Saudi Health Information Exchange Policies

10.1 PURPOSE
The purpose of this policy is to establish the conditions, if any, under which personal health information on the Saudi Health Information Exchange may be used for purposes other than direct patient care (as defined in the Purpose of Use Policy).

10.2 SCOPE/APPLICABILITY
This policy applies to the Saudi Health Information Exchange, and to all individuals and organizations that have access to the Saudi Health Information Exchange managed health records, including:
• Participating Healthcare Subscriber (PHCSs),
• their Business Associates,
• any subcontractors of Business Associates that perform functions or provide services involving the use and disclosure of PHI,
• any Saudi Health Information Exchange Infrastructure Service Provider,
• any other subcontractor of the Saudi Health Information Exchange, and
• any party requesting to use the Health Information Exchange managed information for secondary use as described below.
This policy applies to all PHI provided to or retrieved from the Saudi Health Information Exchange.

10.3 POLICY
1. Personal health information on the Saudi Health Information Exchange MAY be made available for purposes other than Treatment, Operations and Public Health, as defined in the Purpose of Use Policy, under the following conditions:
1.1. Designated ethics committee (i.e., Medical Research Board; local IRB) approval SHALL be considered on a case-by-case basis.
1.2. Any additional approval requirements and other proposal criteria requesting access to such data SHALL be determined and published by the designated ethics committee.
1.3. The designated ethics committee MAY publish criteria (e.g., may have a minimum necessary content for the proposal).
1.4. The Saudi Health Information Exchange Privacy and Security Officer or designee SHALL be a member of the designated ethics committee.
1.5. Research data extracts or views SHALL be managed by the Saudi Health Information Exchange or a Saudi Health Information Exchange approved subcontractor.
1.6. A Data Use Agreement between the research organization/individual and the Saudi Health Information Exchange SHALL be established. The Data Use Agreement SHALL include the following requirements:
1.6.1. The data use and access SHALL be limited to the specified purpose cited in the approved proposal.
1.6.2. Additional authorizations and consents of study subjects MAY be required, as defined by the designated ethics committee. Where authorizations and consents are required, the Saudi Health Information Exchange SHALL have access to the authorizations and consents
1.6.3. The designated ethics committee MAY require that the data be de-identified with or without re-identification capabilities.
1.6.4. In the case where a view is provided to the data set that would be managed by the Saudi Health Information Exchange, the party requesting the data SHALL identify designated individuals that access the data for the approved purpose.
2. De-identified health information MAY be released from the Saudi Health Information Exchange under the following conditions:
2.1. De-identification methods SHALL undergo a re-identification risk assessment of the proposed data extract.
2.2. Designated ethics committee (i.e., Medical Research Board; local IRB) MAY consider the request on a case-by-case basis.
2.3. The designated ethics committee MAY offer criteria that will allow documentation of de-identified data sets that are not subject to case-level consideration and approval (e.g. re-identification risk criteria of routine de-identified information sets)
2.4. De-identification methods to be used for the data set SHALL be disclosed
2.5. A Data Use Agreement between the research organization/individual and the Saudi Health Information Exchange SHALL be established. The Data Use Agreement SHALL include the following requirements:
2.5.1. The data use and access SHALL be limited to the specified purpose cited in the approved proposal.
2.5.2. The requesting party SHALL be required to provide contract assurances that no attempt SHALL be made by it to re-identify the de-identified PHI from the Exchange provided for the approved data use.
2.5.3. In the case where a view is provided to the data set that would be managed by the Saudi Health Information Exchange, the party requesting the data SHALL identify designated individuals that access the data for the approved purpose.
2.5.4. If approved, de-identified data extracts or views SHALL be prepared by Saudi Health Information Exchange Health staff or a Saudi Health Information Exchange Health approved subcontractor with due consideration of protections to be applied to all processed data.
3. Pseudonymized health information MAY be released by the Saudi Health Information Exchange under the following conditions in addition to those conditions that apply to de-identified data release:
3.1. Reversible Pseudonymization provisions for the extract SHALL be subject to approval by the designated ethics committee to be reviewed on a case-by-case basis.
4. The Saudi Health Information Exchange SHALL make available a record of all approved requests for identified PHI, de-identified health information, anonymized health information, and pseudonymized health information from the Saudi Health Information Exchange.
4.1. The record of all approved requests SHOULD be reviewed with the same frequency as audit report requirements as specified by the Audit Policy.
4.2. The record of all approved requests SHALL include:
4.2.1. the date of the data release,
4.2.2. the entity to which the data was released,
4.2.3. a summary of the research or analysis involved, and
4.2.4. Approval Reference Number.
4.3. Such record SHOULD be retained for at least ten years after the release of the information.

10.4 POLICY MAINTENANCE
The Saudi Ministry of Health (MOH) is responsible for monitoring and maintenance of policies.