Sec. 10.25.18.05. Requirements for Accessing, Using, or Disclosing Health Information Through an HIE  


Latest version.
  • A. As a requirement of participation in an HIE, the HIE shall require each participating organization to enter into a binding participation agreement that:

    (1) Requires the participating organization and each authorized user to comply with this chapter;

    (2) Requires the participating organization and each authorized user to comply with all applicable federal and State privacy and security laws; and

    (3) Includes a business associate agreement:

    (a) In compliance with 45 CFR §164.504; and

    (b) If the participating organization will maintain Part 2 information, the business associate agreement shall comply with the additional requirements that apply to a qualified service organization under 42 C.F.R. §2.11.

    (4) Permits PHI disclosed through the HIE to the authorized user of a participating organization to be incorporated into the patient’s medical record kept by such participating organization, and requires compliance with all applicable federal and State laws.

    B. An HIE shall only disclose PHI through an HIE for a primary use consistent with the following:

    (1) The disclosure shall be only to an authorized user for the specific purpose for which that authorized user is given access to the PHI; and

    (2) All disclosures shall be in full compliance with these regulations.

    C. The Commission may suspend the registration, in accordance with Regulation .09 of this chapter, of a registered HIE that inappropriately discloses to any person any PHI, or health information derived from PHI, that is available through the HIE’s infrastructure, except as consistent with or otherwise permitted by this chapter and applicable federal or State law.

    D. To assure that only an authorized user accesses, uses, or discloses PHI through or from an HIE, an HIE shall:

    (1) Develop and maintain an HIE access matrix that includes the defined HIE access levels available to each authorized user.

    (a) The HIE access matrix shall be used for the following purposes:

    (i) To assign an HIE access level to each staff member of the HIE or its contractor that allows only the minimum necessary access to PHI to perform that staff member’s authorized purpose; and

    (ii) To assist each participating organization and its system administrator in assigning the appropriate HIE access level to each authorized user of that participating organization.

    (b) The HIE shall review its HIE access matrix annually and revise it as necessary to reflect relevant changes in technology, standards, or law; and

    (c) The HIE shall have the necessary technological capabilities in its core infrastructure to limit an authorized user’s access to the HIE according to the then currently assigned access level of its access matrix.

    (2) Provide technical assistance and guidance to the system administrator of each participating organization in assigning the appropriate HIE access level to each of its authorized users;

    (3) Comply, at a minimum, with the most recent Level 2 requirements set by the National Institute of Standards and Technology (NIST), as set forth in April 2006 in Special Publication 800-63 (Version 1.0.2): Electronic Authentication Guideline for both Registrations and for Registration Record Retention; and

    (4) Adopt and implement an authentication process that:

    (a) Requires the authentication of an authorized user at each “log in” prior to allowing that individual access to the HIE;

    (b) Requires a single factor authentication with two characteristics that include a user name and a password, along with an additional security precaution, which may include a security question or a device registration.

    (c) Ensures that the data stored in the HIE that is used to authenticate an authorized user is encrypted to the level set by industry best practices; and

    (5) Accept as valid a third party system’s authentication of an authorized user accessing the HIE through that third party system, as long as such access and third party system:

    (a) Permits the HIE to audit and monitor the user’s HIE activities; and

    (b) The HIE has received written assurances from the third party system that it is compliant with these regulations and all applicable federal and State privacy and security regulations.

    (6) If an HIE learns or has reason to believe that the third party system is not compliant, then it shall immediately cease acceptance of such third party system’s authentication of authorized users until the third party system demonstrates compliance to the reasonable satisfaction of the HIE.

    E. To assure that only an authorized user accesses, uses, or discloses PHI through or from an HIE, a participating organization shall comply with each of the following.

    (1) A participating organization shall designate a system administrator who is capable of carrying out the requirements set forth in §F of this regulation on behalf of the participating organization prior to exchanging any PHI through the HIE.

    (2) A participating organization shall promptly inform its system administrator of any circumstances that require any of the actions described under §F of this regulation;

    (3) A participating organization shall ensure that any third party system it uses appropriately authenticates an authorized user prior to allowing that individual access to the HIE through the third party system.

    (a) The third party system shall authenticate an authorized user at each “log in.”

    (b) The third party system shall ensure that the data stored in the system which is used to authenticate an authorized user is encrypted to the level set by industry best practices.

    (c) A participating organization shall adopt and implement a protocol to be followed by a third party system that requires a user name, a password, and an additional security precaution which may include a security question or a device registration.

    (4) A participating organization shall inform the HIE concerning the following:

    (a) The designation of the system administrator, or any change in such designation, within 5 business days of any such designation or change;

    (b) A breach or non-HIPAA violation by a person who had or has access to the HIE through the participating organization; or

    (c) An act or event that it has a reasonable basis to believe is or may be a significant violation of this chapter.

    F. The system administrator of a participating organization shall carry out each of the following measures on behalf of the participating organization.

    (1) The system administrator shall identify each authorized user within the participating organization and shall note the individual’s assigned unique user name in accordance with the most recent applicable standards issued by NIST, or other comparable standards generally adopted by the health care and HIE industry.

    (2) The system administrator and HIE shall coordinate with the Commission to determine a methodology for assigning each authorized user with a unique user name and password and to assure that all HIEs use a commonly accepted protocol to avoid the possibility of duplicate user names and passwords.

    (3) The system administrator, in coordination with the HIE, shall assign to each authorized user an access level that appropriately corresponds to that individual’s role within the participating organization and the permitted access to PHI available through the HIE on behalf of the participating organization.

    (4) The system administrator shall modify in a timely manner an authorized user’s access level as appropriate to reflect any change in that individual’s role within the participating organization; and

    (5) The system administrator shall immediately terminate access through an HIE in accordance with Regulation .07 of this chapter for any authorized user:

    (a) Who is suspended by the participating organization;

    (b) Who is no longer associated with the participating organization; or

    (c) Who no longer requires access to the HIE.

    (6) The system administrator shall attest to the HIE regarding the appropriateness of a staff member to be an authorized user and that the HIE access level assigned to that staff member corresponds to the authorized user’s role within the participating organization.