Camden HIE Policies and Procedures Overview

Updated 9/1/2016

[email protected]

Agenda

• Purpose of Presentation
• Policies (1-17)
• Authorized User Agreement
• Contact information

Purpose of Presentation

• To present an overview of each of the Camden HIE Policies and Procedures
• To encourage discussion of the policies and procedures to foster better understanding
• To give Authorized Users an understanding of which policy to reference in response to a given situation

Governance and Oversight

• Consists of representatives from Participants that are Health Care Providers
• Strives to operate through consensus
• Must be unanimous on:
  • Approval/amendments
  • Use Cases
• Examples of Areas of Oversight:
  • Development and approval of Policies, Participation Agreement and Use Cases
  • Addition of new Participants and Data types
  • Camden HIE Technology
  • Camden HIE Services
  • Involvement in efforts to connect Camden HIE to other HIEs

Purpose of Policy 17
• To establish and define the responsibilities of a decision-making and governing body for the Camden HIE

Policy 1- Scope and Definitions

Scope
• The policies and procedures described in the Camden HIE Policy Manual apply to all Participants and Authorized Users accessing the Camden Health Information Exchange
• Intended to ensure that the Camden HIE is used in an effective, efficient, ethical and lawful manner

• Data
  • Protected Health Information (PHI) and Individually Identifiable Health Information (IIHI) as defined under HIPAA
• Pushing vs. Pulling Data
  • To “push” data means that data within the Participant is sent to the Camden HIE
  • To “pull” data means that data within the Camden HIE is accessed, viewed or copied, either onto a viewing screen or into a Participant’s EMR or own repository

Policy 1- Scope and Definitions (continued)

• Authorized User
  • An individual designated by a Participant who has signed an Authorized User Agreement
  • Authorized to access and use Data
• Participant
  • A party, at the entity level, that has entered into a Participation Agreement with the Camden HIE
• Covered Entity
  • A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction

Policy 2- Patient Participation and Choice

• All Patient Data made available to the Participant may be included in the Camden HIE, but inclusion does not automatically permit Participants and Authorized Users to access it
• Patients can choose to be excluded from the Camden HIE by opting out
  • The request must be made in writing
  • Participants are required to develop workflows to ensure that the Patient’s Data is not accessible to the Camden HIE
• “All or none”: a Patient cannot choose to include certain data and omit other data
• Health Care Providers who are also Authorized Users must educate the Patient on the Camden HIE and the Opt-Out process

Purpose of Policy 2
• To define procedures ensuring that Patients understand how their information will be used through the Camden HIE, and that Patients are given the right to “Opt-out” of having their information in the Camden HIE made available for access

Policy 3- Participants and Authorized Users

• Examples of eligible Participants
  • Physicians/Physician Practices
  • Hospitals
  • Clinical Laboratories
  • Affiliated HIEs
  • Governmental agencies
  • Other licensed Health Care Providers (e.g., Home Health Agencies)
• Examples of eligible Authorized Users
  • Physicians/Physician Practices
  • Clinical staff
  • IT staff
  • Administrative staff with HIE responsibilities

Purpose of Policy 3
• To define the agreements and necessary procedures required of a Health Care Provider or other organization to become a Participant in the Camden HIE
• Only Health Care Providers and organizations found eligible and approved by the Coalition may be Participants in the Camden HIE
• Authorized Users must be authorized by a Participant to qualify to use the Camden HIE

Policy 3 (continued)

• Each Participant shall appoint a point of contact for all matters related to the Camden HIE
• Each individual authorized by a Participant to be an Authorized User must execute an Authorized User Agreement
• The Coalition approves or rejects all those who seek to become a Participant
• Each Authorized User must undergo annual training

Policy 4- Compliance with Law

• Reasonable effort should be made to stay abreast of changes and updates to all applicable federal, state and local laws and regulations related to Data
• Camden HIE policies may be updated; notice of any change will be made to Participants
• Participants are responsible for appropriate internal policies and procedures to ensure compliance
• Where standards differ, the more restrictive or protective standard applies to the conduct of Participants and Authorized Users with regard to the Camden HIE

Purpose of Policy 4
• To ensure that each Participant and Authorized User shall, at all times, comply with this Camden HIE Policy Manual, Camden HIE standards and requirements, and applicable federal, state and local laws and regulations
• These include, but are not limited to, laws protecting the confidentiality and security of individually identifiable health information and establishing certain individual privacy rights

Policy 5- HIPAA Notice of Privacy Practices

• Each Participant that is a Covered Entity shall develop, distribute and maintain a Notice of Privacy Practices (NPP) that complies with federal and state laws and the Camden HIE Policy Manual
• Participants are required to obtain a Patient’s written acknowledgment, lasting 6 years from date
• Participants may choose a more proactive and/or detailed NPP so long as it does not otherwise conflict with or fall below the minimum requirements
• The NPP shall include:
  • A description of the Camden HIE
  • What information may be included and accessible
  • Who is able to access information
  • Permitted Uses for which PHI can be accessed
  • The Opt-out process

Purpose of Policy 5
• To ensure that Patients have the opportunity to review a HIPAA Notice of Privacy Practices that adequately addresses a Participant’s specific privacy practices with respect to the exchange of Data through the Camden HIE

Policy 6- Patient Rights

• Patient’s Rights:
  • Access to Data, through a formal process
  • Accounting of Disclosures, through a formal process
  • Amendment of Data: if the Participant accepts the amendment, reasonable efforts must be made to inform other Participants
  • Restriction of Data, through the opt-out process
• Participant’s Responsibilities:
  • Authorizing use/disclosure of Data
  • Limiting Patient access to Data to that Participant’s respective medical records maintained on the Patient
  • Receiving requests for Data from the Camden HIE

Purpose of Policy 6
• To ensure that the Coalition shall afford Patients the full scope of rights in accordance with HIPAA, HITECH, and other federal and state laws

Policy 7- Access

• Access to the Camden HIE shall be granted only to individuals with a legitimate need to access Data based upon their role
• All Authorized Users must sign an Authorized User Agreement and all Participants must execute a Business Associate Agreement
• Access can be removed or disabled as appropriate
  • Participants are responsible for notifying the Coalition if an Authorized User’s access needs to change
  • Authorized Users are not permitted to enter or access Data using another person’s password

Purpose of Policy 7
• To set forth standards for verifying and authenticating the identity and the authority of an Authorized User requesting Data through the Camden HIE

Policy 8- Authentication

• The identity of Authorized Users shall be authenticated before access to the Camden HIE is granted
• The Participant verifies the identity of the user
• Initial identity-proofing procedures will be required upon registration as an Authorized User:
  • Creating your own password
  • Setting up your security questions

Purpose of Policy 8
• To implement minimum standards for authentication of Authorized Users prior to their accessing Data through the Camden HIE

Policy 9- Permitted Uses

• All disclosures of Data and use of the information shall be consistent with all applicable federal, state and local laws and regulations
• Participants are responsible for ensuring that required documentation exists, or that other conditions are met, before using or disclosing Data where the law requires it
• Authorized Users shall send Data only through properly encrypted means
• Five (5) agreed-upon Use Cases, fully detailed in the Policy Manual

Purpose of Policy 9
• To ensure that Data is used and accessed only as permitted under federal and state law and these Camden HIE Policies
• To ensure that Participants and Authorized Users have proper measures and safeguards in place to assure that Data is used only for Permitted Uses

Policy 9- HIE Permitted Use Cases

#1 Treatment
For the provision, coordination, or management of health care and related services
• Outpatient clinical provider accesses Data for Patient’s follow-up office visit
• Care Coordination team reviews to determine whether hospitalized Patient is a candidate for care coordination intervention
• Clinical provider at county jail reviews records contained in HIE for incarcerated Patient at jail’s health clinic
• Emergency room physician reviews Data when Patient presents at ED
• Managed care organization’s care coordinator accesses HIE Data in connection with developing care coordination plan for MCO member
• Coalition’s care coordination team records medication reconciliation and care coordination activities in HIE

#2 Population Health and ACO
For the creation of an Accountable Care Registry to track Patients by primary care practice and payer. Includes practices’ Patient records, Patient capitation lists from Managed Care Organizations, and hospital records
• Primary Care Practice receives daily report of ED and inpatient admissions and contacts Patient and hospital to coordinate care
• Care coordination team uses data for outreach and follow-up appointments

#3 Health Care Operations
• Coalition staff analyzes data for better understanding of patient population
• Evaluate impact of clinical intervention

#4 Population Health - Camden Health Explorer
• A publicly available website that allows users to observe real-time hospital-utilization and other population health trends in anonymized Data
• Coalition and analysts transfer HIE Data to the Coalition’s secure server, where it is cleaned, analyzed, and de-identified by Coalition staff and its business associate, BlueLabs, before becoming part of the Health Explorer

#5 Health Care Research
• If approved by the Institutional Review Board, researchers may use HIE Data to perform health care research
• Coalition may construct a limited data set of Emergency Department and inpatient encounters for treatment and control groups in the Randomized Control Test to be shared with researchers

Policy 10- Breach Notification

• The Coalition is required to report any breach of PHI to the relevant HIE Participants
• Any Participant or Authorized User that has reason to believe that a Breach has or may have occurred shall promptly report such information to the Coalition
• The Coalition will activate the Breach Investigation Committee, made up of representatives from each Health Care Provider that contributes Data, to conduct the investigation
• The Coalition will retain all documentation regarding breaches, including copies of breach notifications sent in accordance with this policy
• Note: Refer to the example Press Statement in the full Policies and Procedures document

Purpose of Policy 10
• To establish the Coalition’s policy and procedure regarding reporting to Camden HIE Participants Breaches of Protected Health Information (PHI) relating to the Camden HIE, when such reporting is required under HITECH and the Coalition’s Participation Agreements with Participants

Policy 10- Breach Timeline

1. Discovery of Breach and initial assessment
2. Coalition notifies relevant Participants within 48 hours; Breach Investigation Committee comes together
3. Breach Investigation Committee conducts a full risk assessment within 10 days of discovery
4. Coalition submits final written report to Participants within 15 days of discovery
5. Recipients of the full report submit comments within 24 hours of receiving the report

Policy 10- Actions related to Breach

• The Committee will presume that a potential Breach is a Breach unless it determines that there was a low probability that PHI has been or will be compromised
• Possible temporary actions to mitigate risk of harm:
  • Preventing an otherwise Authorized User from accessing the Camden HIE
  • Preventing a specific Participant from accessing the Camden HIE
  • Preventing all Participants from accessing the Camden HIE
• Depending on the outcome of the investigation, temporary actions may become permanent

Policy 10- Information related to Breach

• Risk Assessment
  • Nature and extent of the PHI involved
  • Unauthorized person who used the PHI or to whom the disclosure was made
  • Whether PHI was actually acquired or viewed
  • Extent to which the risk to the PHI has been mitigated
• Written report
  • Brief description of what happened, including date of breach and date of discovery
  • Type of unsecured PHI involved in the breach
  • Brief description of what the Coalition/CareEvolution is doing to investigate the breach and mitigate any harmful effects
  • Brief description of any corrective action the Coalition has taken or will take to prevent future similar unauthorized uses or disclosures

Policy 11- Special Protection

• Example categories of Sensitive Information:
  • HIV/AIDS
  • Venereal Diseases
  • Drug or Alcohol Addiction Treatment Records
  • Mental Health Facility Records, Behavioral Health Information
  • “Psychotherapy Notes”
  • Genetic Information
  • Minor’s Emancipated Treatment
  • Data related to services paid for “out of pocket” in full by a Patient or representative on behalf of the Patient

Purpose of Policy 11
• To ensure that certain Data subject to “Special Protection” is not accessed or disclosed except in strict accordance with State and federal law
• Camden HIE shall ensure such Data is afforded specific procedural, technological and/or other safeguards as may be necessary and appropriate

Policy 11 (continued)

• Must comply with standards and requirements in the Camden HIE Policy Manual and with applicable federal/state laws before allowing access to Sensitive Information
• Required to obtain the Patient’s written consent that includes explicit reference to access of Sensitive Information prior to accessing records
• Consent must be obtained for each episode of treatment, lasting no more than 6 months
• Copies of Patient consent must be maintained by the Participant
• Participants and Authorized Users shall not re-disclose Sensitive Information that is under Special Protection
• Sanctions for non-compliance with this policy will be imposed in accordance with the Camden HIE “Enforcement and Penalties” policy (Policy 15)
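
The opt-out rule (Policy 2), the Authorized User and role requirements (Policy 7), the Special Protection consent rule (Policy 11) and the minimum-necessary rule (Policy 12) can be combined into one access decision. The following is an added example written for this page; it is not Coalition or CareEvolution code. The record shapes, role names, category labels, the 183-day reading of “no more than 6 months”, and the choice to strip Sensitive Information rather than refuse the whole request when consent is missing or expired are assumptions made for illustration.

```python
"""Added example: Camden HIE access rules from Policies 2, 7, 11 and 12 as one
decision function. Not Coalition or CareEvolution code; record shapes, role
names, category labels and the 183-day consent window are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Policy 11: consent for Sensitive Information covers one episode of treatment
# and lasts no more than 6 months; 183 days is this example's reading of that.
CONSENT_MAX_AGE = timedelta(days=183)

# Assumed labels for the Policy 11 list of Sensitive Information categories.
SENSITIVE_CATEGORIES = frozenset({
    "hiv_aids", "venereal_disease", "substance_use_treatment", "behavioral_health",
    "psychotherapy_notes", "genetic", "minor_emancipated_treatment", "self_pay_in_full",
})


@dataclass(frozen=True)
class Consent:
    patient_id: str
    signed_on: date
    covers_sensitive: bool  # written consent explicitly references Sensitive Information


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    has_signed_aua: bool   # Authorized User Agreement on file (Policy 7)
    role: str
    patient_id: str
    categories: frozenset  # data categories the user asks to view
    purpose: str           # "treatment", "operations", "research", ...
    on: date


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    categories: frozenset = frozenset()


def decide(req, opted_out, consents, role_categories):
    """Decide one request; role_categories maps a role to the categories its need justifies."""
    # Policy 7: only Authorized Users with a signed AUA whose role carries a legitimate need.
    if not req.has_signed_aua:
        return Decision(False, "no signed Authorized User Agreement")
    if req.role not in role_categories:
        return Decision(False, f"role {req.role!r} has no Camden HIE access")
    # Policy 2: opt-out is all or none; the Patient's Data is not reachable at all.
    if req.patient_id in opted_out:
        return Decision(False, "patient has opted out of the Camden HIE")
    # Policy 12: minimum necessary by role, except for Treatment (as HIPAA allows).
    permitted = set(req.categories)
    if req.purpose != "treatment":
        permitted &= role_categories[req.role]
    # Policy 11: Sensitive Information needs explicit written consent no older than 6 months.
    sensitive = permitted & SENSITIVE_CATEGORIES
    if sensitive:
        current = [c for c in consents
                   if c.patient_id == req.patient_id and c.covers_sensitive
                   and timedelta(0) <= req.on - c.signed_on <= CONSENT_MAX_AGE]
        if not current:
            permitted -= sensitive  # this example strips the protected part rather than refusing
            if not permitted:
                return Decision(False, "Sensitive Information requested without current consent")
    return Decision(True, "permitted", frozenset(permitted))


def example_decisions():
    """Constructed scenario: two roles, one consent signed 2016-03-01, one opted-out Patient."""
    opted_out = {"P-9"}
    consents = [Consent("P-1", date(2016, 3, 1), covers_sensitive=True)]
    roles = {"clinician": {"encounters", "medications"} | SENSITIVE_CATEGORIES,
             "care_coordinator": {"encounters"}}

    def req(role, purpose, patient, cats, on, aua=True):
        return AccessRequest("u1", aua, role, patient, frozenset(cats), purpose, on)

    both = {"encounters", "behavioral_health"}
    return {
        # consent is 153 days old: Sensitive Information may be shown
        "treatment_with_consent": decide(req("clinician", "treatment", "P-1", both, date(2016, 8, 1)),
                                         opted_out, consents, roles),
        # consent is 198 days old: behavioral_health is stripped, encounters remain
        "treatment_expired_consent": decide(req("clinician", "treatment", "P-1", both, date(2016, 9, 15)),
                                            opted_out, consents, roles),
        # non-treatment purpose: minimum necessary narrows to the role's categories
        "operations_min_necessary": decide(req("care_coordinator", "operations", "P-1",
                                               {"encounters", "medications"}, date(2016, 8, 1)),
                                           opted_out, consents, roles),
        "opted_out_patient": decide(req("clinician", "treatment", "P-9", {"encounters"}, date(2016, 8, 1)),
                                    opted_out, consents, roles),
        "no_aua": decide(req("clinician", "treatment", "P-1", {"encounters"}, date(2016, 8, 1), aua=False),
                         opted_out, consents, roles),
    }


if __name__ == "__main__":
    for name, d in example_decisions().items():
        print(f"{name}: allowed={d.allowed} categories={sorted(d.categories)} ({d.reason})")
```

The ordering matters: the opt-out check runs before any category logic so that an opted-out Patient’s record never leaks even partially, and the consent check is applied to what remains after minimum-necessary narrowing, so a role with no need for Sensitive Information never triggers a consent lookup.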

Policy 12- Minimum Use Necessary

• Participants and Authorized Users will only access the minimum amount of Data necessary
• As allowed under HIPAA, access to Data for Treatment of a Patient is not subject to minimum necessary requirements
• A Participant or Authorized User must not disclose an entire medical record except when specifically justified and necessary

Purpose of Policy 12
• To promote the privacy principles of collection limitation, use limitation, data integrity and quality, and security safeguards and controls

Policy 13- Auditing and Education

• Periodic audits shall be conducted by representatives of the Coalition
• The Coalition and affiliated Authorized Users shall be subject to the same audit requirements, conducted by an external party
• Coalition representatives will perform mandatory ad hoc audits in response to complaints
• Authorized Users shall cooperate with and participate in periodic and ad hoc audit procedures
  • Includes site visits and required documentation within ten (10) calendar days of notification

Purpose of Policy 13
• To ensure proper access, use and confidentiality of PHI accessed through the Camden HIE by Authorized Users
• To verify compliance with access controls and administrative and other safeguards
• To provide appropriate education, mitigation, monitoring and reporting of inappropriate access, use or disclosure

Policy 13A- HIE Audit Elements

Level        Report                                                       Frequency
Community    # of Participants (i.e., clinics)                            Quarterly
Community    # of Authorized Users                                        Quarterly
User         # of logins                                                  Monthly
User         # of Patient records accessed                                Monthly
Clinic       Number of Patients opted out and associated Authorized User  Monthly
Clinic       Patient consents                                             Semi-annually
Enterprise   # of orphan entries                                          Semi-annually
Enterprise   # of MPI duplicates                                          Semi-annually
Enterprise   Regression testing                                           Ad hoc
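
The User-level rows (logins and Patient records accessed, monthly) and the Clinic-level opt-out row of this table are the ones most directly derivable from an access log. The code below is an added example showing how they could be computed; it is not Camden HIE or CareEvolution code. The log line format, the field names, and the reading of the Clinic row as “views of opted-out Patients, with the Authorized User who viewed them” are assumptions, and the sample log lines are constructed.

```python
"""Added example: Policy 13A User- and Clinic-level audit metrics from an access log.
Not Coalition or CareEvolution code; the log format, field names and the reading
of the Clinic-level row are assumptions, and the sample log is constructed."""
import re
from collections import defaultdict

# Assumed line format: "<ISO-8601 timestamp> LOGIN|VIEW key=value ...".
LOG_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+\s+(?P<event>LOGIN|VIEW)\s+(?P<kv>.*)$")

# Constructed sample log. P-1007 is on the opt-out list, so its two VIEW lines are
# exactly what the monthly Clinic-level report should surface.
SAMPLE_LOG = """\
2016-08-03T09:12:44Z LOGIN user=jdoe clinic=C1
2016-08-03T09:14:02Z VIEW user=jdoe clinic=C1 patient=P-1002
2016-08-03T09:20:51Z VIEW user=jdoe clinic=C1 patient=P-1002
2016-08-10T14:02:10Z LOGIN user=jdoe clinic=C1
2016-08-10T14:05:33Z VIEW user=jdoe clinic=C1 patient=P-1007
2016-08-11T08:00:00Z LOGIN user=asmith clinic=C2
2016-08-11T08:03:15Z VIEW user=asmith clinic=C2 patient=P-1002
2016-09-01T10:30:00Z LOGIN user=asmith clinic=C2
2016-09-01T10:31:48Z VIEW user=asmith clinic=C2 patient=P-1007
this line is malformed and must not crash the audit
""".splitlines()
OPTED_OUT = {"P-1007"}


def parse_log(lines):
    """Parse log lines into event dicts; returns (events, number of unparseable lines)."""
    events, bad = [], 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            bad += 1  # counted, not ignored: gaps in the audit trail are themselves a finding
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        events.append({"month": m["day"][:7], "event": m["event"], **fields})
    return events, bad


def user_monthly_report(events):
    """User level, monthly: # of logins and # of distinct Patient records accessed."""
    logins = defaultdict(int)
    records = defaultdict(set)
    for e in events:
        key = (e["user"], e["month"])
        if e["event"] == "LOGIN":
            logins[key] += 1
        elif e["event"] == "VIEW":
            records[key].add(e["patient"])
    return {k: {"logins": logins[k], "records_accessed": len(records[k])}
            for k in sorted(set(logins) | set(records))}


def opted_out_access(events, opted_out):
    """Clinic level, monthly: opted-out Patients whose records were viewed, and by which user."""
    hits = defaultdict(set)
    for e in events:
        if e["event"] == "VIEW" and e["patient"] in opted_out:
            hits[(e["clinic"], e["month"])].add((e["patient"], e["user"]))
    return {k: sorted(v) for k, v in sorted(hits.items())}


def run_audit(lines=SAMPLE_LOG, opted_out=OPTED_OUT):
    events, bad = parse_log(lines)
    return {"unparseable_lines": bad,
            "user_monthly": user_monthly_report(events),
            "opted_out_access": opted_out_access(events, opted_out)}


if __name__ == "__main__":
    for section, value in run_audit().items():
        print(section, value)
```

Any row at all in the opted-out report is a finding, since Policy 2 requires that an opted-out Patient’s Data not be accessible through the HIE; the count of unparseable lines is reported alongside so that a quiet month cannot be mistaken for a clean one when the log itself is incomplete.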

Policy 13B- Education Schedule

Level          Description                                        Frequency
All Users      HIPAA and security protocols                       Annually
Registration   Patient consenting                                 Annually
All Users      Updates to HIE Policy Manual                       Ad hoc
All Users      Updates to HIE system and/or new functionality     Ad hoc

Policy 14- Data Quality and Integrity

• Participants and Authorized Users must take reasonable steps to ensure that Data shared through the Camden HIE is accurate, complete and up to date
• Each Participant’s EMR must have the technical capacity to push updates or to allow Participant updates
• Data errors will be resolved by the Camden HIE, the Coalition and CareEvolution staff through discussions with Participants
• Periodic audits of Camden HIE Data can include:
  • Accuracy of data available to Authorized Users
  • Completeness of the data available to Authorized Users
  • Timeliness of data available to Authorized Users
• Error tracking: http://www.camdenhealth.org/hie-error-tracking/

Purpose of Policy 14
• To ensure that Patient Data accessed through the HIE is complete, accurate and available to Participants and Authorized Users
• To ensure that this Data has not been altered or destroyed in an unauthorized manner

Policy 15- Enforcement and Penalties

• Participant responsibilities:
  • Require compliance by all Authorized Users, employees, agents and contractors
  • Require Authorized Users to report suspected violations to the Participant
  • Take disciplinary action when a violation occurs
  • Report suspected violations to the Camden HIE Staff Director
• Coalition responsibilities:
  • Conduct an inquiry if there is reason to suspect a violation
  • Present findings to the Oversight Committee
• Oversight Committee responsibilities:
  • Take further action regarding the violation inquiry
  • Record the decision in a Determination Letter within 48 hours of the final vote
  • Follow all federal and state laws regarding reporting legal violations to the proper authorities

Purpose of Policy 15
• To provide a response process for when a Camden HIE Participant or its users are suspected of or determined to be violating any Camden HIE Policy, or any federal or state law governing the use and disclosure of Patient Data

Policy 15- Penalties

• Examples of sanctions:
  • Extended period of suspension from the Camden HIE
  • Established probationary period for restricted use of the Camden HIE
  • Termination of use of the Camden HIE
• In its discretion, the Oversight Committee may issue a sanction against a Participant and its entire staff of Authorized Users, or against an individual Authorized User, with regard to accessing the Camden HIE
• Any Authorized User or Participant shall have the opportunity to appeal a Determination that imposes sanctions

Policy 16- Complaints

• Procedures for the complaint process will be made known through education materials and online resources: http://www.camdenhealth.org/feedback/
• Any general complaint will be forwarded to the Coalition for handling
• The complaint process DOES NOT limit or change the rights a Patient has to file a HIPAA complaint regarding a Health Care Provider’s privacy practices
• Complaints may be submitted anonymously
• Copies of complaints and their outcomes will be documented in the Camden HIE Complaint log

Purpose of Policy 16
• To ensure that there is a process by which Patients may complain and/or make suggestions or comments about practices or activities related to the Camden HIE and/or its Participants and Authorized Users

Authorized User Agreement

• All individuals with access to the Camden HIE must sign an Authorized User Agreement
  • Binds the individual to the policies, procedures and standards of the Camden HIE
• Includes 25 terms and conditions
• References the Participation Agreement between the employer and the Coalition

Contact Information

[email protected]

• Christine McBride, Program Manager
  • 856-365-9510 ext. 2082
  • [email protected]
• Abigail Fallen, Senior Program Manager
  • 856-365-9510 ext. 2010
  • [email protected]