Wyo. Code R. 048-0074-1
Wyoming Frontier Health Information Exchange (WYFI) Program
Chapter 1: Wyoming Frontier Health Information Exchange
Effective Date: 11/13/2019 to 09/15/2022
Rule Type: Superceded Rules & Regulations
Reference Number: 048.0074.1.11132019
Section 1. Authority. This rule is promulgated by the Wyoming Department of Health (the Department) under the authority granted in Wyoming Statute § 9-2-106(a)(vii).
(a) This Chapter shall apply to and govern the establishment and operation of the Data Exchange by the Wyoming Frontier Health Information Program (herein referred to as “WYFI”). This Chapter shall establish how Data is used, stored, and exchanged between Participants and Authorized Users. It also governs the Department’s use and participation in the Data Exchange.
(b) The Department may issue manuals and bulletins to participating providers and other affected third parties to interpret the provisions of this Chapter. Such manuals and bulletins shall be consistent with and reflect the provisions contained in this Chapter. The provisions contained in manuals or bulletins shall clarify information provided in this rule but shall not override or supersede it.
(a) Except as otherwise specified, the terminology used in this Chapter is the standard terminology and has the standard meaning used in healthcare, including the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH).
(b) For the purpose of these rules and regulations, the following definitions shall apply:
“Authorized User” means an individual authorized by a Participant or the WYFI to use the Data Exchange for a Permitted Use as outlined in the WYFI Policy and Procedure Manual.
(ii) “Data” means protected health information, or information that identifies a patient that is used, stored, or exchanged between Participants and Authorized Users with the Data Exchange.
“Data Exchange” means the system operated by the WYFI that allows Participants and Authorized Users to electronically use, store, or exchange Data.
“Participant” means an entity that has entered into a Participant Agreement with the WYFI to use the Data Exchange.
(v) “Patient” means an individual who has received or will receive treatment for healthcare services from a Participant, Authorized User, authorized users of other health information exchanges, or whose records are stored in a public health registry.
(a) This Chapter is intended to implement and be read in conjunction with applicable Wyoming Statute and federal law.
(b) The incorporation by reference of any external standard is intended to be the incorporation of that standard as it appears on the effective date of this Chapter, including applicable amendments, corrections, or revisions.
(a) The Data Exchange is established as a federated data repository that facilitates the exchange of Data between Participants, Authorized Users, and other health information exchanges. Participation in the Data Exchange begins when a Participant, Authorized User, other health information exchange, or public health registry executes the required agreement with the WYFI.
(b) All Data will be securely stored, maintained, and exchanged in accordance with federal and state laws. This includes the HIPAA, HITECH, and Wyoming Enterprise Technology Services Agency (ETS) policies as outlined in W.S. 9-2-2906(g).
(c) All Data used, stored, or exchanged by the Data Exchange under this Chapter is exempt from disclosure under the Wyoming Public Records Act, Wyoming Statute §16-4-201. This includes information accessible by the Department and assigned contractors.
(a) Access and participation in the Data Exchange by Participants, Authorized Users, and other health information exchanges, including their authorized users is voluntary.
(i) Participants and other health information exchanges may elect to participate in the Data Exchange by submitting a Data Exchange Connection Request to the Department and entering into a Participant Agreement with the WYFI.
(ii) Authorized Users, excluding a Participant’s Authorized Users, may elect to participate in the Data Exchange by submitting an Authorized User Access Request to the Department and entering into an Authorized User Access Agreement with WYFI.
(b) Participants and Authorized Users that elect to participate in the Data Exchange shall notify their patients in writing and provide the opportunity for patients to opt-out of their Data being used or exchanged with the Data Exchange.
(a) Data will be stored in a secure hosting facility provided by the Department's WYFI contractor, with access regulated and controlled in accordance with HIPAA Privacy and Security regulations and state and federal laws.
(b) The Data Exchange will include all Data from Participants unless a Participant's Patient has opted-out.
(c) Participants may only use the Data Exchange and Data for treatment, payment, and healthcare operations, as defined by HIPAA; any other use that is permitted or required under HIPAA, the WYFI Policy and Procedure Manual, or other applicable law governing the use and disclosure of Data; and to facilitate the implementation of meaningful use criteria as required under the American Recovery and Reinvestment Act of 2009 and its related federal regulations, as permitted by HIPAA.
(d) Participants cannot modify information submitted to the Data Exchange by other Participants.
(e) The Department will manage Patient requests to opt-out as outlined in the WYFI Policy and Procedure Manual.
(f) The Department may use de-identified Data for the purpose of analysis to inform policy and program funding needs, public health activities, and to conduct population health reporting.
(g) The Department may use Data for treatment, payment, healthcare operations, public health activities, or patient safety.
(h) Use or disclosure of Data not otherwise authorized by this Chapter requires a signed authorization from the Patient or a court order.
(a) Patients may choose to opt-out of the Data Exchange using the opt-out process provided to them by one of their healthcare providers participating in the Data Exchange. Participants shall inform the Department of the Patient's request to opt-out by using the process established by the Department. If a Patient elects to opt-out, Participants and Authorized Users cannot access Data pertaining to that Patient by using the Data Exchange.
(b) A Patient who has opted-out of the Data Exchange may elect to opt back in at any time by submitting a written request directly to the Department.
(a) A Patient who believes his or her information is incorrectly included or displayed in the Data Exchange after opting-out may submit a request to the Department for verification that their Data is properly excluded from the Data Exchange.
(b) The written request shall be submitted to the Department and shall contain:
(i) The name of the individual filing the request;
(ii) A statement requesting the Department review information and certify the individual's data exclusion;
(iii) The date of the individual's initial request to opt-out and any related communication from the Department or their healthcare provider;
(iv) Information showing why the individual believes his or her information is still included in the Data Exchange.
(c) Upon receipt of such a request, the Department shall respond within twenty (20) days with certification of exclusion of the individual's Data from the Data Exchange.