Part 300 - Statewide Health Information Network for New York (SHIN-NY)

Effective Date: 
Wednesday, March 9, 2016
Statutory Authority: 
Public Health Law, Sections 201, 206(1) and (18-a)(d), 2800, 2803, 2816, 3600, 3612, 4000, 4010, 4400, 4403, 4700 and 4712

Section 300.1 - Definitions

Section 300.1 Definitions. For the purposes of this Part, these terms shall have the following meanings:

(a) “Statewide Health Information Network for New York” or “SHIN-NY” means the technical infrastructure and the supportive policies and agreements that make possible the electronic exchange of clinical information among qualified entities and qualified entity participants for authorized purposes to improve the quality, coordination and efficiency of patient care, reduce medical errors and carry out public health and health oversight activities, while protecting patient privacy and ensuring data security.

(b) “Qualified entity” means a not-for-profit regional health information organization or other entity that has been certified under section 300.4 of this Part.

(c) “Qualified entity participant” means any health care provider, health plan, governmental agency or other type of entity or person that has executed a participation agreement with a qualified entity, pursuant to which it has agreed to participate in the SHIN-NY.

(d) “Health care provider” means a health care provider as defined in paragraph (b) of subdivision one of section 18 of the Public Health Law entitled “Access to patient information.”

(e) “Statewide collaboration process” means an open, transparent process within which multiple SHIN-NY stakeholders contribute to recommendations for SHIN-NY policy guidance.

(f) “SHIN-NY policy guidance” means the set of policies and procedures, including technical standards and SHIN-NY services and products that are approved by the New York State Department of Health.

(g) “Patient information” means health information that is created or received by a qualified entity participant and relates to the past, present, or future physical or mental health or condition of an individual or the provision of health care to an individual, and that identifies the individual or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

(h) “Minor consent patient information” means patient information relating to health care of a patient under 18 years of age for which the patient provided his or her own consent as permitted by law, without a parent’s or guardian’s permission.

(i) “Health oversight agency” means an agency or authority of the United States, or New York State, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is authorized by law to oversee the health care system (whether public or private) or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.

(j) “Public health authority” means an agency or authority of the United States, the New York State Department of Health, a New York county health department or the New York City Department of Health and Mental Hygiene, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.

(k) “Written authorization” means a signed consent that complies with the requirements for written authorizations in this Part. A written authorization may be an electronic record with an electronic signature, as provided by State Technology Law Article 3 (Electronic Signatures and Records Act).

(l) “Law” means a federal, state or local constitution, statute, regulation, rule, common law, or other governmental action having the force and effect of law, including the charter, administrative code and rules of the city of New York. Required by law means a mandate contained in law that compels a person or entity to make a use or disclosure of patient information and that is enforceable in a court of law.
 

Effective Date: 
Wednesday, March 9, 2016

Section 300.2 - Establishing the SHIN-NY

Section 300.2 Establishing the SHIN-NY. The New York State Department of Health shall:

(a) Oversee the implementation and ongoing operation of the SHIN-NY.

(b) Implement the infrastructure and services to support the private and secure exchange of health information among qualified entities and qualified entity participants.

(c) Administer the statewide collaboration process and facilitate the development, regular review and update of SHIN-NY policy guidance.

(d) Perform regular audits, either directly or through contract, of qualified entity functions and activities as necessary to ensure the quality, security and confidentiality of data in the SHIN-NY.

(e) Provide technical services, either directly or through contract, to ensure the quality, security and confidentiality of data in the SHIN-NY.

(f) Assess qualified entity participation in the SHIN-NY and, if necessary, suspend a qualified entity’s access to or use of the SHIN-NY, when it reasonably determines that the qualified entity has created, or is likely to create, an immediate threat of irreparable harm to the SHIN-NY, to any person accessing or using the SHIN-NY, or to any person whose information is accessed or transmitted through the SHIN-NY.

(g) Publish reports on health care provider participation and usage, system performance, data quality, the qualified entity certification process, and SHIN-NY security.

(h) Take such other actions as may be needed to promote development of the SHIN-NY.
 

Effective Date: 
Wednesday, March 9, 2016

Section 300.3 - Statewide collaboration process and SHIN-NY policy guidance

Section 300.3 Statewide collaboration process and SHIN-NY policy guidance.

(a) SHIN-NY policy guidance. The New York State Department of Health shall establish SHIN-NY policy guidance as set forth below:

(1) The New York State Department of Health shall establish or designate a policy committee to make recommendations on SHIN-NY policy guidance and standards.

(2) Policy committee agendas, meeting minutes, white papers and recommendations shall be made publicly available.

(3) The New York State Department of Health shall consider SHIN-NY policy guidance recommendations made through the statewide collaboration process and may accept or reject SHIN-NY policy guidance recommendations at its sole discretion.

(b) Minimum contents of SHIN-NY policy guidance. SHIN-NY policy guidance standards shall include, but not be limited to policies and procedures on:

(1) privacy and security;

(2) monitoring and enforcement;

(3) minimum service requirements;

(4) organizational characteristics of qualified entities; and

(5) qualified entity certification. 

Effective Date: 
Wednesday, March 9, 2016

Section 300.4 - Qualified entities

Section 300.4 Qualified entities.

(a) Each qualified entity shall:

(1) Maintain and operate a network of qualified entity participants seeking to securely exchange patient information.

(2) Connect to the statewide infrastructure to allow qualified entity participants to exchange information with qualified entity participants of other qualified entities.

(3) Submit to regular audits of qualified entity functions and activities by the New York State Department of Health as necessary to ensure the quality, security, and confidentiality of data in the SHIN-NY.

(4) Ensure that data from qualified entity participants is only made available through the SHIN-NY in accordance with applicable law.

(5) Enter into agreements with qualified entity participants that supply patient information to, or access patient information from, the qualified entity. A qualified entity must be the “business associate,” as defined in 42 USC § 17921, of any qualified entity participant that supplies patient information and is a health care provider, and must be a qualified service organization of any qualified entity participant that supplies patient information and is an alcohol or drug abuse program required to comply with federal regulations regarding the confidentiality of alcohol and substance abuse patient records.

(6) Allow participation of all health care providers in the geographical area served by the qualified entity that are seeking to become qualified entity participants, list the names of such qualified entity participants on its website, and make such information available at the request of patients.

(7) Submit reports on health care provider participation and usage, system performance and data quality, in a format determined by the New York State Department of Health.

(8) Adopt policies and procedures to provide patients with access to their own patient information that is accessible directly from the qualified entity, except as prohibited by law.

(9) Implement policies and procedures to provide patients with information identifying qualified entity participants that have obtained access to their patient information using the qualified entity, except as otherwise prohibited by law.

(b) Each qualified entity shall have procedures and technology:

(1) to exchange patient information for patients of any age, consistent with all applicable law regarding minor consent patient information;

(2) to allow patients to deny access to specific qualified entity participants; and

(3) to honor a minor’s consent or revocation of consent to access minor consent patient information.

(c) Each qualified entity shall provide the following minimum set of core services to qualified entity participants:

(1) Allow qualified entity participants to search existing patient records on the network.

(2) Make available to qualified entity participants and public health authorities a clinical viewer to securely access patient information.

(3) Permit secure messaging among health care providers.

(4) Provide tracking of patient consent.

(5) Provide notification services to establish subscriptions to pre-defined events and receive notifications when those events occur.

(6) Provide identity management services to authorize and authenticate users in a manner that ensures secure access.

(7) Support public health reporting to public health authorities.

(8) Deliver diagnostic results and reports to health care providers.

(d) The New York State Department of Health shall certify qualified entities that demonstrate that they meet the requirements of this section to the satisfaction of the New York State Department of Health. The New York State Department of Health may, in its sole discretion, select a certification body to review applications and make recommendations to the New York State Department of Health regarding certification. The New York State Department of Health shall solely determine whether to certify qualified entities. To be certified, a qualified entity must demonstrate that it meets the following requirements:

(1) The qualified entity is capable of supporting and advancing the use of health information technology in the public interest and has a board of directors and officers with such character, experience, competence and standing as to give reasonable assurance of its abilities in this respect.

(2) The qualified entity has the capability and infrastructure to operationalize the requirements in this section.

(3) The qualified entity has technical infrastructure, privacy and security policies and processes in place to: manage patient consent for access to health information; support the authorization and authentication of users who access the system; audit system use; and implement remedies for breaches of patient information.

(e) The New York State Department of Health shall periodically require qualified entities to demonstrate continued compliance with the certification standards required pursuant to subdivision (d) of this section through a process of audit and re-certification by the New York State Department of Health or a certification body designated by the New York State Department of Health.

(f) The New York State Department of Health may, as it deems appropriate, audit qualified entities to ensure ongoing compliance with criteria and standards.

 

Effective Date: 
Wednesday, March 9, 2016

Section 300.5 - Sharing of Patient Information

Section 300.5 Sharing of Patient Information.

(a) General standard. Qualified entity participants may only exchange patient information as authorized by law and consistent with their participation agreements with qualified entity participants. Under subdivision six of section 18 of the Public Health Law, individuals who work for a qualified entity are deemed personnel under contract with a health care provider that is a qualified entity participant. As such, a qualified entity participant may disclose to such a qualified entity necessary patient information without a written authorization from the patient of the qualified entity participant. Qualified entity participants may, but shall not be required to, provide patients the option to withhold patient information, including minor consent patient information, from the SHIN-NY. Except as set forth in subdivision (b)(2) or (c) of this section, a qualified entity shall only allow access to patient information by qualified entity participants with a written authorization from:

(1) the patient; or

(2) when the patient lacks capacity to consent, from:

(i) another qualified person under section 18 of the Public Health Law;

(ii) a person with power of attorney whom the patient has authorized to access records relating to the provision of health care under General Obligations Law Article 5, Title 15; or

(iii) a person authorized pursuant to law to consent to health care for the individual.

(b) Written authorization.

(1) Written authorizations must specify to whom disclosure is authorized.

(i) Patient information may not be disclosed to persons who, or entities that, become qualified entity participants subsequent to the execution of a written authorization unless:

(a) the name or title of the individual or the name of the organization are specified in a new written authorization; or

(b) the patient’s written authorization specifies that disclosure is authorized to persons or entities becoming qualified entity participants subsequent to the execution of the written authorization and the qualified entity has documented that it has notified the patient, or the patient has declined the opportunity to receive notice, of the persons or entities becoming qualified entity participants subsequent to the execution of the written authorization.

(ii) Any written authorization shall remain in effect until it is revoked in writing or explicitly superseded by a subsequent written authorization. A patient may revoke a written authorization in writing at any time by following procedures established by the qualified entity.

(2) A minor’s parent or legal guardian may authorize the disclosure of the minor’s patient information, other than minor consent patient information.

(3) Minor consent patient information.

(i) In general, a minor’s minor consent patient information may be disclosed to a qualified entity participant if the minor’s parent or legal guardian has provided authorization for that qualified entity participant to access the minor’s patient information through the SHIN-NY. Such access shall be deemed necessary to provide appropriate care or treatment to the minor. However, if federal law or regulation requires the minor’s authorization for disclosure of minor consent patient information or if the minor is the parent of a child, has married or is otherwise emancipated, the disclosure may not be made without the minor’s authorization.

(ii) In no event may a qualified entity participant disclose minor consent patient information to the minor’s parent or guardian without the minor’s authorization.

(4) Minor consent patient information includes, but is not limited to patient information concerning:

(i) treatment of such patient for sexually transmitted disease or the performance of an abortion as provided in section 17 of the Public Health Law;

(ii) the diagnosis, treatment or prescription for a sexually transmitted disease as provided in section 2305 of the Public Health Law;

(iii) medical, dental, health and hospital services relating to prenatal care as provided in section 2504(3) of the Public Health Law;

(iv) an HIV test as provided in section 2781 of the Public Health Law;

(v) mental health services as provided in section 33.21 of the Mental Hygiene Law;

(vi) alcohol and substance abuse treatment as provided in section 22.11 of the Mental Hygiene Law;

(vii) any patient who is the parent of a child or has married as provided in section 2504 of the Public Health Law or an otherwise legally emancipated minor;

(viii) treatment that a minor has a Constitutional right to receive without a parent’s or guardian’s permission as determined by courts of competent jurisdiction;

(ix) Treatment for a minor who is a victim of sexual assault as provided in section 2805-i of the Public Health Law;

(x) Emergency care as provided in section 2504(4) of the Public Health Law.

(c) Access without written authorization. A qualified entity shall, where permitted by law, allow access to patient information without written authorization when:

(1) Prior consent has already been obtained for the disclosure as required by subdivision 23 of section 6530 of the Education Law, and no provision of law requires any additional written authorization.

(2) Disclosure to the individual entity accessing the patient information is:

(i) required by law; or

(ii) authorized by law:

(a) to a public health authority for public health activities;

(b) to a health oversight agency for health oversight activities; or

(c) to a federally designated organ procurement organization for purposes of facilitating organ, eye or tissue donation and transplantation.

(3) The health care provider treating the patient, a person acting at the direction of such health care provider, or other professional emergency personnel has documented that an emergency condition exists and the patient is in immediate need of medical attention, and an attempt to secure consent would result in delay of treatment which would increase the risk to the patient’s life or health.
 

 

Effective Date: 
Wednesday, March 9, 2016

Section 300.6 - Participation of health care facilities

Section 300.6 Participation of health care facilities.

(a) One year from the effective date of this regulation, general hospitals as defined in subdivision ten of section two thousand eight hundred one of the Public Health Law, and two years from the effective date of this regulation, all health care facilities as defined in paragraph (c) of subdivision one of section eighteen of the Public Health Law, including those who hold themselves out as urgent care providers, utilizing certified electronic health record technology under the federal Health Information Technology for Economic and Clinical Health Act (HITECH), must become qualified entity participants in order to connect to the SHIN-NY through a qualified entity, and must allow private and secure bi-directional access to patient information by other qualified entity participants authorized by law to access such patient information. Bi-directional access means that a qualified entity participant has the technical capacity to upload its patient information to the qualified entity so that it is accessible to other qualified entity participants authorized to access the patient information and that the qualified entity participant has the technical capacity to access the patient information of other qualified entity participants from the qualified entity when authorized to do so.

(b) The New York State Department of Health may waive the requirements of subdivision (a) of this section for health care facilities that demonstrate, to the satisfaction of the New York State Department of Health:

(1) economic hardship;

(2) technological limitations or practical limitations to the full use of certified electronic health record technology that are not reasonably within control of the health care provider; or

(3) other exceptional circumstances demonstrated by the health care provider to the New York State Department of Health as the Commissioner may deem appropriate.
 

Effective Date: 
Wednesday, March 9, 2016