Carin Code of Conduct

The CARIN Code of Conduct is a set of guidelines that were created to keep your information safe and secure.

The code describes the guidelines we follow and the rights we guarantee you. The rules of the code are optional, yet we follow them in order to provide the best service and to protect all your privacy and information.

Illustration of a document with a seal on it.

Section I – Background and Overview

The CARIN Trust Framework and Code of Conduct

A foundational set of principles for how health care organizations can share data with consumer applications.

I. Who is the CARIN Alliance?

The CARIN Alliance is a multi-sector group of stakeholders representing numerous hospitals, thousands of physicians, and millions of consumers and caregivers. We are committed to enabling consumers and their authorized caregivers to get easy access to their personal health information. Specifically, we are promoting the ability for consumers and their authorized caregivers to gain digital access to their health information via the non-proprietary, open APIs included in recently proposed ONC and CMS proposed and final regulations to have their digital health information sent to any third-party application they choose.

Working collaboratively with government leaders, the group seeks to rapidly advance the ability for consumers and their authorized caregivers to easily obtain, use, and share their digital health information when, where, and how they want to achieve their goals. With a membership composed of patients and caregiver organizations, health care entities, health information exchanges, health information technology vendors and others, the CARIN Alliance is uniquely positioned at the intersection of public and private organizations to advance the development of person-centered, value-driven health care through the adoption of consumer-directed health information exchange.

II. What is consumer-directed exchange?

Consumer-directed exchange is when a consumer invokes their individual right of access under HIPAA to request a copy of their health information from a covered entity and then directs their health information to any third party of their choice. The CARIN Alliance believes that consumer-directed exchange is an essential piece of the interoperability equation. Despite significant public and private sector investments in standards-based EHRs, and provider-to-provider health information exchange in recent years, advances in consumer-directed exchange have been limited. Most consumers still lack the ability to easily obtain, use, and share their digital health information when, where, and how they want using third party applications they control. Barriers to consumer-directed exchange include a lack of:

  • Consensus trust, privacy and security frameworks for consumer-directed exchange.
  • Availability and adoption of technologies that facilitate consumer-directed exchange.
  • Understanding of existing policies supporting consumer-directed exchange.
  • Health care organizational policy or workflow barriers that may exist.
  • Availability of sustainable business models.
  • Widespread consumer education and awareness about consumer-directed exchange options.

The consumer-directed exchange has raised some concerns because it relies on sharing personally identifiable data with consumer-facing applications, many of which may not be regulated by HIPAA privacy and security rules. However, data held by consumer-facing applications is governed by Section 5(a) of the Federal Trade Commission Act, which makes it unlawful for companies to engage in “unfair or deceptive acts or practices in or affecting commerce” (15 U.S.C. Sec. 45(a)(1)). "Unfair" practices are defined as those that "cause or [are] likely to cause substantial injury to consumers, which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition" (15 U.S.C. Sec. 45(n))”.

The FTC Act provides the ability for the government to hold companies accountable for “unfair or deceptive acts or practices,” and for violating commitments made to consumers regarding how their personal data will be handled. Data held by consumer-facing applications also may be subject to state privacy and consumer protection laws.

Imagine a world where a consumer or authorized caregiver could download one or more mobile health applications to access their digital health information from any provider, hospital, health plan, health information exchange, or other covered entity of their choosing. These applications would endorse and agree to the code of conduct as part of the application registration process. The FTC, through its Section 5(a) authority, could then enforce that code of conduct against apps who publicly commit to following it. The CARIN Alliance code of conduct is intended to help address the concerns associated with sharing personal health information with consumer-facing apps.

The CARIN Alliance is focused on addressing the barriers associated with the consumer-directed exchange, helping organizations and individuals understand existing policies supporting consumer-directed exchange, assisting health care organizations to eliminate policy or workflow barriers that may exist for consumer-directed exchange, and educating consumers on their consumer-directed exchange options.

The CARIN Alliance is primarily focused on solving two use cases:

  1. How a consumer electronically requests access to their data using APIs, indicates where it should be sent, and is informed how their data will be used.
  2. How a covered entity electronically sends that data to the consumer.

III. Individual Right of Access request vs. HIPAA Authorization

The CARIN Alliance believes that when an individual makes a request for their data to be sent to an application of their choice it should be treated as an individual “right of access” request pursuant to the HIPAA Privacy Rule. We also believe that when an application makes a request for a consumer’s data at the direction of, and on behalf of, an individual, it should also be treated as an individual “right of access” request when it does the following:

  • Is submitted directly by a ‘personal health record’ (which HITECH says is an electronic record of personally identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual);
  • Meets the identity proofing and authentication requirements of the ONC’s common agreement (currently Identity Assurance Level (IAL) 2 and Authenticator Assurance Level (AAL) 2);
  • Clearly indicates the destination for sending the information; and
  • Is requesting data from the then-current US Core Data Interoperability Set (USCDI).

A HIPAA Authorization request is typically initiated by a provider or other entity to document consumer consent in order to exchange data with third parties within HIPAA in circumstances where the HIPAA Privacy Rule provides no other route for disclosure (for example, where the disclosure is not for treatment, payment or operations, or under the individual’s right of access).

More information on the difference between a HIPAA Authorization and an Individual Right of Access request can be found on the Office for Civil Rights website.

IV. Who is the audience for the CARIN code of conduct?

  1. Consumer Advocate Groups, Consumers, and their Authorized Caregivers: Those who are looking to understand how they can electronically access their health information from multiple systems.
  2. Entities covered by HIPAA: Organizations that are designated as covered entities under HIPAA including providers, payers, and clearinghouses and their business associates who operate on their behalf.
  3. Electronic Health Record Companies: Companies that provide the technology required for providers and hospitals to record clinical documentation, track workflows, and bill appropriately for care.
  4. Health Information Exchanges: Organizations that facilitate digital health information exchange on behalf of payers, providers, and consumers.
  5. Policymakers: Administration and congressional officials who are enacting health information exchange policies and procedures.
  6. Non-Covered Entities: Community-based organizations, consumer platform companies, and other entities not covered by HIPAA that develop health IT applications and/or services for the consumer to aggregate, analyze, and share their health information.

V. What is the purpose and structure of the CARIN Trust Framework?

Purpose: A consensus, voluntary framework by which applications used by the consumer agree to treat the individual’s health care information. 

Structure: There are three phases of the CARIN trust framework. The CARIN code of conduct is phase one. This is the foundational phase where third-party application and consumer platform companies will endorse and agree to the CARIN code of conduct as part of their registration process with the “application aggregators” or primary data holders (e.g., EHR application stores, iOS or Android Application stores, etc.). During phase two, applications will publicly endorse and agree to a set of questions regarding how they use, manage, and secure the consumer’s health data based on the principles in the code of conduct. This will include incorporating and expanding the ONC’s Model Privacy Notice to be consistent with the code of conduct. These structured questions will allow the consumer to filter and search for the applications that meet their individual preferences across platforms. Phase three is a potential future phase where independent, private-sector third parties could certify the applications based on the code of conduct, questionnaire, and possibly other criteria (e.g. validity of the application’s clinical guidelines, etc.).

VI. Who helped provide input to the CARIN code of conduct?

We are enormously indebted to the organizations who have provided valuable input to the CARIN Trust Framework and code of conduct. These are organizations that care deeply about consumers receiving electronic access to their health information and we are incredibly grateful for their ongoing support. For a list of those organizations, please access our website www.carinalliance.com under the section ‘Our Membership’.

VII. Can we provide input to the CARIN code of conduct?

We welcome and encourage comments and input from across the health care industry. Please submit your comments online at www.carinalliance.com. The CARIN Alliance board and membership will examine and carefully consider all comments to include in future releases of this document.

VIII. How does the CARIN Alliance plan on operationalizing the code of conduct?

The CARIN Alliance welcomes the opportunity to work with primary data holders of personally identifiable health information including health plans, the Federal Government, state Medicaid agencies, providers, hospitals, EHR vendors, HIEs, and other organizations who are implementing APIs for consumers to access their health information. We want to work with these organizations to include the code of conduct as part of their application registration process and ensure the data holders can inform consumers what applications have endorsed and agreed to the code of conduct so they can make an informed decision regarding the applications they would like to choose to access their health information.

Section II – The CARIN Alliance Code of Conduct

Background: The CARIN Alliance code of conduct represents the consensus view of a group of multi-sector stakeholders that include leading providers, payers, health IT companies, EHR companies, consumer platform companies, consumers, caregivers, and others focused on advancing consumer-directed exchange across the U.S. The Code is based on internationally recognized standards including the Code of Fair Information Practices (FIP) (See NCVHS report, “Health Information Privacy Around HIPAA: A 2018 Environmental Scan of Major Trends and Challenges", p.19) and numerous other information-sharing accepted principles and practices. The Alliance is working collaboratively with other stakeholders and leaders in government to overcome the policy, cultural, and technological barriers to advancing consumer-directed exchange. The CARIN Alliance envisions a future where any consumer can choose any application or service to retrieve both their complete health record and their complete claims information from any provider or health plan in the U.S. and have that information used, managed, and stored by a third-party application based on the individual’s consent and personal preferences. 

Application: The CARIN code of conduct is meant to apply to all consumer-facing applications (defined as technology-enabled platforms, services, and tools) that collect health information and are offered to and used by consumers in the United States, regardless of whether or not they are covered by HIPAA. 

The CARIN Alliance Code of Conduct 

The CARIN Alliance code of conduct is meant to provide consumers with transparency into how their health information is being used by their chosen consumer-facing application. 

As a company or organization that collects health care information on behalf of consumers, and facilitates the further use and sharing of that information as authorized by the consumer, we commit to the following: 

I. Transparency

The Principle of Openness, which provides that the existence of record-keeping systems and databanks containing data about individuals be publicly known, along with a description of the main purpose and uses of the data. 

We will:
  1. Have a privacy policy that is based on industry best practices and is prominent, publicly accessible, and easy to read (i.e., written in lay language) and that addresses all of the issues addressed in this Framework.
  2. Ensure our privacy policy specifies our Company’s data collection, consent, use, disclosure, access, security, and retention/deletion practices, including the use and sharing of de-identified, anonymized, or pseudonymized data.
  3. Address in our policy when data sharing could have an impact on others (such as the impact of sharing genetic or family history information on relatives).
  4. Proactively provide clear updates to users when privacy policies or practices have changed.
  5. Use the ONC’s Model Privacy Notice (MPN) and the CARIN questionnaire as a resource when developing the privacy policies of the application.
  6. Be clear with users regarding whether data is collected, or it is shared with third parties, on a one-time basis or persistently collected (and if so, for what duration) and allow the user rights to change those options consistent with our consent policies.
  7. Be clear with users regarding their rights (or lack thereof) to change or annotate data or to share portions of their health information and whether any such changes, annotations, or notices of lack of completeness are communicated to any downstream recipients authorized by the user.

II. Consent

The Principle of Collection Limitation, which provides that there should be limits to the collection of personal data, that data should be collected by lawful and fair means, and that data should be collected, where appropriate, with the knowledge or consent of the data subject.

The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.

We will:
  1. Avoid default data sharing by obtaining informed, proactive consent from users in advance of data sharing, with such consent clearly describing how user data will be collected, used and shared.
  2. Obtain separate, informed, proactive opt-in consent to use or disclose data from any individual or other individual identified in the protected health information (PHI) for marketing purposes. (For example, Individual A’s consent does not extend to Individual B who may be referenced in Individual A’s PHI.)
  3. Comply with the Children’s Online Privacy Protection Act that is defined by applicable law.
  4. Provide users with advance notice of our privacy policy changes and allow the user to affirm their consent to the updated privacy policy changes in order to continue to share their data with the application or given the option to withdraw consent.
  5. Provide users with an easy process for how to withdraw their consent with the application used to access the health information and clearly communicate those processes.
  6. Allow the user to always indicate the destination for sending their health information.

III. Use & Disclosure

The Principle of Use Limitation, which provides that there must be limits to the uses of personal data and that the data should be used only for the purposes specified at the time of collection.

The Principle of Disclosure Limitation, which provides that personal data should not be communicated externally without the consent of the data subject or other legal authority.

We will:
  1. Contractually bind third-party vendors and contractors to our privacy policies and prohibit use or disclosure of user information (including de-identified, anonymized or pseudonymized data) for any undisclosed purposes without express consent from the user.
  2. Except for the contracted third-party vendors identified above, prohibit the use of sharing of user data without user consent.
  3. Limit the collection of health information to only what the user has expressly consented that the application can collect.
  4. Collect, use, and disclose health information in ways that are consistent with reasonable user expectations given the context in which the users provided (or authorized the provision of) the health information.

IV. Individual Access

The Principle of Individual Participation, which provides that each individual should have a right to see any data about himself or herself and to annotate any data that is not timely, accurate, relevant, or complete where the application has the ability to do so. 

We will: 
  1. Provide the ability for users to access all identifiable information about the user collected by the application and a clear, easy process for requesting corrections to any inaccurate information.
  2. Establish and clearly communicate to users clear policies for how the application will handle health information it collects that may not be timely, accurate, relevant or complete.
  3. Upon user request, securely dispose of the user’s identifiable health data completely and indefinitely to allow the user the “right to be forgotten” with respect to any future uses or disclosures of user data.

V. Security

The Principle of Security, which provides that personal data should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure.

We will:
  1. Follow safeguards consistent with the responsible stewardship associated with the protection of a user’s health information against risks such as loss or unauthorized access, use, alteration, destruction, unauthorized annotation, or disclosure.
  2. Store and retain health information in a manner consistent with the best practices associated with the protection of personally identifiable health information.
  3. Protect identifiable health information through a combination of mechanisms including, at a minimum: secure storage, encryption of digital records both in transit and at rest, data-use agreements and contractual obligations, and accountability measures (e.g., access controls and logs and independent audits) that could be made available to the user.
  4. Comply with applicable breach notification laws and provide meaningful remedies to address security breaches, privacy, or other violations incurred because of misuse of the user’s health information.
  5. On behalf of our users, request a copy of their health data from the HIPAA designated record set maintained by a health care provider, health plan, or health information exchange by 1) relying on a health care provider or health plan portal identity credential using SMART or accept a digital identity credential for the user that is at least NIST Identity Assurance Level 2 (IAL2) and Authenticator Assurance Level 2 (AAL2) and 2) clearly indicating the destination for sending the health information.
  6. Adopt internal policies and secure contractual commitments with third parties to prohibit the re-identification of de-identified or anonymized data.
  7. Establish and implement a policy for how to handle dormant user accounts.

VI. Provenance

The Principle of Data Quality, which provides that personal data should be relevant to the purposes for which they are to be used, and should be accurate, complete, and timely.

We will:
  1. Where possible, as data is changed continue to maintain the provenance of the data to provide users, their caregivers, and authorized recipients information about who or what entity originally supplied the data and, where relevant, who made changes to the data, and what changes were made.

VII. Accountability

The Principle of Accountability, which provides that record keepers should be accountable for complying with fair information practices.

We will:
  1. Comply with all applicable federal and state laws.
  2. Designate a responsible executive officer within the company who is committed to these health information principles and ensure these commitments are publicly facing to allow oversight enforcement by the Federal Trade Commission (FTC), State Attorneys General, or other applicable authorities.
  3. Establish and clearly communicate a process for collecting and responding to user complaints.
  4. Train our staff on these principles and ensure compliance by regularly evaluating our performance internally.
  5. Notify the public when we have received any certification or accreditation from any independent certifying organizations (and indicate the timing/duration of such certifications).

In addition to the above commitments that give meaning to the Code of Fair Information Practices, we agree to support the vision of the CARIN Alliance as follows: 

VIII. Education

  1. Inform users about their health information sharing choices and the consequences of those choices including the risks, benefits, and limitations of data sharing by providing educational materials ourselves or pointing to appropriate third-party resources.

IX. Advocacy

We will:
  1. Actively work with other industry stakeholders to expand the set of standardized individually identifiable health information that could be made “readily producible” for collection by consumer-facing applications.