- (a) Scope and applicability. This policy applies to the Office of Health Information Technology and all participating entities and their BAs and contractors.
- (b) Participating entity responsibility. Each participating entity is responsible to establish and enforce policies designed to comply with its responsibilities as a covered entity under HIPAA and a participating entity in the State Health Alliance for Records Exchange, and to train and supervise its authorized users to the extent applicable to their job responsibilities.
(c) Authorized users.
(1)
- (A) All authorized users, whether members of a participating entity’s workforce or members of the workforce of a BA or contractor shall execute an individual user agreement and acknowledge familiarity with and acceptance of the terms and conditions on which their access authority is granted.
- (B) This shall include familiarity with applicable privacy and security policies of the participating entity, BA, or contractor, as applicable.
- (2) Participating entities shall determine to what extent members of their workforce or the workforce of BAs and contractors require additional training on the participating entity’s obligations under their participation agreement and these policies, and arrange for and document such training.
- (3) The office shall have the authority under the participation agreement to suspend, limit, or revoke access authority to the State Health Alliance for Records Exchange for any authorized user or participating entity for violation of the office’s privacy and security policies or any federal or state law.
(d) Access to system.
- (1) Each participating entity shall allow access to the State Health Alliance for Records Exchange only by those workforce members, agents, and contractors who have a legitimate and appropriate need to use the State Health Alliance for Records Exchange and/or release or obtain information through the State Health Alliance for Records Exchange.
- (2) No workforce member, agent, or contractor shall be provided with access to the State Health Alliance for Records Exchange without first having been trained on these policies, as set forth below.
(e) Training.
- (1) Each participating entity shall develop and implement a training program for its workforce members, agents, and contractors who will have access to the State Health Alliance for Records Exchange to ensure compliance with these policies.
- (2) The training shall include a detailed review of applicable policies and each trained workforce member, agent, and contractor shall sign a representation that he or she received, read, and understands these policies.
(f) Discipline for noncompliance.
- (1) Each participating entity shall implement procedures to discipline and hold workforce members, agents, and contractors accountable for ensuring that they do not use, disclose, or request health information except as permitted by these policies and that they comply with these policies.
- (2) Such discipline measures shall include, but not be limited to, verbal and written warnings, demotion, and termination and provide for retraining where appropriate.
(g) Reporting of noncompliance.
- (1) Each participating entity shall have a mechanism for, and shall encourage, all workforce members, agents, and contractors to report any noncompliance with these policies to the participating entity.
- (2) Each participating entity also shall establish a process for individuals whose health information is included in the State Health Alliance for Records Exchange to report any noncompliance with these policies or concerns about improper disclosures of information about them.
(h) Enforcing BA agreements and contractor agreements. Each participating entity shall require in any relationship with a BA, contractor, or other third party, which may include staff physicians that will result in such third party becoming an authorized user on behalf of the participating entity, or that will result in members of the workforce of such third party becoming an authorized user on behalf of the participant, that:
- (1) Such third party and any member of its workforce shall be subject to these policies when accessing, using, or disclosing information through the system;
- (2) Such third parties and/or authorized users on its workforce may have their access suspended or terminated for violation of these policies or other terms and conditions of the authorized user agreement; and
- (3) Such third party may have its contract with the participant terminated for violation of these policies or for failure to enforce these policies among its workforce.
Codification Notes: This section, as promulgated prior to the codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-110(e)(1) as follows: “See 45 C. F. R. § 164.530(b)”. This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-110(f)(1) as follows: "45 C. F. R. § 164.530 (e)". This section, as promulgated prior to codification in the Code of Arkansas Rules contained a footnote to 25 CAR § 20-110(g)(1) as follows: "45 C.F.R. § 164.530(a),(d)". "HIPAA" means the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191. "BA" means business associate.