Title: Section 300.4 - Qualified entities
Section 300.4 Qualified entities.
(a) Each qualified entity shall:
(1) Maintain and operate a network of qualified entity participants seeking to securely exchange patient information.
(2) Connect to the statewide infrastructure to allow qualified entity participants to exchange information with qualified entity participants of other qualified entities.
(3) Submit to regular audits of qualified entity functions and activities by the New York State Department of Health as necessary to ensure the quality, security, and confidentiality of data in the SHIN-NY.
(4) Ensure that data from qualified entity participants is only made available through the SHIN-NY in accordance with applicable law.
(5) Enter into agreements with qualified entity participants that supply patient information to, or access patient information from, the qualified entity. A qualified entity must be the “business associate,” as defined in 42 USC § 17921, of any qualified entity participant that supplies patient information and is a health care provider, and must be a qualified service organization of any qualified entity participant that supplies patient information and is an alcohol or drug abuse program required to comply with federal regulations regarding the confidentiality of alcohol and substance abuse patient records.
(6) Allow participation of all health care providers in the geographical area served by the qualified entity that are seeking to become qualified entity participants, list the names of such qualified entity participants on its website, and make such information available at the request of patients.
(7) Submit reports on health care provider participation and usage, system performance and data quality, in a format determined by the New York State Department of Health.
(8) Adopt policies and procedures to provide patients with access to their own patient information that is accessible directly from the qualified entity, except as prohibited by law.
(9) Implement policies and procedures to provide patients with information identifying qualified entity participants that have obtained access to their patient information using the qualified entity, except as otherwise prohibited by law.
(b) Each qualified entity shall have procedures and technology:
(1) to exchange patient information for patients of any age, consistent with all applicable law regarding minor consent patient information;
(2) to allow patients to deny access to specific qualified entity participants; and
(3) to honor a minor’s consent or revocation of consent to access minor consent patient information.
(c) Each qualified entity shall provide the following minimum set of core services to qualified entity participants:
(1) Allow qualified entity participants to search existing patient records on the network.
(2) Make available to qualified entity participants and public health authorities a clinical viewer to securely access patient information.
(3) Permit secure messaging among health care providers.
(4) Provide tracking of patient consent.
(5) Provide notification services to establish subscriptions to pre-defined events and receive notifications when those events occur.
(6) Provide identity management services to authorize and authenticate users in a manner that ensures secure access.
(7) Support public health reporting to public health authorities.
(8) Deliver diagnostic results and reports to health care providers.
(d) The New York State Department of Health shall certify qualified entities that demonstrate that they meet the requirements of this section to the satisfaction of the New York State Department of Health. The New York State Department of Health may, in its sole discretion, select a certification body to review applications and make recommendations to the New York State Department of Health regarding certification. The New York State Department of Health shall solely determine whether to certify qualified entities. To be certified, a qualified entity must demonstrate that it meets the following requirements:
(1) The qualified entity is capable of supporting and advancing the use of health information technology in the public interest and has a board of directors and officers with such character, experience, competence and standing as to give reasonable assurance of its abilities in this respect.
(2) The qualified entity has the capability and infrastructure to operationalize the requirements in this section.
(3) The qualified entity has technical infrastructure, privacy and security policies and processes in place to: manage patient consent for access to health information; support the authorization and authentication of users who access the system; audit system use; and implement remedies for breaches of patient information.
(e) The New York State Department of Health shall periodically require qualified entities to demonstrate continued compliance with the certification standards required pursuant to subdivision (d) of this section through a process of audit and re-certification by the New York State Department of Health or a certification body designated by the New York State Department of Health.
(f) The New York State Department of Health may, as it deems appropriate, audit qualified entities to ensure ongoing compliance with criteria and standards.
VOLUME C (Title 10)