
PRIVACY AND DATA SECURITY PROCESS

In many ways SMRTNET operates as a sophisticated electronic courier service. Much like the mail or a fax machine, SMRTNET does not own or control data. SMRTNET simply organizes and moves information according to HIPAA-compliant instructions from SMRTNET members who are treating the same patient. The members always own and control their data. The instructions and regulations for transferring data are fully compliant with HIPAA and state law and are codified in a network agreement that all members sign and follow. There are 27 controls, generally far stronger than the controls on paper records, that make certain these rules are monitored and followed. As a federally funded research project, SMRTNET has always treated the privacy and security of health information as an overarching consideration of the network.

The following experts have been included in the process of forming the SMRTNET data security processes:

  1. Bill Braithwaite, M.D., Ph.D., principal author of HIPAA. Dr. Braithwaite has come to Oklahoma and spent a day with SMRTNET on the legal basis of exchange under HIPAA. He continues to be available to us as a consultant.
  2. Chris Sears, attorney for a sixteen-year-old data exchange in Indiana that exchanges over one billion pieces of health information for eleven hospitals, Medicaid, insurance, public health and other entities.
  3. Attorneys for the originating partners, which are the Oklahoma State Department of Health, Oklahoma Department of Mental Health and Substance Abuse Services, Northeastern State University, Tahlequah City Hospital, NEO Community Health Center, and Cherokee Nation.
  4. A team of privacy officials from the partner agencies listed above.
  5. Cerner, a company that is entrusted with personal health data by 1,500 hospitals and several interoperable networks, one with over two million lives.

Limits of Data Use

  1. The network is only used for treatment and treatment support as regulated by HIPAA, federal and state law.
  2. Only members who have applied and been accepted by the network can access data.
  3. The data cannot be used for research.
  4. Nobody can access a “list” of patients of any type except with the approval of the management committee. Only data from one patient at a time can be seen, and only for treatment or HIPAA-related purposes.
  5. No employers, insurance companies or any outside source can access the data.

Limited Data Set

  1. The data is limited to demographics, allergies and reactions, visit history, diagnosis history, laboratory results, medication history, and immunizations. Over time the network may add data types as agreed to by the members. It is anticipated that the network will eventually add vital signs, providers, insurance, advance directives and plan of treatment as defined by the continuity of care record, an evolving national standard of information exchange. They may also include science-based prevention efforts such as cholesterol, blood pressure, alcohol abuse, smoking and use of aspirin as part of the effort to help change Oklahoma's health status.

Public and Transparent Oversight

  1. The data exchange process is overseen by a management committee of seven public provider agencies. The committee operates using a transparent process, with public meetings and budgets, under the umbrella of a legislatively created health authority. New members can be added to the management committee as the network grows.

Provider Controls

  1. Each provider is issued a special identification and password, which they must use to access the data. The password is changed periodically.
  2. The provider must electronically certify that s/he is seeing the patient for treatment before any information is shared.
  3. Each access to information is recorded.
  4. Within each organization, only the level of information that is needed by that provider for treatment or support is shared. So, for instance, a clerk can see only the person's address, but the physician can see medications and diagnoses. Currently SMRTNET has nine such roles and can add roles as needed.

Audits

  1. An audit report of accesses by its staff is issued to each member of SMRTNET.
  2. Any provider or member can be audited for appropriate use at any time by request of any member.
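As an added illustration (not SMRTNET's own software) of the provider controls and audit process above: each provider authenticates with a credential, must attest to a treatment relationship before any data is returned, sees only the fields its role permits, and every request, granted or denied, is written to an audit log from which a member's report can be produced. The role names, field sets, sample patient record and credentials are constructed for the example; the page names nine roles, of which only the clerk and physician contrast is modelled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Minimum-necessary field set per role. Assumption: only two of the nine
# roles the page mentions are modelled, following its clerk/physician example.
ROLE_FIELDS = {
    "clerk": frozenset({"name", "address"}),
    "physician": frozenset({"name", "address", "allergies",
                            "medications", "diagnoses", "labs"}),
}

# Constructed sample patient record (not real data).
PATIENTS = {
    "P-001": {
        "name": "Jane Example",
        "address": "123 Sample St, Tahlequah, OK",
        "allergies": ["penicillin"],
        "medications": ["metformin 500 mg"],
        "diagnoses": ["type 2 diabetes"],
        "labs": {"HbA1c": "7.1%"},
    },
}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256: the hash is stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Provider:
    user_id: str
    role: str
    salt: bytes
    pw_hash: bytes

    @classmethod
    def create(cls, user_id: str, role: str, password: str) -> "Provider":
        salt = os.urandom(16)
        return cls(user_id, role, salt, hash_password(password, salt))

    def check_password(self, password: str) -> bool:
        # Constant-time compare so a mismatch does not leak timing.
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


@dataclass
class AuditEntry:
    when: str
    user_id: str
    role: str
    patient_id: str
    outcome: str        # "granted" or a denial reason
    fields: tuple = ()  # fields actually disclosed


@dataclass
class Exchange:
    providers: dict
    audit_log: list = field(default_factory=list)

    def _record(self, user_id, role, patient_id, outcome, fields=()):
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc).isoformat(),
                                         user_id, role, patient_id, outcome,
                                         tuple(sorted(fields))))

    def request_record(self, user_id, password, patient_id, attests_treatment):
        """Return the role-limited view of one patient, or None if denied.
        Every request, granted or denied, is appended to the audit log."""
        prov = self.providers.get(user_id)
        role = prov.role if prov else "unknown"
        if prov is None or not prov.check_password(password):
            self._record(user_id, role, patient_id, "denied: bad credentials")
            return None
        if not attests_treatment:
            self._record(user_id, role, patient_id, "denied: no treatment attestation")
            return None
        record = PATIENTS.get(patient_id)
        if record is None:
            self._record(user_id, role, patient_id, "denied: no such patient")
            return None
        view = {k: v for k, v in record.items() if k in ROLE_FIELDS[prov.role]}
        self._record(user_id, role, patient_id, "granted", view.keys())
        return view

    def audit_report(self, user_id=None):
        """Entries for one provider, or for everyone, for the member's report."""
        return [e for e in self.audit_log if user_id is None or e.user_id == user_id]


def demo():
    ex = Exchange({
        "clerk01": Provider.create("clerk01", "clerk", "clerk-pass"),
        "drsmith": Provider.create("drsmith", "physician", "doc-pass"),
    })
    clerk_view = ex.request_record("clerk01", "clerk-pass", "P-001", True)
    doc_view = ex.request_record("drsmith", "doc-pass", "P-001", True)
    no_attest = ex.request_record("drsmith", "doc-pass", "P-001", False)
    bad_pw = ex.request_record("clerk01", "wrong", "P-001", True)
    return ex, clerk_view, doc_view, no_attest, bad_pw


if __name__ == "__main__":
    ex, clerk_view, doc_view, _, _ = demo()
    print("clerk sees:", sorted(clerk_view))
    print("physician sees:", sorted(doc_view))
    for e in ex.audit_report():
        print(e.when, e.user_id, e.patient_id, e.outcome)
```

The point of logging denials as well as grants is that the member's audit report then shows attempts made without a treatment attestation or with bad credentials, which is what an appropriate-use audit under the Audits section would want to see.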

Patient Identification

  1. Name, date of birth, social security number and other demographics identify patients before any information is shared.
  2. A sophisticated software program makes sure that names are correctly matched to records. Only perfect matches are shared. Close matches are researched, and corrections are made by professional staff members when appropriate, using additional demographics such as address and phone numbers to confirm matches.
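An added example (not SMRTNET's matching software) of the rule described above: demographics are normalized, a record is shared only when exactly one record agrees on all three core identifiers, and anything that agrees only partially, including the case of two records that both match perfectly, is routed to a review queue rather than shared. The index records, the queries and the specific closeness rule (two of three identifiers, or one identifier plus a matching address or phone) are constructed assumptions for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Demographics:
    last_name: str
    first_name: str
    dob: str            # YYYY-MM-DD or MM/DD/YYYY
    ssn: str
    address: str = ""
    phone: str = ""


def _letters(s: str) -> str:
    return re.sub(r"[^a-z0-9]", "", s.casefold())


def _digits(s: str) -> str:
    return re.sub(r"\D", "", s)


def _dob(s: str) -> str:
    """Accept MM/DD/YYYY or YYYY-MM-DD and return YYYY-MM-DD."""
    m = re.fullmatch(r"(\d{1,2})/(\d{1,2})/(\d{4})", s.strip())
    if m:
        return f"{m[3]}-{int(m[1]):02d}-{int(m[2]):02d}"
    return s.strip()


def normalize(d: Demographics) -> dict:
    return {
        "name": _letters(d.last_name) + "|" + _letters(d.first_name),
        "dob": _dob(d.dob),
        "ssn": _digits(d.ssn),
        "address": _letters(d.address),
        "phone": _digits(d.phone),
    }


def compare(query: Demographics, candidate: Demographics) -> str:
    """'perfect' if name, DOB and SSN all agree; 'close' (assumed rule) if two
    of the three agree, or one agrees together with address or phone."""
    q, c = normalize(query), normalize(candidate)
    agree = [k for k in ("name", "dob", "ssn") if q[k] == c[k]]
    if len(agree) == 3:
        return "perfect"
    aux = [k for k in ("address", "phone") if q[k] and q[k] == c[k]]
    if len(agree) == 2 or (len(agree) == 1 and aux):
        return "close"
    return "none"


def match(query: Demographics, index: dict):
    """Return (record_id_to_share or None, record_ids_for_staff_review)."""
    perfect, close = [], []
    for rid, rec in index.items():
        verdict = compare(query, rec)
        if verdict == "perfect":
            perfect.append(rid)
        elif verdict == "close":
            close.append(rid)
    if len(perfect) == 1:
        return perfect[0], close
    # Zero or several perfect matches: nothing is shared automatically.
    # Several identical records are themselves a case for staff review.
    return None, perfect + close


# Constructed index and queries (not real people).
INDEX = {
    "R1": Demographics("Example", "Jane", "1980-03-05", "123-45-6789",
                       "12 Sample St", "405-555-0100"),
    "R2": Demographics("Sample", "Jon", "1975-11-20", "987-65-4321",
                       "9 Test Ave", "405-555-0199"),
    "R3": Demographics("Example", "Janet", "03/05/1980", "123456789",
                       "12 Sample St", "4055550100"),
}
QUERY_EXACT = Demographics("EXAMPLE", "jane", "03/05/1980", "123456789")
QUERY_PARTIAL = Demographics("Example", "Jane", "1980-03-05", "000-00-0000",
                             phone="(405) 555-0100")
QUERY_UNKNOWN = Demographics("Nobody", "Nix", "1999-01-01", "111-11-1111")

if __name__ == "__main__":
    for q in (QUERY_EXACT, QUERY_PARTIAL, QUERY_UNKNOWN):
        shared, review = match(q, INDEX)
        print(f"share={shared!r} review={review}")
```

Normalizing before comparing is what lets "03/05/1980" and "1980-03-05", or an SSN with and without dashes, count as the same value; the conservative part is that anything short of a single perfect agreement yields nothing to share and a list for staff to research.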

Patient Oversight of Access and Use

  1. Patients will be offered an opportunity to apply for a free electronic personal health record where they will see who has accessed their information. Over time they will also be able to store information there for use by SMRTNET providers.
  2. The ability of a member provider to share treatment information with other providers who are also seeing the same patient is allowed under HIPAA, and this fact is in the privacy statement of each member as signed and acknowledged by patients.
  3. Patients can opt out initially or at any time.
  4. Patients are informed at the provider source about the network. This is the most appropriate place to share that information.
  5. Information about SMRTNET is made available by the provider office, on the website www.smrtnet.org and by phone.
  6. Sensitive data under law such as mental health and some family planning information is not sent by the provider into the network. The network may impose redundant filters as required by the members to double check that only appropriate information is shared.
  7. The provider must electronically certify that s/he is seeing the patient and only those that certify this can see the patient data.
  8. Providers may provide higher levels of patient acknowledgement, such as “opt in”, if they choose.

Outside Storage and Data Security

  1. The data is stored in a special facility in Kansas City overseen by a company that stores data for over 1,500 hospitals and several networks.
  2. The software has been tested within a framework of two million patients and seven thousand providers.
  3. Patient information is “shattered” into separate electronic “virtual vaults” which store types of information separated from names.

Network Agreement

  1. The rules of the network are listed in a detailed member agreement, which all data providers and data contributors agree to in writing. Seven attorneys from six large provider agencies have reviewed and certified that the rules and processes in the agreement fit with all federal and state law.