4.1 PURPOSE
The purpose of this policy is to define Subjects of Care and healthcare consumer expectations that will govern the design and implementation of the Saudi Health Information Exchange.
4.2 SCOPE/APPLICABILITY
This policy applies to the Saudi Health Information Exchange, and to all individuals and organizations that have access to the Saudi Health Information Exchange managed Personal Health Information, including:
• Participating Healthcare Subscribers (PHCSs),
• their Business Associates,
• any subcontractors of Business Associates that perform functions or provide services involving the use and disclosure of PHI,
• any Saudi Health Information Exchange Infrastructure Service Provider, and
• any other subcontractor of the Saudi Health Information Exchange.
This policy applies to all PHI provided to or retrieved from the Saudi Health Information Exchange systems.
4.3 POLICY
1. Subjects of care SHALL be able to access their relevant personal health information contained within the Saudi Health Information Exchange.
1.1. Such information SHOULD be available to the Subject of Care conveniently.
1.2. Such information SHALL be available to the Subject of Care affordably.
1.3. Subjects of care SHOULD have a means of direct, secure access to their relevant health information that does not require physician or institutional mediation.
1.4. The Subject of Care MAY have access to the Saudi Health Information Exchange data through approved services.
1.5. All Subject of Care accessible Personal Health Information services SHALL assure that the identity of the Subject of Care is vetted in accordance with the Saudi Health Information Exchange Identity Management Policy.
1.6. Subjects of Care SHOULD be able to supplement, and request amendment of their Personal Health Information without fees or burdensome processes.
1.7. Annotation of information SHALL document proper identification of the source of the annotation.
2. The Saudi Health Information Exchange SHOULD make information available to Subjects of Care regarding how their personal health information could be used, who could have access to it, and under what circumstances it could be disclosed.
3. Implementation of the Health Information Exchange SHOULD be accompanied by a significant education program so that individuals understand how the network will operate, what information will or will not be available on the network, the value of the network, its privacy and security protections, how to participate in the exchange and the rights, benefits and remedies afforded to them. These efforts SHALL include outreach to those without health insurance coverage.
4. Each Subject of Care MAY receive information generated by the PHCS from their provider explaining the Saudi Health Information Exchange services and the Subject of Care’s rights regarding use and disclosure of PHI from the Saudi Health Information Exchange systems (“Special Notice”) at the Subject of Care’s first visit following the provider’s participation as a Saudi Health Information Exchange PHCS.
4.1. The Special Notice SHOULD
4.1.1. Be provided by a provider to a Subject of Care at least once (e.g. in the entrance of a care facility, on a facility website, or when providing an account to the consumer portal), and
4.1.2. Contain information about the procedure to opt out from the Saudi Health Information Exchange.
4.2. Materials SHOULD minimally include
4.2.1. Information regarding purpose of the exchange,
4.2.2. Benefits,
4.2.3. How data are protected,
4.2.4. How data can be used, and
4.2.5. Contact information to the Saudi Health Information Exchange to obtain more information.
5. PHI MAY be shared unless the Subject of Care opts out of the Saudi Health Information Exchange.
6. All efforts SHALL be taken to implement and maintain systems for Health Information Exchange that protect the integrity, security, privacy, and confidentiality of a Subject of Care’s information.
7. The governance of the Saudi Health Information Exchange SHALL be transparent.
8. Rights and process for complaints if the Subject of Care suspects a breach:
8.1. In the case of a suspected breach, the Subject of Care that is the data subject of such a breach MAY request an investigation (see the Breach Notification Policy). Such a request SHALL be issued by the Subject of Care or by the authorized Subject of Care agent should the Subject of Care be unable to do so, and SHALL be directed to the Health Information Management Personnel or HIE designated resources.
8.2. In the case of a breach identified and investigated through the Saudi Health Information Exchange, the Subject of Care that is the data subject of such a breach SHOULD be notified.
9. Request a report of electronic disclosures:
9.1. A Subject of Care MAY request a report of electronic disclosures for information accessed through the Saudi Health Information Exchange where the Subject of Care is the data subject. Such a request SHALL be issued by the Subject of Care or by the authorized Subject of Care agent should the Subject of Care be unable to do so, and SHALL be directed to the local Health Information Management Personnel or Saudi Health Information Exchange designated resources. Such accounting of disclosures MAY include information such as:
9.1.1. date of disclosure,
9.1.2. name of the entity or person that received the disclosure, and
9.1.3. name of the entity or person that made the disclosure.
9.2. The Subject of Care SHOULD be provided notification of break-glass accesses to his/her Personal Health Information. (e.g., Subject of Care notification of break-glass accesses via cell phone number or e-mail).
10. Procedures and instructions for how to opt out of the Saudi Health Information Exchange SHALL be provided to the Subject of Care or to the authorized Subject of Care agent should the Subject of Care be unable to review or comprehend the instructions.
11. The Subject of Care may choose to opt out of the Saudi Health Information Exchange. In order to exercise this option, the Subject of Care SHALL make the opt out request and deliver this request to an authorized organization. The organization SHALL verify the authenticity of the request, approve the request, and provide any associated counseling regarding potential clinical risks.
12. The Subject of Care MAY choose to opt back in to the Saudi Health Information Exchange at any time.
13. All opt out requests SHALL be issued by the Subject of Care or by the authorized Subject of Care agent in the event that the Subject of Care is unable to do so. The healthcare provider MAY process the request on behalf of the Subject of Care.
14. Personal health information SHALL NOT be disclosed EXCEPT for the purposes of:
14.1. Treatment
14.1.1. Clinical care provision to an individual Subject of Care
14.1.2. Emergency care provision to an individual Subject of Care
14.1.3. Support of care activities within the provider organization for an individual Subject of Care
14.2. Subject of care uses
14.3. Operations
14.3.1. Health service management and quality assurance
14.4. Public Health
14.4.1. Public Health Surveillance, Disease Control
14.4.2. Public safety emergency
14.4.3. Population health management
4.4 POLICY MAINTENANCE
The Saudi Ministry of Health
|