of our users, request a copy of their health data from the HIPAA designated record set maintained by a health care provider, health plan, or health information exchange by
  • Requiring as an option the consumer uses technology that supports the NIST IAL2 and AAL2 standards
  • Clearly indicating the destination for sending the health information

II. Use & Disclosure

The Principle of Use Limitation, which provides that there must be limits to the internal uses of personal data and that the data should be used only for the purposes specified at the time of collection. The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.

We will:

  1. Via contracts bind third-party vendors to our privacy policies and prohibit use or disclosure of user information for independent purposes absent express consent from the user.
  2. Limit the collection of health information to only what the user has expressly consented that the service can collect
  3. Collect, use, and disclose health information in ways that are consistent with reasonable user expectations given the context in which users provided (or authorized the provision of) the health information.

III. Individual Access

The Principle of Individual Participation, which provides that each individual should have a right to see any data about himself or herself and to correct or remove any data that is not timely, accurate, relevant, or complete.

We will:

  1. Provide the ability for a consumer to access their health information on their own and/or assign access to caregivers (defined as an unpaid family member, foster parent, or other unpaid adult who provides in-home monitoring, management, supervision, or treatment of a child or adult with a special need, such as a disease, disability, or the frailties of old age) or other third-parties.
  2. Establish and communicate to users clear policies with respect to health information collected by the service that may not be timely, accurate, relevant or complete.
  3. Upon consumer request, securely dispose of the consumer’s relevant identifiable health data completely and indefinitely to allow the consumer the right to be forgotten.

IV. Security

The Principle of Security, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.

We will:

  1. Store and retain health information in a manner consistent with industry-leading best practices that includes the highest levels of security and confidentiality.
  2. Protect health information through a combination of mechanisms including, at a minimum: secure storage, encryption of digital records both in transit and at rest, data-use agreements, and contractual obligations, and accountability measures (e.g. training, access controls and logs, and independent audits).
  3. Follow industry-leading safeguards for how to protect a consumer’s health information against such risks as loss or unauthorized access, use, destruction, annotation, or disclosure.
  4. Provide meaningful remedies for all participants involved in consumer-directed health information exchange to address security breaches, privacy, or other violations incurred because of misuse of the consumer’s health information.

V. Transparency

The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of main purpose and uses of the data

We will:

  1. Have a privacy policy that is prominent, publicly accessible, and easy to read.
  2. In that policy specify the Company’s data collection, consent, use, disclosure, access, security, and retention/deletion practices, including with respect to de-identified, pseudonymized or anonymized data.
  3. Provide clear updates when those practices have changed.
  4. Develop privacy policies based on industry best practices to manage health data.
  5. Specify in the privacy policy what will happen to a consumer’s data in the event of a transfer of ownership or in the case of a company ending or selling its business, either: (i) provide users with clear option to either securely dispose of, or transmit or download their health information securely, or (ii) ensure successor entity commitments are consistent with the then-existing privacy policy.

VI. Provenance

The Principle of Data Quality, which provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and timely.

We will:

  1. Where possible, provide consumers and their caregivers with data provenance to identify who or what entity originally supplied the data and, where relevant, who made changes to the data, and what changes were made.

VII. Accountability

The Principle of Accountability, which provides that record keepers should be accountable for complying with fair information practices.

We will:

  1. Designate a responsible officer within the company who is committed to these health information principles and to ensure these commitments are publicly facing to allow oversight enforcement by the Federal Trade Commission (FTC), State Attorneys General, or other applicable authorities.
  2. Train our employees on these principles and ensure compliance by regularly evaluating our performance internally.
  3. Be transparent with the public whether or not we have obtained independent third-party certification

VIII. Education

We will:

  1. Inform consumers about their health information sharing choices and the consequences of those choices including the risks, benefits, and limitations of data sharing by providing educational materials ourselves or pointing to appropriate third-party resources.

IX. Availability

We will:

  1. Actively work with data holders to expand the set of consumer health information available for reliable, consistent electronic access and to exchange with individuals, caregivers, and clinicians.
  2. Actively work to expand the amount of machine-readable data to ensure a consumer can electronically access all of their health information when, where, and how they want to achieve their goals.

Date: December 4, 2018

Source: CarinAlliance

Coffee with DistilINFO's Morning Updates...

Sign up for DistilINFO e-Newsletters.

Just a little bit more about you...
PROCEED

Related Stories

Trending This Week

Sorry. No data so far.

About Us

DistilINFO is media company that publishes Industry news, views and Interviews. We distil the information for you – saving time and keeping you up to date on your interest areas.

More About Us

Follow Us


Useful Links

All Publications