What provisions should be included in a model privacy and security policy that patients might use in making decisions related to their privacy and the security of their PHRs?

The following should be included in a patient privacy and security policy:

• A comprehensive description of how personal data is collected, stored, processed and used by the healthcare provider.
• Clear guidelines on the responsibilities that both patient and provider must adhere to when it comes to protecting private information.
• A detailed overview of security measures, such as encryption technologies or other safeguards, employed to protect personal health records against unauthorized access or disclosure.
• Notification procedures outlining what steps need to be taken if there is a breach in confidentiality (e.g., who needs to be notified and when).
• Consent forms detailing how individuals agree to have their medical information handled by providing electronic signatures or similar methods.
• An instruction manual explaining how patients can manage their own PHRs (e.g., create an account with a secure password, review and update personal settings, opt out of certain features, etc.).

Including these policies in a single document helps ensure that all parties, both healthcare providers and patients, are aware of their rights and obligations when it comes to protecting the privacy and security of sensitive health data.

