Health Care Department Operations Manual

Cancel

Chapter 2 – Patients’ Entitlements and Responsibilities

Article 3 – Health Information Management

View All Sections >

2.3.5 Health Information Exchange

  • Policy

    • California Correctional Health Care Services (CCHCS) health care and administrative programs that exchange data shall ensure Protected Health Information (PHI) transmitted through the Health Information Exchange (HIE) is in compliance with applicable federal and state privacy and information security laws and regulations and CCHCS Information Technology (IT) policies. Data/information shall be conveyed via an encrypted enterprise standard transfer mechanism.

  • Purpose

    • To ensure patient confidentiality and privacy protection during the exchange of health-related documentation via the designated portal, and to ensure disclosure of PHI is documented pursuant to Code of Federal Regulations, Section 164.528, Right to Accounting Disclosures of PHI.

  • Responsibility

    • Under the direction of the Chief Privacy Officer, or designee, the Privacy Office (PO) is responsible for the monitoring and evaluation of this policy.

    • Health care and administrative programs and institutional Hiring Authorities, or designees, are responsible for the implementation of this policy.

  • Procedure Overview

    • HIE is used by providers to securely transmit patient health information directly to external health care professionals. This information is transmitted via the internet in an encrypted and secure method amongst health care professionals with a trusted relationship. This form of information exchange enables coordinated care, benefitting both providers and patients.

    • When HIE is initially requested on behalf of CCHCS, another state agency or entity, or a contracted organization, the health care and administrative programs shall notify the PO, IT, Health Information Management (HIM), and other relevant headquarters administrative programs such as Direct Care Contracts Services (DCCS), Acquisitions Management Services (AMS), and Health Care Invoicing Section (HIS).

    • After an agreed-upon HIE is implemented, health care or administrative programs shall notify the PO, DCCS, IT, HIS, and HIM, and the contract managers for contracts executed by AMS, when HIE begins, to ensure tracking or logging of all HIE events.

    • CCHCS utilizes the following measures and processes to disclose PHI for HIE purposes.

      • When contracted with an organization to exchange PHI via HIE, CCHCS shall enter into a contract with the organization with which it intends to exchange information. The agreement shall address the minimum requirements of a valid Business Associate Agreement (BAA) or comparable Data Sharing Agreement (DSA) to fulfill all of the requirements and obligations of a Business Associate regarding the privacy, security, and administrative activities relating to health information pursuant to the Health Care Department Operations Manual (HCDOM) Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information.

      • The agreement shall ensure that the organization safeguards electronic health information created, received, maintained, or transmitted to or by the organization on behalf of CCHCS, and that the documents address the same safeguards and protections for electronic health information as for any other health information shared.

      • A valid contract or other agreement shall be agreed upon and implemented between CCHCS and organizations prior to using, disclosing, moving, or storing PHI for HIE purposes.

      • When CCHCS and the organization are both government entities, CCHCS may fulfill the agreement requirement with a Memorandum of Understanding that contains terms that accomplish the objectives of a BAA.

  • Procedure

    • Health care and administrative programs within CCHCS, including, but not limited to, contracting units, involved in data transfer of PHI for treatment, payment, research, or continuity of care for oversight, compliance, or litigation purposes, shall report all HIE activities to the Chief Privacy Officer. The PO shall provide a current list of HIE contracted entities to oversight agencies upon request.

    • BAA or DSA shall be executed prior to the exchange of health information.

    • Health care administrative programs shall coordinate communication between the contracted organization and IT to begin the process of HIE.

    • IT staff shall coordinate with health care, administrative programs, or other entities that request HIE when new HIE is initiated under existing or newly negotiated contracts, or DSAs. IT staff shall generate a report of all contracted entities CCHCS engages in HIE and provide the report to the PO on a quarterly basis, at minimum, and as needed.

    • Health care and administrative programs shall report changes to the contract list to the PO quarterly.

    • Health care and administrative programs shall notify the PO when CCHCS engages in HIE with different types of entities pursuant to the Statewide Health Information Policy Manual Section 2.2.17.

    • Health care and administrative programs engaging in HIE shall verify with IT that a BAA or DSA is on file for each entity CCHCS engages in HIE.

    • The PO shall maintain a current list of all contracted entities CCHCS engages in HIE and generate a current list based on contracting unit updates upon request.

    • Requirements for HIE

      • Under direction of executive leadership, directors, or their designees, staff in each health care and administrative program shall contact the contracted organization to execute all necessary controls prior to initiating HIE.

    • Downtime

      • The paper process to exchange the documentation shall be followed pursuant to the HCDOM, Section 2.3.13, Health Record Application/System Downtime Contingency Plan.

    • Facsimile Correspondence

      • Cover Sheet

        • Attach the cover sheet to all facsimile correspondence as the first page.

        • Include the following two statements on the cover sheet:

          • “Transmittal is Confidential.”

          • “If the information transmitted is received by someone other than the intended individual, the sender shall be immediately notified.”

      • Transmittal and Post Transmittal Verification

        • When documents are sent by facsimile, the responsible CCHCS staff shall:

          • Phone the recipient to verify the recipient’s name and facsimile number along with patient name and CDCR number and inform him/her of the imminent transmission.

          • Ask that the recipient stay near the facsimile machine to intercept the documents.

          • Obtain verification of receipt of health care information by reviewing the confirmation print-out from the facsimile machine.

          • Contact the recipient to verify that all documents were received and document the verification task. If the recipient confirms that the record is incomplete, then the documents should be resent to the recipient. Once the documents are successfully confirmed to be received by the recipient, the facsimile log will reflect all attempts to provide the documents via facsimile.

      • Facsimile Log

        • Record all facsimile transmissions into the Facsimile Log and include:

          • The name, address, and telephone number of the sending and/or receiving entities.

          • The name of the patient and CDCR number.

          • The number of pages sent and/or received.

          • The date of transmittal.

          • The date Recipient verified receipt of the documents.

      • Misdirected facsimile tracking

        • In a document has been determined to be sent to the incorrect party the following steps must be taken:

          • Verify the information with the internal log (i.e., facsimile number, recipient name).

          • Contact the recipient via telephone or facsimile to explain the misdirection.

          • Request the destruction or return of all documents sent via facsimile in error.

          • Record the response on the facsimile cover letter and in the Facsimile Log.

          • Follow the CCHCS Health Care Department Operations Manual, Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow.

  • References

    • Code of Federal Regulations, Title 45, Part 170, Health Information Technology Standards, Implementation Specifications, And Certification Criteria and Certification Programs for Health Information Technology

    • Code of Federal Regulations, Title 45, Part 171, Information Blocking

    • 21st Century Cures Act, Public Law No 114-255 (12/13/2016)

    • Code of Federal Regulations, Title 45, Section 164.528, Accounting of Disclosures of Protected Health Information

    • Health Insurance Portability and Accountability Act of 1996

    • California Hospital Association. 2021.  Consent Manual: A Reference for consent and Related Health Care Law (48th Edition). Sacramento, CA: 14, pg. 12

    • Statewide Health Information Policy Manual, Chapters 2.2.17; 4.4.1; 4.6.3

    • Health Care Department Operations Manual, Section 2.2.9, Business Associate Use and Disclosure of Protected Health Information

    • Health Care Department Operations Manual, Section 2.2.11, Privacy Incident and Potential Breach Reporting and Case Workflow

    • Health Care Department Operations Manual, Chapter 2, Article 3, Section 2.3.13Health Information Management

    • EHRS Interdisciplinary Downtime Procedures.pdf (sharepoint.com)

  • Revision History

    • Effective: 01/2002
      Revised: 05/05/2023