I. Purpose. Applicability of Policies. NATE-Policy #3.c.1

Transcription

1 Subject: NATE-QE Eligibility Criteria for: Policy #: 3.c.1 Provider to Provider for Treatment Trust Profile (P2P4Tx) Status: Approved Approved/Authorized By: NATE Board of Directors Date Approved: 10/29/2013 Effective Date:10/29/2013 Version: 1.1 Pages: 9 I. Purpose This Policy defines the Provider to Provider for Treatment Purposes (P2P4Tx) eligibility criteria for inclusion of a NATE-Qualified Entity (NATE-QE) into this NATE Trust Profile. II. Applicability of Policies This profile applies to the following: Member states responsible for promoting HIOs that implement Direct (HISPs) in their state that satisfy the criteria of the P2P4Tx profile. HIOs (HISPs) that implement Direct as a mode of exchange interested in being promoted to the NATE P2P4Tx Trust Bundle. The NATE Trust Bundle Coordinator and others involved in related functions. III. Policy NATE-QE (P2P4Tx) eligibility criteria are grouped into two sets: The first set are found in section A Policies for Trust Profiles using Direct ; and The second set are found in section B Obligations of the Parties to the NATE-QE s (P2P4Tx) Participant Agreement A Member State shall confirm that candidate NATE-QEs satisfy each and all Eligibility Criteria of both sets A & B prior to causing the NATE-QE to be added to the NATE Trust Community conforming to this Trust Profile. Page 1

2 A. Policies for Trust Profiles using Direct 1 1) Conform to all of the Direct Project requirements specified in Direct Project s Applicability Statement for Secure Health Transport version Rationale This is the authoritative reference for the Direct Mode of exchange. Method of Verification Several methods of testing for compliance to the applicability have been made available by federal agencies. 3 A method of conformance testing is recommended to Member States to verify that the NATE-QE s Direct Implementation conforms to the technical specifications. In addition to evidence of conformance testing the NATE Board of Directors 4 currently permits self-attestation as sufficient evidence to be added to this Trust Bundle. 2) Implement a Business Associate Agreement 5 as a component of contracting with their Participant Organizations. Verify that the applicant HISP implements a Business Associate Agreement as a component of their contract with a Participant Organization. Rationale Required based on applicable law and evidentiary that the HISP holds itself to the provisions of the HIPAA Security Rule. Method of Verification Collect from HISP as component of Application Package. Noteworthy: If the Applicant provides exchange services to any non-covered Entities the Applicant s Participants Agreement must require that such Participant Organizations comply with the terms and conditions of HIPAA as if they were in fact a Covered Entity to be eligible to participate in NATE 6. 3) Have contractually binding legal agreements with their Participant Organizations. 1 These criteria were originally derived from the State HIE Implementation Guidelines for Direct Security and Trust published by the ONC. See: Implementation-Guidelines-for-Direct-Security-and-Trust_ pdf 2 See: direct_project/ See and 4 It is anticipated as more Member States leverage these conformance testing tools that the NATE Board of Directors may update this obligation to no longer permit self-attestation. 5 If the candidate NATE-QE is a Conduit model the Governance Body may elect to exempt the HISP from the requirement to implement a BAA. The NATE Board of Directors will evaluate this consideration in the future if a NATE-QE that is a true Conduit model HISP is identified by a Member State. 6 It is outside the scope of NATE to determine a verification method to test the ability of an Applicant to selectively exclude non-covered Entities from use of the Trust Bundle and Directory Services. Page 2

3 The Participants Agreement of a NATE Qualified-Entity should include all of the terms and conditions required in a Business Associates Agreement per item # 2 above and the terms and conditions necessary to effect the obligations identified in section B below. Rationale The obligations of the parties to a HISP s Participants Agreement are a critical component of a Trust Profile Method of Verification Collect from HISP as component of Application Package and verify that the obligations are satisfied contractually. Noteworthy: The analysis to be performed by the Member State may require clarification with the candidate. Best practices in performing this verification need to be developed and may include guidelines in how to collaborate with the candidate to index the obligations against the HISP s Participants Agreement. 4) Demonstrate conformance with industry standard practices related to meeting privacy and security regulations in terms of both technical performance and business processes. Through either availability of a written security audit report or formal third party accreditation provided by an established, independent third-party. Rationale HISPs operate services on behalf of many Participant Organizations and on a risk basis should provide sufficient evidence to justify trust. Method of Verification There is more to learn about the method by which this component shall be verified and what evidence will suffice for a candidate NATE-QE to demonstrate conformance. Candidate methods include: Formal accreditation provided by an established, independent third-party entity or, Availability of a written security audit report or, Completed EHNAC self-assessment tool. Noteworthy: HISPs that manage private keys should perform specific risk assessment mitigation to ensure that the private keys have the strongest protection from unauthorized use. HISPs that manage trust anchors on behalf of their customers should have well defined, publicly available policies that permit customers and other parties to evaluate the certificate issuance policies of those trust anchors. 5) Minimize data collection, use, retention and disclosure. Page 3

4 The HISP should only collect the minimum required to meet the level of service required. To the extent that HISPs support multiple functions with different requirements for data use, they must separate those functions such that more extensive data use or disclosure is not required for more basic (direct) exchange models. Rationale This component encompasses at least two obligations. o That the HISP should only collect, use, retain or support the disclosure of the minimum data necessary based on the Purpose of Use; and o If the HIO offers services in addition to its HISP service, when an Authorized User is using the Direct Project offering the functions of the HIO with regards to that use should be separated from those of other modes of exchange that may have more extensive disclosure requirements (such as query retrieve where the Patient s Data may be accessible by Authorized Users without the Decision of a Provider with an existing Patient relationship asserting that the disclosure is appropriate). Method of Verification Attestation Data received via Direct Project shall not be captured and made accessible by any party other than the one that the sender addressed the message to. 6) HISP shall encrypt all edge protocol communications: that enable last mile exchange between end-users systems and an STA/HISP s Direct Project infrastructure by using SSL/TLS or similar industry standard. Rationale For HISPs that enable messages to be transported across the Internet on behalf of Participant Organizations that do not encrypt data content prior to transporting messages to the HISP the pipe between the Participant Organization and the HISP must be secured. Method of Verification Self-Attestation HISP shall ensure data in motion and at rest is properly encrypted. Noteworthy: In the future as evidence is acquired demonstrating that alternative technologies or methods satisfy the objectives of this component the NATE Board of Directors OF DIRECTORS may approve the new alternatives. 7) HISP shall have a process to manage digital certificates. The process for issuing and managing digital certificates shall only facilitate Direct messages which 7 : o Utilize X509 v3 digital certificates. 7 NATE removed the requirement that HISPs Have been cross-certified to the Federal Bridge Certification Authority (FBCA). Page 4

5 o Meet or exceed NIST level 3 level of assurance and FBCA basic (or equivalent) policies and practices for certificates. o Do not have the non-repudiation flag set 8. o Conform to other requirements set forth in the Direct Project s Applicability Statement for Secure Health Transport. o Have been issued to a health care related organization or more granular component of an organization (e.g., department, individual). The HISP will obligate the Participant Organization to safeguard the integrity of the Authorized User Maintenance Process. Rationale All NATE-QEs must meet or exceed this minimum in order to be part of the NATE Trust Community. The NATE Board of Directors has established this minimum. Method of Verification Self-Attestation Member State s shall document NATE-QE attestation. Noteworthy: The NATE Board of Directors may modify this component as regulations change or new technologies emerge that are equivalent or exceed the protections of the method described. B. Obligations of the Parties to the NATE-QE s (P2P4Tx) The following section outlines the relationships between the parties and attempts to identify the Obligations or responsibilities of the parties to one another established by the NATE-QE s Participants Agreement that the NATE Trust Profile has identified to date as being instrumental to establishing trust for the Direct Mode of Exchange. It is the intention of the NATE Member States to refine the Eligibility Criteria described in this section, updating the specifics that follow based on future experience. The Obligations described below are to be evidenced by the terms and conditions found in the Participants Agreement of the candidate NATE-QE. As there are many ways that the obligations of the parties to the Participants Agreement may be drafted in contract the description of obligations have been mapped to the hierarchical framework that follows to facilitate indexing of the NATE-QE s Participant Agreement to the obligations. The contract language and framework of specific NATE-QE s Participants Agreement addressing these obligations will vary. For example, some PAs may implement an End Users Agreement that all authorized users are required to sign as part of creating the Authorized End Users account which would simplify this identification by the Member State - while other Participant Agreements may require additional analysis to verify conformance of the Obligations of Authorized End Users. 1) Obligations of the HISP 8 Because the certificate is at the Organization level the question of which individual actually signed the payload cannot be answered, therefore it is not sufficient to satisfy a digital signature legal requirement but it still ensures the integrity and privacy of the content. Page 5

6 i. Obligations of the HISP NATE Facing a. The HISP shall commit to complying with all applicable federal and state laws and regulations in their Participants Agreement. b. All Participant Organizations of the HISP that are given access to the NATE Offering will be required to be signatories to the HISP s Participants Agreement. c. It is an obligation of the HISP to ensure that Participant Organizations that have been terminated are no longer able to use the services of NATE. d. HISP s shall not make PHI exchanged as part of NATE accessible to anyone other than the specified recipient in the Direct message. For example: The HISP shall not make it part of a portal that is accessible to other Participant Organizations. The HISP shall not de-identify the data and make it available. The HISP shall not allow the data to be used for marketing purposes. e. Material Changes to HISP s Participants Agreement must be submitted to the Member- State. The Member State shall evaluate if the change would result in the HISP NATE- Qualified Entity status being changed. f. The HISP shall maintain appropriate auditing of its usage of NATE service offerings. g. The HISP shall use reasonable efforts to ensure that its connection to and use of NATE offerings do not introduce malware which will disrupt the proper operation of NATE services or any part thereof. h. A HISP shall notify the Member State that approved it for inclusion in NATE of a breach if the HISP (or one of its Participant Organizations) is required to make notification of a breach pursuant to applicable state and/or federal law. i. A HISP shall Monitor NATE Trust Certificate expiration date, and ensure that the Trust Bundle Coordinator receives a new NATE Trust Certificate prior to expiration. j. The HISP shall continue to satisfy the requirements of NATE s Policy #3.c Policy for Trust Profiles using Direct for the duration of their participation in the Trust Bundle; and k. The HISP shall acknowledge that the NATE Member States may modify these requirements as the needs of NATE change and acknowledge that a condition of ongoing Qualified Entity Status may depend on submitting additional information or evidence that the HISP satisfies eligibility criteria of NATE as approved by the governance body. ii. Obligations of the HISP Participant Organization Facing a. The Participant Agreement of the HISP shall disclose how governance decisions are made to its Participant Organizations in its Participants Agreement regarding but not limited to: Remedies of the Participant Organization when changes to the Participants Agreement are approved. Page 6

7 What are the types of parties that are eligible to use the service? Dispute management process. The process by which the HISP safeguards compliance of Participant Organizations to the terms of the Participants Agreement. The process by which the HISP terminates Participant Organizations. b. The Participant Agreement of the HISP shall have terms that survive beyond termination of the contract including: Participant Organization shall continue to safeguard the Privacy and Security of Patient Data received even after termination of the PA. Participant Organization shall continue to be responsible for the Conduct of Participant Organization and its Authorized End Users. Those T&Cs that are required to survive of a Business Associates Agreement. c. HISP shall obligate the Participant Organization to prohibit non-authorized users access to the system. d. HISP shall make appropriate training materials regarding Participant Organization s rights and obligations and the proper access and use of the system available to each Participant Organization and its Authorized End Users. e. HISP shall make its monitoring of Participant Organizations transparent to the Participant Organization. f. HISP shall have a process to terminate Participant Organizations who fail to satisfy the Participant obligations described below. 2) Obligations of the Participant Organization a. The Participant Organization shall comply with all applicable federal and state laws and regulations. b. The Participant Organization shall maintain sufficient safeguards and procedures to maintain the security and privacy of data received through the HISP. c. The Participant Organization shall use best and reasonable efforts to ensure appropriate security measures are in place to protect PHI. d. Participant Organization s Authorized Representative of the Participating Organization or his/her designee shall be responsible for the accounts created for the Participant Organizations Authorized End Users and ensuring that all of them meet the following criteria: Participant Organizations shall only create Authorized End User Accounts for users permitted to handle PHI according to the local policy of the Organization. Participant Organization shall have a policy prohibiting the sharing of account information among permitted users. Page 7

8 Participant Organization shall not permit non-authorized users to access the HISP s system. e. The Participant Organization shall use best and reasonable efforts to ensure that Authorized Users are trained in the secure and appropriate use of the HISP s System. f. A Participant Organization shall notify its HISP of any breach notifications that the Participant Organization must report to comply with applicable state or federal law. g. In the event of a termination of the Participants Agreement, Participant Organization shall use best and reasonable efforts to ensure that any Authorized User (in the role of sender or receiver) of the Participant Organization s will no longer share or acquire data through the HISP. 3) Obligations of Authorized End Users i. In role of Data Recipient a. The Authorized End User in the role of Data Receiver shall comply with all applicable federal and state laws and regulations. b. An Authorized End User in the role of Data Receiver shall use the HISP s service only for purposes of treatment as defined in HIPAA. c. An Authorized End User in the role of Data Receiver shall not provide data to third parties and shall only use data received by the system in the performance of its permitted purposes. d. An Authorized End User in the role of Data Receiver shall not use PHI received via the HISP in any manner prohibited by law. e. An Authorized End User in the role of Data Receiver shall not aggregate data to compare the performance or outcomes of Authorized Users not associated with the Participant Organization. f. An Authorized End User in the role of Data Receiver shall limit its use and disclosure of Patient Data acquired through the HISP to the extent permitted by applicable law. g. An Authorized End User in the role of Data Receiver shall not disclose data that they receive via the HISP without appropriate authority 9. ii. In role of Data Sender a. The Authorized End User in the role of Data Sender shall comply with all applicable federal and state laws and regulations. b. An Authorized End User in the role of Data Sender shall use the HISP s service only for purposes of treatment as defined in HIPAA This is to say if a consent is required to re-disclose data that the Authorized End User is obligated to have that consent in place prior to sharing data using the HISPs (or secondarily via NATE offerings). 10 At this time we are only permitting Authorized end-users from Participants that are a type = Provider so we don t anticipate that at this time the system will be utilized for Payment Purposes. Page 8

9 c. The Authorized End User in the role of Data Sender shall use the HISP s services to send only the amount of Patient Data that the data recipient is permitted to receive pursuant to applicable laws and regulations 11. d. The Authorized End User in the role of Data Sender shall use reasonable care with respect to the accuracy and completeness of the data sent. e. The Authorized End User in the role of Data Sender is obligated to only send data that they have the authority to send (if consent required sender attest that they have it). f. The Authorized End User in the role of Data Sender grants right to use data sent to a receiver for the permitted purpose it was intended to be use in a fully-paid, non-exclusive royalty free right and license of the Patient Data released to the recipient. g. The Authorized End User in the role of Data Sender will use best and reasonable efforts to ensure that they will maintain all appropriate consent to disclose data as required by applicable federal & state law 12. IV. Related Procedures NATE Procedure 3.d.1 V. Version History Date Author Comment 1 10/29/2013 Aaron Seib Approved version /27/14 Aaron Seib Corrected typo in bullet at top of page 5 11 For treatment purposes there are no minimum data use requirements. With regards to Payment and Operations there may be. It is the obligation of the Authorized user to decide if the data they are sending meets minimum data requirements when the intended receiver is for purposes of use related to Payment or Operations 12 The consent requirements that apply are based on the state in which the sender provides care. Page 9