Confidentiality, Access and Security Policy

As an industry leader of health information exchange and health information technology, MHIN takes the privacy and security of healthcare information very seriously. Not just because it’s the law, because it’s the right thing to do. Since MHIN’s inception, protecting the security, confidentiality and privacy of information being shared consistently remains a top priority.

MHIN’s Health Information Exchange (HIE) and Electronic Health Record (EHR) applications are implemented with measures taken to ensure that users are limited to appropriate access and that access is monitored. System access is guarded by user sign-ons, passwords, and specific privileges for each application. A robust audit trail records all transactions, including attempted access. MHIN works closely with Cerner Corporation, our EHR and HIE vendor and a world class leader in healthcare technology, to assure that database design, interfaces, and application functionality support our initiatives to comply with Privacy and Security regulations, as well as the strict criteria of accrediting agencies.

Protecting Healthcare Information is the Law.

Just like providers, MHIN follows and directly complies with federal privacy and security statutes that are subject to monetary, civil and criminal penalties, under both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.

As a Business Associate to organizations that supply data to MHIN and a community-based organization whose existence depends on a secure system, MHIN is committed to meeting or exceeding HIPAA regulations concerning security and privacy. Through MHIN’s Business Associate relationships with both covered entities and subcontractors, MHIN ensures that all business functions are being conducted within the legal framework of HIPAA.

Even before the advent of HIPAA, MHIN implemented robust policies and procedures related to confidentiality, privacy, and community access standards. The security model that MHIN developed prior to the enactment of HIPAA regulations created a strong foundation for compliance with privacy and security regulations.

MHIN works with participating organizations to ensure that our activities support their policies and procedures related to HIPAA. It is our mission to ensure that providers have complete health information available in the HIE and EHR at the time they are caring for their patients.

MHIN has many industry-standard security measures in place that support technical and physical safeguards designed to protect the confidentiality and privacy of information. MHIN’s in-house privacy and security team is responsible for oversight of policies and procedures pertaining to privacy and security of healthcare information. Through MHIN’s usage of a secure Class 4 Data Center, we’re able to implement strong security controls, that enable us to constantly monitor information flowing in and out of the HIE, detect potential threats and implement safeguards to protect the system from unauthorized access.

MHIN continuously enhances the tools that are utilized to monitor compliance with privacy and security regulations. MHIN uses FairWarning to centralize our privacy auditing efforts. FairWarning is a leading global provider of solutions for performing forensic investigations of applications, enforcing access policies, conducting legal investigations, and improving compliance effectiveness.

MHIN has strict policies and procedures for handling healthcare information that is obtained through the MHIN HIE, including (but not limited to):

  • Designated Security Officer for oversight of policies and procedures pertaining to the privacy of patient information.
  • Educating participants on MHIN policies and procedures pertaining to privacy and security
  • Destruction procedures for paper or hardware containing protected health information
  • Routine audits of participants and employees who access data
  • Risk management program including quarterly threat and vulnerability assessments
  • Annual HIPAA training for all MHIN employees and new employees

 

Protecting Healthcare Information is the Right Thing To Do.

Long before HIPAA or HITECH, MHIN has been committed to protecting healthcare information because it is the right thing to do.

Electronic Healthcare Network Accreditation Commission

In 2011, MHIN was one of the first organizations to earn voluntary accreditation of our HIE by the Electronic Healthcare Network Accreditation Commission (EHNAC). To date, MHIN has achieved and maintained full accreditation with EHNAC’s Health Information Exchange Accreditation Program (HIEAP) as well as the Direct Trusted Agent Accreditation Program (DTAAP) which is required for companies that offer Direct Mail services. EHNAC is an independent, federally recognized, standards development organization and accrediting body designed to improve transactional quality, operational efficiency and data security in healthcare. EHNAC is the premier accreditation authority promoting standards that support interoperability, stakeholder trust, regulatory compliance, quality service, innovation, and open competition within the healthcare industry.  Through a consultative review process, EHNAC evaluates MHIN in areas of privacy, security and confidentiality; technical performance; business practices and organizational resources as it relates to MHIIN’s processes for managing and transferring protected health information and has determined that MHIN meets or exceeds all EHNAC criteria and industry standards.

MHIN’s EHNAC DTAAP and HIEAP accreditations are natural and voluntary steps that we’ve taken as we strive to maintain our reputation as one of the most advanced HIEs in the country.

Healtheway

MHIN is also a participant of Healtheway’s eHealth Exchange, also known as the Sequoia Project. Healtheway’s eHealth Exchange is a community of public and private health information exchange organizations, like MHIN, who securely share health information as part of a growing national network. .As a member of Healtheway’s eHealth Exchange MHIN has agreed to the Data Use and Reciprocal Support Agreement (DURSA), a comprehensive, multi-party trust agreement that is entered into voluntarily by public and private organizations (eHealth Exchange Participants) that desire to engage in electronic health information exchange with each other as part of the eHealth Exchange.

The DURSA is based upon the existing body of law (Federal, state, local) applicable to the privacy and security of health information and is supportive of the current policy framework for health information exchange. The DURSA is intended to be a legally enforceable contract that represents a framework for broad-based information exchange among a set of trusted entities.

As a participant of Healtheway’s eHealth Exchange MHIN is able to continue to expand trusted, secure and interoperable exchange of health information across the nation by fostering cross-industry collaboration and by providing shared governance and necessary shared service to public and private organizations who wish to interconnect as a network of networks.

 

Privacy and Security – A Top Priority

MHIN goes to great lengths to adhere to strict government requirements, privacy regulations and voluntary accreditations to ensure that information is being shared within a secure and trusted framework. These concepts boil down to a basic philosophy that guides us: If this were MY record, how would I want it handled? Who should have access to what – and when? This philosophy is carried out through a sophisticated security design, careful implementation planning, an active security administration function, and comprehensive policies and procedures.