Authorized User Agreement

CareAccord Health Information Exchange (HIE)

Table of Contents

Authorized User Agreement
CareAccord Health Information Exchange (HIE) Policies and Procedures
    SECTION 1: DEFINITIONS
    SECTION 2: AUTHORIZATION
    SECTION 3: AUTHENTICATION
    SECTION 4: ACCESS
    SECTION 5: AUDIT
    SECTION 6: BREACH
    SECTION 7: MISCELLANEOUS
CareAccord Health Information Exchange (HIE) Security Best Practices

Authorized User Agreement

Terms of Access to Oregon Health Authority Health Information Exchange

The Oregon Health Authority (OHA) facilitates the electronic availability of protected health information through the CareAccord health information exchange (the HIE). Access to the HIE is granted to organizations that have entered into an Organizational Participation Agreement with OHA and to individuals affiliated with these organizations.

You have been identified by Participant (the hospital, clinic, physician's office, health plan or other entity with whom you are affiliated) as needing access to the HIE. OHA agrees to provide you with access to the HIE only if you agree to the terms and conditions of this Agreement, which are intended to maintain the confidentiality, security and integrity of protected health information and other patient information (Patient Data) accessed via the HIE.

You are being provided with a user name and the ability to select a unique password (your Login Credentials) that will provide you with access to Patient Data available through the HIE. In order to be provided this access, you must agree to abide by the following rules:

- You will never reveal your Login Credentials to anyone.
- You will not allow others, including other staff members with whom you work, to access the HIE using your Login Credentials.
- You will log out of the HIE before leaving your workstation to prevent others from accessing the HIE.
- You will not fax/print/ /download/copy/photograph or otherwise provide Patient Data to any third parties except in accordance with HIE Policies and Procedures and applicable law.
- You will not make unauthorized copies of the Patient Data.
- You will not save Patient Data to portable media devices (such as CDs, USB drives, or handheld devices) except in accordance with the HIE Policies and Procedures.
- You will not use the HIE or access or view any Patient Data except as required for your job with Participant.
- You will only access information as necessary to perform your professional obligations to a patient.
- You will notify your point of contact designated by the Participant immediately if you have reason to believe that your Login Credentials have been compromised.
- You will maintain the confidentiality of all information in accordance with state and federal laws governing the privacy and security of health information, including HIPAA, and in accordance with Participant's privacy and security policies and procedures as well as the HIE Policies and Procedures. This includes but is not limited to obtaining the necessary patient consent or authorizations for disclosing Patient Data.
- You will not access the HIE via public use workstations or devices. Public-use workstations and devices are those where general public access is allowed. HIPAA administrative, technical and physical security requirements cannot be applied and controlled on such devices.

Failure to comply with these terms and conditions may result in disciplinary actions against you, which may include without limitation, denial of your privileges to access Data and other actions in accordance with Participant's policies and the HIE Policies and Procedures.

OHA and Participant have the right at all times to review and audit your use of the HIE and compliance with the terms of this Agreement.

Participant or OHA may terminate this Agreement at any time.

This Agreement grants you a nonexclusive, nontransferable right to use the HIE. This right is specific to you. You may not share, sell or sublicense this right with or to anyone else.

THIS IS A BINDING AGREEMENT. By indicating that you agree on the CareAccord website, you agree to comply with all terms and conditions for access to Patient Data under this Agreement and all HIE policies and procedures.

CareAccord Health Information Exchange (HIE) Policies and Procedures

The scope of these HIE Policies and Procedures includes the full range of privacy and security policies for interoperable health information exchange, including: authorization, authentication, access, audit, and breach. The State of Oregon, acting by and through its Oregon Health Authority (the "OHA") has developed these HIE Policies and Procedures.

Who Must Comply with the HIE Policies and Procedures

All Participating Entities that have signed an Organizational Participation Agreement ("Agreement") and wish to participate in the State of Oregon's Health Information Exchange program must comply with these HIE Policies and Procedures. A Participating Entity's failure to comply with these HIE Policies and Procedures stated below constitutes a breach of the Agreement and may result in termination of the Agreement, denial of access to the System, or other sanctions as may be designated in the Agreement and in these HIE Policies and Procedures.

All the Authorized Users of a Participating Entity that have signed an Authorized User Agreement and wish to participate in the State of Oregon's Health Information Exchange program must comply with the provisions of these HIE Policies and Procedures that are applicable to Authorized Users. An Authorized User's failure to comply with the provisions of these HIE Policies and Procedures applicable to Authorized Users constitutes a breach of the Authorized User Agreement and may result in termination of the Authorized User Agreement, denial of access to the System by the Authorized User, or other sanctions as may be designated in the Authorized User Agreement and in these HIE Policies and Procedures.

Process for Amending the HIE Policies and Procedures

The HIE Policies and Procedures are as follows:

OHA may implement any new HIE Policies and Procedures, or amend, or repeal and replace any existing HIE Policies and Procedures, at any time by providing all Participating Entities with notice of the change at least thirty days prior to the effective date of the change. Within fifteen days of receiving notice of the change, a Participant may request that OHA delay implementation of the change based on unforeseen complications or other good cause. OHA shall respond to a request to delay implementation within seven days of receiving the request. OHA may establish a process for receiving Participating Entity and/or public comments on material changes, at OHA's discretion.

SECTION 1: DEFINITIONS

1. Authorized Users shall mean those persons who have been authorized by Participant to access Patient Data through the System. Authorized Users may include, but are not limited to, health care providers and employees, staff, contractors, or agents of the Participant.

2. Business Associate shall mean any person that is a business associate of a Covered Entity Participant under 45 CFR OHA acts as a Business Associate pursuant to this Agreement when it, (i) on behalf of a Covered Entity Participant, performs or assists in the performance of any function or activity involving the disclosure of Protected Health Information, or any other function or activity regulated by the HIPAA Regulations, or (ii) provides consulting, data aggregation (as defined in 45 CFR ), management, administrative, or other services to or for a Covered Entity Participant, where the provision of the service involves the disclosure of Protected Health Information from such Covered Entity Participant, or from another business associate of the Covered Entity Participant to the Business Associate.

3. Covered Entity Participant shall mean a Participating Entity that is a health care provider that transmits any health information in electronic form in connection with a transaction covered by 45 CFR Parts 160, 162, or 164, or a health plan as that term is defined at 45 CFR Part , in connection with its functions or activities to which this Agreement applies.

4. Documentation shall mean all materials, documentation, technical manuals, operator and user manuals, flow diagrams, file descriptions, and other written information made generally available by OHA to users of the System, including all updates thereto, that describe the functions, operational characteristics, and specifications and use of the System.

5. Effective Date shall mean the date the Agreement was signed by Participant.

6. Health Information Exchange or ("HIE") shall mean the process of exchanging health information electronically among Participating Entities in accordance with established standards.

7. HIPAA shall mean the Health Insurance Portability and Accountability Act of 1996, Public Law , as amended by HITECH and as otherwise may be amended.

8. HIPAA Regulations shall mean the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic Protected Health Information (45 CFR Parts 160, 162 and 164) promulgated by the U.S. Department of Health and Human Services under HIPAA, as may be amended.

9. HITECH shall mean the Health Information Technology for Economic and Clinical Health Act of 2009 (which is part of the American Recovery and Reinvestment Act of 2009 (ARRA)), as may be amended, and any of its implementing regulations.

10. HIE Policies and Procedures shall mean OHA's written policies and procedures pertaining to the use of the System and participation in the HIE program, as may be amended.

11. OHA Software shall mean any software provided in or as an element of the System for the Participant's use of the System, including any upgrades of or modifications to such software, or new versions of such software.

12. Participating Entity shall mean the Participant and any other individual or organization that (i) meets the requirements for participation in the Health Information Exchange as set forth in the HIE Policies and Procedures, (ii) is accepted by the OHA for participation, and (iii) is a signatory to a Participation Agreement similar to this Agreement.

13. Participant shall mean the organization that is a signatory to this Agreement.

14. Party shall mean either OHA or Participant, and they will collectively be referred to as the Parties.

15. Patient Data shall mean all data requested, disclosed, stored on, made available on, or sent by a Participating Entity, or requested or sent by OHA through the System. Patient Data includes (i) Protected Health Information; (ii) patient information locator data comprised of domain location, date, type of medical service, class of medical services, URL associated with location of information derived from the patient information made available by a Participating Entity; (iii) patient demographic data and organization domain information that is derived from the patient information made available by a Participating Entity; and (iv) clinical data, medical records, registration information and such other information as shall be consistent with the HIE Policies and Procedures and made available by a Participating Entity in accordance with this Agreement.

16. Protected Health Information or PHI, as defined under 45 CFR is health information, including demographic information collected from an individual, maintained or transmitted by a covered entity and: (1) is created or received by a health care provider, health plan, employer or health care clearinghouse; and (2) relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment information or billing records pertaining to the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

17. Qualified Service Organization or QSO shall have the same meaning as 42 CFR

18. Registered Sub-Organization shall mean an affiliated function or department of the Participant's organization that Participant has designated to OHA as a Sub-Organization and that has been approved by OHA to participate in the Health Information Exchange.

19. System shall mean the web-based electronic information exchange network provided by OHA, including the OHA Software and Documentation, for exchange of health information pursuant to this Agreement.

20. System Operating Policies and Technical Requirements shall mean the technical requirements, policies and procedures that Participant must meet or have in place to exchange information through the System. System Operating Policies and Technical Requirements are set forth in the Service Level Attachment(s) to this Agreement.

21. Unauthorized Users shall mean individuals who accessed the System by use of any password, identifier or log-on received or obtained, directly or indirectly, lawfully or unlawfully without authority.

22. URL shall mean Universal Resource Locator.

23. Vendor shall mean a vendor who provides software and/or services to OHA for the System, including but not limited to: Health Information Exchange vendors; vendors providing software to facilitate patient identification, record location, authentication or similar services; vendors providing clinical information services software; EHR and patient health record vendors; other health information technology vendors; and vendors providing environmental support services and adoption services or other services to OHA in carrying out its Health Information Exchange operations.

SECTION 2: AUTHORIZATION

Purpose

Authorization is the process of determining whether a particular Authorized User within a Participant has the right to access Protected Health Information via the System. Authorization is based on role-based access standards that take into account an individual's job function and the information needed to successfully carry out a role within the Participant. This Section 2 sets forth minimum requirements that Participants shall follow when establishing role-based access standards and authorizing individuals to access information about a patient via the System. They are designed to limit exchange of information to the minimum necessary for accomplishing the intended purpose of the exchange, thereby allowing patients to have confidence in the privacy of their health information as it moves among Participating Entities.

Policies and Procedures

2.1 Role-Based Access Standards

Participants shall establish and implement policies and procedures that:

a. Establish categories of Authorized Users;
b. Define the purposes for which Authorized Users in those categories may access Patient Data via the System, consistent with the limitations set forth in the Organizational Participation Agreement; and
c. Define the types of Patient Data that Authorized Users within such categories may access (e.g., demographic data only, clinical data).

The purposes for which an Authorized User may access information via the System and the types of information an Authorized User may access shall be based, at a minimum, on the Authorized User's job function and relationship to the patient.

SECTION 3: AUTHENTICATION

Purpose

Authentication is the process of verifying that an Authorized User who has been authorized and is seeking to access information via the System is who he or she claims to be. This is accomplished by providing proof of identity. This Section 3 sets forth minimum requirements that Participants shall follow when authenticating Authorized Users prior to allowing them to access information via the System. These Policies and Procedures represent an important technical security safeguard for protecting a patient's information from various internal and external risks, including unauthorized access.

Policies and Procedures

3.1 Obligation to Authorize and Authenticate Identity of Authorized Users Prior to Access.

The Participant's Organizational Liaison or Point of Contact is responsible for authorizing and authenticating Participant's Authorized Users. Participant may delegate this responsibility to a Registered Sub-Organization and its Point of Contact. The process of authorizing and authenticating Authorized Users must include verifying the identity of the individual, his/her affiliation with the Participant and functional role with the Participant, and whether it is appropriate for the individual to send or receive Patient Data using the System. The Organizational Liaison or designated Point of Contact will attest to performing these functions and must inform OHA whether an individual is approved for a Direct Secure Messaging account in order for OHA to establish an Authorized User account. The Organizational Liaison or designated Point of Contact must inform OHA if at any point an Authorized User's approval has been or should be revoked, in accordance with the procedures set forth in Section 4.7.

SECTION 4: ACCESS

Purpose

Access controls govern when and how a patient's information may be accessed by Authorized Users. This Section 4 sets forth minimum controls Participating Entities shall implement to ensure that: (1) only Authorized Users access information via the System; and (2) they do so only in accordance with the requirements (specified herein) that limit their access to specified information (e.g., that which is relevant to a patient's treatment). These access policies are designed to minimize unauthorized access and ensure that Patient Data is used for authorized purposes.

Policies and Procedures

4.1 General.

OHA requires that each Participating Entity enter into an Organizational Participation Agreement or substantially similar agreement prior to being granted access to and use of the System.

4.2 Authorized Users.

Participant shall be responsible for facilitating Authorized Users' access to the System.

Participant will identify individuals within its organization that need access to the System to carry out their professional responsibilities. This may include, but is not limited to, health care providers, employees, staff, contractors, or agents of Participant.

Participant will identify an individual responsible for granting access to Authorized Users, including requiring that Authorized Users sign an Authorized User Agreement and take the steps necessary to obtain a user name and password. Participant may request that each Registered Sub-Organization designate an individual responsible for managing all Authorized Users affiliated with the Registered Sub-Organization. Authorized Users shall be informed of the individual point of contact within Participant or the Registered Sub-Organization responsible for all questions, training, and to whom reports of any potential unauthorized access shall be made. This contact information shall be readily available to all Authorized Users within the organization.

4.3 Access Specifications.

OHA shall provide each Authorized User with a unique System user name and the ability to select a unique password to access Patient Data via the System.

Authorized Users shall be authenticated in accordance with the provisions of Section

Group or temporary user names shall be prohibited.

Authorized Users shall be prohibited from sharing their user names and/or passwords with others and from using the user names and/or passwords of others.

4.4 Authorized Purposes.

Participants shall permit Authorized Users to access Patient Data via the System only for purposes consistent with the Participant Agreement, these HIE Policies and Procedures, and the Authorized User Agreement.

4.5 Access Limited to Minimum Necessary Information.

Participants shall ensure that reasonable efforts are made, except in the case of access for treatment, to limit the information accessed via the System to the minimum amount necessary to accomplish the intended purpose for which the information is accessed.

4.6 Training.

The access controls set forth above will only be effective if: (1) a Participant's privacy and security policies and procedures are clear; (2) Authorized Users understand the HIE Policies and Procedures, and (3) Authorized Users understand their responsibilities to comply with both the Participant's policies and procedures and these HIE Policies and Procedures.

OHA will provide training materials for Participant use in training Authorized Users in the technical aspects of use of the System.

Participants shall provide on-site training, web-based training, or comparable training tools to ensure that Authorized Users are familiar with these HIE Policies and Procedures governing access to information via the System. This training may be provided in conjunction with the Participant's regular HIPAA training activities.

4.6.3 Participants shall ensure that each Authorized User undergoes the training specified in section

Participants shall ensure that each Authorized User signs a certification that he or she has received training and will comply with the HIE Policies and Procedures and the Authorized User Agreement, and with Participant's own privacy and security policies and procedures. Such certification shall be retained by Participants for at least six years.

Participants may, but shall not be required to, ensure that each Authorized User undergo continuing and/or refresher training on a periodic basis as a condition of maintaining authorization to access Patient Data via the System. At a minimum, Participant will provide updated training for any new HIE service for which Participant enters into a new Service Level Attachment with OHA.

4.7 Termination of Access and Other Sanctions.

Participants shall develop policies and procedures to terminate the access of Authorized Users and/or to impose sanctions as necessary.

Participants shall ensure that an Authorized User's access to the System is terminated in the following situations and in accordance with the processes described:

a. Immediately or as promptly as reasonably practicable but in any event within one business day of termination of a Participant's Organizational Participation Agreement with the OHA;
b. Immediately following an Authorized User's breach of the Authorized User Agreement; and/or
c. Immediately or as promptly as reasonably practicable but in any event within one business day of notification of termination of an Authorized User's employment or affiliation with the Participant.

Participants shall notify OHA immediately via upon termination of an Authorized User's access to the System.

SECTION 5: AUDIT

Purpose

Audits are useful oversight tools for recording and examining access to information through the System (e.g., who accessed what data and when) and are necessary for verifying compliance with access controls, like those specified in Section 4, developed to prevent/limit inappropriate access to information. This Section 5 sets forth minimum requirements that Participants shall follow for audits regarding access to health information via the System.

Policies and Procedures

5.1 OHA Audits.

OHA (or a third party engaged by OHA) may audit Participating Entities on a periodic basis. The purpose of these audits will be to confirm compliance with and proper use of the System in accordance with this Agreement and the HIE Policies and Procedures.

5.2 Conduct of Audits.

Audits will take place during normal business hours and at mutually agreeable times and shall be limited to such records, personnel and other resources of Participant as are necessary to determine proper use of the System, compliance with this Agreement, or the HIE Policies and Procedures, or to comply with applicable state or federal requirements. Such audits will be performed at the expense of OHA, and in a manner designed to reasonably minimize interference with Participant's day-to-day operations.

SECTION 6: BREACH

Purpose

This Section 6 sets forth minimum standards OHA and Participating Entities shall follow in the event of a breach. These standards are designed to hold violators accountable for violations, assure patients about the HIE's commitment to privacy, and mitigate any harm that privacy violations may cause.

Policies and Procedures

6.1 Obligation of Participants to Report Actual or Suspected Breaches.

Participants shall notify the OHA in the event that a Participant becomes aware of any actual or suspected Breach of Unsecured Protected Health Information accessed via the System.

Notification shall be made in the most expedient time possible and without unreasonable delay.

Notification shall be made in writing.

6.2 Responsibilities of OHA.

OHA shall be required to develop a Breach plan as part of its policies and procedures. The plan shall provide that, in the event OHA becomes aware of any actual or suspected Breach of Unsecured Protected Health Information, either through notification by a Participant or otherwise, OHA must, at a minimum:

- Notify any Participants whose data is affected by the Breach.
- In the most expedient time possible and without unreasonable delay, investigate (or require the applicable Participant to investigate) the scope and magnitude of such actual or suspected Breach, and identify the root cause of the Breach.
- Mitigate (or require the applicable Participant to mitigate) to the extent practicable, any harmful effect of such Breach that is known to OHA or the Participant. OHA's mitigation efforts shall correspond with and be dependent upon their internal risk analyses.
- Notify (or require the applicable Participant to notify) the patient and any applicable regulatory agencies as required by and in accordance with applicable federal, state and local laws and regulations, including but not limited to HITECH.

6.3 Sanctions

OHA may impose sanctions that apply to Participants and their Authorized Users in the event of a Breach of Unsecured Protected Health Information and may impose, or may require its Participants to impose, such sanctions. Such sanctions may include but shall not be limited to temporarily restricting an Authorized User's access to the System; requiring Authorized Users to undergo additional training in the use of the System; terminating the access of an Authorized User to the System; or terminating a Participant's participation in the Health Information Exchange program.

SECTION 7: MISCELLANEOUS

Purpose

This section 7 addresses miscellaneous topics pertaining to the operation and administration of the Health Information Exchange program.

Policies and Procedures

7.1 Notification of New Participants.

The provider directory will contain a listing of all Participants that are participating in the Health Information Exchange program. OHA will notify Participating Entities of new Participating Entities by updating the Participating Entity directory in a timely manner when new Participants are accepted into the Health Information Exchange program. The Participating Entity directory is available to Authorized Users via the program web site.

7.2 Best Practices.

The Participant shall review and require each of its Authorized Users to review, the CareAccord Health Information Exchange Security Best Practices document.

CareAccord Health Information Exchange (HIE) Security Best Practices

The following are recommended best practices for user-controlled activities related to the use of the CareAccord Health Information Exchange Services and Direct Secure Messaging. These practices are designed to promote safeguards and controls to ensure the security of electronic protected health information (EPHI). In addition, health care organizations and individuals who participate in Oregon's CareAccord Direct Secure Messaging should follow their organization's policies, procedures and practices for health information security and privacy, and must comply with the Oregon Health Authority's HIE Policies and Procedures.

The following practices alone do not ensure that a user is fully compliant with HIPAA Security and Privacy requirements as defined in Security Standards for the Protection of Electronic Protected Health Information (45 CFR Part 164, Subpart C), commonly known as the Security Rule and in Privacy of Individually Identifiable Health Information (45 CFR Part 164, Subpart E), commonly known as the Privacy Rule.

Accessing CareAccord Direct Messaging Service via Mobile Devices

Appropriate security measures are necessary to protect against the risks associated with the use of mobile computing and communication devices. Each participating organization and Direct Secure Messaging user should examine the risks associated with sharing and accessing patient data and potentially storing Electronic Protected Health Information (EPHI) on mobile devices. Special care should be taken to ensure that protected health information is not compromised in what can be considered unprotected environments.

The following controls should be applied to mobile computing devices such as notebooks, palmtops, laptops, smartcards, smart phones, tablets, thumb drives, etc.:

a. All mobile devices should have up-to-date anti-virus software in use at all times.
b. Mobile devices should use encryption and a password to access the device. Encryption schemes that use strong encryption methods such as AES, RSA, WPA2, etc. are preferable.
c. Device password lockout should be activated after five minutes of inactivity.
d. Users should be aware of their surroundings in order to ensure that protected health information cannot be easily viewed by unauthorized persons (aka shoulder surfing.)
e. All mobile computing devices should be secured and out of view when not in use. Equipment and media taken off the premises should not be left unattended in public places.
f. Notebook computers should be carried as hand luggage and disguised where possible when traveling and should be locked out of sight in the trunk of a car when not in use.
g. Notebooks and mobile devices should not connect to public networks without appropriate transmission encryption controls in place to protect the device's data.
h. Organizations should have established policies for protecting EPHI mobile devices including:
   1. data deletion policies and media disposal procedures for mobile devices;
   2. maintenance of an accurate mobile device tracking and asset management program; and
   3. policies for the proper use or restriction of personal mobile devices for access to any system that provides access to EPHI.

Confidentiality

Each CareAccord Direct Secure Messaging user has a responsibility to ensure the protection of EPHI that is viewed, shared or discussed through Direct Secure Messaging consistent with the HIPAA Privacy Rule, including prohibiting disclosures to unauthorized individuals. Each Direct Secure Messaging user must ensure that communications involving patient data are between authorized individuals.

It is recommended that users:

a. renew their account password periodically or as needed;
b. log out of the HIE before switching to another tab in a Browser session to prevent others from accessing the HIE;
c. lock your computer before leaving your workstation to prevent others from accessing the HIE; and
d. include signatures containing wording similar to the following: The information contained in this message may be privileged and confidential. If you are NOT the intended recipient, please notify the sender immediately and delete this message.
