Third Party Registry: Difference between revisions

Line 38: Line 38:
==Policy==
The following serve as the guiding principles to follow when selecting a third-party vendor:
#Organizational Goals - the envisioned goals of the submission should be clearly documented and communicated to assess the benefits versus risks to form a recommendation on why the submission should proceed.
#Organizational Goals - the envisioned goals of the submission shall be clearly documented and communicated to assess the benefits versus risks to form a recommendation on why the submission shall proceed.
##Incentive Bonus - The amount by which the payer will increase payment if the organization participates in the registry, and the submission date required to earn it.
##Penalty Avoidance - The amount by which the payer will decrease payment if the organization does not participate in the registry, and the submission date required to avoid the penalty.
Line 57: Line 57:
###Must comply with File Transfer of Confidential Information Guidelines
##Access to the system must authenticate users through integration with Active Directory or LDAP
##Transferred and stored data shall not be portable and there should be restrictions on the usage of portable storage methods like USB drives or exports to flat files  
##Transferred and stored data shall not be portable and there shall be restrictions on the usage of portable storage methods like USB drives or exports to flat files  
##The vendor shall provide appropriate cyber liability coverage that covers the Organization in the event of a security or privacy breach and shall provide coverage for the following scenarios:
###Allowing, or failing to prevent, unauthorized access to the system
Line 69: Line 69:
###Compliance with section 164.514(a) of the HIPAA Privacy Rule, which provides the standard for de-identification of protected health information using either the “Expert Determination” method or the “Safe Harbor” method
####The system shall apply the de-identification standard to both discrete and non-discrete data sets (e.g. narrative notes).
###Upon the event of terminating the relationship with a third party, all PHI data should be removed from the system.
###Upon the event of terminating the relationship with a third party, all PHI data shall be removed from the system.
###The third party does not have the right to use PHI data in any manner outside the explicit purpose of the submission (e.g. cannot re-sell PHI data to another party).
###The system shall be able to remove a patient’s PHI data if the patient asks to be excluded from the registry after we have begun submitting data to the third party.