Policy Revisions

Please take note that the Operating Committee of HEALTHeLINK has approved revisions to the HEALTHeLINK Privacy and Security Policies effective July 29, 2019.  This Notice is given pursuant to Sections 2.3, 3.4, and 3.5 of the Participation Agreement Terms & Conditions, which, among other requirements, provides for 30 days’ notice to all HEALTHeLINK participants prior to the effective date of any changes to the Privacy and Security Policies.  A copy of the current and revised Privacy and Security Policies are available for review below.

Current Privacy and Security Policies

Revised Privacy and Security Policies Effective July 29, 2019

For convenience, the following is a summary of some of the more substantive changes to the policies

  • Glossary – Changes to align with SHIN-NY definitions
  • Most HEALTHeLINK Policies – Policies now have defined terms for “Access,” “Disclosure” and “Transmittal.”  Revision makes clear that Participants are permitted to view data in the SHIN-NY (access) and receive data files (transmittals).
  • P02 Amendment of Data – Archived as it was redundant with P15 Patient Engagement and Access § 3.E-G
  • P04 Patient Consent – A number of changes to align HEALTHeLINK consent policies with the SHIN-NY Policy. These include:
  • Disclosures to NYSDOH Regarding Medicaid Beneficiaries – Affirmative Consent shall not be required for HEALTHeLINK to Disclose Protected Health Information of Medicaid beneficiaries to NYSDOH or Business Associate of NYSDOH to the extent such Disclosure is necessary to (i) calculate performance under quality measures adopted by the New York State Medicaid program; or (ii) determine payments to be made under the New York State Medicaid program.
  • Research Involving Protected Health Information – Affirmative Consent shall not be required for HEALTHeLINK to review Protected Health Information on behalf of a researcher to determine which individuals may qualify for a Research study.
  • Transmittals to Non-Participants
    • A Participant may request that HEALTHeLINK Transmit Protected Health Information to a Business Associate of the Participant.
    • HEALTHeLINK may Transmit a patient’s Protected Health Information from HEALTHeLINK to a health care provider or other entity that is not a Participant or a Business Associate of a Participant.
  • P06 Breach Response – HEALTHeLINK and/or Participant where breach occurred will apply sanctions to their respective staff members involved in the breach, as appropriate in accordance with their respective Privacy and Security policies and procedures and HEALTHeLINK Policy P09, Sanctions for Failure to Comply with HEALTHeLINK Privacy and Security Policies.
  • P13 Release of Data for Research – Archived section 3.B as it was redundant with P04 Patient Consent § 3.7.1-2
  • P15 Patient Engagement and Access – HEALTHeLINK will not provide Personal Representatives of minors between the ages 10 and 17 with access to any of the minor’s Protected Health Information.
  • P16 Audit – Added information on the requirements of Audit Logs.
  • Security Policies – Added policy statements to comply with HITRUST/MARS-E requirements