- (a) Scope and applicability. This policy applies to the Office of Health Information Technology and all participating entities.
(b) Laws. Each participating entity shall:
- (1) At all times comply with all applicable federal, state, and local laws and regulations, including, but not limited to, those protecting the confidentiality and security of individually identifiable health information and establishing certain individual privacy rights; and
- (2) Use reasonable efforts to stay up-to-date on any changes or updates to and interpretations of such laws and regulations to ensure compliance.
(c) Office policies.
- (1) Each participating entity shall, at all times, comply with these office policies, or “Office of Health Information Technology Policies”.
- (2) These office policies may be revised and updated from time to time.
- (3) Amendments shall be effective when adopted by the office with review by the State Health Alliance for Records Exchange Health Information Exchange Council and promulgated as required by the Arkansas Administrative Procedure Act, Arkansas Code § 25-15-201 et seq.
- (4) The office shall notify participating entities of all policy changes by posting the updated policy on the office website.
- (5) Each participating entity is responsible for ensuring it has, and is in compliance with, the most recent version of these office policies.
(d) Participating entity policies.
- (1) Each participating entity is responsible for ensuring that it has the requisite, appropriate, and necessary internal policies for compliance with applicable laws and these office policies.
- (2) In the event of a conflict between these office policies and an institution's own policies and procedures, the participating entity shall comply with the policy that is more protective of individual privacy and security.
(e) Participating entity criteria.
(1)
- (A) Each participating entity shall itself be a HIPAA covered entity or have executed a participation agreement with the State Health Alliance for Records Exchange.
- (B) Therefore, each participating entity will have either a legal duty as a regulated covered entity under HIPAA or have contractually assumed obligations under its participation agreement.
- (2) Each participating entity must commit to be a data provider to the extent possible in order to become a data user.
(f) User criteria.
- (1) Authorized users are individuals who have been granted access authority.
(2)
- (A) Each authorized user derives his or her permission to access and use the State Health Alliance for Records Exchange from a participating entity.
- (B) Therefore, each authorized user must maintain a current relationship to a participating entity in order to use the State Health Alliance for Records Exchange.
- (C) Authorized users must therefore be:
(i) Participating entities, such as an individual physician or workforce of a participating entity;
(ii) An individual business associate (BA) or workforce of such BA; or
- (iii) An individual contractor or subcontractor of a BA or workforce of such contractor or subcontractor.
- (3) Additionally, a participating entity that is a covered health plan may also be an authorized user in its role as a third party administrator and BA for self-funded group health plans that are covered entities under HIPAA but are not themselves participating entities.
- (g) Application to BAs and contractors. Participating entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their BA agreements.
Codification Notes: This section, as promulgated prior to the codification of the Code of Arkansas Rules provided a footnote to 25 CAR § 20-104(b)(2) as follows: “The participants acknowledge the need to revise policies and contain other technical and administrative features to conform to HITECH and regulations to be promulgated thereunder”. "HITECH" means the Health Information Technology for Economic and Clinical Health Act, which was enacted as Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5.