The purpose of this policy is to 1) describe the commitment of Company, its Participants and Authorized Users to protect the privacy and confidentiality of Confidential Information (definition) that is sent to, included in, accessed through or stored on the health information exchange operated by Company; and 2) describe the steps taken by Company, the Participants and Authorized Users to protect the privacy and confidentiality of Personal Health Information and Confidential Information.
It is the policy of Company to comply with State and Federal laws regarding the privacy of Confidential Information and to assist and support its Participants and Authorized Users in meeting their privacy requirements under applicable law and accreditation standards.
Company has implemented privacy safeguards and policies regarding Confidential Information and requires the Participants and/or Authorized Users to implement policies and safeguards that comply with the minimum standards established in the Company Policies.
Each Participant and Authorized User is required to exhibit the same care and diligence in safeguarding Confidential Information obtained through the Company System as the Participant or Authorized User would for patient information that it otherwise generates or maintains.
Participants and Authorized Users must acknowledge acceptance of this Company Policy prior to participating in, or using, the Company System.
Company will continue to remain in compliance with the Statewide Collaborative Process and the Privacy and Security Policies and Procedures for Regional Health Information Organizations (RHIOs) and their Participants in New York State.
A. Requirements for exchanging data via the Company System
In order to become a participant in Company ("Participant") and access and exchange Confidential Information via Company, a Participant must:
- Be a Covered Entity or part of a Covered Entity, or otherwise be authorized by Company.
- Complete a Company application and enter into a RHIO Services Agreement, Data Access agreement or other agreement authorized by Company.
- Be approved by Company.
- Enter into a Business Associate Agreement with Company, if applicable.
- Limit use of Personal Health Information and Confidential Information obtained through Company to patient care (i.e. treatment and care coordination), Quality Improvement, case management, public health purposes, other Acceptable Uses and other uses specifically authorized by the applicable patient.
B. Authorized Users
- Access to the Company System will be limited to Authorized Users. In order to be an Authorized User, an individual must:
- Be an employee, Professional Staff member, or agent of a Participant of Company, who:
- Meet the definition of an Authorized User.
- Complete Company Identification Procedures.
- Receive approval, a unique user identifier and a password from Company to access the Company System.
- Agree to training regarding access to, and use and disclosure of Personal Health Information and Confidential Information available through the Company System.
- Sign (or electronically sign) a confidentiality agreement in regard to the terms and conditions of his/her access to the Company System, and
- Be entered into the Company System as an Authorized User.
- Access by an Authorized User shall be based upon the Authorized User's job functions (i.e. role-based access control).
- Third parties that are not Authorized Users shall not be permitted to access the Company System.
- Company staff shall be permitted to access Personal Health Information and Confidential Information to test and support the functionality of the Company System and to review Participant compliance with Company Policies. Such access shall be limited to the information reasonably necessary for such compliance review and/or testing functions and/or other reasons required by Company.
C. Acceptable Information in the Company System
Unless specifically authorized by Company, the Company System may not be used by a Participant and/or an Authorized User to transmit any information other than Personal Health Information and Confidential Information and system operation data.
D. Patient Consent
- Except as otherwise specifically authorized in the Company Consent Policy (defined later in this document), Participants shall be required to obtain a written (or authorized electronic) consent from each patient (or the patient's legal representative) prior to accessing the information on the Company System, except in the case of an emergency. Consent shall be in effect until revoked.
- If Patient Consent is not obtained or a patient revokes his/her Patient Consent, a Participant is not permitted to access the applicable patient's Confidential Information through the Company System. Participants shall be required to implement policies and procedures to ensure that the consent statuses of a patient, including patient refusals or revocations of consents, are accurately conveyed to the Company System.
- Prior to obtaining Patient consent, Participant must offer each patient an explanation of health information exchange, in general, and about Company, its Participants and its responsibilities.
- The actual document used to capture Patient consent will be approved by the New York State Department of Health unless a waiver is otherwise sought by the Participant.
- The process for disseminating the required information to a patient and the process for obtaining Patient consent shall be determined by the individual Participant in conjunction with Company, but shall comply with the minimum requirements set forth in the Company Consent Policy.
E. Business Associate Agreements
Company shall be considered a Business Associate of the Participants that supply data to Company and shall enter into Business Associate Agreements with each of these Participants. Company will be required to comply with the terms of the Business Associate Agreement, including requirements to ensure in writing, that all of its vendors and subcontractors comply with the HIPAA Business Associate requirements.
Company and its Participants and/or Data Suppliers shall implement physical, technical and administrative safeguards to protect the privacy and security of Personal Health Information and Confidential Information. Such safeguards shall comply with Company Policies. Specifically, Company and its Participants and/or Data Suppliers shall:
- Securely transmit information between the Participant's edge servers and the data center hub housing the web server.
- Encrypt all transmitted information. Encryption is required when transferring Company restricted and confidential information over insecure networks. Insecure networks include the Internet and any network that is not under the administration of Company. Generally accepted security guidelines are to be used for encrypting files, e-mail, User IDs, passwords, and any other information that is considered Company restricted or confidential.
- Require unique user identifiers and passwords in order to access the Company System. Authorized Users are required to change their passwords at least every 90 calendar days and are prohibited from re-using the most recent password.
- Prohibit Authorized Users from sharing passwords and/or unique user identifiers.
- Perform Compliance Reviews regarding access to the Company System by Authorized Users.
- Comply with Information Security Architecture Standards in accordance with the specifications and schedule provided by the Statewide Health Information Network for New York (SHIN-NY).
G. Secondary Use of the Information in Company
Confidential Information viewed and/or used by an Authorized User for treatment purposes may be included or referenced in the Authorized User's or applicable Participant's clinical record, provided that such record specifies the source of the information. Once Confidential Information is included or referenced in a clinical record, the Confidential Information can be disclosed in accordance with that Participant's or Authorized User's policies, subject to applicable law.
Because Company functions only to transmit Confidential Information, in response to subpoenas and court orders for Personal Health Information or Confidential Information it shall certify that it does not maintain any medical records.
I. Retention of Confidential Information
Participants and/or Authorized Users shall be required to establish policies regarding maintenance of records in accordance with applicable Federal and State law.
Company and the Participants shall implement policies regarding discipline and sanctions for failure to comply with applicable privacy and confidentiality laws and with Company and Participant Policies. Participant policies shall, at a minimum, comply with the Company Sanctions Policy. Participant and Company Sanctions Policies (defined below) shall allow for revocation of an Authorized User's access to Company for intentional disregard of applicable law or Company or Participant Policies. Company shall also have the authority to terminate RHIO Services Agreements for substantive failure of a Participant to comply with applicable law or Company Policies. Authorized Users that are not affiliated with a Participant will also be required to comply with this Section.
K. Compliance Reviews and Response to Confidentiality Breaches
Company and its Participants will perform Compliance Reviews and respond to Confidentiality Breaches in accordance with the Company Compliance Review and Confidentiality Breach Policies.