Section 3.9 Select
Participation, Data Sharing, Data Use, Business Associate Agreements for HIE and EHR

As part of selecting a vendor for your electronic health record (EHR), health information exchange (HIE) service, or other health information technology (HIT), there will be various agreements you will need to execute.
Time needed: 2 hours
Suggested other tools: NA
How to Use
1. Identify the nature of the legal agreements into which you must enter to acquire and use EHR, HIE, and other HIT.
2. Ensure any EHR or HIT technology systems meet the minimum certified, qualified, or interoperability mandates required by your State or other mandated program initiatives.
3. Consult with legal counsel to ensure that agreements meet your needs.
Identify Required Legal or Mandated Program Requirements
It’s important to understand and ensure the business relationships and legal requirements of all EHR and HIT technology system vendors participating in your data use and data sharing. The types of required legal agreements are outlined below.
In addition, ensure that any system requirements for mandated program initiatives in which you may be participating, or for State interoperability programs, are reviewed for standards compliance as part of selecting an EHR/HIE or HIT vendor. Examples of mandated program initiatives are provided in the table below.
Program Mandate | URL
State of Minnesota Interoperability Mandate | http://www.health.state.mn.us/e-health/hitimp/index.html
Meaningful Use Certified EHR Technology (CHPL) | http://www.cms.gov/Regulations-and-Guidance/Legislation/EHRIncentivePrograms/Certification.html
ONC Voluntary 2015 Edition EHR Certification Proposed Rule – Fact Sheet | http://healthit.gov/sites/default/files/final2015certedfactsheet.022114.pdf
ONC Policy, Regulation, & Strategy for Behavioral Health | http://healthit.gov/policy-researchers-implementers/behavioral-health
Behavioral Health Data Exchange | http://healthit.gov/policy-researchers-implementers/behavioral-health-data-exchange
Section 3 Select—Participation, Data Sharing, Data Use, Business Associate Agreements for HIE and EHR- 1
Types of Legal Agreements

Business Associate Contract/Agreement (BAA)
A requirement of the HIPAA Privacy and Security Rules when other businesses require access to protected health information (PHI) on a routine basis in the performance of work for a covered entity.
Under the Omnibus Rule that became effective in 2013, business associates are now held directly accountable to the HIPAA Security Rule and certain provisions of the Privacy Rule. Although many business associates have in the past requested that their form of business associate agreement be signed by the provider receiving the services, this is likely to become even more prevalent as a result of this change. As a covered entity, however, you still have the right and responsibility to ensure that any BAA you sign conforms to the HIPAA requirements and that you are comfortable with any additional clauses included.
Data Use Agreement
A HIPAA requirement for a party to use a limited data set (data that are partially but not fully de-identified) for research, public health, or health care operations. The HIPAA Privacy Rule provides specific details of what must be in a data use agreement.
The federal government does not offer a sample data use agreement, although additional explanations are available in the Health Information Privacy FAQs for further clarification.
Data Use and Reciprocal Support Agreement (DURSA)
The legal, multi-party trust agreement that is entered into voluntarily by all entities, organizations, and federal agencies that want to engage in electronic HIE using an agreed-upon set of national standards, services, and policies developed in coordination with the Office of the National Coordinator for Health IT (ONC).
The DURSA describes the mutual responsibilities, obligations and expectations of all participants under the agreement. This creates a framework for safe and secure health information exchange, and is designed to promote trust among Participants and protect the privacy, confidentiality and security of health data that is shared.
The DURSA is based upon the existing body of federal, state and local law covering privacy and security of health information. It supports the current policy framework for health information exchange. The DURSA is intended to be a legally enforceable contract. It reflects consensus among the government and private entities that developed DURSA regarding the following issues:
Each state or other entity establishing an HIO may opt to establish their own form of DURSA or Data Exchange Support Agreement (DESA) including additional clauses.
Ensure that you obtain legal counsel as you consider entering into such an agreement. A sample Minnesota Data Exchange and Support Agreement (DESA) is provided in the table below.
Resource Name | URL
Sample Business Associate Agreement and Provisions | http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html
HIPAA Privacy Rule – Data Use Agreement Definitions | http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html
Data Use and Reciprocal Support Agreement (DURSA) | http://www.nationalehealth.org/dursa
DURSA – Current Version in Effect (2011) | http://www.nationalehealth.org/ckfinder/userfiles/files/Restatement%20I__DURSA_5_3_11_FINAL_for%20PARTICIPANT%20SIGNATURE.pdf
Sample State Data Exchange Support Agreement – Minnesota/CHIC | http://www.hiebridge.org/PDF/CHIC%20HIEBridge%20DESA%20Agreement%20-%20FINAL%2011-29-2011.pdf
Note: all types of agreements should be reviewed with your legal counsel prior to executing the agreement.
Copyright © 2014 Stratis Health. Updated 04-17-14