Navigation

Data Security Policy

SMRTNET Data Security

Privacy and Data Security Process

In many ways SMRTNET operates as a sophisticated electronic courier service. Much like mail or fax machines, SMRTNET does not own or control data. SMRTNET simply organizes and moves information according to HIPAA compliant instructions by SMRTNET members who are treating the same patient. The members always own and control their data. The instructions and regulations for transferring data are fully compliant with HIPAA and state law and are codified in a network agreement all members sign and follow.

There are numerous controls, which are generally much superior to controls on paper records that make certain that these rules are monitored and followed. As a federally funded research project, SMRTNET’s attention to the privacy and security of health information has always been an overreaching consideration of the network. The following experts have been included in the process of forming the SMRTNET data security processes: Bill Braithwaite, M.D., Ph.D. principal author of HIPAA. Dr. Braithwaite met with SMRTNET in Oklahoma to advise the network on the legal basis of health information exchange under HIPAA. He continues to be available to us as a consultant.



  • Chris Sears, attorney for a sixteen-year-old data exchange in Indiana that exchanges over one billion pieces of health information for eleven hospitals, Medicaid, insurance, public health and other entities.
  • Attorneys for the originating partners which are the Oklahoma State Department of Health, Oklahoma Department of Mental Health and Substance Abuse Services, Northeastern State University, Tahlequah City Hospital, NEO Community Health Center, and Cherokee Nation.
  • A team of privacy officials from the partner agencies (above).
  • Cerner, a company that is entrusted with personal health data by 1,500 hospitals and several interoperable networks, one with over two million lives.

Limits of Data Use

  • The network is only used for treatment and treatment support as regulated by HIPAA, federal and state law and overseen by a public non-profit organization of healthcare providers.
  • Only members who have applied and been accepted by the network can access data.
  • The data cannot be used for research.
  • Nobody can access a “list “of patients by any type except by approval of the management committee. Only data from one patient at a time can be seen and only for treatment or HIPAA related purposes.
  • No employers, insurance companies or any non-member persons can access the data. 

Limited Data Set

The data shared is limited to the data types most needed to assist improving healthcare. These include diagnosis, medications, laboratory results, procedure codes, allergies and reactions, and other related information as determined by the public non-profit governance boards. 

Public and Transparent Oversight

The data exchange process is overseen by a management committee of provider agencies. The committee operates using a transparent process with public meetings and budgets under the umbrella of a legislatively created health authority. New members can be added to the management committee as the network grows. SMRTNET is made up of several health information exchange boards that oversee their particular health issues. These operate within the scope of the general management committee. 

Provider Oversight

  • Each provider is issued a special identification and password, which they have to use to access the data. This is changed periodically.
  • The provider must electronically certify that s/he is seeing the patient for treatment or treatment related issues before any information is shared.
  • Every access to information is recorded.
  • Within each organization only the level of information that is needed by that provider for treatment or support is shared. So, for instance, a clerk can only see the patient’s address but the physician can see medications and diagnosis.

Audits

  • An audit report is issued to each member facility of SMRTNET of accesses by staff.
  • Any provider or member can be audited for appropriate use at any time by request of any member. 

Patient Identification

  • Name, date or birth, or social security number and other demographics identify patients before any information is shared.
  • A sophisticated software program makes sure that names are correctly matched to records. Only statistically determined exact matches are shared. Close matches will be researched and corrections made by professional staff members when appropriate using additional demographics such as address and phone numbers to assure matches. 

Patient Oversight of Access and Use

Under HIPAA patients may ask their providers for copies of their personal health information. In the future patients may be offered an opportunity to apply for a free electronic personal health record where they will see who has accessed their information. Over time they will also be able to store information there for use by SMRTNET providers. The ability of member provider to share treatment information with other providers who are also seeing the same patient is allowed under HIPAA and this fact is in the privacy statement of each member as signed and acknowledge by patients.


  • Patients can opt out initially or at any time. A completed opt out request form submitted to SMRTNET prevents the patients information from being shared through SMRTNET to all member providers in any facility.
  • Patients are informed at the provider source about the network. This is the most appropriate place to share that information.
  • Information about SMRTNET is made available by the provider office, on the website www.smrtnet.org and by phone.
  • Sensitive data under law such drug abuse and some family planning information is not sent by the member providers into the network.
  • The provider must electronically certify that s/he is seeing the patient and only those that certify this can see the patient data.
  • Providers may provide higher levels of patient acknowledgement such as “opt in” if they chose. 

Outside Storage and Data Security

The data is stored in a special facility in Kansas City overseen by a company that stores data for over 1,500 hospitals and several networks. The software has been tested within a framework of two million patients and several thousand providers. Patient information is “shattered” into separate electronic “virtual vaults” which store types of information separated from names. 

Network Agreement

The rules of the network are listed in a detailed member agreement, which all data providers and data contributors agree to in writing. Over twenty attorneys from a wide variety of health entities have reviewed and certified that the rules and processes in the agreement fit with all federal and state law.

Membership

Success Stories

View All Success Stories

Promotions

HIMSS 2012 SMRTNET featured at the HIMSS 2012 InteroperabilityShowcase!


HIMSS Interoperability Showcase!