W. Va. Code R. § 65-28-12

Current through Register Vol. XLI, No. 50, December 13, 2024
Section 65-28-12 - Business Associates; De-Identification of protected health information
12.1. Under the HITECH Act, the Network's operation of a health information exchange qualifies it as a business associate of its various participating organizations, data suppliers, and WVDirect subscribers. Accordingly, the Network shall enter into a valid and binding business associate agreement with each participating organization, data supplier, and WVDirect subscriber. The business associate agreement shall comply with any and all of the requirements of HIPAA and the HITECH Act.
12.2. If the Network uses subcontractors and vendors to assist it with the development, implementation, and operation of the health information network, and the subcontractors and vendors fall within the definition of a business associate under HIPAA and the HITECH Act, then the Network shall enter into a valid and binding business associate agreement with each subcontractor or vendor. The business associate agreement shall comply with all of the requirements of HIPAA and the HITECH Act.
12.3. The HIPAA privacy rules identify the means by which protected health information may be deidentified. To be considered as deidentified, the remaining data shall not identify a patient, and there shall be no reasonable basis to believe that the information can be used to identify a patient. The Network may deidentify protected health information, and may disclose or use the deidentified data for any public health or research purpose approved by the Network board.
