Florida Health Information Exchange
Patient Look-Up Service
Gateway of Gateway Partners Questionnaire
6/24/2015
Table of Contents

Introduction
Florida Public Records Law
General Information
    Primary Points of Contact Information
    Organization Information
    Logistics Information
Health Information Exchange (HIE) Questions
Security Implementation Questions
Privacy Implementation Questions
Consent Exchange Implementation Questions
Attachment A: Consent Form SSA
Attachment B: Florida Consent Form for Full Disclosure
Introduction

The Florida Health Information Exchange (Florida HIE) Patient Look-Up (PLU) service enables an authorized health care provider to search for and retrieve his/her patient's clinical data from other network participants at the point of care for treatment purposes. This Gateway of Gateway Partner Readiness Questionnaire is focused on prospective provider networks who wish to participate in the Florida HIE PLU service via the eHealth Exchange.

The Florida HIE deploys a federated data architecture model. This model provides centralized services connected through a Florida HIE gateway at each participant site's edge system and includes integration engine/data connectors that leverage the site's local Master Patient Index (MPI). The Florida HIE is a participant in the eHealth Exchange, providing a gateway to our federated HIE.

Due to requirements in Florida law for obtaining explicit patient authorization to release certain sensitive conditions, the Florida HIE currently limits Gateway Partner health information exchange to organizations obtaining consent to query. With consent to query, the querying organization obtains the patient's on-going permission to search for and retrieve health information about the patient.

To assist Harris Corporation's (Harris) team in assessing your organization's readiness to be a Florida HIE Gateway Partner, please complete and submit this questionnaire and e-mail it to FLHII@ahca.myflorida.com. A Florida HIE representative will contact you for follow-up.

Gateway Partners are expected to understand and exchange in accordance with the gateway policies of the Florida HIE, which reflect the laws of Florida, and similarly provide such information about the destination state of the Partner if outside Florida.
Gateway policies include:

- Outbound requests must be supported by documentation of explicit patient consent ("consent to query") unless staff of an emergency department of a licensed hospital performed the query and it was not possible to obtain consent from the patient or family;
- Documentation of explicit patient consent or medical emergency documentation (name of medical personnel to whom disclosure was made, his/her affiliation with the hospital, date and time of query, and the nature of the emergency) will be securely transmitted to the PLU privacy manager within 72 hours of a request using Direct Messaging or another means mutually agreed upon;
- The Florida HIE reserves the right to cease exchange with a partner which does not exchange in accordance with these policies.
Florida Public Records Law

Answers to this questionnaire are subject to Florida public records law. If your organization will be disclosing trade secret information, you will need to designate which sections are considered trade secrets by marking each page upon which such information appears "Trade Secret" as defined in Section 812.081, Florida Statutes. Information specifically identified as a trade secret under Section 812.081, Florida Statutes, will be kept confidential to the extent provided by law. Designating material simply as "proprietary" will not necessarily protect it from disclosure under Chapter 119, Florida Statutes.
General Information

Organization Name: Click here to enter organization name.
Mailing Address: Click here to enter organization mailing address.

Primary Points of Contact Information

1. Who is your Program Management Point of Contact? (This person will be responsible for ensuring mutual vision of exchange is realized.)
   Name: Click here to enter name.
   Title: Click here to enter title.
   Phone Number (office):
   Phone Number (cell):
   Email: Click here to enter e-mail.

2. Who is your Technical Point of Contact? (This person will be responsible for operational requirements for exchange.)
   Name: Click here to enter name.
   Title: Click here to enter title.
   Phone Number (office):
   Phone Number (cell):
   Email: Click here to enter e-mail.

3. Who is your Privacy/HIPAA Compliance Officer Point of Contact? (This person will be responsible for the sending and receiving documentation of consent.)
   Name: Click here to enter name.
   Title: Click here to enter title.
   Phone Number (office):
   Phone Number (cell):
   Email: Click here to enter e-mail.
Organization Information

1. Is your organization a legal entity? Yes/No.
2. Type of Legal Entity (C Corporation, S Corporation, LLC, limited partnership, general partnership)? Click here to enter type.
3. Date of incorporation or legal formation: Click here to enter date.
4. Are you a not-for-profit organization under the IRS tax code? Yes/No.
5. Are you licensed to do business in the State of Florida? Yes/No.
6. Please describe what type of industry organization you are (e.g., integrated delivery network, health system, regional health information organization): Click here to enter type.
7. Are you considered a covered entity under HIPAA? Yes/No.
8. Are you considered a business associate of one or more covered entities under HIPAA and have written business associate agreements with those covered entities? Yes/No.

Logistics Information

1. When would you be interested in becoming an exchange partner with the Florida HIE PLU service? (e.g., As soon as possible, within 6 months, within 1 year, or within 2 years) Click here to enter timeframe.
2. Are you willing to obtain patient authorizations/consents and other documentation as required by Florida HIE policy to assure compliance with Florida law? Yes/No. If yes, please attach a copy of the consent form you will use. See examples of acceptable explicit consent forms in Appendix A and B.
3. Are you willing to send documentation to the Florida HIE regarding authorizations/consents and other documentation when requested as required by Florida HIE policy to assure compliance with Florida law? Yes/No.
4. Are you able to send and receive consent documents using a Direct Trust accredited Direct Messaging service? Yes/No. Please indicate other modes of secure transport if Direct Messaging is not available: Click here to enter option.
Please answer the following questions to the best of your ability. If a specific section or question is not applicable to your organization, please leave it blank.

Health Information Exchange (HIE) Questions

1. Does your HIE exchange data using a Continuity of Care Document (CCD) XML payload?
2. Do you support the Consolidated Clinical Document Architecture (C-CDA)?
3. What type of patient matching do you support? Please describe and indicate whether deterministic or probabilistic.
4. How many unique patients do you estimate have clinical data contained and accessible within your network (i.e., unique patients in MPI)?
5. What other types of data formats do you support that could potentially be used to generate a payload (e.g., PDF, .doc, .rtf, TIFF, JPEG, ebXML, etc.)?

Security Implementation Questions

1. Do you fully comply with the HIPAA Security Rule?
2. Have you performed a HIPAA compliant assessment of the current potential security risks and vulnerabilities to the confidentiality, integrity, and availability of Electronic Protected Health Information (EPHI) held by your organization and your business associates?
3. Do you have an updated Risk Management Plan addressing the implementation of security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
4. Have you had any security breaches in the last 5 years? If so, please describe the cause of the breach and what steps were taken to address any issues.

Privacy Implementation Questions

1. What procedures and tools do you use to grant and deny access to PHI by your users? How often do you audit them?
2. When registering your users for accounts that can access PHI, do you identity proof them at NIST Level 1, 2, 3, or 4? (Please see: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf)
3. Please describe any emergency (break-the-glass) access procedure for users to access PHI.
4. How is Patient Consent (if any) to access PHI administered within your system? Please describe.
5. Does your organization employ an opt-in, opt-out or consent to query model of patient authorizations of HIE? Please describe how your organization uses the model employed.
6. Does your organization use consent to query for all exchanges? Please explain exceptions.
7. Do you have any federally funded substance abuse treatment programs that are subject to 42 CFR Part 2 in your HIE? If so, can you filter the data?

Consent Exchange Implementation Questions

Issue / Question / Response and Discussion

1. What is your estimated number of monthly queries to the Florida HIE for treatment?
2. What is your estimated number of monthly queries to the Florida HIE for emergency treatment?
3. Do you currently have test patient data?
4. Additional comments?

Thank you for completing the Florida HIE Gateway Readiness Questionnaire. Please e-mail your responses to FLHII@ahca.myflorida.com (e.g., use the send option within Microsoft Word). A Florida HIE representative will contact you for follow-up information, as needed.

Attachment A: Consent Form SSA
http://www.socialsecurity.gov/forms/ssa-827.pdf
http://ssa.gov/disability/professionals/ssa827_informationpage.htm

Attachment B: Florida Consent Form for Full Disclosure
http://www.fhin.net/privacyregulations/index.shtml