2,654
edits
Third Party Registry: Difference between revisions
no edit summary
No edit summary |
No edit summary |
||
| Line 38: | Line 38: | ||
==Policy== | ==Policy== | ||
The following serve as the guiding principles to follow when selecting a third-party vendor: | The following serve as the guiding principles to follow when selecting a third-party vendor: | ||
#Organizational Goals - the envisioned goals of the submission | #Organizational Goals - the envisioned goals of the submission shall be clearly documented and communicated to assess the benefits versus risks to form a recommendation on why the submission shall proceed. | ||
##Incentive Bonus - The amount the payer will increase payment if organization participates in the registry and the date required to submit to achieve. | ##Incentive Bonus - The amount the payer will increase payment if organization participates in the registry and the date required to submit to achieve. | ||
##Penalty Avoidance - The amount payer will decrease payment if organization does not participate in the registry and date required to submit to avoid penalty. | ##Penalty Avoidance - The amount payer will decrease payment if organization does not participate in the registry and date required to submit to avoid penalty. | ||
| Line 57: | Line 57: | ||
###Must comply with File Transfer of Confidential Information Guidelines | ###Must comply with File Transfer of Confidential Information Guidelines | ||
##Access to the system needs to use user authentication through integration with Active Directory or LDAP | ##Access to the system needs to use user authentication through integration with Active Directory or LDAP | ||
##Transferred and stored data shall not be portable and there | ##Transferred and stored data shall not be portable and there shall be restrictions on the usage of portable storage methods like USB drives or exports to flat files | ||
##The vendor shall provide appropriate cyber liability coverage that covers the Organization in the event of a security or privacy breach and shall provide coverage for the following scenarios: | ##The vendor shall provide appropriate cyber liability coverage that covers the Organization in the event of a security or privacy breach and shall provide coverage for the following scenarios: | ||
###Allowing, or failing to prevent, unauthorized access to the system | ###Allowing, or failing to prevent, unauthorized access to the system | ||
| Line 69: | Line 69: | ||
###Compliance with section 164.514(a) of the HIPAA Privacy Rule which provides the standard for de-identification of protected health information by usage of either the “Expert Determination” method or the “Safe Harbor” method | ###Compliance with section 164.514(a) of the HIPAA Privacy Rule which provides the standard for de-identification of protected health information by usage of either the “Expert Determination” method or the “Safe Harbor” method | ||
####The system shall apply the standard for de-identification method to both discrete and non-discrete data sets (e.g. narrative notes). | ####The system shall apply the standard for de-identification method to both discrete and non-discrete data sets (e.g. narrative notes). | ||
###Upon the event of terminating the relationship with a third party, all PHI data | ###Upon the event of terminating the relationship with a third party, all PHI data shall be removed from the system. | ||
###The third party does not have the right to use PHI data in any manner outside the explicit purpose of the submission (e.g. cannot re-sell PHI data to another party). | ###The third party does not have the right to use PHI data in any manner outside the explicit purpose of the submission (e.g. cannot re-sell PHI data to another party). | ||
###The system shall be able to remove a patient’s PHI data in the event the patient wants to be excluded from the registry after we begin submitting data to the third party. | ###The system shall be able to remove a patient’s PHI data in the event the patient wants to be excluded from the registry after we begin submitting data to the third party. | ||