Can I collect health information from participants in Massachusetts? What are the requirements?

Requirements for Collecting Health Information in Massachusetts

If you want to collect health information from participants in Massachusetts, you must comply with the requirements set forth in the Statewide health information exchange implementation plan ^[1.1], Provider Organizations ^[2.1], Requests from Payers, Providers and Provider Organizations for Data with Direct Patient Identifiers for Treatment and Coordination of Care ^[3.2], and other relevant documents.

According to ^[1.1], any plan approved by the executive office and council or the e–Health institute, including every grantee and implementing organization that receives monies funded in whole or in part from the e–Health Institute Fund established in section 6E of chapter 40J or the Massachusetts Health Information Exchange Fund established under section 10, shall establish a mechanism to allow patients to opt-in to the health information exchange and to opt-out at any time. The plan must also maintain identifiable health information in physically and technologically secure environments by means including, but not limited to: prohibiting the storage or transfer of unencrypted and non-password protected identifiable health information on portable data storage devices; requiring data encryption, unique alpha-numerical identifiers and password protection; and other methods to prevent unauthorized access to identifiable health information. The plan must provide patients the option of, upon request to a provider, obtaining a list of individuals and entities that have accessed their identifiable health information from that provider. The plan must develop and distribute to authorized users of the health information exchange and to prospective exchange participants, written guidelines addressing privacy, confidentiality and security of health information and inform individuals: the information available through the exchange, who may access their information and the purposes for which their information may be accessed. The plan must ensure compliance with all state and federal privacy requirements, including those imposed by the Health Insurance Portability and Accountability Act of 1996, P.L. 104–191, the American Recovery and Reinvestment Act of 2009, P.L. 111–5, 42 C.F.R. §§ 2.11 et seq. and 45 C.F.R. §§ 160, 162 and 164.

^[2.1] states that all providers, including acute care hospitals, community health centers, and medical ambulatory practices, must connect to the Mass HIway, which is the statewide health information exchange. The applicability of the provider organization definitions shall be determined by calculating the number of licensed providers that provide health care services to patients on behalf of the provider organization in the month of June prior to that organization’s initial required connection date to the Mass HIway, regardless of employment status.

^[3.2] provides guidance on requests from payers, providers, and provider organizations for data with direct patient identifiers for treatment and coordination of care. Payer, provider, and provider organization requests for data with direct patient identifiers shall be made in writing by filing an application with CHIA in a form specified by CHIA as provided on its Website. Payers, providers, and provider organizations may be required to establish to CHIA’s satisfaction that data subjects have consented to the release of the data for the specific use described in the payer, provider, or provider organization’s request. Payers, providers, and provider organizations shall enter into a Data Use Agreement with CHIA prior to the receipt of data with Direct Patient Identifiers.

In summary, to collect health information from participants in Massachusetts, you must comply with the requirements set forth in the Statewide health information exchange implementation plan, Provider Organizations, and Requests from Payers, Providers and Provider Organizations for Data with Direct Patient Identifiers for Treatment and Coordination of Care, and other relevant documents. The plan must establish a mechanism to allow patients to opt-in to the health information exchange and to opt-out at any time. The plan must maintain identifiable health information in physically and technologically secure environments. The plan must provide patients the option of obtaining a list of individuals and entities that have accessed their identifiable health information. The plan must develop and distribute written guidelines addressing privacy, confidentiality and security of health information and inform individuals: the information available through the exchange, who may access their information and the purposes for which their information may be accessed. The plan must ensure compliance with all state and federal privacy requirements. All providers must connect to the Mass HIway. Payer, provider, and provider organization requests for data with direct patient identifiers shall be made in writing by filing an application with CHIA in a form specified by CHIA as provided on its Website.

Source(s):

• [1.1] Statewide health information exchange implementation plan
• [2.1] Provider Organizations
• [3.2] Requests from Payers, Providers and Provider Organizations for Data with Direct Patient Identifiers for Treatment and Coordination of Care

Jurisdiction

Massachusetts

• Privacy