Health Information Security and Privacy Collaboration Toolkit
What is the Health Information Security and Privacy Collaboration Toolkit?
This toolkit provides guidance for conducting organization-level assessments of business practices, policies, and State laws that govern the privacy and security of health information exchange (HIE).
The toolkit was developed as part of the Agency for Healthcare Research and Quality (AHRQ) and Office of the National Coordinator for Health Information Technology (ONC) joint-funded Health Information Security and Privacy Collaboration (HISPC) project.
For more information on the HISPC project, click here.
How Can a State or Region Use the Toolkit?
Assessing the variation in organization-level business practices enables regions, States, and territories to identify the variation in practices, policies, and laws that may present barriers to interoperable health information exchange. The assessment will help to identify specific practices that may pose challenges (e.g., the requirement for a wet signature), as well as practices that facilitate interoperable exchange (e.g., acceptance of digital signatures). This, in turn, will allow investigators to identify and propose practical solutions to barriers while preserving privacy and security requirements as defined by the local community and in applicable federal and State laws and will enable them to develop detailed plans for implementing solutions.
Download the Toolkit
- Overview explaining each component of the toolkit, click here (PDF, 127 KB)
- Complete toolkit (ZIP, 155 KB).
- To access individual components and their descriptions, scroll down the page or click on the links below.
Section 1: Tools
- Scenarios Guide
- Dimensions of Business Practices
- Data Collection Templates
- Guidelines for Describing Business Practices
- Example Business Practices
- Stakeholder Meeting Discussion Guide
- Stakeholder Meeting Checklist
- Stakeholder Meeting Debriefing Guide
Section 2: Reference Materials
- Reference Library
- Existing Guidance to Support HIE Implementation Opportunities
- Relevant Legal Requirements for Health Data Exchange for Health Care Organizations
- IT Privacy and Security Primer
Section 1: Tools
Section 1 presents the basic tools for assessing variation in business practices, as well as materials that facilitate productive meetings with stakeholders.
Scenarios Guide (PDF, 188 KB)
This document includes the text of the 18 health information exchange scenarios, along with suggested areas for discussion associated with each scenario. The scenarios were developed by the American Health Information Management Association (AHIMA). Scenarios describe different purposes for health information exchange, including treatment, education, research, marketing, public health, and biosurveillance, to ensure a thorough review of relevant business practices.
Use the scenarios guide to stimulate discussions with relevant stakeholders about business practices associated with privacy and security issues encountered in an array of health information exchanges.
- Dimensions of Business Practices (PDF, 129 KB)
This document defines the 9 domains of privacy and security used by the state teams, describes the dimensions of business practices associated with each domain, and provides examples of business practices.
Use this tool to develop a thorough understanding of the scope of the project before holding meetings to collect business practice information. Understanding the dimensions of business practices that are relevant to the defined domains of privacy and security as explained here will help focus discussion on privacy and security issues. Although they are important, issues such as the adoption of health information technology and technology standards are not strictly within the scope of this effort.
- Data Collection Templates (XLS, 88 KB)
This Excel file reproduces the data fields completed by the state teams. These data fields allow investigators to link business practices to scenarios, domains, and affected stakeholders and to capture descriptions of key business practice drivers, such as business policies and relevant laws.
Entering data into the spreadsheet ensures that all items have been captured for each business practice and allows investigators to sort information for analysis.
- Guidelines for Describing Business Practices (PDF, 126 KB)
This document provides detailed instructions for collecting complete and useful data in each of the fields in the data collection template. By following these guidelines, investigators can ensure that business practices are thoroughly discussed and described and that results comparable with those achieved by the state teams are obtained.
Understanding these guidelines prior to collecting data will help ensure the efficiency of the data collection process, limiting the need to retrieve missing data.
- Example Business Practices (XLS, 25 KB)
The examples provided here demonstrate the principles described in Tool 4, Guidelines for Describing Business Practices. The top two rows in the example spreadsheet, "Description of Data Item" and "Specific Notes and Comments," provide additional explanations of each data item and the processes by which they may be collected.
By comparing collected data with these examples of complete and useful data early in the assessment process, investigators can ensure the utility of the information they collect.
- Stakeholder Meeting Discussion Guide (PDF, 214 KB)
This guide was developed by RTI expressly for this toolkit to enable users to reproduce the process used by the state teams. It is designed to help meeting facilitators elicit business practices and link them to drivers (policies and laws), domains, and affected stakeholders.
Use the discussion guide during meetings with stakeholders to ensure active and effective participation of all attendees.
- Stakeholder Meeting Checklist (PDF, 82 KB)
This document describes procedures that will help meeting facilitators prepare for effective stakeholder meeting discussions.
Use the checklist to ensure that all materials needed for an effective meeting are on hand.
- Stakeholder Meeting Debriefing Guide (PDF, 106 KB)
This document is designed to help meeting facilitators evaluate the effectiveness of stakeholder meetings.
The core group of investigators should use this debriefing guide after stakeholder meetings to evaluate the effectiveness of meetings and make any necessary adjustments to improve the effectiveness of future meetings.
Section 2: Reference Materials
Reference Library (PDF, 116 KB)
This document was created by the Privacy and Security Project's Technical Advisory Panel as background material for participants on the state teams. It provides references and links to relevant publications.
Existing Guidance to Support HIE Implementation Opportunities (PDF, 119 KB)
This document provides guidance regarding the implementation of solutions. While investigators should implement solutions that address circumstances in their own state or territory, inconsistent solutions in key areas may raise new barriers to interstate activities and transactions. Reference to and use of nationally recognized guidance to support implementation helps minimize the risk of this kind of inconsistent development.
Relevant Legal Requirements for Health Data Exchange for Health Care Organizations (PDF, 246 KB)
Created by the Privacy and Security Project's Technical Advisory Panel as background material and provided to state teams at the outset of the project, this document provides basic information about key legal issues affecting health information sharing.
IT Privacy and Security Primer (PDF, 301 KB)
Created by the Privacy and Security Project's Technical Advisory Panel as background material and provided to state teams at the outset of the project, this document provides helpful discussions of many dimensions of the HIPAA Privacy and Security Rules.
Glossary (PDF, 92 KB)
Created by the Privacy and Security Project's Technical Advisory Panel as background material and provided to state teams at the outset of the project, this document was compiled as a companion to reference materials C and D, to ensure consistent understanding of the terms used in those documents. It also serves as a useful guide to key concepts in the area of electronic health information exchange.