HLT-44-15-00020-A Statewide Health Information Network for New York (SHIN-NY)  

This regulation makes clear that, consistent with 42 USC § 17938, Qualified entities (QEs) may, without patient authorization, make patient information available among SHIN-NY participants or other entities otherwise serving the patient so long as the QEs enter into and adhere to participation agreements that comply with federal requirements under HIPAA and 42 CFR Part 2 for business associates and qualified service organizations. This regulation specifies consent requirements to access patient information made available through the QEs. This regulation incorporates legal requirements related to disclosure of patient information without consent, as well as laws that specifically authorize disclosure of patient information for health care purposes, including public health and health oversight purposes, without the type of written, signed authorization that contains all of the elements that would be required for a health care provider to get permission to disclose patient information to a third party for purposes other than health care.

In order to participate in the SHIN-NY, regional health information organizations will need to be certified as QEs by the Department and satisfy certification requirements on an ongoing basis under the procedures established by this regulation.

Changes made to the last published rule do not necessitate revision to the previously published summary of the RIS, RFA, RAFA and JIS.

Comment: One commenter recommended that there be greater transparency in how SHIN-NY policy guidance is developed and that the Department should publish qualified entity performance data.

Response: The regulation will continue the statewide collaboration process. Additionally, the Department intends to publish information on the performance of the SHIN-NY, qualified entities, participant adoption, and usage.

Comment: One commenter recommended that the Department recognize a state designated entity in the regulation.

Response: Although the regulation does not mention a state designated entity, the regulation does not preclude the Department from designating one in the future.

Comment: Two commenters expressed concern that the regulation does not require the Department to carry out specific activities to establish the SHIN NY or issue SHIN NY policy guidance.

Response: Section 300.2 of the proposed regulation stated that the Department “may” carry out activities to establish the SHIN-NY, and section 300.3 of the proposed regulation stated that the Department “may” establish SHIN NY policy guidance. The final regulation changes “may” to “shall” in both 300.2 and 300.3 to clarify that the Department will carry out activities to establish the SHIN NY and issue policy guidance. The SHIN NY policy guidance under section 300.3(b) of the regulation is posted on the Department’s website at this link: http://www.health.ny.gov/technology/regulations/shin-ny/.

Comment: Multiple commenters stated that qualified entities should be required to train providers and educate the public about the SHIN-NY and, specifically, minor consent information in the SHIN-NY.

Response: The Department recognizes the need for qualified entities to train their participants on the functionality of the SHIN-NY, SHIN-NY policies, and requirements to ensure privacy and confidentiality of patient information. The SHIN-NY policy guidance specifies appropriate training and education procedures.

Comment: One commenter was concerned that the regulation would allow a previous consent, given through the Medicaid enrollment process, to serve as prior consent under section 300.5(c)(1) of the regulation, thereby allowing Medicaid managed care health plans to access data via the SHIN-NY.

Response: The Access NY Health Care health insurance application form (DOH-4220all) includes conditions for receiving public welfare benefits under Title XIX of the Social Security Act (Grants to States for Medical Assistance Programs). The Department is currently evaluating whether this would serve as prior consent under section 300.5(c)(1).

Comment: Some commenters stated that the proposed regulation should require that qualified entities withhold information from the SHIN NY unless a patient consents to upload information to the SHIN-NY.

Response: Under section 300.5(a) of the regulation, qualified entity participants “may, but shall not be required to, provide patients the option to withhold patient information, including minor consent patient information, from the SHIN NY.” Thus, providers will be able to offer the option for patients to withhold patient information as necessary and appropriate.

Comment: Some commenters suggested that the Department should include a section on patient rights.

Response: Although the regulation does not have a specific section labeled “patient rights,” section 300.4(a)(8) requires qualified entities to provide patients with access to patient information and section 300.4(a)(9) requires qualified entities to provide an accounting of access by qualified entity participants. The regulation also incorporates by reference patient rights in federal and state law.

Comment: Some commenters suggested that the regulations do not go far enough to restrict access to information derived from minor consented services.

Response: Qualified entities and the SHIN-NY policy committee, through the statewide collaboration process, have identified technical and policy solutions that will allow those providing minor consented services to access patient data based on a minor’s consent. SHIN-NY policies also ensure that minor consented services are kept confidential, through the implementation of technology and education of providers who might access data from an encounter when a patient receives minor consented services. Section 300.5(a) allows qualified entity participants to provide patients receiving minor consented services the option to withhold patient information from the SHIN-NY. Also, a qualified entity participant may not may not disclose minor consent patient information to a parent or guardian without the minor’s authorization.

Comment: One commenter suggested that the SHIN-NY consent model is burdensome and decreases participation in the SHIN-NY.

Response: The SHIN-NY consent model has been structured in a way to adhere to all relevant federal and state laws about data sharing, including regulations that govern the sharing of data from alcohol and substance abuse treatment facilities, at 42 CFR Part 2. The Substance Abuse and Mental Health Services Administration (SAMHSA) proposed rule that would amend 42 CFR Part 2 (81 Fed. Reg. 6988-7024, February 9, 2016) may allow implementation of a less burdensome consent model in the future.

Comment: Multiple commenters cited the need to segment or segregate data as a means to control what data may be accessed by qualified entity participants.

Response: Section 300.5(a) allows qualified entity (QE) participants to provide patients the option to withhold patient information from the SHIN-NY. If implemented by a QE participant, this would allow a patient to request that some or all of their information not be available on the SHIN-NY.

Comment: Some commenters suggested that public health authorities should not be able to access patient data without consent.

Response: HIPAA allows public health authorities and others responsible for ensuring public health and safety to have access to protected health information in order to carry out their public health mission. See 42 USC § 1320d-7(b). The HIPAA Privacy Rule also permits covered entities to disclose protected health information to public health authorities without a written authorization for public health activities authorized by law. Therefore, the regulation and the SHIN-NY policy guidance allow public health access for public health activities authorized by law.

Comment: Some commenters stated that the proposed regulation contains an overly broad authorization of disclosure to a health care provider without patient consent in an emergency.

Response: “Break the Glass,” or emergency access to patient information, is a significant component of the SHIN-NY and current patient consent model. Requirements outlined for audit in section 6.1 of the privacy and security SHIN-NY policy guidance under section 300.3(b)(1) of the regulation provide for the maintenance of audit logs. In the case of “break the glass” access, the audit logs contain information on the type of patient information accessed and the nature of the emergency as attested by the practitioner.

Comment: Some commenters suggested there was ambiguity in the requirement of notice for community-wide consent under section 300.5(b)(1)(i)(b) of the regulation and that it should be clarified to describe exactly what the notice should consist of.

Response: The Department intends that patients who sign a community-wide consent form have the opportunity to receive a notification if the patient chooses to receive one. The Department emphasizes that qualified entities have the flexibility to determine the form and manner in which that notice is provided.

Comment: One commenter suggested that some providers who provide sensitive services and minor consented services should be exempt from the requirement to connect their facilities given that data segmentation is not widely available.

Response: Section 300.6(b) of the regulation gives the Commissioner the ability to waive requirements under extenuating circumstances. Section 300.5(a) of the regulation allows, but does not require, health care facilities subject to the regulation to limit the release of health information at the request of the patient. The Department recognizes that some providers may not have technology available through their electronic health record to support providing patients with the option to withhold patient information, and it may be too expensive to implement this. Providers in this situation could request a waiver under section 300.6(b).

Comment: One commenter recommended that the exemption in section 300.6(b) of the regulation should specifically exempt long-term/post-acute care facilities from the requirement to connect to the SHIN-NY.

Response: All health care facilities under Public Health Law § 18(1)(c) that use a certified electronic health record under the federal HITECH Act are required to connect to the SHIN-NY, including long term/post-acute care facilities. Such facilities may apply for a waiver under section 300.6(b).

Comment: One commenter appreciated that the Department is encouraging non-regulated entities to participate in the SHIN-NY and encourages the Department to align data contribution requirements with other Department programs such as the Delivery System Reform Incentive Payment (DSRIP) program.

Response: The true value of the SHIN-NY will not be achieved until all providers are connected to the network. The Department is working to align data contribution requirements with multiple programs across the Department.