101 CMR, § 20.11 - Statewide Event Notification Service Framework

(1) General. The statewide event notification service framework is a HIway-facilitated service composed of EOHHS-certified ENS vendors. Certified ENS vendors must:
(a) collect ADT feeds from required submitters;
(b) reflect ADT feeds to all other certified ENS vendors;
(c) conduct a patient matching process with the ADT feeds; and
(d) produce notifications to their respective ENS subscribers in a secure method that protects patient privacy in accordance with applicable state and federal law.
(2) ENS Certification Process. EOHHS sets reasonable objective criteria, including applicable privacy and security standards for certified ENS vendors. The certification will be for a term as specified in the certification process but in no event for more than three years, at which time the term may be renewed upon successful recertification.
(3) Reflect ADTs. A certified ENS vendor must reflect ADTs to all other certified ENS vendors for the purposes of treatment or care coordination by ENS recipients.
(a) Certified ENS vendors must match all inbound reflected ADTs using their patient matching process to determine positive or negative matches.
(b) All inbound reflected ADTs that achieve a positive result in the patient matching process must be routed to the appropriate ENS recipients in accordance with the contract between the ENS vendor and ENS recipient.
(c) All inbound reflected ADTs that achieve a negative result in the patient matching process must be destroyed in accordance with the requirements of the certification process; however, a record of the transaction must be kept, as required, to meet minimal audit standards and retention periods for audit purposes consistent with 45 CFR § 164.312(b). Certified ENS vendors must keep a log of inbound reflected ADTs in auditable information.
(4) Data Security. Data shall be transmitted and held in accordance with industry-accepted practices, which at a minimum shall include the Health Insurance Portability and Accountability Act (HIPAA) Rules, and any other requirements EOHHS may deem necessary for certification.
(5) Audit Rights. EOHHS retains the right to conduct data integrity, privacy, and security audits of certified ENS vendors to comply with the framework of 101 CMR 20.12. EOHHS, upon finding unauthorized access or disclosure of data, may suspend the certification until corrective action is taken, and/or rescind the certification.

Notes

101 CMR, § 20.11
Adopted by Mass Register Issue 1332, eff. 2/10/2017. Amended by Mass Register Issue 1336, eff. 2/10/2017. Amended by Mass Register Issue 1401, eff. 10/4/2019.
