Sec. 10.25.18.07. Remedial Actions to Be Taken by an HIE  

    A. An HIE shall immediately suspend a person’s access to the HIE when it is necessary to avoid serious harm to the privacy or security of health information accessed, used, or disclosed through or from the HIE.

    (1) An HIE may, in its sole discretion, suspend a person’s access to the HIE pursuant to this section before an investigation under Regulation .07B of this chapter is completed. In addition, if the HIE determines that serious harm to the privacy or security of health information or an ongoing risk of improper use, access, maintenance, or disclosure of PHI may occur prior to conclusion of an investigation, it shall suspend a person’s access to the HIE pursuant to this section before an investigation is complete.

    (2) Such suspension shall continue until the underlying threat to the privacy or security of health information is contained.

    B. An HIE shall conduct an investigation if there is reason to believe that a breach or non-HIPAA violation has occurred.

    (1) The HIE shall begin the investigation upon learning of the allegations giving rise to a potential breach or violation.

    (2) The HIE shall conduct the investigation in a thorough, timely, professional manner and take all necessary actions to gather information concerning the potential breach or violation that reflects the size and scope of such potential breach or violation.

    (3) If appropriate, an investigation shall include an audit under Regulation .06 of this chapter.

    (4) Upon the completion of an investigation, which shall not exceed 14 business days, an HIE shall:

    (a) Make a written finding describing the results of an investigation and provide a copy to the Commission; and

    (b) Maintain records of each investigation (audits, complaints, breaches, non-HIPAA violations) for at least 5 years from the date of completion of such investigation or 5 years from the date a minor patient becomes an adult, whichever is longer.

    C. If an HIE has a reasonable belief that a non-HIPAA violation or breach under HIPAA has occurred, either as a result of an investigation or otherwise, the HIE shall carry out the following actions. Unless another time period is set forth below, the HIE shall act within 10 business days after acquiring the reasonable belief.

    (1) The HIE shall determine any remedial action necessary to address the breach or violation;

    (a) The HIE may require that a remedial action include steps to correct an underlying problem.

    (b) The HIE shall provide an appropriate and reasonable time frame for implementing the remedial action.

    (2) The HIE shall provide the following to the Commission, to the participating organization, and to each person whom the investigation indicates may have committed a breach or violation:

    (a) A copy of the findings of the investigation, excluding any sensitive health information;

    (b) Each remedial action to be taken by each person and the associated time frame of the remedial action;

    (c) Any action necessary to mitigate the harm that may be caused by the breach or the non-HIPAA violation;

    (d) The person that is responsible for carrying out each action to mitigate harm; and

    (e) Any future action that the HIE may take, including suspension, if the person does not comply with the remedial action.

    (3) The HIE shall immediately suspend access for an authorized user or participating organization when one of the following occurs:

    (a) Available information demonstrates a significant breach by a person;

    (b) Available information demonstrates a significant non-HIPAA violation by a person;

    (c) Available information demonstrates a violation of State or federal law relevant to privacy or security by a person;

    (d) A person has sold health information accessed through the HIE in violation of these regulations;

    (e) A person has failed to carry out the remedial actions identified by the HIE; or

    (f) The Commission issues a request for suspension of a person as provided in Regulation .09 of this chapter.

    (4) The HIE shall notify the health care consumer pursuant to Regulation .08 of this chapter, if such notification is required under applicable law, including HIPAA, or if so directed by the Commission due to the seriousness of the non-HIPAA violation.

    D. After verifying that each remedial action is complete, an HIE may reinstate a person’s authorization to access information through the HIE provided that:

    (1) The Commission has not revoked the person’s access to the HIE as provided in Regulation .09 of this chapter; and

    (2) The HIE modifies the person’s access as needed to ensure compliance with this chapter.

    E. A person may file a written notice or request with the Commission that the Commission review an HIE’s action under Regulation .07 of this chapter when the person has reason to believe that the HIE has acted inappropriately.

    (1) A request for review shall be filed within 30 days after the person knew or had reason to know of the HIE’s action in question;

    (2) The request for review shall set forth each reason why the person believes that the HIE’s action is inappropriate.

    (3) The Commission may determine that no investigation is necessary or may take action under Regulation .09C.

    F. An HIE shall provide notice of each suspension and each reinstatement of a person’s authorization to access information through an HIE in the following manner:

    (1) The HIE shall send an electronic notice to the person who is the subject of the action within 24 hours of the suspension or the reinstatement and to the Commission on a monthly basis.

    (2) The notice shall include:

    (a) The name of the person who is the subject of the action;

    (b) The name of any affected participating organization;

    (c) The basis for the suspension or reinstatement; and

    (d) The effective date of the suspension or reinstatement.

    (3) The notice shall not include PHI.

    (4) The notice shall not be considered confidential.