IHDE Privacy & Security Policy
The Idaho Health Data Exchange (IHDE) Privacy and Security Statement applies to the access, use and disclosure of protected health information by Participants through the Idaho Health Data Exchange.
“Participants” are those which provide data to IHDE and those which obtain, and use, data from IHDE – they are either health care providers, or health plans. All Participants are covered entities under HIPAA.
IHDE is a “Business Associate” (BA) of the Participants. IHDE accepts and agrees to follow terms applicable to the privacy of protected health information by its Business Associate Agreement (BAA) with each Participant.
Definitions
Authorization. “Authorization” shall mean permission from the patient to use or disclose protected health information required when the use or disclosure is not permitted under HIPAA.
Covered Entity. “Covered Entity” shall have the same meaning as the term “Covered Entity” in 45 CFR 160.103.
Health Care Provider. “Health Care Provider” shall mean any individual, institution, or agency that provides health services to health care consumers.
HIPAA. “HIPAA” shall mean the Health Insurance Portability and Accountability Act of 1996 and the HIPAA regulations promulgated at 45 CFR (Code of Federal Regulations) Parts 160, 162, and 164.
Idaho Health Data Exchange (IHDE). “Idaho Health Data Exchange (IHDE)” shall mean the secure electronic Health Information Network for the State of Idaho.
Organization. “Organization” shall mean any individual or group of individuals registered with and participating in the IHDE that may provide, make available, or request PHI through the IHDE.
Participant. “Participant” shall mean a member of Idaho Health Data Exchange including healthcare institutions, clinics, providers, labs and payers, that have current Participation Agreements with the IHDE.
Protected Health Information (PHI). “Protected Health Information” shall have the same meaning as the term “Protected Health Information” in 45 C.F.R.
- 160.103 and 164.501
Privacy
Individual Participation and Control of Information
Choice to Restrict Future Disclosures. Every patient has the right to limit Participants’ access to health information about him or her after the information is delivered to IHDE. Unless an individual completes the process to limit Participants’ access to information about the individual through IHDE, the information on that individual will be made accessible to Participants through IHDE.
Request to Restrict Notification. Participants have the responsibility to inform individuals how to Opt-Out of having their information shared in IHDE.
Submission of a Request to Restrict Access. An individual choosing to restrict Participants’ access to his or her IHDE information must submit an Opt-Out request directly to IHDE.
Effect of Choice. A decision to restrict access only affects the availability of the individual’s protected health information (PHI) through IHDE. A Participant who queries an individual who has Opted-Out will see only the name and date of birth of the individual along with a notification that the individual has “opted out” of sharing his or her information in IHDE.
A request for a restriction affects all Participants’ future access to the individual’s information not just with respect to a Participant or episode of care.
In the IHDE system, the consent status of an individual who has restricted access to his or her medical information will be set to “opt Out”.
Revocation. An individual may revoke a prior election to restrict data later. No information regarding an individual who has requested IHDE not share information with Participants shall be made accessible through IHDE unless or until the individual revokes his or her decision. The request to opt back in to allow IHDE to transmit information must be submitted to IHDE in writing. Information on the individual can be made accessible in IHDE, with effective date he or she requests to ed the restriction.
Withdrawing a restriction will result in information that was previously unavailable through IHDE becoming available to all IHDE Participants.
Provision of Coverage or Care. A Participant shall not withhold coverage or care from an individual based on that individual’s choice not to have information about him or her accessible through IHDE.
Uses and Disclosures of Health Information
All uses and disclosures of health information through IHDE shall be for the purpose of treatment, payment and health care operations, as permitted by applicable laws and regulations. Each Participant shall provide or request health information through IHDE only to the extent necessary. Information shall not be requested for marketing or marketing related purposes. Under no circumstances shall information be requested for a discriminatory purpose. Information contained in the Idaho Health Data Exchange shall not be used for setting rates or premium amounts.
- Access Logs. IHDE shall maintain an access log. The access log is a list of all individual files requested from IHDE.
- Individuals who are concerned about inappropriate access of their health information may request an access audit. Access audits are propriety information and will not be shared with any outside entity.
- Each Participant shall follow uniform minimum authentication requirements as specified in the IHDE Security Safeguards Policy for verifying and authenticating those within their organizations who shall have access to, as well as other Participants who request access to information through IHDE.
Information Subject to Special Protection
Certain health information may be subject to special protection under federal, state, and/or local laws and regulations such as substance abuse and mental health. Each Participant is responsible for complying with such laws and regulations. A minimum common list of special protection orders/results/codes/diagnosis codes, etc. will be identified for uniform use across IHDE. Participants are free to further restrict special protection health information as they desire.
Workforce, Agents, and Contractors
System Access. Each Participant shall request access to IHDE for only those workforce members, agents, and contractors who have a legitimate business need to use IHDE to release or obtain information. Prior to being granted access to IHDE, any workforce member, agent, or contractor must be trained on IHDE Policy.
Participants must adhere to the Security Safeguards Policy for IHDE and maintain appropriate administrative, technical, and physical safeguards to prevent any unauthorized use or disclosure of PHI pursuant to HIPAA standards.
Reporting of Non-Compliance. Each Participant shall have a mechanism for reporting any non-compliance of IHDE Policy, and shall require all workforce members, agents, and contractors to report any non-compliance to the Participant. Participants shall investigate and take appropriate corrective action on any internally reported non-compliance. Participants shall notify IHDE regarding instances of significant non-compliance
Discipline for Non-Compliance. The IHDE reserves the right to terminate Participant user access based on non-compliance with IHDE Policy.
Amendment of Data
Each Participant shall comply with applicable federal, state and local laws and regulations regarding individual rights to request amendment of health information. When a Participant accepts a request for an amendment of health information, the Participant shall contact IHDE to request a list of Participants who have accessed that data and the contact information for those Participants and notify those Participants within a reasonable time, if the recipient organization may have relied or could expect to rely on the information to the detriment of the individual.
Mitigation
The Participant is responsible to mitigate any breach or improper disclosure of PHI committed by the Participant, or its workforce members, agents, and contractors at the Participant’s office in accordance with laws, rules, regulations, or guidelines established by state or federal regulations.
IHDE is responsible to mitigate any unsecured (unencrypted) breach or improper disclosure of PHI committed by IHDE, its workforce members, agents, contractors and vendors in accordance with laws, rules, regulations, or guidelines established by state or federal regulations.
Security
Compliance with Law
This statement describes IHDE’s expectations in the areas of administrative, technical, and physical safeguards. HIPAA regulations provide some specifics regarding what the Federal Government requires in the area of safeguarding PHI.
The Participant is responsible to maintain appropriate administrative, technical, and physical safeguards to prevent unauthorized use or disclosure of PHI pursuant to HIPAA standards found at 45 C.F.R. § 164.530(c). Efforts to safeguard PHI must be appropriate to the situation and regarding effort and expense. Participants administratively responsible for handling PHI shall ensure their processes and practices are in compliance with the HIPAA security rule and IHDE policies and standards.
Responsibility. The Participant shall have appropriate organizational policies regarding protecting PHI. The direct responsibility to comply with this Policy resides with the Participant. Owners of the non-IHDE electronic and paper systems containing PHI bear the responsibility for any labor and/or expenses associated with bringing their systems and processes into compliance with these Policies and the HIPAA security rule.
Technical Requirements
Technical aspects associated with ensuring the privacy and security of PHI may require the expertise of information technology professionals. In those situations, the Participant is responsible for acquiring expertise to ensure the privacy and security of PHI.
Participant Responsibilities
User Authentication. Participants must have an account creation process to grant workforce members, agents and contractors’ access to the IHDE. Access to the IHDE or systems connected to the IHDE shall be granted only after the account creation process has been completed.
Components of the account creation process shall include positive identification of the individual, determination of the person’s roles and access requirements, training of the individual regarding proper use of the account and IHDE policies, as well as written acceptance of IHDE and Participant level policies regarding appropriate use of the resources.
Account Access. Every Participant user granted access to the IHDE shall have a unique username and password. Group logins are not allowed. Users must log out of or “lock” their computer systems when not in use to reduce the risk of improper access to the IHDE.
Security Audit Log. IHDE shall maintain a security audit log or chronological record of system activities to enable the reconstruction, review and examination of access to records in the IHDE. If the IHDE has reasonable cause to believe that the Participant user access of the system is not in compliance with these Policies, IHDE shall have the right to conduct an audit of transactions and access to records in the IHDE.
Data Transmission. Data transmitted via the Internet using the IHDE shall be encrypted according to industry-accepted methods.
Fax Machines. Fax machines used to receive information from the IHDE shall be placed in locations secured from the public.
Physical. Participants shall restrict access to the physical location of computers used to access the IHDE portal.
Discipline for Non-Compliance. Each Participant shall implement procedures to hold workforce members, agents, and contractors accountable for compliance with IHDE Security Safeguards policies. Such procedures shall also include disciplinary measures for non-compliance. Disciplinary measures may include verbal or written warnings, demotion, suspension or termination. The IHDE reserves the right to terminate Participant user access based on non-compliance with IHDE Policies.