This document sets forth the policies and procedures governing the North Dakota Health Information Network (NDHIN). Standard policies and procedures have been developed to ensure the privacy and security of Individuals’ Protected Health Information (PHI) while facilitating the sharing of health information to provide better quality health care.

NDHIN History

The North Dakota sixty-first legislative assembly (2009-2010) created the Health Information Technology (HIT) Office in the Department of Information Technology and created the Health Information Technology Advisory Committee (HITAC).

The HIT Office, upon recommendations of HITAC, is responsible to implement a statewide interoperable health information infrastructure that is consistent with emerging national standards; promote the adoption and use of electronic health records and other health information technologies; promote interoperability of health information systems for the purpose of improving health care quality, patient safety, and the overall efficiency of health care and public health; apply for federal funds that may be available to assist the state and health care providers in implementing and improving health information technology; establish a health information technology loan program to provide loans to health care providers for the purpose of purchasing and upgrading certified electronic health record technology, training personnel in the use of such technology, and improving the secure electronic exchange of health information.

The HITAC collaborates with and makes recommendations to the HIT office.

NDHIN Purpose

The mission of the NDHIN is to advance the adoption and use of technology to exchange health information and improve healthcare quality, patient safety and overall efficiency of healthcare and public health services of North Dakota.

Governance

The HITAC appoints a Director, and the Director, in collaboration with HITAC shall administer the NDHIN.

The North Dakota HIT Office has engaged Orion Health to provide a technology solution to facilitate the operation of the NDHIN network.

The NDHIN shall grant the use of the network to qualifying Participants and their Authorized Users. Each Participant shall execute a written agreement with the NDHIN prior to being granted access to the Network and after verification of its identity. Authorized Users shall be identified by Participants and shall execute a user agreement prior to being granted access to NDHIN.

The Health Information Technology (HIT) Director possesses the authority to suspend or terminate a Participant’s or Authorized User’s participation as deemed necessary.

Policies and Procedures

The HIT Director, in collaboration with the HITAC, establishes policies and procedures for the NDHIN. Policies may only be revised by the Director in collaboration with HITAC. NDHIN shall notify all Participants of any changes to the policies and procedures at least thirty (30) days prior to the implementation of the change. If changes require modifications to the Participant’s system or may otherwise materially affect the Participant’s operations or obligations under the Participation Agreement, NDHIN shall notify the Participant at least ninety (90) days prior to implementation of the change. However, if the change is required in order for the NDHIN and/or Participants to comply with applicable laws or regulations, the NDHIN may implement the change within a shorter period of time as the NDHIN reasonably determines is appropriate under the circumstances; provided that the NDHIN shall provide the Participants with as much notice of any such change as reasonably possible.

Definitions

For the purposes of the North Dakota Health Information Network (NDHIN) policies, the following terms shall have the meaning ascribed to them below. All defined terms are capitalized throughout the policies.

Terms used, but not otherwise defined in NDHIN policies, shall have the same meaning as those terms in 45 C.F.R. §§ 160.103, 164.304 and 164.501.

Applicable Law

Applicable Laws include the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Acts and Regulations, Health Information Technology for Economic and Clinical Health Act (HITECH), Federal and State Laws and Regulations, and Administrative Rules applicable to individually identifiable health information.

Administrative Authorized User

Administrative Authorized User means individuals who have been authorized by the NDHIN to perform services necessary for operating and maintaining the NDHIN.

Authorized User

Authorized Users are individuals who have been authorized by a Participant to participate in the HIE and may include, but are not limited to, health care providers, employees, contractors, agents, or business associates of a participant.

Breach

Breach means the acquisition, access, use, or disclosure of PHI in a manner not permitted under the HIPAA Rules which compromises the security or privacy of the PHI.

Break the Glass

Break the Glass means the ability of an authorized user, who does not have an established relationship with a patient, to access a patient’s PHI for treatment of the Individual in the performance of the authorized user's duties.

Business Associate

Business Associate has the meaning set forth in 45 C.F.R. 160.103 and generally means an individual or organization that creates, receives, maintains, or transmits PHI on behalf of a covered entity.

Health Information Technology Advisory Committee
(HITAC)

HITAC means the North Dakota Health Information Technology Advisory Committee established by Statute, N.D.C.C. § 54-59-25.

Health Information Technology Office
(HIT)

The Health Information Technology Office is established in the North Dakota Information Technology Department (ITD) by Statute, N.D.C.C. § 54-59-26, to implement and administer a health information exchange.

HIPAA Rules

HIPAA Rules or HIPAA means the Health Insurance Portability and Accountability Act of 1996. Specifically including the Standards for Privacy of Individually Identifiable Health Information and the Security Standards for the Protection of Electronic PHI (45 C.F.R. Parts 160 and 164) as amended by the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as Title XIII, Subtitle D of the American Recovery and Reinvestment Act of 2009 and as any further amendments, modification, or renumbering which occurs or takes effect during the term of the policies.

Health Information Technology for Economic and Clinical Health Act
(HITECH)

HITECH means the Health Information Technology for Economic and Clinical Health Act, Title XIII of the American Recovery and Reinvestment Act, Pub. L. No. 111-5.

Individual

An Individual means a person who is the subject of PHI and has the same meaning as the term “Individual” in 45 C.F.R. § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 C.F.R. § 164.502(g).

Individually Identifiable Health Information

Individually Identifiable Health Information means a subset of health information, including demographic information collected from an Individual, that is created or received by a health care provider or plan, employer, or healthcare clearinghouse, and relates to the past, present or future physical or mental health or condition or condition or payment for healthcare and that identifies or can be used to identify the Individual.

Medical Emergency

A Medical Emergency means a medical condition manifesting itself by acute symptoms of sufficient severity (including severe pain) such that the absence of immediate medical attention could reasonably be expected to result in:

(1) placing the health of the individual (or, with respect to a pregnant woman, the health of the woman or her unborn child) in serious jeopardy, serious impairment to bodily functions, or

(2) serious dysfunction of any bodily organ or part.

This definition of a Medical Emergency Condition is found in the federal Emergency Medical Treatment and Active Labor Act (EMTALA) at 42 C.F.R. 489.24(b).

A Health Care Provider who reasonably believes in the Provider's professional judgment that a patient presents a Medical Emergency may Break the Glass.

North Dakota Health Information Network
(NDHIN)

The NDHIN is a system to electronically exchange health care information between Participants. The North Dakota Information Technology Department (ITD) is required by statute, N.D.C.C. § 54-59-26(b) to implement and administer a health information exchange that utilizes information infrastructure and systems in a secure and cost-effective manner to facilitate the collection, storage, and transmission of health information.

Participant

A Participant means an organization, health care provider or institution, health plan, or health care clearinghouse who has executed a written Participation Agreement and Business Associate Agreement with the NDHIN.

Participation Agreement

Participation Agreement means the Agreement between the State of North Dakota (Information Technology Department) and a Participant which authorizes the Participant to have access to NDHIN.

Patient Data

Patient Data means information that is requested, disclosed, stored, made available, or sent by a Participant through NDHIN. This includes, but is not limited to, PHI, Individually Identifiable Health Information, de-identified data (health information that does not identify an individual as defined in C.F.R. § 164.514(a)) and Limited Data Sets (PHI that excludes certain identifier information as defined in 45 C.F.R. § 164.514(e)).

Protected Health Information and Electronic Protected Health Information
(PHI)

Protected Health Information means Individually Identifiable Health Information (e.g., any oral or recorded information relating to the past, present, or future physical or mental health of an Individual; the provision of health care to the Individual; or the payment for health care) that is maintained by any medium and transmitted by electronic media or in any other form or medium.

Electronic protected health information (ePHI) refers to any protected health information (PHI) that is covered under Health Insurance Portability and Accountability Act of 1996 (HIPPA) security regulations and is produced, saved, transferred or received in an electronic form.

Security Rule

The Security Rule means the Security Standards for the Protection of Electronic Protected Health Information at 45 C.F.R. Part 160 and Part 164, Subparts A and C as may be amended from time to time.

State

State means the State of North Dakota.

Unsecured Protected Health Information (PHI)

Unsecured PHI means PHI in any form, including electronic, paper or verbal, that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance or as otherwise defined in 45 C.F.R. § 164.402.

Vendor

Vendor means Orion Health, selected by the Health Information Advisory Committee, to build and provide an electronic health information exchange system for North Dakota.