Carin Code of Conduct 

The CARIN Code of Conduct serves as a blueprint designed to safeguard your information's integrity and security.

It outlines the principles we adhere to and the entitlements we ensure for you. While adherence to the code's regulations is voluntary, we abide by them to deliver optimal service and safeguard your privacy and data.

Section I – Background and Overview

The CARIN Trust Framework and Code of Conduct 

A foundational set of principles for how health care organizations can share data with consumer applications.

Who is the CARIN Alliance? 

The CARIN Alliance is a multi-sector group of stakeholders representing numerous hospitals, thousands of physicians, and millions of consumers and caregivers. We are committed to enabling consumers and their authorized caregivers to get easy access to their personal health information. Specifically, we are promoting the ability for consumers and their authorized caregivers to gain digital access to their health information via the non-proprietary, open APIs included in recent ONC and CMS proposed and final regulations, and to have their digital health information sent to any third-party application they choose.

Working collaboratively with government leaders, the group seeks to rapidly advance the ability for consumers and their authorized caregivers to easily obtain, use, and share their digital health information when, where, and how they want to achieve their goals. With a membership composed of patient and caregiver organizations, health care entities, health information exchanges, health information technology vendors and others, the CARIN Alliance is uniquely positioned at the intersection of public and private organizations to advance the development of person-centered, value-driven health care through the adoption of consumer-directed health information exchange.

What is consumer-directed exchange? 

Consumer-directed exchange is when a consumer invokes their individual right of access under HIPAA to request a copy of their health information from a covered entity and then directs their health information to any third party of their choice. The CARIN Alliance believes that consumer-directed exchange is an essential piece of the interoperability equation. Despite significant public and private sector investments in standards-based EHRs, and provider-to-provider health information exchange in recent years, advances in consumer-directed exchange have been limited. Most consumers still lack the ability to easily obtain, use, and share their digital health information when, where, and how they want using third party applications they control. Barriers to consumer-directed exchange include a lack of:

• Consensus trust, privacy and security frameworks for consumer-directed exchange.

• Availability and adoption of technologies that facilitate consumer-directed exchange.

• Understanding of existing policies supporting consumer-directed exchange.

• Health care organizational policy or workflow barriers that may exist.

• Availability of sustainable business models.

• Widespread consumer education and awareness about consumer-directed exchange options.

Consumer-directed exchange has raised some concerns because it relies on sharing personally identifiable data with consumer-facing applications, many of which may not be regulated by HIPAA privacy and security rules. However, data held by consumer-facing applications is governed by Section 5(a) of the Federal Trade Commission Act, which makes it unlawful for companies to engage in “unfair or deceptive acts or practices in or affecting commerce” (15 U.S.C. Sec. 45(a)(1)). “Unfair” practices are defined as those that “cause or [are] likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition” (15 U.S.C. Sec. 45(n)).

The FTC Act provides the ability for the government to hold companies accountable for “unfair or deceptive acts or practices,” and for violating commitments made to consumers regarding how their personal data will be handled. Data held by consumer-facing applications also may be subject to state privacy and consumer protection laws.

Imagine a world where a consumer or authorized caregiver could download one or more mobile health applications to access their digital health information from any provider, hospital, health plan, health information exchange, or other covered entity of their choosing. These applications would endorse and agree to the code of conduct as part of the application registration process. The FTC, through its Section 5(a) authority, could then enforce that code of conduct against apps that publicly commit to following it. The CARIN Alliance code of conduct is intended to help address the concerns associated with sharing personal health information with consumer-facing apps.

The CARIN Alliance is focused on addressing the barriers associated with consumer-directed exchange, helping organizations and individuals understand existing policies supporting consumer-directed exchange, assisting health care organizations to eliminate policy or workflow barriers that may exist for consumer-directed exchange, and educating consumers on their consumer-directed exchange options.

The CARIN Alliance is primarily focused on solving two use cases:

1. How a consumer electronically requests access to their data using APIs, indicates where it should be sent, and is informed how their data will be used.

2. How a covered entity electronically sends that data to the consumer.

Individual Right of Access request vs. HIPAA Authorization

The CARIN Alliance believes that when an individual makes a request for their data to be sent to an application of their choice it should be treated as an individual “right of access” request pursuant to the HIPAA Privacy Rule. We also believe that when an application makes a request for a consumer's data at the direction of, and on behalf of, an individual, it should also be treated as an individual “right of access” request when it does the following:

• Is submitted directly by a ‘personal health record’ (which HITECH says is an electronic record of personally identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual);

• Meets the identity proofing and authentication requirements of the ONC's common agreement (currently Identity Assurance Level (IAL) 2 and Authenticator Assurance Level (AAL) 2);

• Clearly indicates the destination for sending the information; and

• Is requesting data from the then-current US Core Data for Interoperability set (USCDI).

A HIPAA Authorization request is typically initiated by a provider or other entity to document consumer consent in order to exchange data with third parties within HIPAA in circumstances where the HIPAA Privacy Rule provides no other route for disclosure (for example, where the disclosure is not for treatment, payment or operations, or under the individual's right of access).

More information on the difference between a HIPAA Authorization and an Individual Right of Access request can be found on the Office for Civil Rights website.

Who is the audience for the CARIN code of conduct?

1. Consumer Advocate Groups, Consumers, and their Authorized Caregivers: Those who are looking to understand how they can electronically access their health information from multiple systems.

2. Entities covered by HIPAA: Organizations that are designated as covered entities under HIPAA including providers, payers, and clearinghouses and their business associates who operate on their behalf.

3. Electronic Health Record Companies: Companies that provide the technology required for providers and hospitals to record clinical documentation, track workflows, and bill appropriately for care.

4. Health Information Exchanges: Organizations that facilitate digital health information exchange on behalf of payers, providers, and consumers.

5. Policymakers: Administration and congressional officials who are enacting health information exchange policies and procedures.

6. Non-Covered Entities: Community-based organizations, consumer platform companies, and other entities not covered by HIPAA that develop health IT applications and/or services for the consumer to aggregate, analyze, and share their health information.

What is the purpose and structure of the CARIN Trust Framework?

Purpose: A consensus, voluntary framework by which applications used by the consumer agree to treat the individual's health care information.

Structure: There are three phases of the CARIN trust framework. The CARIN code of conduct is phase one. This is the foundational phase where third-party application and consumer platform companies will endorse and agree to the CARIN code of conduct as part of their registration process with the “application aggregators” or primary data holders (e.g., EHR application stores, iOS or Android application stores, etc.). During phase two, applications will publicly endorse and agree to a set of questions regarding how they use, manage, and secure the consumer's health data based on the principles in the code of conduct. This will include incorporating and expanding the ONC's Model Privacy Notice to be consistent with the code of conduct. These structured questions will allow the consumer to filter and search for the applications that meet their individual preferences across platforms. Phase three is a potential future phase where independent, private-sector third parties could certify the applications based on the code of conduct, questionnaire, and possibly other criteria (e.g. validity of the application's clinical guidelines, etc.).

Who helped provide input to the CARIN code of conduct?

We are enormously indebted to the organizations who have provided valuable input to the CARIN Trust Framework and code of conduct. These are organizations that care deeply about consumers receiving electronic access to their health information and we are incredibly grateful for their ongoing support. For a list of those organizations, please access our website www.carinalliance.com under the section ‘Our Membership’.

Can we provide input to the CARIN code of conduct?

We welcome and encourage comments and input from across the health care industry. Please submit your comments online at www.carinalliance.com. The CARIN Alliance board and membership will examine and carefully consider all comments to include in future releases of this document.

How does the CARIN Alliance plan on operationalizing the code of conduct?

The CARIN Alliance welcomes the opportunity to work with primary data holders of personally identifiable health information including health plans, the Federal Government, state Medicaid agencies, providers, hospitals, EHR vendors, HIEs, and other organizations who are implementing APIs for consumers to access their health information. We want to work with these organizations to include the code of conduct as part of their application registration process and ensure the data holders can inform consumers which applications have endorsed and agreed to the code of conduct, so they can make an informed decision regarding the applications they would like to choose to access their health information.

Section II – The CARIN Alliance Code of Conduct

Background: The CARIN Alliance code of conduct represents the consensus view of a group of multi-sector stakeholders that include leading providers, payers, health IT companies, EHR companies, consumer platform companies, consumers, caregivers, and others focused on advancing consumer-directed exchange across the U.S. The Code is based on internationally recognized standards including the Code of Fair Information Practices (FIP) (see NCVHS report, “Health Information Privacy Beyond HIPAA: A 2018 Environmental Scan of Major Trends and Challenges”, p. 19) and numerous other accepted information-sharing principles and practices. The Alliance is working collaboratively with other stakeholders and leaders in government to overcome the policy, cultural, and technological barriers to advancing consumer-directed exchange. The CARIN Alliance envisions a future where any consumer can choose any application or service to retrieve both their complete health record and their complete claims information from any provider or health plan in the U.S. and have that information used, managed, and stored by a third-party application based on the individual's consent and personal preferences.

Application: The CARIN code of conduct is meant to apply to all consumer-facing applications (defined as technology-enabled platforms, services, and tools) that collect health information and are offered to and used by consumers in the United States, regardless of whether or not they are covered by HIPAA.

The CARIN Alliance Code of Conduct

The CARIN Alliance code of conduct is meant to provide consumers with transparency into how their health information is being used by their chosen consumer-facing application.

As a company or organization that collects health care information on behalf of consumers, and facilitates the further use and sharing of that information as authorized by the consumer, we commit to the following:

I. Transparency

The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of the main purpose and uses of the data.

We will:

1. Have a privacy policy that is based on industry best practices and is prominent, publicly accessible, and easy to read (i.e., written in lay language) and that addresses all of the issues addressed in this Framework.

2. Ensure our privacy policy specifies our Company's data collection, consent, use, disclosure, access, security, and retention/deletion practices, including the use and sharing of de-identified, anonymized, or pseudonymized data.

3. Address in our policy when data sharing could have an impact on others (such as the impact of sharing genetic or family history information on relatives).

4. Proactively provide clear updates to users when privacy policies or practices have changed.

5. Use the ONC's Model Privacy Notice (MPN) and the CARIN questionnaire as a resource when developing the privacy policies of the application.

6. Be clear with users regarding whether data is collected, or shared with third parties, on a one-time basis or persistently (and if so, for what duration), and allow the user rights to change those options consistent with our consent policies.

7. Be clear with users regarding their rights (or lack thereof) to change or annotate data or to share portions of their health information and whether any such changes, annotations, or notices of lack of completeness are communicated to any downstream recipients authorized by the user.

II. Consent

The Principle of Collection Limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means, and that data should be collected, where appropriate, with the knowledge or consent of the data subject.

The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.

We will:

1. Avoid default data sharing by obtaining informed, proactive consent from users in advance of data sharing, with such consent clearly describing how user data will be collected, used and shared.

2. Obtain separate, informed, proactive opt-in consent to use or disclose data from any individual or other individual identified in the protected health information (PHI) for marketing purposes. (For example, Individual A's consent does not extend to Individual B who may be referenced in Individual A's PHI.)

3. Comply with the Children's Online Privacy Protection Act as defined by applicable law.

4. Provide users with advance notice of our privacy policy changes and allow the user to affirm their consent to the updated privacy policy in order to continue to share their data with the application, or be given the option to withdraw consent.

5. Provide users with an easy process for how to withdraw their consent with the application used to access the health information and clearly communicate those processes.

6. Allow the user to always indicate the destination for sending their health information.

III. Use & Disclosure

The Principle of Use Limitation, which provides that there must be limits to the uses of personal data and that the data should be used only for the purposes specified at the time of collection.

The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.

We will:

1. Contractually bind third-party vendors and contractors to our privacy policies and prohibit use or disclosure of user information (including de-identified, anonymized or pseudonymized data) for any undisclosed purposes without express consent from the user.

2. Except for the contracted third-party vendors identified above, prohibit the use or sharing of user data without user consent.

3. Limit the collection of health information to only what the user has expressly consented that the application can collect.

4. Collect, use, and disclose health information in ways that are consistent with reasonable user expectations given the context in which the users provided (or authorized the provision of) the health information.

IV. Individual Access

The Principle of Individual Participation, which provides that each individual should have a right to see any data about himself or herself and to annotate any data that is not timely, accurate, relevant, or complete where the application has the ability to do so.

We will:

1. Provide the ability for users to access all identifiable information about the user collected by the application and a clear, easy process for requesting corrections to any inaccurate information.

2. Establish and clearly communicate to users clear policies for how the application will handle health information it collects that may not be timely, accurate, relevant or complete.

3. Upon user request, securely dispose of the user's identifiable health data completely and indefinitely to allow the user the “right to be forgotten” with respect to any future uses or disclosures of user data.

V. Security

The Principle of Security, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.

We will:

1. Follow safeguards consistent with the responsible stewardship associated with the protection of a user's health information against risks such as loss or unauthorized access, use, alteration, destruction, unauthorized annotation, or disclosure.

2. Store and retain health information in a manner consistent with the best practices associated with the protection of personally identifiable health information.

3. Protect identifiable health information through a combination of mechanisms including, at a minimum: secure storage, encryption of digital records both in transit and at rest, data-use agreements and contractual obligations, and accountability measures (e.g., access controls and logs and independent audits) that could be made available to the user.

4. Comply with applicable breach notification laws and provide meaningful remedies to address security breaches, privacy, or other violations incurred because of misuse of the user's health information.

5. On behalf of our users, request a copy of their health data from the HIPAA designated record set maintained by a health care provider, health plan, or health information exchange by 1) relying on a health care provider or health plan portal identity credential using SMART, or accepting a digital identity credential for the user that is at least NIST Identity Assurance Level 2 (IAL2) and Authenticator Assurance Level 2 (AAL2), and 2) clearly indicating the destination for sending the health information.

6. Adopt internal policies and secure contractual commitments with third parties to prohibit the re-identification of de-identified or anonymized data.

7. Establish and implement a policy for how to handle dormant user accounts.

VI. Provenance

The Principle of Data Quality, which provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and timely.

We will:

1. Where possible, as data is changed, continue to maintain the provenance of the data to provide users, their caregivers, and authorized recipients information about who or what entity originally supplied the data and, where relevant, who made changes to the data, and what changes were made.

VII. Accountability

The Principle of Accountability, which provides that record keepers should be accountable for complying with fair information practices.

We will:

1. Comply with all applicable federal and state laws.

2. Designate a responsible executive officer within the company who is committed to these health information principles and ensure these commitments are publicly facing to allow oversight enforcement by the Federal Trade Commission (FTC), State Attorneys General, or other applicable authorities.

3. Establish and clearly communicate a process for collecting and responding to user complaints.

4. Train our staff on these principles and ensure compliance by regularly evaluating our performance internally.

5. Notify the public when we have received any certification or accreditation from any independent certifying organizations (and indicate the timing/duration of such certifications).

In addition to the above commitments that give meaning to the Code of Fair Information Practices, we agree to support the vision of the CARIN Alliance as follows:

VIII. Education

We will:

1. Inform users about their health information sharing choices and the consequences of those choices including the risks, benefits, and limitations of data sharing by providing educational materials ourselves or pointing to appropriate third-party resources.

IX. Advocacy

We will:

1. Actively work with other industry stakeholders to expand the set of standardized individually identifiable health information that could be made “readily producible” for collection by consumer-facing applications.