The purpose of this policy is to 1) describe the commitment of One Trial, its Participants and Authorized Users to protect the privacy and confidentiality of Confidential Information (definition) that is sent to, included in, accessed through or stored on the health information exchange operated by One Trial; and 2) describe the steps taken by One Trial, the Participants and Authorized Users to protect the privacy and confidentiality of Personal Health Information and Confidential Information.
It is the policy of One Trial to comply with State and Federal laws regarding the privacy of Confidential Information and to assist and support its Participants and Authorized Users in meeting their privacy requirements under applicable law and accreditation standards.
One Trial has implemented privacy safeguards and policies regarding Confidential Information and requires the Participants and/or Authorized Users to implement policies and safeguards that comply with the minimum standards established in the One Trial Policies.
Each Participant and Authorized User is required to exhibit the same care and diligence in safeguarding Confidential Information obtained through the One Trial System as the Participant or Authorized User would for patient information that it otherwise generates or maintains.
Participants and Authorized Users must acknowledge acceptance of this One Trial Policy prior to participating in, or using, the One Trial System.
One Trial will continue to remain in compliance with the Statewide Collaborative Process and the Privacy and Security Policies and Procedures for Regional Health Information Organizations (RHIOs) and their Participants in New York State.
A. Requirements for exchanging data via the One Trial System
In order to become a participant in One Trial ("Participant") and access and exchange Confidential Information via One Trial, a Participant must:
- Be a Covered Entity or part of a Covered Entity, or otherwise be authorized by One Trial.
- Complete a One Trial application and enter into a RHIO Services Agreement, Data Access agreement or other agreement authorized by One Trial.
- Be approved by One Trial.
- Enter into a Business Associate Agreement with One Trial, if applicable.
- Limit use of Personal Health Information and Confidential Information obtained through One Trial to patient care (i.e. treatment and care coordination), Quality Improvement, case management, public health purposes, other Acceptable Uses and other uses specifically authorized by the applicable patient.
B. Authorized Users
- Access to the One Trial System will be limited to Authorized Users. In order to be an Authorized User, an individual must:
  - Be an employee, Professional Staff member, or agent of a Participant of One Trial, who:
    - Meets the definition of an Authorized User.
    - Completes One Trial Identification Procedures.
    - Receives approval, a unique user identifier and a password from One Trial to access the One Trial System.
    - Agrees to training regarding access to, and use and disclosure of, Personal Health Information and Confidential Information available through the One Trial System.
    - Signs (or electronically signs) a confidentiality agreement in regard to the terms and conditions of his/her access to the One Trial System, and
    - Is entered into the One Trial System as an Authorized User.
- Access by an Authorized User shall be based upon the Authorized User's job functions (i.e. role-based access control).
- Third parties that are not Authorized Users shall not be permitted to access the One Trial System.
- One Trial staff shall be permitted to access Personal Health Information and Confidential Information to test and support the functionality of the One Trial System and to review participant compliance with One Trial Policies. Such access shall be limited only to such information as may be reasonably necessary for such compliance review and/or testing functions and/or other reasons required by One Trial.
C. Acceptable Information in the One Trial System
Unless specifically authorized by One Trial, the One Trial System may not be used by a Participant and/or an Authorized User to transmit any information other than Personal Health Information and Confidential Information and system operation data.
D. Patient Consent
- Except as otherwise specifically authorized in the One Trial Consent Policy (defined later in this document), Participants shall be required to obtain a written (or authorized electronic) consent from each patient (or the patient's legal representative) prior to accessing the information on the One Trial System, except in the case of an emergency. Consent shall be in effect until revoked.
- If Patient Consent is not obtained or a patient revokes his/her Patient Consent, a Participant is not permitted to access the applicable patient's Confidential Information through the One Trial System. Participants shall be required to implement policies and procedures to ensure that the consent statuses of a patient, including patient refusals or revocations of consents, are accurately conveyed to the One Trial System.
- Prior to obtaining Patient consent, the Participant must offer each patient an explanation of health information exchange in general, and of One Trial, its Participants and its responsibilities.
- The actual document used to capture Patient consent will be approved by the New York State Department of Health unless a waiver is otherwise sought by the Participant.
- The process for disseminating the required information to a patient and the process for obtaining Patient consent shall be determined by the individual Participant in conjunction with One Trial, but shall comply with the minimum requirements set forth in the One Trial Consent Policy.
E. Business Associate Agreements
One Trial shall be considered a Business Associate of the Participants that supply data to One Trial and shall enter into Business Associate Agreements with each of these Participants. One Trial will be required to comply with the terms of the Business Associate Agreement, including requirements to ensure in writing, that all of its vendors and subcontractors comply with the HIPAA Business Associate requirements.
One Trial and its Participants and/or Data Suppliers shall implement physical, technical and administrative safeguards to protect the privacy and security of Personal Health Information and Confidential Information. Such safeguards shall comply with One Trial Policies. Specifically, One Trial and participants and/or Data Suppliers shall:
- Securely transmit information between the Participant's edge servers and the data center hub housing the web server.
- Encrypt all transmitted information. Encryption is required when transferring One Trial restricted and confidential information over insecure networks. Insecure networks include the Internet and any network that is not under the administration of One Trial. Generally accepted security guidelines are to be used for encrypting files, e-mail, User IDs, passwords, and any information that is considered One Trial restricted or confidential.
- Require unique user identifiers and passwords in order to access the One Trial System. Authorized Users are required to change their passwords at least every 90 calendar days and are prohibited from re-using the most recent password.
- Prohibit Authorized Users from sharing passwords and/or unique user identifiers.
- Perform Compliance Reviews regarding access to the One Trial System by Authorized Users.
- Comply with Information Security Architecture Standards in accordance with the specifications and schedule provided by the New York State Health Information Network (SHIN-NY).
G. Secondary Use of the Information in One Trial
Confidential Information viewed and/or used by an Authorized User for treatment purposes may be included or referenced in the Authorized User's or applicable Participant's clinical record, provided that such record specifies the source of the information. Once Confidential Information is included or referenced in a clinical record, the Confidential Information can be disclosed in accordance with that Participant's or Authorized User's policies, subject to applicable law.
Because One Trial functions to transmit Confidential Information, in response to subpoenas and court orders for Personal Health Information or Confidential Information it shall certify that it does not maintain any medical records.
I. Retention of Confidential Information
Participants and/or Authorized Users shall be required to establish policies regarding maintenance of records in accordance with applicable Federal and State law.
One Trial and the Participants shall implement policies regarding discipline and sanctions for failure to comply with applicable privacy and confidentiality laws and with One Trial and Participant Policies. Participant policies shall, at a minimum, comply with the One Trial Sanctions Policy. Participant and One Trial Sanctions Policies (defined below) shall allow for revocation of access to One Trial for an Authorized User's intentional disregard of applicable law or of One Trial or Participant Policies. One Trial shall also have the authority to terminate RHIO Services Agreements for substantive failure of a Participant to comply with applicable law or One Trial Policies. Authorized Users that are not affiliated with a Participant will also be required to comply with this Section.
K. Compliance Reviews and Response to Confidentiality Breaches
One Trial and its Participants will perform Compliance Reviews and respond to Confidentiality Breaches in accordance with the One Trial Compliance Review and Confidentiality Breach policies.