Our consent management and auditing technologies enable healthcare organizations and health information exchange organizations (HIOs) to implement, enforce and audit privacy policies established by consumers, organizations and jurisdictions.


On July 21st, the U.S. HIT Standards Committee’s Privacy and Security Workgroup identified consent management as “the widest, and perhaps most urgent, gap” in interoperability standards, recognizing consumers are becoming more involved in defining how their information is shared.

The HHS Office for Civil Rights also recognizes the importance of consumer choice:

“Individuals should be provided a reasonable opportunity and capability to make informed decisions about the collection, use, and disclosure of their individually identifiable health information.”

Individual Choice Principle, Office for Civil Rights’ Nationwide Privacy & Security Framework


Optimizing the Standards

HIPAAT has taken a leadership position to enable consumer privacy to be implemented now. We participate in the development of industry standards through organizations such as the Organization for the Advancement of Structured Information Standards (OASIS).

Version 3.0 of our consent management and auditing software, released July 20th, follows – and optimizes – Healthcare Information Technology Standards Panel (HITSP)-recommended standards for access control and auditing, including OASIS XACML, OASIS XSPA, and IHE-ATNA.

V3.0 extends the standards’ current capabilities to enable comprehensive, flexible and granular consent management. As an example, we’ve added the capability to accommodate and audit emergency override ('break the glass') access to restricted protected/personal health information (PHI). This enables proper patient care in a privacy-conscious environment.

Our commitment is to adapt our technologies as the standards evolve, while satisfying patient privacy concerns now.


ARRA / HIPAA Requirements

V3.0 was designed to help healthcare organizations meet privacy provisions of the Health Insurance Portability and Accountability Act (HIPAA) and the American Recovery and Reinvestment Act (ARRA).

We support organizations in their efforts to meet provisions such as:

protecting sensitive PHI from disclosure so that patients aren’t reluctant to seek treatment or provide important medical information

allowing patients to restrict certain disclosures of PHI when paying for treatment out-of-pocket

producing an accounting of disclosures made from EHRs

HIPAAT's Software

The solution includes:

Privacy eSuite (SOA)
'Consent engine' that stores privacy policies, converts them into access rules and adjudicates requests to access PHI

Web application where consumers record their privacy preferences using simple Web templates

Privacy Manager
Point-of-service application that enforces privacy policies

Universal Audit Repository (UAR)
Central repository of IHE-ATNA audit events that provides immediate breach alerts of override access to PHI

Java Consent Validation Interface (JCVI)
Toolkit allowing any EHR to receive adjudicated PHI access requests from a standards-based access control service

V3.0 Benefits

EHRs / HIT applications

leverage our JCVI to eliminate the need to embed consent-based access control

address ARRA / HIPAA privacy provisions while maintaining focus on core functionality

Healthcare organizations / HIOs

leverage existing HIT investments while addressing PHI privacy

balance patient privacy with provider access to PHI


are more willing to share health information electronically

specify privacy preferences using simple Web templates or with the guidance of a provider

Date: July 30, 2009

HIPAAT provides consent management and security auditing solutions to healthcare. Our SOA-based software balances consumer information privacy with the clinical need to access personal health information, supporting effective health information exchange. Our interoperable, standards-based approach enables stakeholders at all levels of health data sharing to implement, audit and enforce patient, organizational and jurisdictional privacy policies. For more information, visit www.hipaat.com