Current through Register Vol. 46, No. 45, November 2, 2024
Section 300.4 - Qualified entities(a) Each qualified entity shall:(1) maintain and operate a network of SHIN-NY participants seeking to securely exchange patient information;(2) connect to the statewide data infrastructure to allow SHIN-NY participants to exchange information with SHIN-NY participants of other qualified entities and with the New York State Department of Health or its designated contractor to support statewide reporting and analytics for public health activities and Medicaid purposes;(3) submit to regular audits of qualified entity functions and activities by the New York State Department of Health or its designated contractor as necessary to ensure the quality, security, and confidentiality of data in the SHIN-NY;(4) ensure that data from SHIN-NY participants is only made available through the SHIN-NY in accordance with applicable law;(5) enter into agreements, including the statewide common participation agreement, with SHIN-NY participants that supply patient information to, or access patient information from, the qualified entity. A qualified entity must be the business associate, as defined in 42 USC § 17921, of any SHIN-NY participant that supplies patient information and is a health care provider, and must be a qualified service organization of any SHIN-NY participant that supplies patient information and is an alcohol or drug abuse program required to comply with Federal regulations regarding the confidentiality of alcohol and substance abuse patient records;(6) allow participation of all health care providers in the geographical area served by the qualified entity that are seeking to become SHIN-NY participants, list the names of such SHIN-NY participants on its website, and make such information available at the request of patients;(7) submit data, including patient information, using the statewide data infrastructure, to the New York State Department of Health or its designated contractor, according to specifications provided by the New York State Department of Health;(8) submit reports on health care provider participation and usage, system performance and data quality, in a format determined by the New York State Department of Health;(9) adopt policies and procedures to provide patients with access to their own patient information that is accessible directly from the qualified entity, except as prohibited by law;(10) implement policies and procedures to provide patients with information identifying SHIN-NY participants that have obtained access to their patient information using the qualified entity, except as otherwise prohibited by law.(b) Each qualified entity shall have procedures and technology:(1) to exchange patient information for patients of any age, consistent with all applicable laws regarding minor consent patient information;(2) to allow patients to approve and deny access to SHIN-NY participants; and(3) to honor a minor's consent or revocation of consent to access minor consent patient information.(c) Each qualified entity shall provide such core services to SHIN-NY participants as required by the SHIN-NY policy guidance under subdivision (b) of section 300.3 of this Part. Such core services shall include, but not be limited to: (1) allow SHIN-NY participants to search existing patient records on the network;(2) make available to SHIN-NY participants and public health authorities a clinical viewer to securely access patient information;(3) provide tracking of patient consent;(4) provide identity management services to authorize and authenticate users in a manner that ensures secure access;(5) submit data using the statewide data infrastructure, to the New York State Department of Health or its designated contractor, to support the aggregation of data, statewide reporting and analytics for public health activities and Medicaid, consistent with applicable law;(6) support Medicaid and public health reporting to public health authorities;(7) provide SHIN-NY participants with appropriate access to data using the statewide data infrastructure.(d) The New York State Department of Health shall certify qualified entities that demonstrate that they meet the requirements of this section to the satisfaction of the New York State Department of Health. The New York State Department of Health may, in its sole discretion, select a certification body to review applications and make recommendations to the New York State Department of Health regarding certification. The New York State Department of Health shall solely determine whether to certify qualified entities. To be certified, a qualified entity must demonstrate that it meets the following requirements: (1) The qualified entity is capable of supporting and advancing the use of health information technology in the public interest and has a board of directors and officers with such character, experience, competence and standing as to give reasonable assurance of its abilities in this respect.(2) The qualified entity has the capability and infrastructure to operationalize the requirements in this section.(3) The qualified entity has technical infrastructure, privacy and security policies and processes in place to: manage patient consent for access to health information consistent with section 300.5 of this Part and the SHIN-NY policy guidance under subdivision (b) of section 300.3 of this Part; support the authorization and authentication of users who access the system; audit system use; and implement remedies for breaches of patient information.(e) The New York State Department of Health shall periodically require qualified entities to demonstrate continued compliance with the certification standards required pursuant to subdivision (d) of this section through a process of audit and re-certification by the New York State Department of Health or a certification body designated by the New York State Department of Health.(f) The New York State Department of Health may, as it deems appropriate, audit qualified entities to ensure ongoing compliance with criteria and standards.N.Y. Comp. Codes R. & Regs. Tit. 10 § 300.4
Adopted New York State Register March 9, 2016/Volume XXXVIII, Issue 10, eff. 3/9/2016Amended New York State Register July 10, 2024/Volume XLVI, Issue 28, eff. 7/10/2024