7.1 PURPOSE
The purpose of this policy is to define who and how individuals and systems can access the Saudi Health Information Exchange managed data. This policy specifies means of ensuring that the resources of a data processing system can be accessed only by authorized entities (individuals or machines interacting with the Saudi Health Information Exchange system) in authorized ways. This policy also defines the circumstances in which a Subject of Care can permit or withhold the use and disclosure of the Saudi Health Information Exchange accessible health information.
7.2 SCOPE/APPLICABILITY
This policy applies to the Saudi Health Information Exchange, and to all individuals and organizations that have access to Saudi Health Information Exchange managed health records, including:
• Participating Healthcare Subscriber (PHCSs),
• their business associates,
• any subcontractors of business associates that perform functions or provide services involving the use and disclosure of personal health information,
• any Saudi Health Information Exchange Infrastructure Service Provider, and
• any other subcontractor of Saudi Health Information Exchange.
This policy applies to all personal health information provided to or retrieved from Saudi Health Information Exchange systems.
7.3 POLICY
1. HIE node applications must have successfully completed access control testing conducted by Saudi Health Information Exchange approved bodies. Applications that have not yet completed this testing MAY be considered on a case-by-case basis.
2. Access to personal health information (PHI) through the Saudi Health Information Exchange systems requires verification of consents managed according to this Saudi Health Information Exchange Consent and Access Control Policy.
3. If the Saudi Health Information Exchange is exchanging for purposes of treatment, the provider seeking access SHOULD have a treatment relationship with the Subject of Care.
4. Saudi Health Information Exchange committees MAY define the specific information/documents that should be made available by HIE nodes.
5. All relevant information flows to the Saudi Health Information Exchange, except where law or policies of the PHCS prohibit it. Such PHCS policies that would be in effect SHALL be disclosed to the HIE during the on-boarding process. All new policies established by the PHCS after they join the HIE SHALL be disclosed to the HIE. If the policy is not acceptable to the HIE, the HIE MAY suspend access to the Health Information Exchange.
6. In the case where the Subject of Care has opted out of the Saudi Health Information Exchange, all relevant information SHALL continue to flow to the Saudi Health Information Exchange.
7. Once the Subject of Care has opted out of the Saudi Health Information Exchange, access to information/documents related to that subject of care SHALL be restricted to emergency situations,
8. Only physicians SHOULD be able to force access to all the data, including data for a Subject of Care that has opted out of the Saudi Health Information Exchange, by “breaking the glass”, which SHALL trigger notification and after-the-fact review.
9. Access controls enforcement, including verification of Opt-Out status, is performed at the time of use and disclosure.
10. The individual that accesses the PHI SHALL be responsible for protecting that information or disseminating that information.
11. Sensitive personal health information/documents that are afforded special protection above and beyond protections afforded to generic Personal Health Information or that include values from the Saudi Health Information Exchange Sensitive Data value sets SHALL be marked to reflect the restriction category.
12. The Saudi Health Information Exchange MAY offer transformation services to assist the PHCS with the identification of sensitive PHI based upon information source on a case-by-case basis. The method of transformation SHALL be approved by the Saudi Health Information Exchange governing body. This transformation SHOULD involve dual publication of sensitive PHI and their cleansed version in the Saudi Health Information Exchange with different sensitivity marking when the remaining PHI is significant to continuity of care.
13. A provider who agrees to a restriction requested by a Subject of Care must convey such restriction to the Saudi Health Information Exchange systems using the associated policy confidentiality code object identifier (e.g. in a registered document, such as a Basic Patient Privacy Consent (BPPC) document), identifying the policy confidentiality code associated with the sensitivity type.
14. Systems providing access to information/documents in the Saudi Health Information Exchange SHALL enforce protections associated with content marked as sensitive.
14.1. Sensitive personal health information SHALL be restricted to specialized care providers as identified by their provider role.
14.2. Sensitive personal health information MAY be accessed with a “break glass” option for physicians which SHALL trigger notification to the Security and Privacy Officer, and after-the-fact review in accordance with the Audit Policy.
14.3. Information that such sensitive personal health information is present in the health record of the Saudi Health Information Exchange SHOULD only be disclosed to relevant physicians.
14.4. In the case of risks to the care providers (e.g., HIV), a generic warning MAY be issued about the risk.
15. When a Subject of Care chooses to opt out of the Saudi Health Information Exchange, this SHALL be recorded in the Saudi Health Information Exchange.
16. All Saudi Health Information Exchange individual users SHALL be associated with at least one standard healthcare role.
16.1. Administrative personnel SHOULD only access administrative information.
16.2. Clinical information is restricted to care professionals, defined by a set of roles.
16.3. For Regulated Health Professional, the role SHALL be defined by the role code associated with the license as maintained by the Saudi Commission for Health Specialties.
16.4. For non-Regulated Health Professional and healthcare employees, the role SHALL reflect one of the standard roles identified by the Saudi Health Information Exchange as determined by the licensed healthcare organization responsible for the user’s interactions with Saudi Health Information Exchange systems.
17. External connectivity through portals is permitted subject to:
17.1. The portal user SHALL be contractually bound to abide by all Saudi Health Information Exchange policies.
17.2. Agreements with the portal user SHALL be executed either with the Saudi Health Information Exchange or with a Participating Healthcare Subscriber (PHCS) that is already bound to these policies.
18. Provider directory access controls SHALL restrict public access to the following attribute(s), unless specifically authorized by the provider:
18.1. email,
18.2. mobile phone number, and
18.3. home address.
19. All Participating Healthcare Subscribers (PHCSs) SHOULD establish organization policies to assure compliance with Saudi Health Information Exchange policies. These policies are subject to review and audit in accordance with the Audit Policy.
7.4 POLICY MAINTENANCE
The Saudi Ministry of Health (MOH) is responsible for monitoring and maintenance of policies.
|