Data and Security

Data Privacy and Security Policy and Statement of Information Handling Practices

Background and Purpose
CommonWell Health Alliance, Inc. (“CommonWell”) is committed to defining and promoting a national infrastructure with common standards and policies that promote a vendor-neutral platform to break down the technological and process barriers that currently inhibit effective health data exchange.

We are committed to supporting a robust privacy and security standard for all data exchanges through the Alliance services. As such, our services and specifications are designed with privacy as a key consideration.

Services and specifications adopted by CommonWell will strive to improve transparency to enable providers and patients to understand permitted uses in a manner designed to protect the privacy of the patient.

Application
This Data Privacy and Security Policy (“Policy”) identifies the standards and requirements that are applicable to any party that accesses or uses the Services, including Members, Service Providers, and End Users (each defined below, collectively “Adopters”).

Compliance with Law
This Policy does not supersede or replace any Applicable Laws, including HIPAA, or any federal or state laws or regulations applicable to CommonWell or any Adopter. In their use of the Services, Adopters are obligated to remain compliant with all Applicable Laws. All parties are required to enter into Business Associate Agreements with other parties as required by law.

Use and Disclosure of Health Information
Health Data is required to be used by Adopters, or their contractors, only as necessary to provide or receive the benefit of the Services, including to carry out the following related to the Services: (a) submitting requests for Health Data relating to individual patients, (b) identifying whether other Adopters maintain Health Data relating to those patients, (c) requesting such Health Data from Adopters maintaining it, and (d) transmitting requested Health Data to the requesting Adopters. In addition, the Service Provider may de-identify PHI, as defined in 45 CFR § 164.514(b)(1) and 164.514(b)(2), and store Health Data and de-identified PHI for the sole purposes of performance testing, trouble shooting and improving the Services, and for no other purpose.

Requests for PHI made by or on behalf of an Adopter through the Services are required to be for treatment purposes, payment purposes, or otherwise as specifically approved by CommonWell, in accordance with the CommonWell Bylaws and Applicable Law.

In order to use the Services, Adopters are required to use or disclose data received from Members or other Adopters responsibly and in accordance with Applicable Laws.

Adopters are not permitted to request any data or information, including any Health Data, made available through the Services, except for treatment purposes (as defined in 45 C.F.R. § 164.501) or otherwise as specifically approved by CommonWell, and are required to access Health Data available through the Services, solely for treatment, payments, or otherwise as specifically approved by CommonWell, related to the individual to whom the data relates.

Patient Consent and Notification
Adopters are required to obtain all necessary patient consents and authorizations required under Applicable Law. Patient consents must be: (a) made with full transparency and education, (b) made only after the patient has had sufficient time to review any applicable educational material, (c) commensurate with circumstances for why Health Data is exchanged, (d) not used for discriminatory purposes or as a condition for receiving medical treatment, (e) consistent with patient expectations, and (f) revocable at any time.

Identity Management and Authentication
Each Adopter is fully responsible for all uses of Login Credentials issued to (or created by) its End Users, for authentication and identity management of each End User that accesses the Services, and for ensuring that such Login Credentials are unique to each End User and remain secure. Adopters are required to ensure that each End User accessing Health Data using the Services is properly identified, authenticated and authorized under Applicable Law to access such Health Data.

System and Security Requirements
Members are required to maintain a secure information technology environment and to use appropriate technical, administrative and physical safeguards to prevent the use or disclosure of PHI other than as permitted hereunder, including appropriate administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of PHI accessed or disclosed through the Services. Adopters are required to develop, implement, maintain and use the safeguards identified in HIPAA Security Rule, 45 C.F.R. Part 160 and 164, Subparts A and C.

All Adopters are required to: (a) connect via secure web services connections or through virtual private network (VPN) connection between its local area network (LAN) and the Services, (b) implement, use and maintain commercially reasonable firewall technology, (c) implement, maintain and assume all costs for a business class virus protection solution on the Member’s and End User’s network and computers, (d) keep Login Credentials strictly confidential and take all reasonable precautions to prevent unauthorized use, misuse or compromise of Login Credentials, and (e) monitor and investigate fraudulent activity that involves the Services.

Breaches of Privacy or Security
Unless Applicable Laws require earlier notice, Adopters are required to report any Breach of Confidentiality or Security involving the Services, to CommonWell and any affected Member, no later than five (5) days after the Adopter first becomes aware of such breach.

Prohibited Uses
Adopters shall not use the Services to conduct any business or activity, or solicit the performance of any activity, which is prohibited by or would violate any Applicable Laws, or for purposes that may create civil or criminal liability, including: (a) uses which are defamatory, deceptive, obscene, or otherwise inappropriate; (b) uses that violate or infringe upon the rights of any other person, such as unauthorized distribution of copyrighted material; (c) “spamming,” sending unsolicited bulk e-mail or other messages on the Services or sending unsolicited advertising or similar conduct; (d) threats to or harassment of another; (e) impersonating another person or other misrepresentation of source; (f) copying, selling, reselling or exploiting any portion of the Services, except as expressly permitted by CommonWell; and (g) assisting or permitting any persons in engaging in any of the activities described in this paragraph.

Definitions
In addition to terms defined above, capitalized terms in this Policy have the following meanings:

Applicable Laws” means all applicable federal, state, and local laws, including privacy laws, and those governing sensitive conditions, and including regulations concerning the privacy and/or security of personal information or personal information breach notification, including HIPAA.

End User” means a healthcare provider facility, practice group, or physician (including any individual or legal entity), permitted by an Adopter to access the Services or any enrollment user interface to utilize the Services.

Health Data” means health information, including information and PHI that is received, transmitted, stored or maintained through the Services.

HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.

Member” means a person or legal entity that is a member of CommonWell.

Protected Health Information” or “PHI” has the meaning set forth in 45 C.F.R. 160.103, as applied to the information created, received, transmitted or maintained through the Services by or on behalf of a Member, an Adopter, or an End User.

Breach of Confidentiality or Security” means the acquisition, access, use, or disclosure of unsecured PHI, in a manner not permitted by HIPAA, which poses a significant risk of financial, reputational, or other harm to the affected individual, of which an Adopter becomes aware, and which requires notice to individuals or government regulators under Applicable Law, or that is reasonably likely to adversely affect: (a) the viability or reputation of the Services, or (b) the legal liability of CommonWell or any Adopter.

Service Provider” means a service provider that provides services relating to the Services, on behalf of CommonWell.

Services” means the services approved by CommonWell, including but not limited to those related to patient registration, enrollment, linking, and retrieval of clinical healthcare record documents available through its offerings.

Version: August 18, 2017