CONNECTING YOU TO BETTER CARE!

Agenda
- HealtheConnections Overview
- HIPAA
- NYS RHIO Policies and Procedures

HealtheConnections RHIO
- Formed as the highest priority of Health Advancement Collaborative of Central New York (HAC-CNY)
- What is a RHIO?
  o Non-governmental, multi-stakeholder organization that enables and oversees the business and legal issues involved in the exchange and use of health information, in a secure manner, for the purpose of promoting the improvement of health quality, safety and efficiency.
- What is a Health Information Exchange (HIE)?
  o The transmission and sharing of medical records among healthcare entities in accordance with national and state technology and security standards.
  o HIEs are an integral component of the health information technology infrastructure under development in the United States through HealtheWay (formerly Nationwide Health Information Network).

Guiding Principles
- Deliver Value
  o Services / Functionality / Cost
- Drive Usage
  o Increase Participation and Use
- Develop and Maintain Regional Provider and Patient Trust
- Provide Valued Services to all Regional Participants, With or Without an EMR

Regional Participants
- Hospitals
- Practices
- Public Health
- FQHCs
- Labs and Radiology Centers
- Other Healthcare Providers
Cayuga, Cortland, Herkimer, Jefferson, Lewis, Onondaga, Oneida, Oswego, Madison, Tompkins, St. Lawrence

HIE Services
- Patient Lookup
  o Consolidated View of Patient Health Records
- Image Exchange
  o Diagnostic Quality Image Viewer
  o Image Enabled Results Delivery
- myalerts
  o Patient ED Admit
  o Patient Inpatient Admit
  o Patient Discharge
- Direct Mail
  o Exchange Clinical Data through Secure Mail
- Results Access & Delivery
  o Automated Delivery of Patient Records where Provider is Named To Connected EHRs
  o Summary View of Clinical Results where Provider is Named
- Query Based Exchange
  o EHR-to-HIE Patient Query
- SHIN-NY
  o Statewide Patient Lookup
- NYS Public Health
  o Immunization
  o Syndromic Surveillance
- National Network
  o VA, DoD
- emolst (Advanced Directives)

HIPAA
First and foremost, HIPAA privacy and security rules must be followed for using the Health Information Exchange (HIE) including, but not limited to, rules such as:
- Minimum Necessary
- Do not share your login credentials with anyone
- Do not look up yourself, family members, or friends
For more information on HIPAA, visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html

Consent
- HealtheConnections requires an informed consent, with a signed form by the patient or their representative for each Participating Organization where s/he is a patient
- The form can be either paper or electronic
- The patient can change their selection at any time by completing a new form at the Participating Organization
- Consent is required to access and view a patient's PHI in the HIE
- Consent is not required for:
  o Data sources to upload patient medical records to the HIE
  o One to One Exchanges
  o Emergency Situations
  o De-identified Data
  o Public Health Reporting
- Break-the-Glass access is for emergency situations only!

Audits
All Participants are subject to periodic auditing including, but not limited to:
- Patient Consent Forms
  o Retained by Participant for 6 years
  o HeC provides sample size file of patient consents to Participant for validation
  o Participant to submit proof of signed consent forms, as requested
  o Participants complete attestation form to validate consents and return to HeC within one (1) week
- Patient Accesses
  o HeC provides a report of patients whose Protected Health Information (PHI) was accessed, type of PHI accessed, user who accessed PHI, date and time of access
  o Participants complete attestation form to validate accesses and return to HeC within one (1) week
- Break-the-Glass (BTG) Reports
  o HeC provides daily BTG reports to Participants
  o Participants complete attestation form to confirm proper use of BTG and return to HeC within one (1) week
- Authorized User Application Forms
  o Retained by Participant for 6 years
  o Participant to submit proof of signed forms, as requested
- Annual Refresher Training Forms
  o Retained by Participant for 6 years
  o Participant to submit proof of signed forms, as requested

Participant Audit Requests
- A participating organization may request an audit in the event of a suspected breach
- The request may be made by the RHIO Administrator or the Audit Recipient
- The Audit includes:
  o Authorized user who accessed the patient's Protected Health Information (PHI) in the last 6 years
  o The Participant through which the Authorized User accessed the PHI
  o Date and Time of the access
  o Type of PHI accessed
- A patient's affirmative consent must be on file
- The Audit Report will be provided within 10 days of receipt of the request

Patient Audit Requests
- A patient may request an audit of their records accessed in the HIE by:
  o Visiting the HealtheConnections office, with proof of identity
  o Having their provider, an HeC Participant, make the request on their behalf
- The Audit includes:
  o Authorized user who accessed the patient's Protected Health Information (PHI) in the last 6 years
  o The Participant through which the Authorized User accessed the PHI
  o Date and Time of the access
  o Type of PHI accessed
- The Audit Report will be provided to the patient within 10 days of receipt of the request

Breaches
- HeC and its Participants must notify each other of any actual or suspected breaches
- HeC (and the Participant) will investigate the incident
- If a breach has occurred, HeC will:
  o Notify any Participants whose PHI was the subject of the breach
  o Notify (or require Participant to notify) the patient(s) whose PHI was breached
  o Notify any applicable regulatory agencies, as appropriate
  o Determine disciplinary and/or other sanctions, as appropriate

Sensitive Data
Consent allows access to sensitive health conditions, including but not limited to:
- Alcohol or drug use problems/treatment
- Birth control and abortion (family planning)
- Genetic (inherited) diseases or tests
- Any mention of HIV/AIDS
- Mental health conditions
- Sexually transmitted diseases

Access at Multiple Facilities
- Many users have access to the HIE for treating patients at different facilities
- The user will only need one* login and password; however, when logging in, the user must select the facility for which patient records are being accessed
- Remember that a patient's consent only applies to that facility
* Public Health users may require 2 logins if they use the HIE as a clinical user (consent is required) and as a Public Health user (consent is not required)

Other Accesses
Public Health Organizations
- May access Protected Health Information without consent to:
  o Investigate cases of communicable diseases
  o Ascertain sources of infection
  o Conduct investigations to assist in reducing morbidity and mortality
  o Investigate suspected or confirmed cases of lead poisoning
Organ Procurement
- May access Protected Health Information without consent for the purposes of facilitating organ, eye or tissue donation and transplant
These organizations, while not required to consent, are still subject to Auditing

Sending PHI
PHI should be handled in one of the following ways:
- Via Direct Mail
- Via FAX
- Via email only if the PHI file is encrypted and/or password-protected

Your RHIO Administrator
Participant RHIO Administrators are an important asset and assist HealtheConnections in the following ways:
- Approve and request HIE accounts for authenticated Authorized Users and notify HeC to terminate accesses
- Key contact point for updates and notifications, especially for HeC Policy and Procedure changes
- Ensure compliance of policies
- Report breaches and coordinate investigation
- May be the designated Audit Report recipient for their organization

Reminders
- HealtheConnections Support:
  o Email: support@healtheconnections.org
  o Phone: 315.671.2241 x5
  o Fax: 315.407.0053
- Forms are available at: http://www.healtheconnections.org/what-wedo/hie-services/training-materials/
- Use Forgot Password on the myconnections login page for quick and easy password resets

Congratulations!
Visit us: www.healtheconnections.org