Current through Register Vol. XLI, No. 50, December 13, 2024
Section 65-28-2 - Definitions

2.1. Authentication Information - means the method of authentication assigned to each authorized user of the Network by his or her participating organization in accordance with minimum Network requirements. Authentication Information may be based upon information known only by and unique to an authorized user, such as a password and username. The Network may impose a second authentication factor that is based upon something that an authorized user has, such as a smart card or token, or something unique to the authorized user, such as an electronic signature or fingerprint.

2.2. Authorized User - means a member of the workforce of a participating organization who has been designated by that participating organization to access the Network's health information exchange pursuant to the concept of role-based access control. An authorized user may also be a patient who has registered for access to the Network's patient portal to obtain direct access to his or her protected health information from a cooperating participating organization; a member of the Network's workforce; or a member of the workforce of a business associate of the Network.

2.3. Business Associate - means a person or entity that performs a function, activity, or service to a health care provider, health plan, health care clearinghouse, or another business associate involving the disclosure of protected health information or personal demographic information to the business associate. The Network is a business associate to each of its participating organizations. Subcontractors and vendors to the Network may be business associates of the Network. The term "business associate" has the same meaning as the term is defined in 45 C.F.R. Part 160.

2.4. Business Associate Agreement - means a contract between a covered entity under HIPAA and a business associate, or between a pair of business associates, which obligates the business associate to maintain the privacy and security of protected health information in accordance with the requirements of 45 C.F.R. Part 164.

2.5. Breach - means the acquisition, access, use, or disclosure of a patient's unsecured protected health information by an unauthorized person or entity in a manner not permitted under the HIPAA privacy rules, and in a manner that otherwise satisfies all other requirements imposed by the rules governing breach notification for unsecured protected health information in 45 C.F.R. Part 164.

2.6. Clinical Messaging - means the exchange of protected health information from one participating organization to another through the Network in the form of test results or other clinical information. Test results can be generated by clinical laboratories, imaging providers, and other like providers. Other clinical information may consist of discharge summaries, consultation reports, and patient referral data. For purposes of the Network's health information exchange, clinical messaging is a point-to-point transaction.

2.7. Consent - means the decision of a patient to participate in the Network's health information exchange. No affirmative action is required from a patient to establish his or her consent. A patient shall be considered to have given his or her consent to participate until and unless the patient affirmatively opts-out of the health information exchange.

2.8. Covered Entity - means a health care provider, a practitioner licensed under the provisions of Chapter 30 of the West Virginia Code or some equivalent law of another state, a health care clearinghouse, or a health plan that transmits any protected health information in electronic form. The term "Covered Entity" has the same meaning as the term defined in 45 C.F.R. Part 160.

2.9. Data Supplier - means any organization approved by the Network that has entered into a data supplier agreement and discloses or otherwise makes available protected health information for access through the Network's health information exchange for a permissible purpose.

2.10. Data User - means a participant that has entered into a data user agreement and whose authorized users will access, receive, and use protected health information through the health information exchange for a permissible purpose. By entering into a data user agreement, participant may access and use the WV e-Directive Registry.

2.11. Deidentify or Deidentification - means the process of rendering protected health information into a form that does not identify a patient, and there is no reasonable basis to believe that the information can be used to identify a patient. In order to deidentify protected health information properly, the requirements of 45 C.F.R. Part 164 must be fully satisfied.

2.12. Designated Record Set - means any grouping of medical or billing records maintained by a covered entity and used to make treatment or payment decisions about a patient. A designated record set shall have the same meaning as the term is defined in 45 C.F.R. Part 164, Subpart E.

2.13. Drug or Alcohol Abuse Information - means information related to the treatment and care of a patient suffering from alcohol or drug abuse, or both, including any information that would specifically identify a patient as receiving drug or alcohol abuse treatment and care. The term "Drug or Alcohol Abuse Information" has the same meaning as the term "Drug or Alcohol Abuse Patient Records" is defined in 42 C.F.R. Part 2. Drug or alcohol abuse information, for purposes of this rule, shall arise only in connection with care and treatment provided in a federally assisted program as defined in 42 C.F.R. Part 2.

2.14. Emergency Treatment - means a condition which poses an immediate threat to the health of a patient (for example, death or serious impairment to one or more bodily systems, organs, or parts), and which requires immediate medical intervention.

2.15. Encryption - means a technology or methodology approved by the United States Secretary of Health and Human Services that can render protected health information unusable, unreadable, or indecipherable to unauthorized individuals or entities.

2.16. E-Prescribing - means the transmission, using electronic media, of prescription or prescription-related information between a licensed practitioner and a pharmacy, pharmacy benefit manager, or health plan, including any communication related to the prescription.

2.17. Full Service Participant - means a participant that has entered into a full service agreement and that functions as both a data supplier and a data user within the health information exchange. By entering into a full service agreement, participant may access and use the WV e-Directive Registry.

2.18. Health Care Clearinghouse - means any entity, including a billing service, repricing company, or other similar organization that processes health information in a nonstandard format into standard data elements or a standard transaction, or vice versa. The term "Health Care Clearinghouse" has the same meaning as such term is defined in 45 C.F.R. Part 160.

2.19. Health Care Provider - means a provider of medical or health services, and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. The term "Health Care Provider" has the same meaning as the term is defined in 45 C.F.R. Part 160.

2.20. Health Plan - means an individual or group plan that provides, or pays the cost of medical or health services. The term "health plan" has the same meaning as such term is defined in 45 C.F.R. Part 160.

2.21. Health Care Operations - means any of those activities identified by federal regulations at 45 C.F.R. Part 164, including but not limited to, quality assessment and improvement activities, case management and care coordination, reviewing the competence of licensed practitioners, underwriting, and business planning and management activities.

2.22. Health Information Exchange - means a system for the electronic transfer of protected health information between participating organizations for a permissible purpose based upon requirements of federal and state law. A health information exchange shall seek to achieve interoperability between and among its participating organizations.

2.23. HIPAA - means the Health Insurance Portability and Accountability Act of 1996, and its implementing rules promulgated in 45 C.F.R. Parts 160, 162, and 164.

2.24. HIPAA Privacy Rules - means those privacy rules described in 45 C.F.R. Part 164, Subpart E, as modified and enlarged by the Health Information Technology for Economic and Clinical Health (HITECH) Act and any other subsequent amendments as of the effective date of this rule.

2.25. HIPAA Security Rules - means those security rules described in 45 C.F.R. Part 164, Subpart C, as modified and enlarged by the HITECH Act and any other subsequent amendments as of the date of this rule.

2.26. HITECH Act - means the Health Information Technology for Economic and Clinical Health Act of 2009, and its implementing rules promulgated at 45 C.F.R. Parts 160, 162, and 164.

2.27. Inquiry - means a request directed by a participating organization to the Network for the disclosure of a patient's protected health information for a permissible purpose. Inquiry involves the potential exchange of protected health information between multiple participating organizations.

2.28. Licensed Practitioner - means an individual licensed to provide health care items or services by a West Virginia board identified in Chapter 30 of the West Virginia Code, or by an equivalent board of another state.

2.29. Master Patient Index - means the index wherein personal demographic information of patients is securely maintained by the Network to record their decision to opt-out of the health information exchange. For those patients who have not elected to opt-out, the master patient index shall be used to match the patients with any inquiries seeking the exchange of protected health information for a permissible purpose. The Network shall maintain personal demographic information regarding all potential patients in this master patient index, even if the decision is made to opt-out, in order to minimize the possibility of improperly matching patients.

2.30. Mental Health Information - means any information obtained in the course of treatment or evaluation of any patient suffering from a mental or behavioral disorder, including but not limited to, diagnosis and treatment information, and any information that would specifically identify a patient as receiving mental health services. The term "Mental Health Information" has the same meaning as the term "confidential information" is defined in W. Va. Code § 27-3-1 et seq.

2.31. Minimum Necessary - means that when requesting, using, or disclosing protected health information for a permissible purpose other than treatment or emergency treatment, a covered entity or a business associate shall limit protected health information to the minimum amount needed to accomplish the intended purpose of the request, use, or disclosure. The term "Minimum Necessary" has the same meaning as such term is defined in 45 C.F.R. Part 164, Subpart E.

2.32. Out-Of-Pocket Goods and Services - means any goods and services for which the participating organization has been paid out-of-pocket in full by the patient, and the patient has requested the participating organization to restrict the disclosure of those goods and services to an insurance company, group health plan, or other third party payor for payment or health care operations. The term "Out-of-Pocket-Goods and Services" has the same meaning as such term is defined in the HITECH Act.

2.33. Opt-Out - means a process under which any patient who does not consent to the use and disclosure of his or her protected health information with other participating organizations pursuant to the Network's health information exchange may affirmatively express his or her decision not to participate.

2.34. Participant or Participating Organization - means any health care provider, licensed practitioner, public health agency, health care clearinghouse, health plan, or other organization approved by the Network that establishes a contractual relationship with the Network in accordance with a standard participation agreement. A participant or participating organization must be a covered entity under HIPAA, a public health agency, or a business associate of a covered entity. Multiple covered entities operating as a single organized health care arrangement under 45 C.F.R. Part 160, may constitute a single participating organization upon approval of the Network. A participant or participating organization may be a full service participant, a data user, or a WV e-Directive Registry subscriber.

2.35. Patient - means the individual whose personal demographic information or protected health information is subject to electronic storage and transfer by the health information exchange. The term "Patient" includes a personal representative who has the authority to consent or authorize the disclosure of a patient's protected health information pursuant to 45 C.F.R. § 164.502(g) and any other applicable state or federal laws. A patient may also register as an authorized user for access to the Network's patient portal through a cooperating participating organization.

2.36. Patient Notice - means a written notice prepared and approved by the Network, and supplied to its participating organizations for distribution to patients. The patient notice shall be provided to all patients during their first visit or encounter with a participating organization after it enrolls in the Network, and where possible, before the date of anticipated enrollment. The participating organization may provide the patient with an electronic version of the patient notice if the patient has specifically agreed to electronic notice as permitted by the HIPAA privacy rules. The patient may obtain a paper copy of the patient notice from the participating organization upon request. This patient notice shall explain the function of the Network; the permissible purposes for which a patient's protected health information may be shared with other participating organizations through the Network; the types of protected health information which may be shared with other participating organizations; the need for the patient's consent to share certain categories of sensitive health information; the potential benefits and risks of participation in the Network; and the fact that a patient's participation in the Network is voluntary and subject to a patient's right to opt-out.

2.37. Patient Portal - means an on-line service offered by the Network through a cooperating participating organization which enables a patient to directly access and view only his or her protected health information from anywhere with a secure internet connection through the Network's health information exchange.

2.38. Patient Restricted Information - means any protected health information that is subject to a use or disclosure restriction impacting a permissible purpose, and that has been specifically requested by a patient and agreed to by a participating organization or data supplier pursuant to 45 C.F.R. Part 164. It could also include a patient's request for restriction to a use or disclosure of protected health information permissible under state law.

2.39. Payment - means any activity undertaken to obtain or provide reimbursement for the provision of health care items or services to a patient. Payment also includes activities arising out of billing and collection, obtaining premiums for health plan coverage, determining eligibility for coverage, coordinating benefits with other health plans, performing health plan risk adjustment, reviewing medical necessity, providing precertification or preauthorization of services, and other similar transactions. The term "Payment" has the same meaning as such term is defined in 45 C.F.R. Part 164.

2.40. Personal Demographic Information - means information which may be used to individually identify a patient, but which excludes any and all clinical or health-related information. Personal demographic information may include, but not be limited to, the patient's name, address, Social Security number, date of birth, telephone number, and driver's license number.

2.41. Personal Health Record - means a health record that is established by a patient on his or her own behalf, and that uses an online platform sponsored by another entity. This personal health record may be developed by gathering and consolidating protected health information from many sources, including participating organizations of the Network's health information exchange.

2.42. Protected Health Information - means any information that relates to the past, present, or future physical or mental health or condition of a patient, the provision of health care items or services to the patient, and the past, present, or future payment for the provision of health care items or services to a patient. Protected health information also must personally identify a patient or provide a reasonable basis to believe that the information can be used to identify a patient. The term "Protected Health Information" shall also include electronic protected health information and each shall have the meaning as defined in 45 C.F.R. Part 160.

2.43. Public Health Reporting - means the exchange of protected health information through the Network to a federal or state agency for the reporting and surveillance of specified health conditions as required or authorized by law, and for the reporting of immunization data. The reporting shall contain the minimum amount of protected health information or personal demographic information required or authorized for the reporting purpose.

2.44. Psychotherapy Notes - means notes recorded by a mental health care provider documenting or analyzing the contents of a conversation by a patient during a private, group, or family counseling session, and that are separated from the rest of the patient's medical record. The term "Psychotherapy Notes" has the same meaning as such term is defined in 45 C.F.R. Part 164.

2.45. Sensitive Health Information - means the subset of protected health information involving drug or alcohol abuse information, mental health information, psychotherapy notes, out-of-pocket goods and services, patient restricted information, or any other goods and services subject to heightened privacy and confidentiality requirements under federal and state laws or rules, or regulations and specifically approved by the Network.

2.46. Site Administrator - means an authorized user of the Network who is a member of the workforce of a participating organization, who may grant and terminate authorized user status, and who may perform other administrative functions within or on behalf of his or her participating organization. A participating organization may designate more than one site administrator.

2.47. Treatment - means the provision of health care items or services to a patient, including direct patient care as well as consultation, coordination, management, or patient referral between or from one participating organization to another. The term "Treatment" has the same meaning as the term is defined in 45 C.F.R. Part 164. Unless stated otherwise, treatment shall be limited to the provision of health care items or services to the patient who is the subject of the information (except in the case of mother/infant).

2.48. Unsecured protected health information - means protected health information that has not been rendered unusable, unreadable, or indecipherable by unauthorized individuals or entities through the use of encryption or other federally-approved technology. The term "Unsecured Protected Health Information" has the same meaning as such term is defined in 45 C.F.R. Part 164.

2.49. WV e-Directive Registry - means a service by which participating organizations that are health care providers may access a patient's advance directive forms, physicians' orders for scope of treatment (POST) forms, and do not resuscitate cards. A participating organization that seeks access to these documents must be a WV e-Directive Registry subscriber.

2.50. WVDirect - means a service that offers a secure messaging platform to transmit protected health information and other data to other WVDirect subscribers via electronic mail. WVDirect's secure messaging platform is offered as a separate and distinct service from the Network's health information exchange. A health care provider does not have to become a participating organization to subscribe to WVDirect, but must be a WVDirect subscriber.

2.51. West Virginia Health Information Network or Network - means the public-private partnership created by West Virginia Code Chapter 29G, and which has as one of its purposes to develop an interoperable health information exchange in West Virginia. The Network also offers services that are separate and distinct from the health information exchange, including WVDirect.

2.52. Workforce - means employees, contractors, volunteers, trainees, or other persons whose conduct, in the performance of work for a participating organization, is under the direct control of the participating organization, whether or not they are paid by the participating organization. The term "Workforce" has the same meaning as the term is defined in 45 C.F.R. Part 160.