Shared Health has implemented appropriate industry standard privacy and security safeguards, including:
Do Shared Health applications meet HIPAA privacy requirements?
Yes. Shared Health meets the definition of a health care clearinghouse under HIPAA, which means Shared Health is a covered entity directly regulated by HIPAA and must comply with the privacy requirements.
Many times, Shared Health will be a business associate as well as a covered entity under HIPAA. As a covered entity or business associate under HIPAA, Shared Health is allowed to use and disclose Protected Health Information (PHI) for treatment, payment, and health care operations without an authorization from the individual.
What is Shared Health’s position regarding employer and payer access to the Shared Health Clinical Health Record?
Shared Health recognizes public concern over patient privacy and confidentiality issues surrounding electronic health records. To help alleviate those fears, Shared Health has developed strict policies for the appropriate use of data.
The Shared Health CHR is designed for the purpose of improving patient care by providing relevant information to health care providers at the point of care. The system is not intended for use beyond the stated purpose of health care treatment, payment, and operations.
Payers, whether an insurer or a self-funded employer, are contractually obligated not to use Shared Health data for the purposes of underwriting, utilization review, coverage decisions, setting premiums or provider reimbursement rates, even though these functions may qualify as health care operations under HIPAA.
Aggregated claims data within Shared Health may be provided to payers for data quality assurance purposes only.
Shared Health does not disclose or make available patient data to any unaffiliated outside third party.
What type of technical safeguards does Shared Health have in place?
Shared Health’s top priority is patient-record privacy and security. Shared Health uses industry-standard safeguards to protect the collection, storage, and transmission of protected health information:
Encryption
Transmission
Network
How does Shared Health keep my employees’ health care information private?
Users (health care providers and office staff) must consent and agree to the Shared Health User Agreement and Privacy Policy before accessing information, and they are assigned various levels of access to information in order to safeguard that information.
Users must first go through a three-step authorization process. At the end, they will be given the degree of access that matches their roles and responsibilities. For example, clerical staff in a health care provider’s office can only have access to demographic and benefit limits information.
Another safeguard requires the authorized user to enter first name, last name, and either date of birth or Social Security number. Shared Health has implemented this safeguard as a security standard that prevents health care providers or their representatives from being able to randomly access patient information.
In addition to investigating and pursuing all reports of abuse, Shared Health audits system use in a number of ways, looking for unusual activity in patterns of use, geographic disparities, and clinician specialty disparities. Shared Health software immediately notifies the appropriate personnel if unusual network traffic patterns are detected.
Where is Shared Health’s member data stored/housed?
Patient data is collected by Shared Health and stored at an offsite location. Data is never housed on a payer server. Operational Shared Health data is stored in Kansas City, Missouri, and the data repository is located in Manchester, New Hampshire.
If I have a question about privacy and/or security, whom do I contact?
Shared Health’s top priority is patient-record privacy and security. If you have a specific question, you can contact Shared Health via phone, mail or the Web.














