FAQs About NC HealthConnex Data & Security

What types of patient information can health care providers access via NC HealthConnex?

Participating providers may access and retrieve information about their patients from across various care settings to create more complete health records, including details of encounters, laboratory results, diagnostic studies and clinical documents. This information can be viewed via a web-based portal or within an electronic health records system if a bidirectional connection has been established with your EHR vendor.

Current data elements available in NC HealthConnex include the following:

- Allergies
- Encounters
- Immunizations
- Medications
- Problems
- Procedures
- Results

Can information be shared with organizations that do not participate in NC HealthConnex?

No. Only full participants may access information within NC HealthConnex.

Can health care providers choose to submit only clinical and demographic data paid for with state funds?

Health information exchange networks operate across the country and accept all patient data for the purpose of whole-person care. To date, the majority of NC HealthConnex participants send all patient records for this purpose. However, it is acceptable if a practice prefers to comply with the Health Information Exchange Act by submitting only the required data to NC HealthConnex (e.g., Medicaid, State Health Plan and state grants).

Note: The ability to submit only state-funded data also depends on the technical capability of your electronic health records vendor to implement data filtering.

Providers may use the full participation agreement and submit only state-required patient data while also receiving access to N.C. Health Information Exchange Authority services, or they may use the submission-only participation agreement.

Is NC HealthConnex secure?

Yes. The N.C. Health Information Exchange Authority takes patient health data privacy and security very seriously.
NC HIEA is a health information organization under the Health Insurance Portability and Accountability Act. In accordance with HIPAA regulations and state and federal law, NC HIEA has entered into and will enter into business associate agreements or HIPAA-compliant agreements with all organizations (e.g., covered entities) that disclose and receive personal health information from NC HealthConnex. North Carolina also has the authority to audit the activity of organizations that receive personal health information from the NC HealthConnex network. NC HIEA follows the highest information security standards available. Information is always encrypted at rest and in transit. Additionally, the environment is SOC 2 compliant.

What policies are in place in the event of a breach?

The N.C. Health Information Exchange Authority recognizes the vital role that information technology has in the health care industry, specifically health information exchanges. NC HIEA and its participants have a shared responsibility to protect our cyber resources and citizens’ electronic health care records. NC HIEA has privacy and security policies and terms in the participation agreement that detail the procedures for security, Health Insurance Portability and Accountability Act and eHealth Exchange breaches.

NC HIEA takes its role as a steward of patient data very seriously and abides by the highest security standards as set by federal and state law. Additionally, NC HIEA performs regular audits to ensure compliance, follows data specifications standards already set by the eHealth Exchange and strives to minimize the amount of data shared to what is required to provide safe, quality and affordable care to patients.

Can NC HIEA sell the patient care data that providers submit?

No. All data is protected, stored and accessed only for purposes permissible under federal and state law. The N.C. Health Information Exchange Authority takes patient health data privacy and security very seriously and will never use health information exchange data for commercial purposes.

How will data submitted to NC HealthConnex be used?

Patient data becomes part of the patient’s longitudinal record for the permitted purposes outlined in the participation agreement (governing agreement for data use and sharing) and applicable law. The N.C. Health Information Exchange Authority protects the data entrusted to NC HealthConnex for the purposes of health information exchange and as outlined by the General Assembly. As a state entity, health care providers can rest assured that the state is prohibited from using NC HIE data for commercial purposes. SAS, the state’s technology vendor, is also prohibited from using NC HIEA data for commercial purposes and may only use, disclose and access data as directed by the state.

Permitted uses of NC HIEA data include only those allowable under the Health Insurance Portability and Accountability Act and applicable law, including patient treatment, payment, health care operations and public health activities, registries and reporting. As an example, a clinical event notification allows a full participant who shares a patient with another health care organization to know where that patient has touched the system as this supports care coordination.

I am concerned about my patients’ protected health information. How can I be sure that it will remain private and secure?

The N.C. Health Information Exchange Authority takes patient health data privacy and security very seriously. In accordance with Health Insurance Portability and Accountability Act regulations and state law, NC HIEA has entered and will enter business associate agreements with all organizations that submit and receive personal health information from NC HealthConnex.
The state also has the authority to audit the activity of organizations that receive personal health information from NC HealthConnex. NC HIEA follows the highest information security standards available. Information is always encrypted at rest and in transit. Additionally, the environment is SOC 2 compliant.