306
edits
Third Party Registry: Difference between revisions
m
→Policy
No edit summary |
Mhurlocker (talk | contribs) m (→Policy) |
||
| (4 intermediate revisions by one other user not shown) | |||
| Line 26: | Line 26: | ||
</table> | </table> | ||
<br /> | <br /> | ||
[[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Identification Card]] | [[Secure Area Card Access]] | [[Privacy/Confidentiality]] | [[Computer Use/Electronic Information]] | [[Retention and Destruction/Disposal of Private and Confidential Information]] | [[Use and Disclosure of Protected Health Information]] | [[Notice of Privacy Practices]] | [[Access to Designated Record Set]] | [[Accounting of PHI Disclosures]] | [[Patient/Consumer Complaints]] | [[Vendors]] | [[Fax Transmissions]] | [[Psychotherapy Notes]] | [[Facility Security]] | [[Conditions of Treatment Form]] | [[Informed Consent for UNMC Media]] | [[Transporting Protected Health Information]] | [[Honest Broker]] | [[Social Security Number]] | [[Third Party Registry]] | [[Information Security Awareness and Training]] | [[Patient Privacy Investigations and Levels of Violation]] | [[Use and Disclosure of PHI for Training Health Care Professionals]] | [[Disclosures of PHI as Permitted or Required by Law]] | [[Disclosure of PHI for Law Enforcement Purposes]] | ||
<br /><br /> | <br /><br /> | ||
Policy No.: '''6300'''<br /> | Policy No.: '''6300'''<br /> | ||
| Line 38: | Line 38: | ||
==Policy== | ==Policy== | ||
The following serve as the guiding principles to follow when selecting a third-party vendor: | The following serve as the guiding principles to follow when selecting a third-party vendor: | ||
#Organizational Goals - the envisioned goals of the submission | #Organizational Goals - the envisioned goals of the submission shall be clearly documented and communicated to assess the benefits versus risks to form a recommendation on why the submission should proceed. | ||
##Incentive Bonus - The amount the payer will increase payment if organization participates in the registry and the date required to submit to achieve. | ##Incentive Bonus - The amount the payer will increase payment if organization participates in the registry and the date required to submit to achieve. | ||
##Penalty Avoidance - The amount payer will decrease payment if organization does not participate in the registry and date required to submit to avoid penalty. | ##Penalty Avoidance - The amount payer will decrease payment if organization does not participate in the registry and date required to submit to avoid penalty. | ||
| Line 44: | Line 44: | ||
##Quality Objective - Quantifiable benefits due to specified quality goals | ##Quality Objective - Quantifiable benefits due to specified quality goals | ||
##Research Objective - Quantifiable benefits due to specified research goals | ##Research Objective - Quantifiable benefits due to specified research goals | ||
#Data is | #Data is efficiently collected. | ||
##Data quality | ##Data quality | ||
###The third-party vendor will provide a quality assurance process to ensure that the collected data is accurate prior to submission. | ###The third-party vendor will provide a quality assurance process to ensure that the collected data is accurate prior to submission. | ||
| Line 57: | Line 57: | ||
###Must comply with File Transfer of Confidential Information Guidelines | ###Must comply with File Transfer of Confidential Information Guidelines | ||
##Access to the system needs to use user authentication through integration with Active Directory or LDAP | ##Access to the system needs to use user authentication through integration with Active Directory or LDAP | ||
##Transferred and stored data shall not be portable and there | ##Transferred and stored data shall not be portable and there shall be restrictions on the usage of portable storage methods like USB drives or exports to flat files | ||
##The vendor shall provide appropriate cyber liability coverage that covers the Organization in the event of a security or privacy breach and shall provide coverage for the following scenarios: | ##The vendor shall provide appropriate cyber liability coverage that covers the Organization in the event of a security or privacy breach and shall provide coverage for the following scenarios: | ||
###Allowing, or failing to prevent, unauthorized access to the system | ###Allowing, or failing to prevent, unauthorized access to the system | ||
| Line 69: | Line 69: | ||
###Compliance with section 164.514(a) of the HIPAA Privacy Rule which provides the standard for de-identification of protected health information by usage of either the “Expert Determination” method or the “Safe Harbor” method | ###Compliance with section 164.514(a) of the HIPAA Privacy Rule which provides the standard for de-identification of protected health information by usage of either the “Expert Determination” method or the “Safe Harbor” method | ||
####The system shall apply the standard for de-identification method to both discrete and non-discrete data sets (e.g. narrative notes). | ####The system shall apply the standard for de-identification method to both discrete and non-discrete data sets (e.g. narrative notes). | ||
###Upon the event of terminating the relationship with a third party, all PHI data | ###Upon the event of terminating the relationship with a third party, all PHI data shall be removed from the system. | ||
###The third party does not have the right to use PHI data in any manner outside the explicit purpose of the submission (e.g. cannot re-sell PHI data to another party). | ###The third party does not have the right to use PHI data in any manner outside the explicit purpose of the submission (e.g. cannot re-sell PHI data to another party). | ||
###The system shall be able to remove a patient’s PHI data in the event the patient wants to be excluded from the registry after we begin submitting data to the third party. | ###The system shall be able to remove a patient’s PHI data in the event the patient wants to be excluded from the registry after we begin submitting data to the third party. | ||
| Line 77: | Line 77: | ||
==Definitions== | ==Definitions== | ||
===Affiliated Covered Entity (ACE)=== | ===Affiliated Covered Entity (ACE)=== | ||
Legally separate covered entities that designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE. | Legally separate covered entities that are affiliated and designate themselves as a single covered entity for the purpose of HIPAA Compliance. Current ACE members are: The Nebraska Medical Center, UNMC Physicians, UNMC, University Dental Associates, Bellevue Medical Center and Nebraska Pediatric Practice, Inc. d/b/a Children’s Specialty Physicians. ACE membership may change from time to time. The Notice of Privacy Practices lists current ACE members. Access and amendment rights apply to designated record sets throughout the ACE. | ||
===Data Elements=== | ===Data Elements=== | ||
The items collected by a third-party registry. | The items collected by a third-party registry. | ||