The Statewide Health Information Network for New York (SHIN-NY) Policy Committee is pleased to announce several changes to the SHIN-NY Privacy and Security Policies and Procedures for QEs and their Participants (P&Ps). These changes, which to help facilitate the use of the SHIN-NY, have recently been approved by the New York State Department of Health (NYS DOH) and released via the DOH website.
The revised version of the P&Ps V 3.4 makes several clarifications to V 3.3 and adds several new provisions to moving the SHIN-NY forward as a tool that will be universally used to make lives better for all New Yorkers. Below, please find a summary of the changes.
SUMMARY OF UPDATES TO SHIN-NY PRIVACY AND SECURITY POLICIES AND PROCEDURES (P&Ps) V 3.4
- NEW: Alternative consent forms: Allow for the use of alternative consent forms. The model consent forms can still be used, but QEs would no longer be required to use the model forms or forms that are substantially similar to the model forms. Alternative consent forms must contain at least four basic elements: (1) description of categories of information that may be shared (e.g., HIV, mental health); (2) description of potential uses of information (e.g., for treatment or care management); (3) description of sources and potential recipients of information (general designations can be used); and (4) patient signature.
- NEW: Patient care alerts: Allow for the sending of patient care alerts containing limited patient information without written patient consent if the recipient provides, or is responsible for providing, treatment or care management to the patient, subject to restrictions on alerts coming from facilities subject to the mental hygiene law or 42 C.F.R. Part 2.
- One-to-one exchange: Clarify one-to-one exception to make clear that the patient must give implicit or explicit consent for a one-to-one exchange.
- Part 2 compliance: Clarify that even if an exception to the affirmative consent requirement applies, a QE is still responsible for ensuring compliance with 42 C.F.R. Part 2. For example, public health disclosures that involve information subject to 42 C.F.R. Part 2 can only be made if an exception to 42 C.F.R. Part 2 applies.
- NEW: Disclosures to business associates: Allow QEs to disclose information to the business associates of participants under certain circumstances.
- NEW: PPSs as participants: Clarify definitions of PPS Centralized Entity, PPS Lead Organization, and PPS Partner.
- NEW: Social service programs as participants: Allow social services programs to be participants.
- NEW: Patient portals: Allow QEs to provide access to information through a web-based portal established or maintained by a third party on behalf of a patient.
- Access to names of authorized users: Allow a participant to restrict access to names of authorized users if the participant has a reasonable belief that disclosure could put the authorized user at risk of harm, so long as a right to appeal the determination to a more senior representative is provided.
Note: Implementation of use of alternative consent forms and patient care alerts without written consent is optional. Each QE will determine if and when they can take advantage of these provisions based on their Participant needs.