What is the Health Information Security and Privacy Collaboration Toolkit?
This toolkit provides guidance for conducting organization-level assessments of business practices, policies, and State laws that govern the privacy and security of health information exchange (HIE).
The toolkit was developed as part of the Agency for Healthcare Research and Quality (AHRQ) and Office of the National Coordinator for Health Information Technology (ONC) joint-funded Health Information Security and Privacy Collaboration (HISPC) project.
For more information on the HISPC project, click here.
How Can a State or Region Use the Toolkit?
Assessing organization-level business practices enables regions, States, and territories to identify the variation in practices, policies, and laws that may present barriers to interoperable health information exchange. The assessment will help to identify specific practices that may pose challenges (e.g., the requirement for a wet signature), as well as practices that facilitate interoperable exchange (e.g., acceptance of digital signatures). This, in turn, will allow investigators to identify and propose practical solutions to barriers, while preserving privacy and security requirements as defined by the local community and in applicable federal and State laws, and will enable them to develop detailed plans for implementing solutions.
- For an overview explaining each component of the toolkit, click here (PDF, 127 KB).
- Complete toolkit (ZIP, 155 KB).
- To access individual components and their descriptions, scroll down the page or click on the links below.
Section 1: Tools
- Scenarios Guide
- Dimensions of Business Practices
- Data Collection Templates
- Guidelines for Describing Business Practices
- Example Business Practices
- Stakeholder Meeting Discussion Guide
- Stakeholder Meeting Checklist
- Stakeholder Meeting Debriefing Guide
Section 2: Reference Materials
- Reference Library
- Existing Guidance to Support HIE Implementation Opportunities
- Relevant Legal Requirements for Health Data Exchange for Health Care Organizations
- IT Privacy and Security Primer
Section 1: Tools
Section 1 presents the basic tools for assessing variation in business practices, as well as materials that facilitate productive meetings with stakeholders.
1. Scenarios Guide
Use the scenarios guide to stimulate discussions with relevant stakeholders about business practices associated with privacy and security issues encountered in an array of health information exchanges.
2. Dimensions of Business Practices (PDF, 129 KB)
This document defines the 9 domains of privacy and security used by the state teams, describes the dimensions of business practices associated with each domain, and provides examples of business practices.
Use this tool to develop a thorough understanding of the scope of the project before holding meetings to collect business practice information. Understanding the dimensions of business practices that are relevant to the defined domains of privacy and security as explained here will help focus discussion on privacy and security issues. Although they are important, issues such as the adoption of health information technology and technology standards are not strictly within the scope of this effort.
3. Data Collection Templates (XLS, 88 KB)
This Excel file reproduces the data fields completed by the state teams. These data fields allow investigators to link business practices to scenarios, domains, and affected stakeholders and to capture descriptions of key business practice drivers, such as business policies and relevant laws.
Entering data into the spreadsheet ensures that all items have been captured for each business practice and allows investigators to sort information for analysis.
4. Guidelines for Describing Business Practices
Understanding these guidelines prior to collecting data will help ensure the efficiency of the data collection process, limiting the need to retrieve missing data.
5. Example Business Practices
By comparing collected data with these examples of complete and useful data early in the assessment process, investigators can ensure the utility of the information they collect.
6. Stakeholder Meeting Discussion Guide
Use the discussion guide during meetings with stakeholders to ensure active and effective participation of all attendees.
7. Stakeholder Meeting Checklist
Use the checklist to ensure that all materials needed for an effective meeting are on hand.
8. Stakeholder Meeting Debriefing Guide
The core group of investigators should use this debriefing guide after stakeholder meetings to evaluate the effectiveness of meetings and make any necessary adjustments to improve the effectiveness of future meetings.
Section 2: Reference Materials
B. Existing Guidance to Support HIE Implementation Opportunities (PDF, 119 KB)
This document provides guidance regarding the implementation of solutions. While investigators should implement solutions that address circumstances in their own state or territory, inconsistent solutions in key areas may raise new barriers to interstate activities and transactions. Reference to and use of nationally recognized guidance to support implementation helps minimize the risk of this kind of inconsistent development.
C. Relevant Legal Requirements for Health Data Exchange for Health Care Organizations (PDF, 246 KB)
Created by the Privacy and Security Project's Technical Advisory Panel as background material and provided to state teams at the outset of the project, this document provides basic information about key legal issues affecting health information sharing.
D. IT Privacy and Security Primer (PDF, 301 KB)
Created by the Privacy and Security Project's Technical Advisory Panel as background material and provided to state teams at the outset of the project, this document provides helpful discussions of many dimensions of the HIPAA Privacy and Security Rules.
E. Glossary (PDF, 92 KB)
Created by the Privacy and Security Project's Technical Advisory Panel as background material and provided to state teams at the outset of the project, this document was compiled as a companion to reference materials C and D, to ensure consistent understanding of the terms used in those documents. It also serves as a useful guide to key concepts in the area of electronic health information exchange.