The purpose of this policy is to 1) describe the commitment of Care52, its Participants and Authorized Users to protect the privacy and confidentiality of Confidential Information that is sent to, included in, accessed through or stored on the health information exchange operated by Care52; and 2) describe the steps taken by Care52, the Participants and Authorized Users to protect the privacy and confidentiality of Personal Health Information and Confidential Information.
It is the policy of Care52 to comply with State and Federal laws regarding the privacy of Confidential Information and to assist and support its Participants and Authorized Users in meeting their privacy requirements under applicable law and accreditation standards.
Care52 has implemented privacy safeguards and policies regarding Confidential Information and requires the Participants and/or Authorized users to implement policies and safeguards that comply with the minimum standards established in the Care52 Policies.
Each Participant and Authorized User is required to exhibit the same care and diligence in safeguarding Confidential Information obtained through the Care52 System as the Participant or Authorized User would for patient information that it otherwise generates or maintains.
Participants and Authorized Users must acknowledge acceptance of this Care52 Policy prior to participating in, or using, the Care52 System.
Care52 will continue to remain in compliance with the Statewide Collaborative Process and the Privacy and Security Policies and Procedures for Regional Health Information Organizations (RHIOs) and their Participants in New York State.
A. Requirements for exchanging data via the Care52 System
In order to become a participant in Care52 ("Participant") and access and exchange Confidential Information via Care52, a Participant must:
- Be a Covered Entity or part of a Covered Entity, or otherwise be authorized by Care52.
- Complete a Care52 application and enter into a RHIO Services Agreement, Data Access agreement or other agreement authorized by Care52.
- Be approved by Care52.
- Enter into a Business Associate Agreement with Care52, if applicable.
- Limit use of Personal Health Information and Confidential Information obtained through Care52 to patient care (i.e. treatment and care coordination), Quality Improvement, case management, public health purposes, other Acceptable Uses and other uses specifically authorized by the applicable patient.
B. Authorized Users
- Access to the Care52 System will be limited to Authorized Users. In order to be an Authorized User, an individual must:
  - Be an employee, Professional Staff member, or agent of a Participant of Care52.
  - Meet the definition of an Authorized User.
  - Complete Care52 Identification Procedures.
  - Receive approval, a unique user identifier and a password from Care52 to access the Care52 System.
  - Agree to training regarding access to, and use and disclosure of, Personal Health Information and Confidential Information available through the Care52 System.
  - Sign (or electronically sign) a confidentiality agreement covering the terms and conditions of his/her access to the Care52 System.
  - Be entered into the Care52 System as an Authorized User.
- Access granted to an Authorized User shall be based upon the Authorized User's job functions (i.e. role-based access control).
- Third parties that are not Authorized Users shall not be permitted to access the Care52 System.
- Care52 staff shall be permitted to access Personal Health Information and Confidential Information to test and support the functionality of the Care52 System and to review Participant compliance with Care52 Policies. Such access shall be limited to the information reasonably necessary for such compliance review and/or testing functions and for other purposes required by Care52.
C. Acceptable Information in the Care52 System
Unless specifically authorized by Care52, the Care52 System may not be used by a Participant and/or an Authorized User to transmit any information other than Personal Health Information and Confidential Information and system operation data.
D. Patient Consent
- Except as otherwise specifically authorized in the Care52 Consent Policy (defined later in this document), Participants shall be required to obtain a written (or authorized electronic) consent from each patient (or the patient's legal representative) prior to accessing the information on the Care52 System, except in the case of an emergency. Consent shall be in effect until revoked.
- If Patient Consent is not obtained or a patient revokes his/her Patient Consent, a Participant is not permitted to access the applicable patient's Confidential Information through the Care52 System. Participants shall be required to implement policies and procedures to ensure that the consent statuses of a patient, including patient refusals or revocations of consents, are accurately conveyed to the Care52 System.
- Prior to obtaining Patient Consent, a Participant must offer each patient an explanation of health information exchange in general, and of Care52, its Participants and their responsibilities.
- The document used to capture Patient Consent will be one approved by the New York State Department of Health, unless a waiver is sought and obtained by the Participant.
- The process for disseminating the required information to a patient and the process for obtaining Patient Consent shall be determined by the individual Participant in conjunction with Care52, but shall comply with the minimum requirements set forth in the Care52 Consent Policy.
E. Business Associate Agreements
Care52 shall be considered a Business Associate of the Participants that supply data to Care52 and shall enter into Business Associate Agreements with each of these Participants. Care52 will be required to comply with the terms of the Business Associate Agreement, including requirements to ensure in writing, that all of its vendors and subcontractors comply with the HIPAA Business Associate requirements.
F. Security Safeguards
Care52 and its Participants and/or Data Suppliers shall implement physical, technical and administrative safeguards to protect the privacy and security of Personal Health Information and Confidential Information. Such safeguards shall comply with Care52 Policies. Specifically, Care52 and its Participants and/or Data Suppliers shall:
- Securely transmit information between the Participant's edge servers and the data center hub housing the web server.
- Encrypt all transmitted information. Encryption is required whenever Care52 restricted or confidential information is transferred over an insecure network. Insecure networks include the Internet and any network that is not administered by Care52. Generally accepted security guidelines are to be followed when encrypting files, e-mail, user IDs, passwords, and any other information that is considered Care52 restricted or confidential.
- Require unique user identifiers and passwords in order to access the Care52 System. Authorized Users are required to change their passwords at least every 90 calendar days and are prohibited from re-using the most recent password.
- Prohibit Authorized Users from sharing passwords and/or unique user identifiers.
- Perform Compliance Reviews regarding access to the Care52 System by Authorized Users.
- Comply with Information Security Architecture Standards in accordance with the specifications and schedule provided by the Statewide Health Information Network for New York (SHIN-NY).
G. Secondary Use of the Information in Care52
Confidential Information viewed and/or used by an Authorized User for treatment purposes may be included or referenced in the Authorized User's or applicable Participant's clinical record, provided that the record specifies the source of the information. Once Confidential Information is included or referenced in a clinical record, it may be disclosed in accordance with that Participant's or Authorized User's policies, subject to applicable law.
H. Subpoenas and Court Orders
Because Care52 functions to transmit Confidential Information rather than to hold it, Care52 shall, in response to subpoenas and court orders seeking Personal Health Information or Confidential Information, certify that it does not maintain any medical records.
I. Retention of Confidential Information
Participants and/or Authorized Users shall be required to establish policies regarding maintenance of records in accordance with applicable Federal and State law.
J. Sanctions
Care52 and the Participants shall implement policies regarding discipline and sanctions for failure to comply with applicable privacy and confidentiality laws and with Care52 and Participant Policies. Participant policies shall, at a minimum, comply with the Care52 Sanctions Policy. Participant and Care52 Sanctions Policies shall allow for revocation of an Authorized User's access to Care52 for intentional disregard of applicable law or of Care52 or Participant Policies. Care52 shall also have the authority to terminate RHIO Services Agreements for a Participant's substantive failure to comply with applicable law or Care52 Policies. Authorized Users that are not affiliated with a Participant will also be required to comply with this Section.
K. Compliance Reviews and Response to Confidentiality Breaches
Care52 and its Participants will perform Compliance Reviews and respond to Confidentiality Breaches in accordance with the Care52 Compliance Review and Confidentiality Breach Policies.