Electronic Health Information Policies are the existingstate and federal policies that establish a baseline for privacy and securityprotection for organizations engaging in the exchange of electronic healthinformation. The policies also serve as a basis for principles that forms thefoundation of making rules and also gives an organization a general sense ofdirection.
One of the policies is the Notice of Privacy Practices. Thepolicy narrates that each participant shall develop and maintain a notice ofprivacy practices that complies with the applicable law and electronic healthinformation exchange policies. That each participant shall have its ownpolicies and procedures governing distribution of notice to individuals, thatthe policies and procedures shall be consistent with the available privacypolicies.Individual Participation and Control of information Postedto the HIE.
The Policy dictates that Individuals will need to provide theirhealthcare provider with authorization to share their protected healthinformation on the health information exchange at each encounter with each oftheir healthcare providers. This authorization will apply for all providersparticipating in the health information exchange (HIE) and all protected healthinformation (PHI) permitted by applicable laws and regulations. It narrates onthe Patient Authorization of Opt-in and Opt-out policies. Compliance with law. The policy dictates that alldisclosures of health information through the health information exchange andthe use of information obtained from the HIE shall be consistent with allapplicable federal, state and local laws and regulations and shall not be usedfor any unlawful discriminatory purpose. That if the applicable law requiresthat certain documentation exists or that other conditions be met prior tousing or disclosing health information for a particular purpose, the requestingparticipant shall ensure that it has obtained the required documentation or metthe requisite conditions and shall provide evidence of such at the request ofthe disclosing participant.
Participant Choice. The policy requires that PHI collected,used or disclosed related to individuals will be supported by the participantsinternal policy on the care and access to PHI. These policies will include suchpolicies as; reasonable and appropriate processes to enable the exercise of an individual’schoice not to participate in the HIE data exchange, the right to request andreceive in a timely and intelligible manner information regarding who has thatindividuals PHI and what specific data the party has; to know any reason fordenial of such request; and the individual’s right to challenge or amend anypersonal information. The general use and disclosure policy. The policy stipulatesthat all individual Protected Health Information in the Health information exchangewill be available for public health and quality reporting. The rule of privacy permitscovered entities to disclose protected health information, withoutauthorization, to public health authorities who are legally authorized toreceive such reports for the purpose of preventing or controlling disease,injury or disability.
Amendment of data. This policy states that each participantshall comply with applicable federal, state and local laws and regulationsregarding individual rights to request amendment of PHI. A participant willtherefore require to permit an individual to request that the participant makean amendment to his or her health information maintained by the entity. That theentity may require individuals to make requests of amendments in writing and toprovide a reason to support a requested amendment, provided that it informsindividuals in advance of such requirements. The mitigation policy. The policy stipulates that eachindividual shall implement a process to mitigate and shall mitigate and take appropriateremedial action to the extent practicable, any harmful effect that is knownabout the use or disclosure of health information.
That an entity shall havethe capability to identify substantiated fraudulent activity within theirrecords and be able to view and provide records internally and extremely asthough the fraudulent activity had not occurred.