Data Privacy and Security Policy and Statement of Information Handling Practices

Background and Purpose

CommonWell Health Alliance, Inc. (“Alliance”) is committed to defining and promoting a national infrastructure with common standards and policies that promote a vendor-neutral platform to break down the technological and process barriers that currently inhibit effective health data exchange.

We are committed to supporting a robust privacy and security standard for all data exchanges through the Alliance Services. As such, the Services and Alliance Specifications are designed with privacy as a key consideration.

Definitions used in this Policy that are not defined elsewhere in the Policy are defined in the Definitions section.

This Data Privacy and Security Policy (“Policy”) identifies the standards and requirements that are applicable to any party that accesses or uses the Services, including Customers, End Users, Members, Service Providers, and patients (each defined below, collectively “Adopters”).

Compliance with Laws
This Policy does not supersede or replace any Applicable Laws, including HIPAA, or any federal or state laws or regulations applicable to Alliance, or any Adopter. In their use of the Services, Adopters represent and warrant that they shall remain compliant with all Applicable Laws related to the use of the Services. All parties are required to enter into Business Associate Agreements with other parties as required by law.

Use and Disclosure of Health Information
Adopters shall request, access, use, and disclose Health Data made available through the Services only in accordance with all Applicable Laws, in compliance with all Alliance Policies, and only as specifically authorized and approved by Alliance, and for no other purposes.

Health Data shall be used by or on behalf of Adopters only as necessary to provide or receive the benefit of the Services, including to carry out the following related to the Services: (a) submitting requests for Health Data relating to individual patients, (b) identifying whether other Adopters maintain Health Data relating to those patients, (c) requesting such Health Data from Adopters maintaining it, (d) transmitting requested Health Data to the requesting Adopters, or (e) as otherwise specifically approved by Alliance, and for no other purposes. In addition, Alliance or Service Provider may de-identify PHI, as defined in 45 CFR § 164.514(b)(1) and 164.514(b)(2), and store Health Data and de-identified PHI for the sole purposes of providing the Services in accordance with the terms of the applicable service agreement between Alliance and Service Provider, and for no other purpose.

Patient Consents and Notification
Adopters are required to obtain all necessary patient consents and authorizations required under Applicable Law. Patient consents must be: (a) made with full transparency and education, (b) made only after the patient has had sufficient time to review any applicable educational material, (c) commensurate with the circumstances for which the Health Data is exchanged, (d) not used for discriminatory purposes or as a condition for receiving medical treatment, (e) consistent with patient expectations, and (f) revocable at any time.

Identity Management and Authentication
Each Adopter is fully responsible for all uses of any applicable Login Credentials issued to it or created by it or its users, and for authentication and identity management of each user accessing the Services on behalf of Adopter, and for ensuring that such Login Credentials are unique to each user, and that such credentials remain secure. Adopters are required to ensure that each of its users accessing Health Data using the Services is properly identified, authenticated and authorized under Applicable Law to access such Health Data.

System and Network Security Requirements
Members are required to maintain a secure information technology environment and to use appropriate technical, administrative and physical safeguards to prevent the use or disclosure of PHI other than as permitted hereunder, including appropriate administrative, physical and technical safeguards that protect the confidentiality, integrity and availability of PHI accessed or disclosed through the Services. Adopters are required to develop, implement, maintain and use the safeguards identified in HIPAA Security Rule, 45 C.F.R. Part 160 and 164, Subparts A and C.

Adopters are required to: (a) connect via secure web services connections or through virtual private network (VPN) connection between its local area network (LAN) and the Services, (b) implement, use and maintain commercially reasonable firewall technology, (c) implement, maintain and assume all costs for a business class virus protection solution on the Member’s and End User’s network and computers, and (d) monitor and investigate potential or actual fraudulent activity that involves the Services.

Breach and Notification
Unless Applicable Laws require earlier notice, Adopters are required to report any Breach or Breach of Confidentiality and Security involving the Services to Alliance no later than three (3) days after the Adopter first becomes aware of such breach.

Prohibited Uses

Adopters shall not use the Services to conduct any business or activity, or solicit the performance of any activity, which is prohibited by or would violate any Applicable Laws, or for purposes that may create civil or criminal liability, including: (a) uses which are defamatory, deceptive, obscene, or otherwise inappropriate; (b) uses that violate or infringe upon the rights of any other person, such as unauthorized distribution of copyrighted material; (c) “spamming,” sending unsolicited bulk e-mail or other messages using the Services or sending unsolicited advertising or similar conduct; (d) threats to or harassment of another; (e) impersonating another person or other misrepresentation of source; (f) copying, selling, reselling or exploiting any portion of the Services, including Health Data, except as expressly permitted by Alliance; and (g) assisting or permitting any persons in engaging in any of the activities described in this paragraph. Adopters shall not expose or introduce or facilitate the exposure or introduction of any Malicious Code into the Services, or any Alliance system or network, or the systems or networks of any Adopter.

In addition to terms defined above, capitalized terms in this Policy have the following meanings:

“Alliance Policies” means all policies approved by the Alliance relating to the Alliance or the Services.

“Alliance Specification” means each document designated as a “CommonWell Health Alliance Specification” as finally adopted and approved by the Alliance.

“Applicable Laws” means all applicable federal, state, and local laws, including but not limited to privacy laws, HIPAA, and those concerning the use of PHI related to minors, personally identifiable information, and sensitive personal information.

“Breach” has the meaning provided for in 45 CFR 164.402 (Definitions, effective March 26, 2013; 78 Federal Register 5695) or its successor.

“Breach of Confidentiality or Security” means an incident that is reasonably likely to adversely affect: (a) the viability, security, or reputation of the Services, or (b) the legal liability of Alliance or any Adopter.

“Customer” means a customer or user of a Member that receives the benefits of the Services.

“End User” means a healthcare provider facility, practice group, or physician (including any individual or legal entity), permitted by an Adopter to access the Services or any enrollment user interface to utilize the Services.

“Health Data” means health information, including information and PHI that is received, transmitted, stored or maintained through the Services.

“HIPAA” means the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations.

“Malicious Code” means any viruses, worms, unauthorized cookies, trojans, malicious software, malware or other program, script, routine, subroutine or data that may disrupt, or is designed to disrupt, the proper operation of software, hardware, networks or systems.

“Member” means a person or legal entity that is a member of Alliance.

“Protected Health Information” or “PHI” has the meaning set forth in 45 C.F.R. 160.103, as applied to the information created, received, transmitted or maintained through the Services by or on behalf of a Member, an Adopter, or an End User.

“Service Provider” means a service provider that provides services relating to the Services, on behalf of Alliance.

“Services” means the services approved by Alliance, including but not limited to those related to patient registration, enrollment, linking, and retrieval of clinical healthcare record documents available through its offerings.

Effective Date: December 17, 2018