Confidentiality, Access, and Security Policy

As an industry leader for health information exchange (HIE), MHIN takes the privacy and security of healthcare information very seriously, not just because it’s the law, but because it’s the right thing to do. Since MHIN’s inception, protecting the security, confidentiality, and privacy of information has consistently remained a top priority.

MHIN’s Health Information Exchange (HIE) and Electronic Health Record (EHR) applications are implemented with measures that limit users to appropriate access and ensure that access is monitored. System access is guarded by user sign-ons, passwords, and specific privileges for each application. A robust audit trail records all transactions, including attempted access. MHIN works closely with Cerner Corporation, our EHR and HIE vendor and a world-class leader in healthcare technology, to ensure that database design, interfaces, and application functionality support our initiatives to comply with privacy and security regulations, as well as the strict criteria of accrediting agencies.

Protecting Healthcare Information is the Law.

Since MHIN was formed in the 1990s, policies and procedures have been in place to protect the privacy and security of patient data. The security models built as the foundation for all products were based on federal laws for healthcare providers. MHIN complies with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, along with any state laws pertaining to the privacy of medical information.

MHIN works with participating organizations to ensure that our activities support their policies and procedures related to their legal requirement to protect the privacy and security of patient information. These activities are balanced with providing rightful access to those who need it to provide care for their patients. It is our mission to ensure that providers have complete health information available at the time they are caring for their patients.

MHIN products are designed so that users have appropriate access and that their access is monitored. System access is safeguarded by requiring unique user accounts with complex passwords, and by granting specific privileges for each application based on the individual user’s role. Our products create audit trails that record all transactions and assist in monitoring access.

Many industry-standard security measures are in place at MHIN to support technical and physical protections designed to guard the privacy of health information. MHIN’s in-house privacy and security team is responsible for oversight of all aspects of our compliance program. Through MHIN’s use of a secure Class 4 Data Center, we’re able to implement strong security controls to constantly monitor information flowing in and out of the HIE, detect potential threats, and implement safeguards to protect the system from unauthorized access.

Below are some of the key elements of the MHIN compliance program:

  • Designated Privacy and Security Officer to oversee privacy and security activities
  • Participant education on MHIN privacy and security policies
  • HIPAA awareness and training for all MHIN employees
  • Technical safeguards requiring encryption of all machines storing health information
  • Destruction procedures for paper or hardware with protected health information
  • Routine audits of users who access data
  • Security management program for conducting and responding to regularly scheduled risk assessments and penetration testing

Since long before HIPAA or HITECH, MHIN has been committed to protecting healthcare information because it is the right thing to do. Our voluntary participation in accreditation programs and constant attention to federal requirements and laws demonstrate our commitment to protecting health information.

eHealth Exchange

MHIN is a participant in The Sequoia Project’s eHealth Exchange. The eHealth Exchange is a community of public and private organizations that securely share health information as part of a growing national network. As a member of the eHealth Exchange, MHIN has signed the Data Use and Reciprocal Support Agreement (DURSA). The DURSA is a contract for health information exchange based on existing laws (federal, state, and local) that apply to the privacy and security of health information. It supports the current national standards for health information exchange and requires participants to follow a common set of standards.

Direct Messaging

MHIN participates in the Direct Project, an initiative sponsored by the Office of the National Coordinator for Health Information Technology (ONC) that allows participants to send health information securely to known, trusted recipients over the Internet. As a Health Information Service Provider (HISP) of Direct Messaging services, MHIN has taken steps to protect shared information and promote interoperability by using national standards. The MHIN HISP is a member of the DirectTrust Accredited Trust Community and has contributed its trust anchor certificate to the DirectTrust Accredited Trust Bundle. This participation allows other members of the DirectTrust Accredited Trust Community to access the MHIN HISP trust anchor certificate from the DirectTrust Accredited Trust Bundle. The MHIN HISP does not exchange trust anchor certificates with entities that are not members of the DirectTrust Accredited Trust Community. The MHIN HISP complies with the DirectTrust HISP Policy Version 1.1.1.

Organizations and individuals who use the Direct Messaging product undergo a strict vetting process to verify their identity, as required by DirectTrust. MHIN protects the information gathered during this vetting process from unauthorized disclosure. This information is stored on a secure network drive that is accessible only to a small number of authorized MHIN employees whose job duties require this access.

Protecting healthcare information is the right thing to do.

Privacy and Security – A Top Priority

MHIN goes to great lengths to adhere to government requirements and privacy and security regulations, and to pursue voluntary accreditations, to ensure that information is being shared in a secure and trusted system. These concepts boil down to a basic philosophy that guides us: If this were MY record, how would I want it handled? Who should have access to what – and when? This philosophy is carried out through a sophisticated security design, careful implementation planning, active security administration functions, and comprehensive policies and procedures.