NOTICE TO HEALTHeLINK PARTICIPANTS

Policy Revisions

Please take note that the Operating Committee of HEALTHeLINK has approved revisions to the HEALTHeLINK Privacy and Security Policies effective November 27, 2017. This Notice is given pursuant to Sections 2.3, 3.4, and 3.5 of the Participation Agreement Terms & Conditions, which, among other requirements, provides for 30 days' notice to all HEALTHeLINK participants prior to the effective date of any changes to the Privacy and Security Policies. A copy of the current and revised Privacy and Security Policies are available for review.

Current Privacy and Security Policies

Privacy and Security Policies in effect November 27, 2017

For convenience, the following is a summary of some of the more substantive changes to the policies:

  • Glossary - A number of changes to align HEALTHeLINK definitions with the SHIN-NY Policy definitions
  • P04 Patient Consent - A number of changes to align HEALTHeLINK consent policies with the SHIN-NY Policy. These include:
    • Alternative consent forms: Allow for the use of alternative consent forms.  The model consent forms can still be used, but QEs would no longer be required to use the model forms or forms that are substantially similar to the model forms.
    • Patient care alerts: Allow for the sending of patient care alerts containing limited patient information without written patient consent if recipient provides, or is responsible for providing, treatment or care management to the patient, subject to restrictions on alerts coming from facilities subject to the mental hygiene law or 42 C.F.R. Part 2. 
    • One-to-one exchange: Clarify one-to-one exception to make clear that the patient must give implicit or explicit consent for a one-to-one exchange
    • Part 2 compliance: Clarify that even if an exception to the affirmative consent requirement applies, a QE is still responsible for ensuring compliance with 42 C.F.R. Part 2.  For example, public health disclosures that involve information subject to 42 C.F.R. Part 2 can only be made if an exception to 42 C.F.R. Part 2 applies
  • P12 - Request for Account of Disclosures - This policy has been archived as the elements of this former policy are now included in P16 - Audit
  • P14 Alerts - This policy has been archived as the elements of this former policy are now included in P04 Patient Consent and updated to align with the SHIN-NY policies.
  • P15 Patient Engagement and Access - This is a new HEALTHeLINK policy that aligns HEALTHeLINK policies with the SHIN-NY policies related to patient access to their data contained in the SHIN-NY
  • P16 Audit - This is a new HEALTHeLINK policy that aligns HEALTHeLINK policies with the SHIN-NY policies related audit requirements.
  • S02 - Security Program- Added language where by HEALTHeLINK shall, upon request, provide to a Participant a certification or attestation of data security controls.

Terms & Conditions Revisions

In addition to the policy revisions, HEALTHeLINK has also revised the Participation Agreement Terms & Conditions and Business Associate Agreement. These revisions become effective November 27, 2017. This Notice is given pursuant to Sections 2.3, 3.4, and 3.5 of the Participation Agreement Terms & Conditions, which, among other requirements, provides for 30 days' notice to all HEALTHeLINK participants prior to the effective date of any changes to the Terms & Conditions or Business Associates Agreement. A copy of the current and revised Terms & Conditions and the Business Associates Agreement, including a red-lined comparison version, are available for review.

For convenience, the following is a summary of some of the more substantive changes to the Participation Agreement Terms and Conditions as well as the Business Associates Agreement:

Terms and Conditions

  • Section 1.14 ("Personal Representative" Definition): We decided to keep the term "Personal Representative" as defined in Version 3.4 because the term is used in Section 18 of the Public Health Law and under HIPAA.  HEALTHeLINK will flesh out the process for verifying a "Personal Representative" as a "qualified person" in its policies.
  • New Section 7.10 (Disclosure to Business Associates):  A new section was added to Version 3.4 which allows QEs to disclose information to the business associate of Participants under certain circumstances.  We incorporated these conditions into the Terms and Conditions at Section 7.10.
  • Section 9.2/9.3 (Vendor Terms): Sections 9.2 and 9.3 were confusing.  The intent of Section 9.3 was to get at the limited rights of Authorized Users. We added a reference to Authorized Users in Section 9.2 and deleted 9.3, which covers the concern in a less confusing manner.

BAA

  • Section 1(g) ("Individual" Definition): For the sake of consistency in the documents, we cross-referenced the term "Personal Representative" as defined in Section 1.14 of the Terms and Conditions.
  • Section 2.1(g) (Direct Requests for Access to PHI):  HEALTHeLINK policy draft contains language on handling direct requests for access to PHI.

Current Terms & Conditions

Terms & Conditions in effect November 27, 2017

Red-lined comparison of Terms & Conditions

Current Business Associate Agreement

Business Associate Agreement in effect  November 27, 2017

Red-lined comparison of Business Associate Agreement

The current version of the Participation Agreement was last updated in June 30, 2016. Since that time, there have been developments in the health information exchange industry, particularly at the State level, with the development of new regulations and policies governing the Statewide Health Information Network of New York (SHIN-NY). Our proposed updates are in response to these regulatory and industry changes and includes requirements relating to participation in the SHIN-NY.