- (a) Scope and applicability. This policy applies to the Office of Health Information Technology and all participating entities.
(b) Compliance with law.
- (1) All disclosures of protected health information through the State Health Alliance for Records Exchange and the use of information obtained through the State Health Alliance for Records Exchange shall be consistent with all applicable federal, state, and local laws and rules and shall not be used for any unlawful discriminatory purpose.
- (2) If applicable law requires that certain documentation exist or that other conditions be met prior to using or disclosing protected health information for a particular purpose, the requesting institution shall ensure that it has obtained the required documentation or met the requisite conditions and shall provide evidence of such at the request of the disclosing institution.
- (c) Reliance. Each access and use of protected health information by a participating entity is a representation to every other participating entity whose protected health information is being accessed and used that all prerequisites under state and federal law for such disclosure by the disclosing participating entity have been met.
(d) Purposes.
- (1) A participating entity may request health information through the State Health Alliance for Records Exchange only for purposes permitted by applicable law.
(2)
- (A) Each participating entity shall provide or request health information through the State Health Alliance for Records Exchange only to the extent necessary and only for those purposes that are permitted by applicable federal, state, and local laws and rules and these policies.
- (B) Information may not be requested for marketing-related purposes without specific patient authorization.
- (C) Under no circumstances may information be requested for a discriminatory purpose.
- (3) In the absence of a permissible purpose, a participating entity may not request information through the State Health Alliance for Records Exchange.
- (e) Office policies. Uses and disclosures of and requests for protected health information via the State Health Alliance for Records Exchange shall comply with all office policies, including, but not limited to, the office policy on minimum necessary, 25 CAR § 20-108, and the office policy on information subject to special protection, 25 CAR § 20-107.
- (f) Participating entity policies. Each participating entity shall refer to and comply with its own internal policies and procedures regarding disclosures of health information and the conditions that shall be met and documentation that shall be obtained, if any, prior to making such disclosures.
(g) Accounting of disclosures.
- (1) Each participating entity disclosing protected health information through the State Health Alliance for Records Exchange shall work toward implementing a system to document the purposes for which such disclosures are made, as provided by the requesting institution, and any other information that may be necessary for compliance with the HIPAA privacy rule’s accounting of disclosures requirement.
- (2) Each participant is responsible for ensuring its compliance with such requirement and may choose to provide individuals with more information in the accounting than is required.
- (3) Each requesting institution shall provide information required for the disclosing institution to meet its obligations under the HIPAA privacy rule’s accounting of disclosures requirement.
- (h) Audit logs. Participating entities and the office shall develop an audit log capability to document which participating entities posted and accessed the information about an individual through the State Health Alliance for Records Exchange and when such information was posted and accessed.
(i) Authentication.
- (1) The office shall follow a uniform authentication process for verifying and ' authenticating the identity and authority of each authorized user and participating entity.
- (2) Individuals whose identities and authority have been authenticated by this process are referred to in these policies as "authorized users".
- (3) Participating entities shall be entitled to rely on the State Health Alliance for Records Exchange’s user access and authorization safeguards and may assume an authorized user making a request for protected health information on behalf of a participating entity is authorized to do so.
- (4) This process is described in greater detail in the OHIT Security Policies and Security Framework.
- (j) Application to BAs and contractors. Participating entities shall make this policy applicable to their BAs and to the contractors and subcontractors of their BAs as they deem appropriate through the terms of their BA agreements.
Codification Notes: This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-107(b)(2) as follows: “See 45 C.F.R. § 164.5300)”. This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-107(d)(2)(A) as follows: "45 C.F.R. § 164.502(a),(b)". This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-107(e) as follows: "45 C.F.R. § 164.502(b)". This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-107(g)(1) as follows: "See 45 C.F.R. § 164.528. For HIPAA Covered Entities, this is currently required by law". This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-107(h) as follows: "See 45 C.F.R. § 164.316, 164.308(a)(1)(i)". This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-107(i)(1) as follows: "45 C.F.R. §§ 164.514(h), 164.312(d)". This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-107(i)(1) as follows: "See Connecting for Health, "Authentication of System Users." "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191. "BA" means business associate.