RULE 220.00.11-001 - Privacy Policies

RULE 220.00.11-001. Privacy Policies

OHIT wishes to express its gratitude to Connecting for Health and the Markel Foundation for their work in developing the Common Foundation: Resources for Implementing Private and Secure Health Information Exchange and NEHII, Inc. This work incorporates some of the concepts set forth in those resources.

OHIT Privacy Policies

INTRODUCTION

The following policies apply to the access, use and disclosure of protected health information by Participating Entities through the Office of Health Information Technology (OHIT) State Health Alliance for Records Exchange ("SHARE") and other data exchange services being made available to Participating Entities. SHARE and these other services are collectively referred to as the 'System." These policies are designed for use as SHARE and its Participating Entities exchange health information. It is anticipated these policies will be reviewed and revised as needed based on the experience of OHIT and Participating Entities.

STATUS OF OHIT AND PARTICIPATING ENTITIES

The following terms used throughout the policies are defined as follows:

Participating Entities means those entities which provide data to SHARE and those entities which obtain and use data from SHARE as health care providers, health plans, or health care clearinghouses (collectively "Covered Entities" as defined by HIPAA1). All Participating Entities are Covered Entities under HIPAA or have signed Participation Agreements with OHIT. Participating Entities should not be confused with Individuals whose protected health information is exchanged using SHARE.

Business Associate means one who acts for, or on behalf of a Participating Entity to perform a function or activity involving the use or disclosure of protected health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and re-pricing; or any other function or activity, See 45 CFR § 160.103.

OHIT is a business associate ("BA") of the Participating Entities who are Covered Entities under HIPAA. OHIT accepts and agrees to follow terms applicable to the privacy of protected health information by virtue of its business associate agreements with Participating Entities and these privacy policies.

Individual(s) means those persons whose protected health information is transmitted using SHARE.

PRIVACY PRINCIPLES

These OHIT Privacy Policies ("Privacy Policies") are rooted in nine privacy principles discussed in the Connecting for Health"The Architecture for Privacy in a Networked Health Information Environment" and a tenth adapted from NeHII, Inc. by OHIT that, taken together with privacy policies and procedures already deployed by Participating Entities as Covered entities under HIPAA form a comprehensive array of administrative safeguards addressing privacy of protected health information. OHIT has modeled its Privacy Policies on the Connecting For Health"Model Privacy Policies and Procedures for Health Information Exchange," with a number of differences based on state law, physical and technical safeguards available through SHARE, and SHARE's unique operating environment.

These core privacy principles and the policies that flow from them promote balance between consumer control of and access to health information and the operational need of covered entities to ensure that information uses and disclosures are not overly restricted, such that consumers would be denied many of the benefits and improvements that information technology can bring to the health care system. The policies are intended to reflect a carefully balanced view of all of the principles and avoid emphasizing some over others in any way that would weaken the overall approach. The guiding OHIT privacy principles are as follows:

Openness and Transparency. Clarity about procedures, policies, developments, and technology concerning the handling of protected health information is vital to protecting privacy. Individuals should be able to understand what information exists about them, how the protected health information is used, and how they can control use of that information. Openness and transparency helps promote privacy practices and gives individuals confidence with regard to privacy of protected health information, which in turn can help increase consumer participation in health information networks.

Purpose Specification and Minimization. Access to and use of patient health information must be limited to the type and amount necessary to accomplish specified permitted purposes. Minimizing the use of protected health information will help decrease the amount of privacy violations, which may occur when data is collected for one legitimate reason and then reused for different or unauthorized purposes.

Disclosure Limitation. Protected health information should be made available through SHARE to OHIT and Participating Entities only by lawful means, and, if applicable, with the knowledge and permission of the individual. Electronic collection of protected information may be confusing to most individuals. It is important that individuals are aware of how information concerning them is being collected in an electronic networked environment. Individuals should be educated about the potential health and treatment benefits as well as risks to their protected health information that are associated with participation in SHARE. Individuals deciding not to participate should have the opportunity to know the System-wide effect of such decision and the potential disadvantages.

Access and Use Limitation. Protected health information should be obtained by one Participating Entity from another only pursuant to mutual agreement that the information is being accessed for qualifying treatment or payment purposes of the requesting Participating Entity or for other purposes permitted by law. Participating Entities may use and disclose protected health information obtained through SHARE only for purposes and uses consistent with their permitted access and consistent with their obligations as covered entities under HIPAA. Certain exceptions, such as for law enforcement or public health reporting, may warrant disclosure of information for other purposes. However, when information obtained by a Participating Entity through SHARE is used for purposes other than those for which the information was originally obtained, the Participating Entity so using or disclosing the information should first apply the rules applicable to it as a Covered Entity under HIPAA and as a contracting Participating Entity.

Individual Participation and Control. Consistent with the scope of individual rights in HIPAA, individuals should have the right to request and receive in a timely and intelligible manner information regarding various parties that may have that individual's specific health information; to know any reason for a denial of such request; to request to amend any protected health information that the individual believes is inaccurate; and to request not to have his or her information made available through SHARE. Individuals have a vital stake in their protected health information, such rights enable individuals to make informed decisions about participation and provide another means to monitor for inappropriate access, use and disclosure of protected health information. Individual participation promotes information quality, privacy, and confidence in privacy practices.

Data Integrity and Quality. Health information should be detailed, complete, appropriate, and current to guarantee its value to the various parties. The effective delivery of quality health care depends on complete health information. In addition, individuals can be negatively affected by inaccurate health information in other contexts, such as insurance and employment. Therefore, SHARE must maintain the integrity of protected health information and individuals must be allowed to view information about them and request to amend such health information so that it is accurate and complete.

Security Safeguards and Controls. In an era of increased computer and Internet-related crime, security safeguards are vital to privacy protection. Networked environments could be susceptible to cyber-crime without adequate controls. Such controls are put in place to prevent information loss, corruption, unauthorized use, modification, and disclosure. Methods of precaution that can be implemented include information scrubbing, identity management tools, hashing, auditing, authenticating, and other means to ensure information privacy. Privacy and security safeguards should be coordinated for the protection of patient health information.

Accountability and Oversight. Privacy protections have less value to an individual if privacy violators are not held accountable for failing to follow procedures relating to such privacy protections. Potential Participating Entities, such as those who will provide data to SHARE, are unlikely to fully trust SHARE and fully participate, if they believe other Participating Entities are not applying the same rules and being held to the same standard of accountability. User and workforce training, privacy audits, and other oversight tools can help to identify and address privacy violations and security breaches by conditioning participation and access authority on compliance with these and the individual Participating Entity's privacy policies, by excluding from participation those who violate privacy requirements, and by identifying and correcting weaknesses in privacy and security safeguards.

Remedies. To ensure privacy protection there must be legal and financial remedies that hold violators accountable for failing to comply with OHIT policies. Such remedies will give individuals confidence in the organization's commitment to keeping protected health information private, and mitigate any harm that privacy violations may cause individuals. As a condition of continued participation, all Participating Entities in SHARE must have a common duty to participate in investigation, mitigation and remediation steps for the integrity of SHARE.

Reliance on Covered Entity Policies and Enforcement. While OHIT should have a number of core policies and procedures for the benefit and confidence of all Participating Entities, OHIT should not try to replace policies, procedures and methods already adopted by Participating Entities as covered entities under HIPAA. OHIT should identify, disseminate and enforce only those policies and procedures necessary for coordination of privacy response, but should recognize that existing Participating Entity policies govern in all other areas.

OHIT policies incorporate the principles outlined in the preceding ten principles as well as basic requirements set forth in HIPAA. The OHIT policies seek to achieve a balance between maintaining the confidentiality of health information and maximizing the benefits of such information.

EFFECT OF LEGISLATION AND RULE CHANGES

OHIT and Participating Entities need to remain flexible in approach in order to adapt to the uncertainty of state and federal legislation and regulations that will affect design, safeguards, rights and responsibilities over time. This shall include monitoring and implementing design components and safeguards mandated in the Health Information Technology for Economic and Clinical Health Act or "HITECH" as enacted in P.L 111-5 and regulations to be issued thereunder.

SAFEGUARDS IN AN ELECTRONIC NETWORKED ENVIRONMENT

HIPAA permits covered entities that hold protected health information to disclose such information to other covered entities both for their own treatment and payment purposes and for the treatment and payment purposes of such third parties, without written authorization.2 HIPAA limits authority to disclose without authorization in other situations and attaches conditions. HIPAA thus places a duty on Participating Entities holding protected health information to determine that each proposed disclosure is permitted.

In a non-electronic health care environment, Participating Entities subject to this duty would have the opportunity to examine third party requests for information beforehand and make an individual determination whether a disclosure is a permitted disclosure for the treatment or payment purposes of the requesting Participating Entity. In an electronic health care environment, such as SHARE, the disclosing Participating Entity will not receive or "process" a request for access. Other Participating Entities using SHARE can simply locate the Participating Entity's record and access it as needed. The human element of analyzing individual requests is absent.

Accordingly, to permit Participating Entities that furnish information to meet their obligation to disclose protected health information only for a qualifying purpose, and to meet certain other conditions during the initial phase of SHARE, including the responsibility to do the following:

* Access information from another Participating Entity's records only for a qualifying treatment or payment use by the requesting Participating Entity. A qualifying treatment or payment use is one that would permit the Participating Entity from whose records the information is accessed to disclose such information to the requesting Participating Entity under §§ 164.506(c)(2) and (3) of the Privacy Rule.

* Access information by applying the minimum necessary standards as defined by HIPAA.

To support this approach, OHIT and the Participating Entities will ensure that the all Participating Entities must be covered entities under HIPAA or have signed a Participation Agreement with OHIT and therefore are individually subject to regulation and penalties.

* During its initial phase, all Participating Entities commit to accessing PHI only for their treatment and payment purposes. While § 164.506(c)(4) permits limited disclosure for the health care operations of another Participating Entity, SHARE is only to be used by Participating Entities to access protected health information for treatment and payment purposes or for public health reporting purposes. As SHARE matures, OHIT is authorized to develop Privacy and Security Procedures to address uses and disclosures which are not for treatment, payment, operations or public health reporting including requests for research purposes in accordance with state and federal regulations.

"Treatment" and "payment," as used in these policies and explanations, have the meaning given in Section § 164.501 off the Privacy Rule.

OHIT Privacy

Policy 100: Compliance with Law and Policy

Scope and Applicability: This Policy applies to OHIT and all Participating Entities.

Policy:

1. Laws. Each Participating Entity must, at all times, comply with all federal, state, and local laws and regulations, including, but not limited to, those protecting the confidentiality and security of protected health information and establishing certain individual privacy rights. Each Participating Entity must use reasonable efforts to stay up-to-date of any changes or updates to and interpretations of such laws and regulations to ensure compliance.3

2. OHIT Policies. Each Participating Entity shall, at all times, comply with these OHIT Policies ("OHIT Policies"). These OHIT Policies may be changed and updated from time to time upon reasonable written notice to Participating Entities. Amendments shall be effective when adopted by the OHIT with review by the SHARE Health Information Exchange Council and promulgated as required by the Arkansas Administrative Procedures Act. OHIT shall notify Participating Entities of all policy changes. Each Participating Entity is responsible for ensuring it has, and is in compliance with, the most recent version of these OHIT Policies.

3. Participating Entity Policies. Each Participating Entity is responsible for establishing internal policies that are necessary to comply with applicable laws and these OHIT Policies.

4. Participating Entity Criteria. Each Participating Entity shall itself be a HIPAA Covered Entity or have executed a Participation Agreement with SHARE. Therefore, each Participating Entity will have either a legal duty as a regulated Covered Entity under HIPAA or have contractually assumed obligations under its Participation Agreement. Each Participating Entity must commit to be a data provider to the extent possible in order to become a data user.

5. User Criteria. Authorized users are individuals who have been granted access authority. Each authorized user derives his or her permission to access and use SHARE from a Participating Entity. Therefore each authorized user must maintain a current relationship to a Participating Entity in order to use SHARE. Authorized users must therefore be:

(i) Participating Entities (for example, an individual physician) or workforce of a Participating Entity,

(ii) an individual Business Associate (BA) or workforce of such BA, or

(iii) an individual contractor or subcontractor of a BA or workforce of such contractor or subcontractor. Additionally, a Participating Entity that is a covered health plan may also be an authorized user in its role as a third party administrator and BA for self-funded group health plans that are covered entities under HIPAA but are not themselves Participating Entities.

6. Application to BAs and Contractors. Participating Entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their business associate agreements.

OHIT Privacy

Policy 200: Notice of Privacy Practices

Scope and Applicability: This Policy applies to all Participating Entities.

Policy:

Each Participating Entity who is a Covered Entity under HIPAA shall develop and maintain a notice of privacy practices (the "Notice"). The Notice must describe the uses and disclosures of protected health information contemplated through the Participating Entity's participation in SHARE.

1. Content. The Notice must meet the content requirements set forth under the HIPAA Privacy Rule4 and comply with applicable laws and regulations. Participating Entities shall individually determine whether their current Notice requires amendment to reflect their contemplated uses and disclosure of protected health information through SHARE. OHIT provides the following sample language for Participating Entities who elect to amend their Notice:

"We may make your protected health information available electronically through an electronic health information exchange to other health care providers and health plans that request your information for their treatment and payment purposes. Participation in an electronic health information exchange also lets us see their information about you for our treatment and payment purposes. "

2. Dissemination and Individual Awareness. Each Participating Entity shall have its own policies and procedures governing distribution of the Notice to individuals, and, where applicable, acknowledgment of receipt by the individual, 5 which policies and procedures shall comply with applicable laws and regulations.

3. Participating Entity Choice. Participating Entities may choose a more proactive Notice distribution or patient awareness process than provided herein and may include more detail in their Notice, so long as any expanded detail does not misstate the safeguards supporting SHARE.

OHIT Privacy

Policy 300: Individual Control of Information Available Through SHARE

Scope and Applicability: This Policy applies to OHIT, SHARE, and all Participating Entities.

Policy:

1. Choice Whether to Have Information Included in SHARE. All individuals will have the opportunity to allow their protected health information to be exchanged using SHARE as well as the opportunity to opt out of allowing their protected health information to be exchanged using SHARE. A request to opt out will be treated as a request to withhold any use and disclosure of the individual's protected health information unless there is an emergency or disaster as described below. Participating Entities agree to approve such requests, subject to qualifications and limitations as described in the informational brochure referred to below or in these policies.

1.1. Individuals shall be afforded the opportunity to exercise this choice periodically at the time of any service at a Participating Entity that is a health care provider or thereafter through a uniform opt-out process. This process will be fully developed by OHIT in its Privacy and Security Procedures.

1.2. OHIT will, from time to time, furnish Participating Entities that are health care providers with an informational brochure about SHARE for distribution to individuals and for use in explaining the meaning and effect of participation or opting out. Participating Entities may customize the informational brochure as they deem appropriate to fit their circumstances. The brochure will also contain a link to the OHIT website where OHIT will provide an explanation of the meaning and effect of participation or opting out and a tool for opting out or revoking a prior opt-out election.

1.3. The brochure shall explain the scope of an opt-out decision, the risks to the individual's data privacy and security if the individual participates, the effect and benefits of participation, and the effect and disadvantages of opting out. The brochure will explain that a Participating Entity's policies continue to govern access, use and disclosure in all other contexts.

1.4. The brochure shall state that the Participating Entity (and other Participating Entities) will not withhold coverage or care from an individual on the basis of that individual's choice not to exchange his or her protected health information through SHARE or her included in SHARE.

1.5. Participating Entities should furnish the brochure to individuals at the initiation of an episode of care and explain for individuals the opportunity to opt-out or ask questions. Each Participating Entity will have one or more persons designated to answer questions about SHARE or about opting out or revoking a prior opt-out election.

1.6. Participating Entities may also direct individuals to the OHIT website and to a help line at OHIT where the individual can ask additional questions and obtain additional information about participation in OHIT and opt-out. OHIT as a business associate of the Participating Entities is authorized to provide information and answer individual questions about OHIT and the opt-out alternative on behalf of Participating Entities.

1.7. Participating Entities that are health plans provide only limited enrollment and eligibility information through SHARE and have limited or no face-to-face contact with individuals. Participating Entities that are health plans shall provide a description of SHARE, an explanation of the right to opt out, a link to the OHIT website and a phone number individuals can use to obtain additional information about SHARE, insurer access, and the right to opt out in their annual Notice and otherwise as they determine necessary.

1.8. An individual's election to opt out of participation in SHARE shall be communicated to OHIT in the manner provided by OHIT and be of System-wide effect once so communicated and processed. This means that once an individual has opted out of SHARE, no previously entered record will be made available other than as required by law or as permitted in an emergency or natural disaster. Individuals choosing to opt out may not have direct access to their Protected Health Information contained in SHARE as described in Policy 400, item 11.

2. Change to Prior Election. An individual may opt out or revoke a prior election to opt out at a later date as set out in the OHIT Privacy and Security Procedures. The brochure and information on the OHIT website should inform the individual that withdrawing a prior opt-out election will result in information that was previously unavailable through SHARE becoming available to all Participating Entities using SHARE.

3. Effect of Choice. An individual who opts out of SHARE opts out as to all of his or her records made available through SHARE, not just with respect to a particular Participating Entity or episode of care. The effect is System-wide. An individual's election to opt out, whether made at the time of service or subsequently, will have prospective effect only and will not impact access, use and disclosure occurring before the decision is received and communicated through SHARE.

4. Limited Effect of Opt-Out. A decision to opt out only affects the availability of the individual's protected health information through SHARE. Each Participating Entity's policies continue to govern access, use and disclosure in all other contexts and via all other media. Although an individual may opt-out, in the event of an emergency or disaster their protected health information may be made available through SHARE as described in the OHIT Privacy and Security Procedures.

5. Documentation. Each Participating Entity shall document and maintain documentation that information about SHARE and about the ability to opt out of SHARE has been provided to the Participating Entity.

6. Participating Entity's Choice. Participating Entities shall develop and implement the necessary processes to allow an individual to choose not to have information about him or her included in SHARE. The uniform processes described in this Policy are not exclusive, and Participating Entities may adopt additional, not inconsistent, mechanisms.

7. Provision of Coverage or Care. A Participating Entity shall not withhold coverage or care from an individual on the basis of that individual's choice to opt out.

8. Reliance.Participating Entities will be entitled to assume that an individual has not opted-out if the individual's protected health information is available through SHARE.

OHIT Privacy

Policy 400: Access to and Use and Disclosure of Information

Scope and Applicability: This Policy applies to OHIT and all Participating Entities.

Policy:

1. Compliance with Law. Participating Entities shall access, use and disclose protected health information through SHARE only in a manner consistent with all applicable federal, state, and local laws and regulations and not for any unlawful or discriminatory purpose.

2. Documentation and Reliance. If applicable law requires that certain documentation exist or that other conditions be met prior to disclosing protected health information for a particular purpose, the requesting institution shall ensure that it has obtained the required documentation or met the requisite conditions. Each access and use of protected health information by a Participating Entity is a representation to every other Participating Entity whose protected health information is being accessed and used that all prerequisites under state and federal law for such disclosure by the disclosing Participating Entity have been met.6

3. Purposes. During its initial phase, a Participating Entity may request and use protected health information through SHARE only for the Participating Entity's treatment and payment purposes or for public health reporting purposes, and only to the extent necessary and permitted by applicable federal, state, and local laws and regulations and these Policies.7 A Participating Entity may request and use protected health information through SHARE only if the Participating Entity has or has had the requisite relationship to the individual whose protected health information is being accessed and used.

4. Prohibitions. Information may not be requested for marketing or marketing related purposes without specific patient authorization. Under no circumstances may information be requested for a discriminatory purpose. In the absence of a permissible purpose, a Participating Entity may not request or access information through SHARE.

5. Participating Entity Policies. Participating Entity uses and disclosures of, and requests for, protected health information through SHARE shall comply with OHIT's policies on Minimum Necessary and Information Subject to Special Protection.8

6. Participating Entity Policies. Each Participating Entity shall reference and maintain compliance with its own internal policies and procedures regarding disclosures of protected health information and the conditions that shall be met and documentation that must be obtained, if any, prior to making such disclosures.

7. Subsequent Use and Disclosure. A Participating Entity that has accessed information through SHARE and merged the information into its own record shall treat the merged information as part of its own record and thereafter use and disclose the merged information only in a manner consistent with its own information privacy policies and laws and regulations applicable to its own record. A Participating Entity shall not access protected health information through SHARE for the purpose of disclosing that information to third parties, other than for the Participating Entity's qualifying treatment and payment purposes.

8. Accounting of Disclosures. Each Participating Entity shall be responsible to account only for its own disclosures. OHIT shall provide a means by which each Participating Entity requesting information will indicate the purpose and use for such request so that Participating Entities that disclose information may document the purposes for which they have made disclosures for use in an accounting as required by HIPAA.9 Unless a Participating Entity requesting information notes otherwise:

(i) each request by a Participating Entity that is a provider is deemed to be for such Participating Entity's treatment purposes,

(ii) each request by a Participating Entity that is a health plan is deemed to be for such Participating Entity's payment purposes, and

(iii) each request by a Participating Entity that is acting as a plan administrator of one or more other health plans covered by HIPAA is deemed to be for the payment purposes of such other health plans. Each Participating Entity requesting information shall provide information required for the disclosing institution to meet its obligations under the HIPAA Privacy Rule's accounting of disclosures requirement.

9. Audit Logs. Participating Entities and OHIT shall develop an audit log capability to document which Participating Entities posted and accessed the information about an individual through SHARE and when such information was posted and accessed.10

10. Authentication. OHIT shall follow a uniform authentication process for verifying and authenticating the identity and authority of each authorized user and Participating Entity.11,12 Individuals whose identities and authority have been authenticated by this process are referred to in these policies as an "authorized users." Participating Entities shall be entitled to rely on SHARE's user access and authorization safeguards and may assume an authorized user making a request for protected health information on behalf of a Participating Entity is authorized to do so. This process is described in greater detail in the OHIT Security Policies.

11. Access. Each Participating Entity should have a formal process through which it permits individuals to view their Protected Health Information that has been posted by the Participating Entity to SHARE.13 Participating Entities and OHIT shall consider and work towards providing patients direct access to their Protected Health Information contained in SHARE.14 This capability will not be available at the SHARE launch date.

12. Application to BAs and Contractors. Participating Entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their business associate agreements.

OHIT Privacy

Policy 500: Information Subject to Special Protection

Scope and Applicability: This Policy applies to OHIT and all Participating Entities.

Policy:

1. Special Protection. The operation of SHARE and these policies are intended to comply with the HIPAA Privacy Standards. The disclosure and use of some health information may be prohibited by special protections under federal, state, and/or local laws and regulations. Other health information may be deemed so sensitive that a Participating Entity has made special provision to safeguard the information, even if not legally required to do so. Each Participating Entity shall be responsible to identify what information is prohibited from use or disclosure under applicable law and what information (if any) is subject to special protection under that Participating Entity's policies, prior to disclosing any information through SHARE. Participating Entities should not make protected health information requiring special protection available to SHARE. Each Participating Entity is responsible for complying with laws and regulations and its own policies prior to disclosing this information on SHARE.

2. Information Not Furnished. For SHARE to be useful, the Participating Entities accessing health records must know if a patient's health record is complete or whether certain information has been withheld due to more stringent state and federal laws or Participating Entity policies.

1.1. Accordingly, Participating Entities accessing and using another Participating Entity's information obtained through SHARE should assume that the information made available does not include any of the following:

(a) Alcohol and substance abuse treatment program records; 42 CFR Part 2

(b) Records of predictive genetic testing performed for genetic counseling purposes; GINA

(c) Certain records of minors if under state law only the minor's consent to treatment is needed, the minor has consented to the care, but the minor is not the party electing not to opt out. In Arkansas, this may include the following records:

* Diagnosis and treatment of suspected abuse by a parent, guardian or personal representative;

1.2. This list is suggestive only. Other records may be added to the list. Participating Entities should assume the above listed records are not included in SHARE.

2. Application to Business Associates and Contractors. Participating Entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their business associate agreements.

OHIT Privacy

Policy 600: Minimum Necessary

Scope and Applicability: This Policy applies to OHIT, all Participating Entities and their BAs and contractors.

Policy:

1. Requests. Each Participating Entity shall request only the minimum amount of health information through SHARE as is necessary for the intended purpose of the request.

2. Disclosures. A Participating Entity may rely on the scope of a requesting Participating Entity's request for information as being consistent with the requesting Participating Entity's minimum necessary policy and needs.

3. Workforce, BAs and Contractors. Each Participating Entity shall adopt and apply policies to limit access to SHARE to members of its workforce who qualify as authorized users and only to the extent needed by such authorized users to perform their job functions or duties for the Participating Entity.

4. Entire Medical Record. A Participating Entity shall not use, disclose, or request an individual's entire medical record unless necessary and justified to accomplish the specific purpose of the use, disclosure, or request.

5. Application to Health Plans. A Participating Entity that is a health plan shall access and use PHI of another Participating Entity only for "payment" purposes as defined in 42 C.F.R. § 164.501. Participating Entities that are health plans shall initiate a search through SHARE only:

(i) to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan;

(ii) to obtain or provide reimbursement for the provision of health care;

(iii) to determine eligibility or coverage (including coordination of benefits or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;

(iv) to risk adjust amounts due based on enrollee health status and demographic characteristics;

(v) for billing, claims management, collection activities, obtaining payment under a contract for reinsurance, including stop-loss insurance and excess of loss insurance, and related health care data processing;

(vi) to review health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and

(vii) for utilization review activities, including pre-certification and pre-authorization of services, concurrent and retrospective review of services. All Participating Entities shall access and use only the minimum information necessary when accessing and using information for payment purposes.

6. Application to Providers and Treatment Purposes. While this minimum necessary policy is not required by HIPAA for providers accessing, using and disclosing health information for treatment purposes, they are encouraged to follow it when consistent with treatment needs.

7. Application to BAs and Contractors. Participating Entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their business associate agreements.

OHIT Privacy

Policy 700: Workforce, Agents, and Contractors

Scope and Applicability:This Policy applies to OHIT and all Participating Entities and their BAs and contractors.

Policy:

1. Participating Entity Responsibility. Each Participating Entity is responsible to establish and enforce policies designed to comply with its responsibilities as a Covered Entity under HIPAA and a Participating Entity in SHARE, and to train and supervise its authorized users to the extent applicable to their job responsibilities.

2. Authorized Users. All authorized users, whether members of a Participating Entity's workforce or member of the workforce of a BA or contractor shall execute an individual user agreement and acknowledge familiarity with and acceptance of the terms and conditions on which their access authority is granted. This shall include familiarity with applicable privacy and security policies of the Participating Entity, BA, or contractor, as applicable. Participating Entities shall determine to what extent members of their workforce or the workforce of BAs and contractors require additional training on the Participating Entity's obligations under their participation agreement and these policies, and arrange for and document such training. OHIT shall have the authority under the Participation Agreement to suspend, limit or revoke access authority to SHARE for any authorized user or Participating Entity for violation of OHIT's privacy and security policies or any federal or state law.

3. Access to System. Each Participating Entity shall allow access to SHARE only by authorized users who have a legitimate need to use SHARE and release or obtain information through SHARE. No workforce member, agent, or contractor shall have access to SHARE, except as an authorized user on behalf of a Participating Entity and subject to the Participating Entity's privacy and security policies and procedures and the terms of the individual's user agreement.

4. Discipline for Non-Compliance. Each Participating Entity shall implement disciplinary policies to hold authorized users, BAs and contractors accountable for following the Participating Entity's policies and procedures and for ensuring that they do not use, disclose, or request health information except as permitted by these Policies.15 Examples of disciplinary measures include verbal and written warnings, demotion, and termination and may provide for retraining in certain circumstances.

5. Reporting of Non-Compliance. Each Participating Entity shall have a procedure, and shall encourage all workforce members, BAs and contractors to report any non-compliance with the Participating Entity's policies or the policies applicable to authorized users.16 Each Participating Entity also shall establish a mechanism for individuals whose health information is included in SHARE to report any non-compliance with these Policies or concerns about improper disclosures of protected health information.

6. Enforcing BAAs and Contractor Agreements. Each Participating Entity shall implement policies for its workforce, BAs, contractors, or other third parties to designate authorized users of SHARE. Participating Entities must adhere to the following:

(i) authorized users shall be subject to these Policies when accessing, using or disclosing information through SHARE;

(ii) authorized users may have their access suspended or terminated for violation of these Policies or other terms and conditions of the authorized user agreement; and

(iii) BAs, contractors and agents may have their contract with the Participating Entity terminated for violation of these Policies or for failure to enforce these policies.

OHIT Privacy

Policy 800: Amendment of Data

Scope and Applicability: This Policy applies to OHIT and all Participating Entities.

Policy:

1. Accepting Amendments. Each Participating Entity shall comply with applicable federal, state and local laws and regulations regarding individual rights to request amendment of health information.17 If an individual requests and the Participating Entity accepts an amendment to the health information about the individual, the Participating Entity, assisted by OHIT, shall make reasonable efforts to inform other Participating Entities that accessed or received such information through SHARE of the amendment within a reasonable time. Only the Participating Entity responsible for the record being amended may accept an amendment. If one Participating Entity believes there is an error in the record of another Participating Entity, it shall contact the responsible Participating Entity.

2. Application to BAs and Contractors. Participating Entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their business associate agreements.

OHIT Privacy

Policy 900: Requests for Restrictions

Scope and Applicability: This Policy applies to all Participating Entities.

Policy:

1. Recipient Responsibility. A Participating Entity, when accessing SHARE shall not be expected to know of or comply with a restriction on use or disclosure agreed to by a Participating Entity that provides data.

2. Data Provider Responsibility. If a Participating Entity agrees to an individual's request for restrictions,18 as permitted under the HIPAA Privacy Rule, such Participating Entity shall ensure that it complies with the restrictions. This shall include not exchanging the individual's protected health information through SHARE, including opting the individual out of SHARE, if required by the restriction. Participating Entities should advise individuals that opting out only affects access, use and disclosure of their protected health information through SHARE. When evaluating a request for a restriction, the Participating Entity shall consider the implications that agreeing to the restriction would have on the accuracy, integrity and availability of information through SHARE.

OHIT Privacy

Policy 1000: Mitigation

Scope and Applicability: This Policy applies to OHIT, all Participating Entities and their BAs and contractors.

Policy:

1. Duty to Mitigate. Each Participating Entity shall implement a process to mitigate, and shall mitigate to the extent practicable, the harmful effects that are known to the Participating Entity of an access, use or disclosure of protected health information through SHARE that is in violation of applicable laws or regulations or these Policies and that is caused or contributed to by the Participating Entity or its workforce members, agents, and contractors. Steps to mitigate could include, but are not limited to, Participating Entity notification to the individual or Participating Entity request to the party who improperly received such information to return or destroy impermissibly disclosed information.

2. Duty to Cooperate. A Participating Entity that has caused or contributed to a privacy breach or that could assist with mitigation of the effects of a breach shall cooperate with OHIT and with another Participating Entity that has the primary obligation to mitigate a breach. This obligation exists whether the Participating Entity is directly responsible or whether the breach was caused or contributed to by members of the Participating Entity's workforce or by its BAs or contractor or their workforce.

3. Notification to OHIT. A Participating Entity primarily responsible to mitigate shall notify the OHIT compliance officer of all events requiring mitigation and of all actions taken to mitigate. OHIT may facilitate the mitigation process if asked. OHIT shall provide training on breach mitigation.

4. Application to BAs and Contractors.Participating Entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their business associate agreements.

OHIT Privacy

Policy 1100: Investigations; Incident Response System

Scope and Applicability:This Policy applies to OHIT, all Participating Entities and their BAs and contractors.

Policy:

1. Duty to Investigate. Each Participating Entity shall promptly investigate reported or suspected privacy breaches implicating privacy or security safeguards deployed by OHIT (or its contractors) according to its own policies. Upon learning of a reported or suspected breach, the Participating Entity shall notify OHIT within five business days and any other Participating Entity whom the notifying Participating Entity has reason to believe is affected or may have been the subject of unauthorized access, use or disclosure. OHIT shall participate in the investigation and remedial actions taken. OHIT need not be notified of specific workforce disciplinary actions. Each investigation shall be documented. At the conclusion of an investigation, a Participating Entity shall document its findings and any action taken in response to an investigation. A summary of the findings shall be sent to OHIT.

2. Incident Response. OHIT shall implement an incident response system in connection with known or suspected privacy breaches, whether reported by Participating Entities or discovered by OHIT. The incident response system shall include the following features, each applicable as determined by the circumstances:

2.1 Cooperation in any investigation conducted by the Participating Entity or direct investigation by OHIT;

2.2 Notification of other Participating Entities or authorized users as needed to prevent further harm or to enlist cooperation in the investigation and/or mitigation of the breach;

2.3 Cooperation in any mitigation steps initiated by the Participating Entity;

2.4 Furnishing audit logs and other information helpful in the investigation;

2.5 Developing and disseminating remediation plans to strengthen safeguards or hold Participating Entities or authorized users accountable;

2.6 Any other steps mutually agreed to as appropriate under the circumstances; and

2.7 Any other step required under the incident reporting and investigation system contained in the OHIT Security Policies.

3. OHIT Cooperation. OHIT shall cooperate with a Participating Entity in any investigation of the Participating Entity's privacy and security compliance, whether conducted by an agency of state or federal government or conducted as a self- investigation by the Participating Entity, when the investigation implicates OHIT conduct, or the conduct of another Participating Entity or authorized user, or the adequacy or integrity of System safeguards.

4. Participating Entity Cooperation. Each Participating Entity shall cooperate with OHIT in any investigation of OHIT or of another Participating Entity into OHIT's or such other Participating Entity's privacy and security compliance, whether conducted by an agency of state or federal government or conducted as a self-investigation by OHIT or the other Participating Entity, when the investigation implicates such Participating Entity's compliance with OHIT policies or the adequacy or integrity of System safeguards.

5. Application to BAs and Contractors. Participating Entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their business associate agreements.

OHIT Privacy

Policy 1200: Authorized User Controls

Scope and Applicability: This Policy applies to OHIT, all Participating Entities and their BAs and contractors. This Policy is to be read and applied in conjunction with the OHIT Security Policy.

Policy:

1. Participating Entity Responsibilities. Each Participating Entity is responsible to:

1.1 Designate its responsible contact person who shall be initially responsible on behalf of the Participating Entity for compliance with these policies and to receive notice on behalf of the Participating Entity. For Participating Entities that have their own system administrator, this shall ordinarily be the SHARE administrator.

1.2 Designate its own authorized users from among its workforce, and designate BAs and contractors authorized to act as (or designate from among their workforce) authorized users on its behalf.

1.3 Train and supervise its authorized users and require any BA or contractor to train and supervise its authorized users consistent with the Participating Entity's and OHIT's privacy policies and with the terms of the Participating Entity's privacy policies and the BA Agreement as applicable.

1.4 In the case of Participating Entities with a System Administrator, immediately suspend, limit or revoke access authority upon a change in job responsibilities or employment status of an authorized user. Revocation shall occur prior to, contemporaneously with, or immediately following such a change so as to prohibit continued access authority for individuals who no longer need it on behalf of the Participating Entity.

1.5 For Participating Entities without their own System Administrator, immediately notify OHIT or OHIT's designee of the change so that OHIT may revoke access authority. Notification shall occur prior to, contemporaneously with, or immediately following such a change so as to prohibit continued access authority for individuals who no longer need it on behalf of the Participating Entity.

1.6 Hold their authorized users accountable for compliance with OHIT and the Participating Entity's policies and, as applicable, the terms of any BA Agreement.

2. OHIT Responsibilities. OHIT or OHIT's designee is responsible to:

2.1 Grant access authority to individuals designated by a Participating Entity, subject to reserved authority to suspend, limit, or revoke such access authority as described later.

2.2 Train and supervise its own authorized users on these policies and the standard terms required by its BA Agreement with Participating Entities.

2.3 Suspend, limit or revoke access authority for its own authorized users or any authorized user who is a member of the workforce of any subcontractor of OHIT as required by these policies or the terms of its BA Agreement in the event of breach or non-compliance.

2.4 Immediately revoke access authority upon a change in job responsibilities or employment status of its own authorized users or the authorized user of its contractor.

2.5 Suspend, limit, or revoke the access authority of an authorized user on its own initiative upon a determination that the authorized user has not complied with the Participating Entity's privacy policies, OHIT policies or the terms of the user agreement, if OHIT determines that doing so is necessary for the privacy of individuals or the security of SHARE.

2. OHIT Security Policy. The details of how to grant and revoke access authority are contained in the OHIT Privacy and Security Procedures.

3. Application to BAs and Contractors. Participating Entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their business associate agreements.

(8/15/2011)

The following state regulations pages link to this page.