Camden HIE Policies and Procedures Overview

Updated 2/26/2015


Agenda

• Purpose of Presentation

• Development of Policies and Procedures

• Policies (1-17)

• Authorized User Agreement


Purpose of Presentation

• To present an overview of each of the Camden HIE Policies and Procedures

• To encourage discussions of the policies and procedures to foster better understanding

• To give Authorized Users an understanding of which policy to reference in response to a given situation


Development of Policies and Procedures

Research

• Reached out to Virtua Hospital and Trenton Health Team for copies of Policies & Procedures

• Conducted research internally at state level and national level

• Borrowed some language from areas of research in addition to creating some of the language

Drafts

• Presentations at Oversight Committee meetings

• Enhanced/ updated drafts based on feedback

• Working group in October 2014

Approval

• Final draft put together based on additional agreed-upon revisions

• Each hospital reviewed for vote and approval

Policies are approved with the understanding that additional policies or amendments will be added to accommodate health care IT


Governance and Oversight

• Consists of representatives from Participants that are Health Care Providers

• Strives to operate through consensus

• Must be unanimous on:

• Approval/ amendments

• Use Cases

• Examples of Areas of Oversight:

• Development and approval of Policies, Participation Agreement and Use Cases

• Addition of new Participants and Data types

• Camden HIE Technology

• Camden HIE Services

• Involvement in efforts to connect Camden HIE to other HIEs

Policy 17

• To establish and define the responsibilities of a decision-making and governing body for the Camden HIE


Policy 1- Scope and Definitions

• Data

• Protected Health Information (PHI) and Individually Identifiable Health Information (IIHI) as defined under HIPAA

• Pushing vs. Pulling Data

• To “push” data means that data within the Participant is sent to the Camden HIE

• To “pull” data means that the data within the Camden HIE is accessed, viewed or copied either onto a viewing screen or into a Participant’s EMR or own repository

Scope

• The policies and procedures described in the Camden HIE Policy Manual apply to all Participants and Authorized Users accessing the Camden Health Information Exchange

• Intended to ensure that the Camden HIE is used in an effective, efficient, ethical and lawful manner


Policy 1- Scope and Definitions

• Authorized User

• An individual designated by a Participant who has signed an Authorized User Agreement

• Authorized to access and use Data

• Participant

• A party at entity level that has entered into a Participation Agreement with the Camden HIE

• Health Care Provider

• A physician, group practice, hospital or health system, or other health care organization or professional that provides treatment to Patients

• Covered Entity

• A health plan, a health care clearinghouse, or a health care provider who transmits any health information in electronic form in connection with a transaction


Policy 2- Patient Participation and Choice

• All Patient Data made available to the Participant may be included in the Camden HIE, but it does not automatically permit Participants’ and Authorized Users’ access

• Patients can choose to be excluded from the Camden HIE by opting out

• The request must be made in writing

• Participants are required to develop workflows to ensure that the Patient’s Data is not accessible to the Camden HIE

• “All or none”- a patient cannot choose to include certain data and omit other data

• Health Care Providers who are also Authorized Users must educate the Patient on the Camden HIE and the Opt-Out process

Purpose of Policy 2

• To define procedures ensuring that Patients understand how their information will be used through the Camden HIE and are given the right to “Opt-out” of having their information in the Camden HIE made available for access


Policy 3- Participants and Authorized Users

• Examples of eligible Participants

• Physicians/Physician Practices

• Hospitals

• Clinical Laboratories

• Affiliated HIEs

• Governmental agencies

• Other licensed Health Care Providers (e.g., Home Health Agencies)

• Examples of eligible Authorized Users

• Physicians/Physician Practices

• Clinical staff

• IT staff

• Administrative staff with HIE responsibilities

Purpose of Policy 3

• To define the agreements and necessary procedures required of a Health Care Provider or other organization to become a Participant in the Camden HIE

• Only Health Care Providers and organizations found eligible and approved by the Coalition may be Participants in the Camden HIE

• Authorized Users must be authorized by a Participant to qualify to use the Camden HIE


Policy 3 (continued)

• Each Participant shall appoint a point of contact for all matters related to the Camden HIE

• Each individual authorized by a Participant to be an Authorized User must execute an Authorized User agreement

• The Coalition approves/rejects all those who seek to become a Participant

• Each Authorized User must undergo annual training


Policy 4- Compliance with Law

• Reasonable effort should be made to stay abreast of changes/updates to all applicable federal, state and local laws/regulations related to Data

• Camden HIE policies may be updated; notice of change will be made to Participants

• Participants are responsible for appropriate internal policies and procedures to ensure compliance

• The more restrictive/protective standards will apply to conduct by Participants and Authorized Users in regards to the Camden HIE

Purpose of Policy 4

• To ensure that each Participant and Authorized User shall, at all times, comply with this Camden HIE Policy Manual, Camden HIE standards and requirements, and all applicable federal, state, and local laws and regulations

• These include, but are not limited to, those protecting the confidentiality and security of individually identifiable health information and establishing certain individual privacy rights


Policy 5- HIPAA Notice of Privacy Practices

• Each Participant that is a Covered Entity shall develop, distribute and maintain an NPP that complies with federal and state laws, and the Camden HIE Policy Manual

• Required to obtain a Patient’s written acknowledgment of the NPP, lasting 6 years from date

• Participants may choose a more proactive and/or detailed NPP so long as it does not otherwise conflict with or fall below the minimum requirements

• The NPP shall include:

• A description of the Camden HIE

• What information may be included and accessible

• Who is able to access information

• Permitted Uses for which PHI can be accessed

• Opt-out process

Purpose of Policy 5

• To ensure that Patients have the opportunity to review a HIPAA Notice of Privacy Practices that adequately addresses a Participant’s specific privacy practices with respect to the exchange of Data through the Camden HIE


Policy 6- Patient Rights

• Patient’s Rights:

• Access to data, through a formal process

• Accounting of Disclosure, through a formal process

• Amendment of Data- if Participant accepts, reasonable efforts must be made to inform other Participants

• Restriction to data, through opt-out process

• Participant’s Responsibilities:

• Authorizing use/disclosure of data

• Limiting Patient access to Data to that Participant’s respective medical records maintained on the Patient

• Receive requests for Data from the Camden HIE

Purpose of Policy 6

• To ensure that the Coalition shall afford Patients the full scope of rights in accordance with HIPAA, HITECH, and other federal and state laws


Policy 7- Access

• Access to the Camden HIE shall be granted only to individuals with a legitimate need to access Data based upon their role

• All Authorized Users must sign an Authorized User Agreement and all Participants must execute a Business Associates Agreement

• Access can be removed or disabled as appropriate

• Participants are responsible for notifying the Coalition if an Authorized User’s access has been removed, suspended or modified

• Authorized Users are not permitted to enter or access Data using another person’s password

Purpose of Policy 7

• To set forth standards for verifying and authenticating the identity and the authority of an Authorized User requesting Data through the Camden HIE


Policy 8- Authentication

• The identity of Authorized Users shall be authenticated before access to the Camden HIE is granted

• Each Participant shall verify and authenticate the identity of their Authorized Users who shall have access to Data through the Camden HIE

• Initial identity-proofing procedures will require Authorized Users to provide identifying materials and information upon registration as an Authorized User

Purpose of Policy 8

• To implement minimum standards for authentication of Authorized Users prior to their accessing Data through the Camden HIE


Policy 9- Permitted Uses

• All disclosures of Data and use of the information shall be consistent with all applicable federal, state and local laws and regulations

• Participants are responsible for ensuring that certain documentation exists or that other conditions are met prior to using or disclosing Data, if applicable under law

• Authorized Users shall send any Data through any properly encrypted means

• Five (5) agreed-upon Use Cases, fully detailed in policy manual

Purpose of Policy 9

• To ensure that Data is used and accessed only as permitted under federal and state law and these Camden HIE Policies

• To ensure that Participants and Authorized Users have proper measures and safeguards in place to assure that Data is used only for Permitted Uses


Policy 9- HIE Permitted Use Cases

For the provision, coordination, or management of health care and related services

#1: Treatment

• Outpatient clinical provider accesses Data for Patient’s follow-up office visit

• Care Coordination team reviews to determine whether hospitalized Patient is a candidate for care coordination intervention

• Clinical provider at county jail reviews records contained in HIE for incarcerated Patient at jail’s health clinic

• Emergency room physician reviews Data when Patient presents at ED

• Managed care organization’s care coordinator accesses HIE Data in connection with developing care coordination plan for MCO member

• Coalition’s care coordination team records medication reconciliation and care coordination activities in HIE


Policy 9- HIE Permitted Use Cases

For the creation of an Accountable Care Registry (ACR) to track Patients by primary care practice and payer. Includes practices’ Patient records, Patient capitation lists from MCOs, and hospital records.

#2: Population Health and ACO

• Primary Care Practice receives daily report of ED and inpatient admission and contacts Patient and hospital to coordinate care

• Care coordination team uses data for outreach and follow up appointments


Policy 9- HIE Permitted Use Cases

#3: Health Care Operations

• Coalition staff analyzes data for better understanding of patient population

• Evaluate impact of clinical intervention

#4: Population Health- Camden Health Explorer

• A publicly available website that allows users to observe real-time hospital-utilization and other population health trends in anonymized Data

• Coalition and analysts transfer HIE Data to the Coalition’s secure server, where it will then be cleaned, analyzed, and de-identified by Coalition staff and its business associate, BlueLabs, before becoming part of the Health Explorer

#5: Health Care Research

• If approved by the Institutional Review Board, researchers may use HIE Data to perform health care research

• Coalition may construct a limited data set of Emergency Department and inpatient encounters for treatment and control groups in the Randomized Control Test to be shared with researchers


Policy 10- Breach Notification

• The Coalition is required to report any breach of PHI to the relevant HIE Participants

• Any Participant or Authorized User that has reason to believe that a Breach has or may have occurred shall promptly report such information to the Coalition

• Coalition will activate the Breach Investigation Committee, made up of representatives from each Health Care Provider that contributes Data, to conduct the investigation

• Coalition will retain all documentation regarding breaches, including copies of breach notifications sent in accordance with this policy

• Note: Refer to example Press Statement in full Policies and Procedures document

Purpose of Policy 10

• To establish the Coalition’s policy and procedure regarding reporting to Camden HIE Participants Breaches of Protected Health Information (PHI) relating to the Camden HIE, when such reporting is required under HITECH and the Coalition’s Participation Agreements with Participants


Policy 10- Breach Timeline

Discovery of the Breach- Coalition and relevant Participants conduct initial assessment

Coalition notifies relevant Participants within 48 hours

• Breach Investigation Committee comes together

Breach Investigation Committee conducts a full risk assessment within 10 days of discovery

Coalition submits final written report to Participants within 15 days of discovery

Recipients of full report submit comments within 24 hours of receiving report

• Allowing anyone to add “their side of the story”


Policy 10- Actions related to Breach

• Committee will presume that a potential Breach is a Breach unless it determines that there was a low probability that PHI was/will be compromised

• Possible temporary actions to mitigate risk of harm:

• Preventing an otherwise Authorized User from accessing the Camden HIE

• Preventing a specific Participant from accessing the Camden HIE

• Preventing all Participants from accessing the Camden HIE

• Depending on the outcome of the investigation, temporary actions may become permanent


Policy 10- Documents related to Breach

• Written report

• Brief description of what happened, including date of breach and date of discovery

• Type of unsecured PHI involved in the breach

• Brief description of what the Coalition/CareEvolution is doing to investigate the breach and mitigate any harmful effects

• Brief description of any corrective action the Coalition has taken or will take to prevent future similar unauthorized uses or disclosures

• Risk Assessment

• Nature and extent of the PHI involved

• Unauthorized person who used the PHI or to whom the disclosure was made

• Whether PHI was actually acquired or viewed

• Extent to which the risk to the PHI has been mitigated


Policy 11- Special Protection

• Example categories of Sensitive Information:

• HIV/AIDS

• Venereal Diseases

• Drug or Alcohol Addiction Treatment Records

• Mental Health Facility Records, Behavioral Health Information

• “Psychotherapy Notes”

• Genetic Information

• Minor’s Emancipated Treatment

• Data related to services paid for “out of pocket” in full by a Patient or representative on behalf of Patient

Purpose of Policy 11

• To ensure that certain Data subject to “Special Protection” is not accessed or disclosed except in strict accordance with State and federal law

• Camden HIE shall ensure such Data is afforded specific procedural, technological and/or other safeguards as may be necessary and appropriate


Policy 11 (continued)

• Must comply with standards and requirements in the Camden HIE Policy Manual and with applicable federal/state laws before allowing access of Sensitive Information

• Required to obtain Patients’ written consent that includes explicit reference to access of Sensitive Information prior to accessing records

• Consent must be obtained for each episode of treatment, lasting no more than 6 months

• Copies of Patient consent must be maintained by the Participant

• Participants and Authorized Users shall not re-disclose Sensitive Information that is under Special Protection

• Sanctions for non-compliance with this policy will be imposed in accordance with the Camden HIE “Enforcement and Penalties” policy (policy #15)


Policy 12- Minimum Use Necessary

• Participants and Authorized Users will only access the minimum amount of Data necessary

• As allowed under HIPAA, access to Data for Treatment of a patient is not subject to minimum necessary requirements

• A Participant or Authorized User must not disclose an entire medical record except when specifically justified and necessary

Purpose of Policy 13

• To promote the privacy principles of collection limitation, use limitation, data integrity and quality and security safeguards and controls


Policy 13- Auditing and Education

• Periodic audits shall be conducted by representatives of the Coalition

• Coalition and affiliated Authorized Users shall be subject to the same audit requirements, conducted by an external party

• Coalition representatives will perform mandatory ad hoc audits in response to complaints

• Authorized Users shall cooperate with and participate in periodic and ad hoc audit procedures

• Includes site visits and required documentation within ten (10) calendar days of notification

Purpose of Policy 13

• To ensure proper access, use and confidentiality of PHI accessed through the Camden HIE by Authorized Users

• To verify compliance with access controls and administrative and other safeguards

• To provide appropriate education, mitigation, monitoring and reporting of inappropriate access, use or disclosure


Policy 13A- HIE Audit Elements

| Level | Report | Frequency |
| --- | --- | --- |
| Community | # of Participants (i.e., clinics) | Quarterly |
| Community | # of Authorized Users | Quarterly |
| User | # of logins | Monthly |
| User | # of Patient records accessed | Monthly |
| Clinic | Number of Patients opted out and associated Authorized User | Monthly |
| Clinic | Patient consents | Semi-annually |
| Enterprise | # of orphan entries | Semi-annually |
| Enterprise | # of MPI duplicates | Semi-annually |
| Enterprise | Regression testing | Ad hoc |


Policy 13B- Education Schedule

| Level | Description | Frequency |
| --- | --- | --- |
| All Users | HIPAA and security protocols | Annually |
| Registration | Patient consenting | Annually |
| All Users | Updates to HIE Policy Manual | Ad hoc |
| All Users | Updates to HIE system and/or new functionality | Ad hoc |


Policy 14- Data Quality and Integrity

• Participants and Authorized Users must take reasonable steps to ensure that Data shared through the Camden HIE is accurate, complete and up-to-date

• Each Participant’s EMR must have technical capacity to push updates or allow Participant updates

• Data errors will be resolved by the Camden HIE, the Coalition and CareEvolution staff through discussions with Participants

• Periodic audits of Camden HIE Data can include:

• Accuracy of data available to Authorized Users

• Completeness of the data available to Authorized Users

• Timeliness of data available to Authorized Users

http://www.camdenhealth.org/hie-error-tracking/

Purpose of Policy 14

• To ensure that Patient Data accessed through the HIE is complete, accurate and available to Participants and Authorized Users

• To ensure that this Data has not been altered or destroyed in an unauthorized manner


Policy 15- Enforcement and Penalties

• Participant responsibilities:

• Require compliance by all Authorized Users, employees, agents and contractors

• Require Authorized Users to report suspected violations to Participant

• Take disciplinary action when violation occurs

• Report suspected violations to the Camden HIE Staff Director

• Coalition responsibilities:

• Conduct an inquiry if there is reason to suspect a violation

• Present findings to Oversight Committee

• Oversight Committee responsibilities:

• Take further action regarding violation inquiry

• Record decision in a Determination Letter within 48 hours of final vote

• Follow all federal and state laws regarding reporting legal violations to proper authorities

Purpose of Policy 15

• To provide a response process for when a Camden HIE Participant or its users are suspected of or determined to be violating any Camden HIE Policy, or any federal or state law governing the use and disclosure of Patient Data


Policy 15- Penalties

• Examples of sanctions:

• Extended period of suspension from the Camden HIE

• Established probationary period for restricted use of the Camden HIE

• Termination of use of the Camden HIE

• In its discretion, the Oversight Committee may issue a sanction against a Participant and its entire staff of Authorized Users, or an individual Authorized User with regard to accessing the Camden HIE

• Any Authorized User or Participant shall have the opportunity to appeal a Determination that imposes sanctions


Policy 16- Complaints

• Procedures for complaint process will be made known through education materials and online resources: http://www.camdenhealth.org/feedback/

• Any general complaint will be forwarded to the Coalition for handling

• Complaint process DOES NOT limit or change rights that a Patient has to file a HIPAA complaint regarding a Health Care Provider’s privacy practices

• Complaints may be submitted anonymously

• Copies of complaints and outcomes will be documented in the Camden HIE Complaint log

Purpose of Policy 16

• To ensure that there is a process by which Patients may complain and/or make suggestions or comments about practices or activities related to the Camden HIE and/or its Participants and Authorized Users


Next Steps- Authorized User Agreement

• All individuals with access to the Camden HIE must sign an Authorized User Agreement

• Binds individual to policies, procedures and standards of the Camden HIE

• Includes 24 terms and conditions

• References Participation Agreement between employer and Coalition

• Authorized User Agreement electronic signature when accessing the Camden HIE


Contact information

• Christine McBride, Program Assistant, HIE

• 856-365-9510 ext. 2082

[email protected]

• Abigail Fallen, Sr. Program Manager, HIE

• 856-365-9510 ext. 2010

[email protected]


Appendix