PPR:

The Coalition for Patient Privacy, led by Patient Privacy Rights, developed the following privacy principles to serve as standards for legislation in Congress. Without these ironclad privacy protections, consumers will not trust or participate in any electronic health system.

ACCOUNTABILITY - Hold every entity with access to health information accountable.
We have learned the painful lessons of letting industry set its own rules. Consumers no longer trust that corporations will use personal health information only as directed or guard it from theft or loss.
- Those who collect, store or use personal health information should help ensure that the data is accurate, reliable and secure. Minimum standards should include: encrypting data at rest and in transit, limiting access to specific individuals via informed, electronic
  consent and audit trails of all electronic transactions.
- Authorize and fund Health & Human Services and the Federal Trade Commission to increase their oversight of industry practices including random audits of contracts.
- Require breach notification, privacy safeguards and whistleblower protections, including meaningful enforcement of privacy rights.
CONTROL - Ensure individuals control the use of their personal health information.
Fundamental to the Code of Fair Information Practices and most professional Codes of Ethics is an individual’s right to control how their personal information is used.
- Codify a federal right to health information privacy.
- Ensure individuals can segment sensitive information and that safeguards for medical information are built in up front before problems arise.
- Provide incentives for health IT systems to use electronic informed consent, innovative consumer privacy controls and for user interfaces to be accessible for patients with disabilities.
TRANSPARENCY - Protect consumers from abusive practices.
Personal health information should not be sold and shared as a typical commodity. Health information is different; it is extremely sensitive and can directly impact jobs, credit, and insurance coverage. Commercial transfers undermine routine privacy safeguards, including transparency and accountability.
- Prohibit direct or indirect remuneration for the sharing, disclosure or use of personal health information with limited exceptions for research and public health.
- Ensure that corporations cannot obtain exclusive or contractual rights to own or control personal health information. We have evidence that selling of this data is happening at major companies (details available upon request).
- Personal health information obtained for one purpose must not be used for other purposes without informed consent. Even when consent is obtained, privacy obligations such as security and prevention of misuse, continue.

View the full letter including in depth descriptions of these principles here.

More Patient Privacy Principles

The following Patient Privacy Principles should be included in all Health IT legislation:

Recognize that patients own their health data
Give patients control over who can access their electronic health records
Give patients the right to opt-in and opt-out of electronic systems
Give patients the right to segment sensitive information
Require audit trails of every disclosure of patient information
Require that patients be notified of suspected or actual privacy breaches
Provide meaningful penalties and enforcement for privacy violations
Require that health information disclosed for one purpose may not be used for another purpose without informed consent
Insure that consumers can not be compelled to share electronic health records to obtain employment, insurance, credit, or admission to schools
Deny employers access to employees’ medical records
Preserve stronger privacy protections in state laws