Barclay Damon
Barclay Damon

Legal Alert

NYS Department of Health Publishes Proposed SHIN-NY Regulations

On September 3, 2014, the New York State (“State”) Department of Health (“DOH”) published proposed regulations relating to operation of the Statewide Health Information Network for New York (“SHIN-NY”). The SHIN-NY regulations identify New York eHealth Collaborative (“NYeC”), a Not for Profit corporation, as the State designated entity to promote health IT. The stated purpose of the regulation is to “formalize and update the current governance, structure and process for operation of the SHIN-NY in order to advance health information technology adoption and use on a statewide basis for the public good.” Many of the requirements contained in the SHIN-NY regulations were previously required by the State through its grant contracts for funds under the Healthcare Efficiency and Affordability Law for New Yorkers (HEAL-NY). The regulation establishes the structure for the implementation and operation of the SHIN-NY as the HEAL-NY program winds down.

  1. Statewide Collaboration Process. Under the regulations, DOH and NYeC, utilizing the “statewide collaboration process,” will develop and adopt policies to regulate health information exchange using the SHIN-NY. “SHIN-NY policy standards” refers to the set of policies and procedures, including technical standards and SHIN NY services and products, that are developed through the statewide collaboration process and adopted by DOH. The statewide collaboration process involves development of recommendations on policies, technical standards, services and products through workgroups, forums and committees established and facilitated by NYeC.

    The regulations provide that updates to SHIN-NY policy standards shall be considered on a periodic basis, but in no event less than annually, acknowledging the anticipated need to update policies and procedures in the evolving world of health information exchange.
  1. RHIOs as Qualified Entities. SHIN-NY participation will be accomplished through a qualified health IT entity or “QE,” which is defined as a not-for-profit entity that has been certified under the regulations and has executed a contract with NYeC pursuant to which it has agreed to be bound by SHIN-NY policy standards. QEs include, but are not limited to, what are currently known as regional health information organizations or RHIOs. Effective April 1, 2014, RHIOs across New York State (having been “pre certified” as QEs) entered into participation agreements with NYeC to participate in the SHIN-NY. These QE participation agreements require that QE participants also be required to comply with the SHIN-NY regulations. Consistent with their work to date, RHIOs/QEs will continue to facilitate interoperability among the disparate electronic health record systems that contain patient information, and, under the SHIN-NY, will expand data sharing across the State.

    The regulations set forth many of the services to be made available through the SHIN-NY which include what are referred to as basic “dial tone services,” such as direct messaging and patient record look-up. Details regarding SHIN-NY policy standards, including policies relating to Oversight and Enforcement for QEs, Minimum Technical Requirements for QEs, Member Facing Services Requirements and QE Organizational Characteristics Requirements, as well as the Privacy and Security Policies and Procedures for QEs and their participants (version 3.1) are referenced in the regulations.
  1. Patient Rights. The regulations also set forth specific patient rights, requiring that any agreements between QEs and participants in a health information exchange explicitly identify these rights. These include a patient’s right to revoke access of any QE participant to that patient’s personal health information ("PHI") through the SHIN-NY. The regulations also identify those situations when patient information may be accessed without written authorization, as well as circumstances under which “minor consent patient information” may be disclosed. The regulations reaffirm that patient information may not be disclosed to entities that become QE participants subsequent to the signing of a written authorization (unless such entities are specified in a new authorization).
  1. Required Participation of Healthcare Facilities. The SHIN-NY regulations require that “two years after the effective date of this regulation, health care facilities, as defined in … [the] Public Health Law, utilizing certified electronic health record technology under … HITECH, must connect to the SHIN-NY through a QE and allow private and secure bidirectional access to patient information by other QE Participants authorized by law to access such patient information.” Bidirectional access is defined as requiring a QE participant to upload its patient information to the QE so that it is accessible to other authorized participants in the QE and requiring the QE participant to have the technical capacity to access patient information of other QE participants. This requirement may be waived for healthcare facilities that meet criteria established by the Commissioner of Health, which include economic hardship and technical limitations, “or other exceptional circumstances demonstrated by the provider to the department.”

The comment period on the SHIN-NY regulations expires October 20, 2014.

If you have questions or require further assistance regarding the information contained in this Legal Alert and the impact on your organization, please contact Herb Glose at (716) 566-1579 or hglose@hblaw.com.