Saudi Health Information Exchange Policies

Policy
Policy # 3 - Saudi Health Information Exchange Information Security Policy

3.1 PURPOSE
The purpose of this policy is to ensure that information security is conducted in a manner that protects personal health information and supports the availability, confidentiality, integrity, and accountability of the clinical information shared through the Saudi Health Information Exchange.

3.2 SCOPE/APPLICABILITY
This policy applies to the Saudi Health Information Exchange and to all individuals and organizations that have access to Saudi Health Information Exchange managed health records, including:
• Participating Healthcare Subscribers (PHCSs),
• Their business associates,
• Any subcontractors of business associates that perform functions or provide services involving the use and disclosure of personal health information,
• Any Saudi Health Information Exchange Infrastructure Service Provider, and
• Any other subcontractor of Saudi Health Information Exchange.
This policy applies to all personal health information provided to or retrieved from Saudi Health Information Exchange systems.

3.3 POLICY
1. PHCSs SHALL implement policies and protections for Access Control, Automatic Logoff, Audit Log, Emergency Access, Integrity, Authentication, and Encryption. A list of policies and protections SHALL be requested and checked when onboarding participating sites. A minimal set SHALL be specified in the policy, and additional requirements may be included in the Data Use Agreement.
2. All Saudi Health Information Exchange system components SHOULD be managed and operated in conformance with the ISO/TC 215 standard: “ISO 27799:2008, Health informatics – Information security management in health using ISO/IEC 27002”.
3. Data SHALL NOT be deleted at any time from the Saudi Health Information Exchange. Data MAY be amended or replaced to accommodate corrections.
4. All Saudi Health Information Exchange Infrastructure systems SHALL be managed in accordance with one of ISO 27000 or SAS70/SSAE 16, including supporting physical safeguards, clearance, access control, supervision of those with access, and other core secure management practices.
5. All Saudi Health Information Exchange systems SHALL implement contingency and disaster recovery plans to assure availability and integrity of Saudi Health Information Exchange managed health information.
6. Retention time for Saudi Health Information Exchange managed PHI is indefinite.
7. All Saudi Health Information Exchange systems SHALL encrypt communications when exchanging electronic health information. Encryption SHALL minimally support one of the following:
7.1. AES
7.2. 3DES
8. All Saudi Health Information Exchange systems SHALL implement intrusion detection measures.
9. The Saudi Health Information Exchange and the PHCSs SHALL require training in privacy and confidentiality for all personnel who handle health information and who are directly or indirectly involved in the support of Saudi Health Information Exchange systems.
10. A privacy/security officer SHOULD be designated at the Saudi Health Information Exchange, as well as in the PHCSs.
11. The Saudi Health Information Exchange and the PHCSs SHALL implement a personnel sanction policy for inappropriate use, transmission, copying, or disclosure of Saudi Health Information Exchange information and services.
12. PHCSs SHOULD have contingency plans in place for extended downtime periods.

3.4 POLICY MAINTENANCE
The Saudi Ministry of Health (MOH) is responsible for monitoring and maintenance of policies.
Last Update : 10 April 2014 05:50 PM