Please take note that the Operating Committee of HEALTHeLINK has approved revisions to the HEALTHeLINK Privacy and Security Policies effective June 28, 2021. This notice is given pursuant to Sections 2.3, 3.4, and 3.5 of the Participation Agreement Terms & Conditions, which, among other requirements, provides for 30 days’ notice to all HEALTHeLINK participants prior to the effective date of any changes to the Privacy and Security Policies. A copy of the current and revised Privacy and Security Policies are linked below. 

Current Policies
Policies effective June 28, 2021
For convenience, the following is a summary of some of the more substantive changes to the policies:
  • Glossary – Changes to align with SHIN-NY definitions
  • P03 Authorized User Access – A number of changes to align HEALTHeLINK Policies with the SHIN-NY Policy
    • The addition of:
      • Community-Based Organizations Not Subject to HIPAA – Community-based organizations that are not covered entities may participate in the SHIN-NY so long as they follow several requirements, including compliance with the HIPAA security rule and obtaining SHIN-NY information based solely on written consent.
  • P04 Patient Consent – A number of changes to align HEALTHeLINK policies with the SHIN-NY Policy.
    • The change of:
      • Disclosures to Payer Organizations for Quality Reporting (Formerly Disclosures to NYSDOH Regarding Medicaid Beneficiaries) – Provision that permits disclose to DOH’s Medicaid program without written consent would be expanded to disclosures to any payer for purposes of HEDIS/QARR reporting.
      • Compliance with Business Associate Agreement with Data Suppliers – Government agencies may be data suppliers to the SHIN-NY. Such agencies are not required to enter into business associate agreements with the SHIN-NY if they are not HIPAA covered entities.
      • Waivers During a Public Health Emergency – DOH has the authority to waive provisions of the SHIN-NY Policies during a public health emergency if waiver assists QEs or Participants in responding to the emergency and DOH provides public notice of the waiver.
    • The addition of:
      • Telehealth – Participants engaging in telehealth may access SHIN-NY data based on a verbal consent under certain circumstances.
      • P15 Patient Engagement and Access – A number of changes to align HEALTHeLINK Policies with the SHIN-NY Policy.
        • The disclosures to patients section is changed in several important ways. Barriers to disclosures from HEALTHeLINK directly to patients would be removed. In addition, disclosures to a patient’s third-party app would be permitted once certain safeguards are followed, in expectation of complying with the ONC Information Blocking Rules.
  • Security Policies – Modified policy statements to comply with HITRUST/MARS-E requirements.