Trust Framework and Code of Conduct
The CARIN Alliance Code of Conduct

Background: The CARIN Alliance Code of Conduct represents the consensus view of a group of multi-sector stakeholders that include leading providers, payers, health IT companies, EHR companies, consumer platform companies, consumers, caregivers and others focused on advancing consumer-directed exchange across the U.S. The Code is based on internationally recognized standards including the Code of Fair Information Practices (FIP) (indicated in italics below) and numerous other consumer information sharing accepted principles and practices. The Alliance is working collaboratively with other stakeholders and leaders in government to overcome the policy, cultural, and technological barriers to advancing consumer-directed exchange.

The CARIN Alliance Code of Conduct

The CARIN Alliance vision is to rapidly advance the ability for consumers and their authorized caregivers to easily get, use, and share their digital health information when, where, and how they want to achieve their goals. Specifically, we are promoting the ability for consumers and their authorized caregivers to gain digital access to their health information via open APIs. We envision a future where any consumer can choose any application to retrieve both their complete health record and their complete claims information from any provider or plan in the country.

As an organization that handles personally identifiable health care information outside of HIPAA, we commit to the following regarding how we will handle personally identifiable consumer health care data.

Download Code of Conduct

I. Consent

The Principle of Collection Limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means, and that data should be collected, where appropriate, with the knowledge or consent of the subject.

We will:

  1. Avoid default data sharing and obtain informed, proactive consent from users, with such consent clearly describing how user data will be collected, used and shared.
  2. Obtain separate consent (either opt-in or opt-out) to uses or disclosures for marketing purposes.
  3. Comply with the Children’s Online Privacy Protection Act with respect to collection, use or disclosure of data from and about individuals under the age of 13 including any applicable state laws.
  4. Provide users with advanced notice of our privacy policy changes.
  5. Be clear with users on how they can withdraw consent to use our service and what will happen to their data after withdrawal.
  6. On behalf of our users, request a copy of their health data from the HIPAA designated record set maintained by a health care provider, health plan, or health information exchange by
    1. Requiring as an option the consumer uses technology that supports the NIST IAL2 and AAL2 standards
    2. Clearly indicating the destination for sending the health information
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *

II. Use & Disclosure

The Principle of Use Limitation, which provides that there must be limits to the internal uses of personal data and that the data should be used only for the purposes specified at the time of collection. The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.

We will:

  1. Via contracts bind third-party vendors to our privacy policies and prohibit use or disclosure of user information for independent purposes absent express consent from the user.
  2. Limit the collection of health information to only what the user has expressly consented that the service can collect
  3. Collect, use, and disclose health information in ways that are consistent with reasonable user expectations given the context in which users provided (or authorized the provision of) the health information.
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *

III. Individual Access

The Principle of Individual Participation, which provides that each individual should have a right to see any data about himself or herself and to correct or remove any data that is not timely, accurate, relevant, or complete.

We will:

  1. Provide the ability for a consumer to access their health information on their own and/or assign access to caregivers (defined as an unpaid family member, foster parent, or other unpaid adult who provides in-home monitoring, management, supervision, or treatment of a child or adult with a special need, such as a disease, disability, or the frailties of old age) or other third-parties.
  2. Establish and communicate to users clear policies with respect to health information collected by the service that may not be timely, accurate, relevant or complete.
  3. Upon consumer request, securely dispose of the consumer’s relevant identifiable health data completely and indefinitely to allow the consumer the right to be forgotten.
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *

IV. Security

The Principle of Security, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.

We will:

  1. Store and retain health information in a manner consistent with industry-leading best practices that includes the highest levels of security and confidentiality.
  2. Protect health information through a combination of mechanisms including, at a minimum: secure storage, encryption of digital records both in transit and at rest, data-use agreements, and contractual obligations, and accountability measures (e.g. training, access controls and logs, and independent audits).
  3. Follow industry-leading safeguards for how to protect a consumer’s health information against such risks as loss or unauthorized access, use, destruction, annotation, or disclosure.
  4. Provide meaningful remedies for all participants involved in consumer-directed health information exchange to address security breaches, privacy, or other violations incurred because of misuse of the consumer’s health information.
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *

V. Transparency

The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of main purpose and uses of the data

We will:

  1. Have a privacy policy that is prominent, publicly accessible, and easy to read.
  2. In that policy specify the Company’s data collection, consent, use, disclosure, access, security, and retention/deletion practices, including with respect to de-identified, pseudonymized or anonymized data.
  3. Provide clear updates when those practices have changed.
  4. Develop privacy policies based on industry best practices to manage health data.
  5. Specify in the privacy policy what will happen to a consumer’s data in the event of a transfer of ownership or in the case of a company ending or selling its business, either: (i) provide users with clear option to either securely dispose of, or transmit or download their health information securely, or (ii) ensure successor entity commitments are consistent with the then-existing privacy policy.
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *

VI. Provenance

The Principle of Data Quality, which provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and timely.

We will:

  1. Where possible, provide consumers and their caregivers with data provenance to identify who or what entity originally supplied the data and, where relevant, who made changes to the data, and what changes were made.
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *

VII. Accountability

The Principle of Accountability, which provides that record keepers should be accountable for complying with fair information practices.

We will:

  1. Designate a responsible officer within the company who is committed to these health information principles and to ensure these commitments are publicly facing to allow oversight enforcement by the Federal Trade Commission (FTC), State Attorneys General, or other applicable authorities.
  2. Train our employees on these principles and ensure compliance by regularly evaluating our performance internally.
  3. Be transparent with the public whether or not we have obtained independent third-party certification
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *

VIII. Education

We will:

  1. Inform consumers about their health information sharing choices and the consequences of those choices including the risks, benefits, and limitations of data sharing by providing educational materials ourselves or pointing to appropriate third-party resources.
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *

IX. Availability

We will:

  1. Actively work with data holders to expand the set of consumer health information available for reliable, consistent electronic access and to exchange with individuals, caregivers, and clinicians.
  2. Actively work to expand the amount of machine-readable data to ensure a consumer can electronically access all of their health information when, where, and how they want to achieve their goals.
Leave a Comment +Hide Comment Box -

Leave a Reply

Your email address will not be published. Required fields are marked *