Update: NYS Department of Health Re-Publishes Proposed SHIN-NY Regs

This Alert follows-up an Alert we published on September 9, 2014. On November 4, 2015, the New York State ("State") Department of Health ("DOH") re-published proposed regulations relating to operation of the Statewide Health Information Network for New York ("SHIN-NY"). The original draft was released in September of 2014 and received a significant amount of commentary. The stated purpose of the regulation has been narrowed and reads as follows: "This regulation will establish requirements for qualified entities and qualified entity participants in the SHIN-NY to allow them to exchange information across the state." This more precise focus is reflected in the fact that the regulation has been reduced from ten pages to six and one-half pages. The number of subsections in the regulation has been reduced from nine to six.

1. Statewide Collaboration Process. Under the regulation, DOH, utilizing the "statewide collaboration process" develops and adopts policies to regulate health information exchange using the SHIN-NY. "SHIN-NY policy guidance" refers to the set of policies and procedures, including technical standards and SHIN-NY services and products, that are approved by DOH. The statewide collaboration process is described as an "open, transparent process", which involves development of recommendations on SHIN-NY policy guidance and standards through a policy committee set up by DOH. The policy committee includes representatives from Qualified Entities (described below) and other local public agencies. The DOH must consider recommendations of the policy committee, but possesses sole authority to accept or reject recommendations.
   
   The regulation requires that DOH "regular[ly] review and update" the SHIN-NY policy guidance, acknowledging the anticipated need to update policies and procedures in the evolving world of health information technology exchange. The policy guidance was most recently updated in June/July 2015. Compliance with the regulation requires thorough understanding of the policy guidance and recognition that it will be updated on a regular basis. 
    
2. RHIOs as Qualified Entities. SHIN-NY participation occurs through a qualified entity ("QE"), which is defined as "a not-for-profit regional health information organization ("RHIO") or other entity that has been certified under the regulations." All of the RHIOs in New York State (currently eight cover the entire geography) have been certified as QEs. "Qualified entity participant" ("QE Participant") is defined as any health care provider, health plan, governmental agency or other type of entity or person that has executed a participation agreement with a qualified entity ("QE Participation Agreement"), pursuant to which it has agreed to participate in the SHIN-NY. Effective April 1, 2014, all QEs entered into participation agreements with New York eHealth Collaborative, a Not-for-Profit corporation ("NYeC"), to participate in the SHIN-NY. NYeC is the entity designated by DOH to administer the SHIN-NY. Consistent with their work to date, QEs will continue to facilitate regional interoperability among the disparate electronic health record systems that contain patient information, and, under the SHIN-NY, expand data sharing capabilities across the State.
   
   The original regulation set forth many of the services to be made available through the SHIN-NY which included what were referred to as basic "dial tone services". The re-published regulation now refers to these services as "core services", and lists specific services that QEs must provide at a minimum to QE Participants. The core services include patient record look-up, the availability of a clinical viewer, secure messaging among health care providers, tracking of patient consent, notifications for pre-defined events, identity management services, public health reporting support, and delivery of diagnostic results/reports to health care providers.
   
   The regulation also mandates that SHIN-NY policy guidance include, at a minimum, policies and procedures on: privacy and security; monitoring and enforcement; minimum service requirements; organization characteristics of QEs; and QE certification. Thus, although the re-drafted regulation has been shortened, the most recent SHIN-NY policy guidance totals over seventy-five pages. Under QE Participation Agreements, QE Participants are required to comply with SHIN-NY policy guidance.
   
   
3. Patient Rights/Consent. The subsection on patient rights was eliminated in the re-published regulation, but remains in expanded form in the SHIN-NY policy guidance section on "Patient Engagement and Access."
   
   Unless covered by an exception, QEs may only exchange patient information as authorized by law, and as reflected in the policy guidance. Only authorized users can access information via the SHIN-NY, and they must "do so in accordance with patient consent and other requirements . . . that limit their access to specified information (e.g., that which is relevant to a patient's treatment)." The regulation and policy guidance also identify situations when patient information may be accessed without written authorization, including for public health reporting, disaster tracking, or to treat a patient in an emergency.
   
   Where patient consent is required for access, the consent form must give the patient the option of granting or denying consent for individual participants to access patient information. It also must allow the patient to deny consent except in an emergency or deny consent even in an emergency. The regulation states that a patient can revoke consent to access information at any time by following procedures established by a QE. The regulation allows providers and other QE Participants to provide patients the option to opt out of having their information accessible on the SHIN-NY; otherwise the general rule espoused by DOH is that patient data may be uploaded without patient consent.
   
   "Minor consent patient information" is defined in the regulation as patient information relating to health care of a patient under 18 years of age for which the patient provided his or her own consent as permitted by law, without a parent's or a guardian's permission. Minor consent patient information, which includes treatment of sexually transmitted diseases and alcohol and substance abuse treatment, can be disclosed to a QE Participant to provide appropriate care or treatment to the minor if the minor's parent or legal guardian consents and federal or state law or regulation does not require the minor's authorization for such a disclosure. The QE Participant, however, cannot disclose this information to the minor's parent or guardian without the minor's authorization. QEs must arrange or provide training for QE Participants to assure compliance with provisions governing disclosure of minor consent information.
   
   
4. Required Participation of Healthcare Facilities. The SHIN-NY regulations require that "one year from the effective date of this regulation, general hospitals as defined in . . . Public Health Law, and two years from the effective date of this regulation, all health care facilities as defined in . . . Public Health Law . . . utilizing certified electronic health record technology under . . . HITECH, must become qualified entity participants . . . and must allow . . . bi-directional access to patient information" by other QE Participants. Bidirectional access is defined as requiring a QE Participant to upload its patient information to the QE so that it is accessible to other authorized QE Participants. Waivers are possible where DOH determines a facility has demonstrated economic hardship, or technical limitations or practical limitations not within control of the health care provider.

The comment period on the latest SHIN-NY regulations expires December 21, 2015.