Iowa Admin. Code r. 657-37.17 - Integrated systems

A practitioner or a health care system may integrate its electronic health record system or a pharmacy may integrate its automated data processing system with the PMP using an application programming interface. Use of an integrated system shall comply with all of the following:

(1) The integrated system shall log each user's access to PMP information. Access logs shall be retained by the practitioner, health care system, or pharmacy for a minimum of four years from the date of access and shall be provided to the board upon request.

(2) If the user identified in access logs is not the practitioner, the integrated system shall clearly identify on which practitioner's behalf the user was accessing PMP information. A practitioner's delegate using an integrated system is required to maintain active PMP registration.

(3) The integrated system shall maintain appropriate administrative, technical, and physical security measures to safeguard against unauthorized access, disclosure, or theft of PMP information and shall meet all HIPAA requirements for safeguarding protected health information.

(4) The practitioner, health care system, or pharmacy shall notify the PMP administrator of any breach in the electronic health record system that may have included PMP information within 72 hours of making the determination that a breach occurred.

(5) An integrated system shall comply with all requirements in subchapter VI of Iowa Code chapter 124 and all requirements of this chapter.

Notes

Iowa Admin. Code r. 657-37.17

Adopted by IAB April 10, 2019/Volume XLI, Number 21, effective 5/15/2019