Current through Register Vol. XLI, No. 50, December 13, 2024
Section 65-28-9 - Authorized Users9.1. The Network and each participating organization shall designate authorized users based upon job roles fulfilled by individuals in their respective workforces. Each participating organization is responsible for establishing this role-based access system to limit access within an organization to those workforce members with a need to know.9.2. Each participating organization shall designate, maintain, and certify their official lists of authorized users to the Network. A workforce member may be designated as an authorized user only if that member requires access to protected health information in the Network's health information exchange in order to perform his or her job responsibilities within the participating organization.9.3. A workforce member who is not designated as an authorized user may not access the Network for any purpose.9.4. Each participating organization shall provide training for its authorized users before they may access the health information exchange. This training program shall include a review of the functionality of the health information exchange, as well as a review of all rules, policies, and procedures promulgated by the Network.9.5. Each participating organization is responsible for maintaining an appropriate and current list of its authorized users. This requires that changes in employment status as well as other workforce changes, including termination of authorized user status, shall be communicated immediately and electronically to the Network by the participating organization's site administrator.9.6. The Network shall require any of its subcontractors and vendors that qualify as a business associate under HIPAA and the HITECH Act to also designate, maintain, and certify their list of authorized users in accordance with the role-based access concept.9.7. A patient may seek approval for authorized user status if he or she registers for access to the Network's patient portal with a cooperating participating organization to directly access and view only his or her protected health information that has been contributed to the health information exchange by any participating organization or data supplier.9.8. The Network may temporarily suspend or permanently revoke an individual's status as an authorized user of the Network for any of the following reasons; 9.8.a. Violation of this rule;9.8.b. Violation of any federal or state law or rule, or regulation;9.8.c. Fraudulent activity;9.8.d. Prolonged inactivity on the health information exchange system; or9.8.e. Any other good cause.