Acumen Epic Connect enables Acumen customers who license the software (“Participants”) to share a single Patient medical record (“Patient Record”) with each other, in order to provide a longitudinal perspective on the Patient’s medical history that is intended to improve the quality and efficiency in delivering health care.
The privacy, security and integrity of information contained in a Patient Record is a crucial component of the Acumen Epic Connect community and Participants play a critical role in protecting the Patient Record from inappropriate access, use or disclosure. Accordingly, these Rules of the Road (the “Rules”) establish the framework and requirements for how Participants will share a Patient Record, including circumstances under which Participants may access, use and disclose such information.
Definitions
For purposes of these Rules, and unless specified otherwise below, the terms used in these Rules will generally have the meaning assigned to them under the Health Insurance Portability and Accessibility Act of 1996, as amended, and its implementation regulations (“HIPAA”).
Acumen Epic Connect: means the electronic health record and practice management software, or a subsection thereof, powered by EPIC, that Acumen makes available to the Participants.
Authorization: means a written request for access or authorization for the use or disclosure of Protected Health Information of a Patient that is compliant with HIPAA and applicable state law that is signed and dated by the Patient.
Participant: means any customer that (1) has licensed Acumen Epic Connect in accordance with a Master Service Agreement; and (2)(i) is a health care provider (as that term is defined in HIPAA), or (ii) is a HIPAA business associate that provides care coordination or case management services on behalf of a health care provider. For purposes of these Rules, Participant refers to the individual or entity listed in that Agreement. The Participant is responsible for ensuring that its workforce members (including the Participant’s medical, nursing and clerical staff), and all other users of Participant’s Acumen Epic Connect license adhere to these Rules wherever applicable.
Patient Record: refers to the single patient medical record that is created for care and treatment purposes and contained within Acumen Epic Connect. The Patient Record includes information contained in each Participant’s Record Extract as defined more specifically below. The Patient Record does not include financial, billing, claims or reimbursement information pertaining to the Patient or the Participant, which is maintained separately within Acumen Epic Connect.
Record Extract: refers to the subset of the Patient Record that reflects a specific Participant’s treatment of the Patient. The Record Extract includes, for example, the Patient’s demographics, medications, diagnoses and allergies entered by any Participant for the treatment period, as well as encounter notes from the Participant who generated the Record Extract. The Record Extract does not include encounter notes from other Participants, claims / reimbursement information, or any other information that exists outside of the Patient Record. If only one Participant is ever associated with the Patient, then the Record Extract is comprised of the entire Patient Record. If two or more Participants are associated with the Patient, then each Participant may generate a separate Record Extract reflecting its treatment of that Patient.
Patient: means the individual who is the subject of the Patient Record. The Patient’s legally authorized personal representative, as defined by HIPAA and applicable state law, may exercise the rights of the Patient related to the Patient Record under HIPAA and applicable state law.
Protected Health Information: means any information that is created or received by a health care provider, health plan, employer, or health care clearinghouse; and relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual; or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
Sensitive Information: means Protected Health Information that is subject to state or federal laws that exceed HIPAA requirements, including mental health treatment information, substance abuse treatment information that is subject to 42 C.F.R. Part 2, sexually transmitted disease or HIV/AIDS information or genetic information.
Treatment Relationship: means any relationship between an individual Patient and a Participant in which Patient receives or is the beneficiary of Treatment provided by a Participant directly, or by a health care provider that contracts with a Participant to provide care coordination and case management services with respect to that Patient. Evidence of a Treatment Relationship includes scheduling or rescheduling an appointment for the Patient, even if the appointment has not yet occurred.
Treatment: means the provision, coordination, or management of health care and related services by one or more health care providers, including the coordination of management of health care by a health care provider with a third party; consultation between health care providers relating to a Patient; or the referral of a Patient for health care from one health care provider to another.
Access, Use or Disclosure of Patient Records for Treatment Purposes
1) Participants may access, use and disclose a Patient Record for Treatment purposes only in accordance with federal and state laws applicable to that Participant as well as any applicable contractual agreements. In all circumstances, Participants must comply with HIPAA when accessing, using or disclosing any information contained in a Patient Record. If Participant is a HIPAA business associate that provides care coordination or case management services on behalf of a health care provider, then such Participant cannot access, use or disclose a Patient Record in a manner that is inconsistent with their agreement with the health care provider for which they are providing such services. This includes, for example, such Participant accessing a Patient Record for a patient for which the Participant does not provide such services on behalf of that health care provider.
2) Participants may create new Patient Records or access existing Patient Records subject to the limitations set forth in these Rules and as described below:
New Patients: A Participant may create a new Patient Record if (a) the Participant has a Treatment Relationship with the Patient, and (b) the Patient does not already have a Patient Record in Acumen Epic Connect.
Existing Patients: A Participant may access any existing Patient Record if it has an on-going Treatment Relationship with the Patient. Examples include if a Patient initiates a Treatment Relationship with a second Participant for the purpose of obtaining a second opinion or while temporarily residing in another state, or if the second Participant provides vacation coverage for the first Participant.
Prior Patients: A Participant who previously had a Treatment Relationship with the Patient may continue to access the Patient Record after the Treatment Relationship has terminated so that the Participant may generate a Record Extract reflecting its prior care and treatment. Due to technical system limitations, it is not possible to remove a Participant from the Patient Record after the Treatment Relationship concludes, although the Participant’s ability to use or disclose such information is limited by applicable federal and state law as well as these Rules. An example would be if the Patient permanently transfers her care from the first Participant to the second Participant. Both Participants would have access to Record Extracts reflecting their own care and treatment of the Patient. Although the first Participant would continue to have access to other information contained in the Patient Record, its ability to use or disclose such information for non-Treatment purposes is limited according to these Rules.
Access, Use or Disclosure of Patient Records for Non-Treatment Purposes
3) A Participant may access, use or disclose information contained in its Record Extract for non-Treatment purposes to the extent permitted by HIPAA and other federal or state laws applicable to that Participant. For example, this may include using or disclosing information contained in the Record Extract for payment, health care operations, public health and research activities.
4) A Participant may only access, use, or disclose any information contained in the Patient Record, but outside of its Record Extract, for Payment or Health Care Operations purposes if (a) permitted by HIPAA and other federal and state laws applicable to the Participant, (b) the Participant has obtained written consent from the Participant who has created such information in the Patient Record, and (c) for a Health Care Operations purpose, the Participant has, or has had, a Treatment relationship with the Patient.
5) A Participant may only access, use or disclose any information contained in a Patient Record, but outside of its Record Extract, for non-Treatment purposes unrelated to Payment or Health Care Operations if (a) permitted by HIPAA and other federal and state laws applicable to the Participant, (b) the Participant has written Authorization from the Patient to access the Patient Record for that purpose, and (c) the Participant has obtained written Authorization from the Participant who has created such information in the Patient Record to use the information for that purpose.
6) If Participant accesses the Patient Record in the course of providing care coordination or case management services on behalf of a health care provider that has a Treatment Relationship with the Patient, then such Participant cannot access, use or disclose that Patient Record for non-treatment purposes that are not expressly permitted by that health care provider in addition to these Rules of the Road.
Use or Disclosure of Deidentified Data
7) A Participant may use or disclose any information contained in its Record Extract that is deidentified in accordance with the HIPAA Privacy Rule at 45 C.F.R. 164.514(b), and to the extent permitted by these Rules of the Road and applicable law or contractual agreements.
8) To the extent that a Participant has elected to participate in the CKD Data Registry offered by Acumen, as such services are described in the Master Services Agreement entered into by Acumen and Participant, Acumen will disclose deidentified information contained in the Participant’s Record Extract.
Patient Consent or Authorization
9) Each Participant is responsible for obtaining any Patient consent or authorization required by state and federal laws applicable to that Participant before accessing, using or disclosing information in a Patient Record. Each Participant must ensure that Patients are notified in a notice of privacy practices that such Patient shares a single Patient Record with other Acumen Epic Connect customers in Acumen Epic Connect.
10) In particular, each Participant must ensure compliance with state and federal laws applicable to that Participant when accessing, entering, using or disclosing Sensitive Information in the Patient Record. Since it is not technically possible to segment or remove Sensitive Information contained within a Patient Record, Participants must not enter Sensitive Information in the Patient Record that cannot be shared with any other Participant (now or in the future) who is authorized to access the Patient Record for Treatment or non-Treatment purposes (such as quality improvement initiatives). If such Sensitive Information cannot be shared with all other Participants, such information must not be entered into the Patient Record and must be maintained in a paper record or another electronic system maintained by the Participant.
Revision or Amendment of the Patient Record
11) Participants will verify the integrity and accuracy of information they contribute or amend in the Patient Record following generally accepted standards of practice applicable to Participant. Each Participant associated with the Patient Record may amend or update the Patient’s list of active demographics, diagnoses, allergies and medications in order to ensure accuracy and up-to-date treatment information.
12) Participants will not rely solely on the Patient Record for information the Participant knows or, following generally accepted standards of practice applicable to Participant, should know has potential for negative impact on Patient care. For example, Participants must verify documented allergies, current medications, relevant histories and problems with the Patient that appear inconsistent with the Participant’s own knowledge and experience.
Removal of Individual Patient Records (“Opt-Outs”)
13) Participants’ ability to access Patient Records for treatment and related purposes is critical to maintaining a continuity of Patient care and improving the quality and efficiency of health care, all for the benefit of the individual Patient. Accordingly, Participants must not restrict any other Participant from accessing, using or disclosing a Patient Record with the following exceptions:
a) Applicable law prohibits a Participant from sharing a Patient Record with other Participants; or
b) The Participant does not believe sharing the Patient Record with other Participants would be in the Patient’s best interests based on his or her professional judgment and the Participant temporarily “opts out” of sharing the Patient Record in order to verify the Patient’s preference (e.g., celebrity Patients).
14) The Participant may “opt out” of sharing the Patient Record with other Participants that are not already associated with the Patient Record. However, once a Patient Record is “opted out,” other Participants in the Acumen community cannot locate that Patient Record in order to schedule an appointment or provide treatment coverage for the Patient. Healthcare providers outside of the Acumen community, including other providers within Epic, also will not be permitted to access the Patient Record via Epic Care Everywhere or other interoperability connections.
15) However, Participants may create a duplicate Patient Record that does not automatically pull data from Epic Care Everywhere or other interoperability connections. Those Participants may manually pull Care Everywhere data into the Patient Record and/or share their Record Extract with other Participants or health care providers for treatment purposes by mail, fax or e-mail.
16) Patients have the right to request a restriction on the use and disclosure of PHI.
a) Given the implications on continuity of care, it is imperative that the Participant, directly or indirectly, ensure that Patient is provided with sufficient information about the risks of “opting out” of sharing the Patient Record.
b) Participants shall have policies in place by which to accept or deny such requests from Patients.
c) Participants shall refrain from accepting a Patient’s request to restrict use or disclosure of PHI unless required by law.
Security and Access Control Measures
17) In accordance with HIPAA, Participants must implement reasonable safeguards to ensure the privacy, security and integrity of all information contained in Patient Records. This includes implementing security and access control measures that meet the minimum standards required by HIPAA as well as any other federal or state laws applicable to the Participant.
18) At a minimum, this requires Participants to:
a) Train all of the Participant’s workforce members (i.e., end users granted access by Participant) regarding the appropriate and inappropriate use of Acumen Epic Connect generally and Patient Records specifically;
b) Assign unique individual logins and strong passwords for each workforce member to access Acumen Epic Connect, with no shared or public logins or passwords at any time;
c) Develop procedures for access to Patient Records in emergency situations for appropriate Participants;
d) Use and regularly monitor the audit capabilities of Acumen Epic Connect;
e) Require all information contained in Patient Records to be treated with the same privacy and security standards as any other clinical documentation/Patient Protected Health Information maintained by the Participant; and
f) Appoint one workforce member as the Participant’s Acumen Epic Connect Coordinator who will act as the liaison with all other Participants and with Acumen, and whose responsibilities include timely communication and deployment of information within the organization.
19) Acumen Epic Connect includes certain privacy and security settings, such as end user access controls and restricted department settings, that Participants must review and configure based on their unique workflows and implementation. Participants must implement security and access measures with respect to the communication infrastructure of Acumen Epic Connect, including access to the communication servers and the digital certificates used to validate Participant as an Acumen Epic Connect Participant, that meet the minimum standards required by HIPAA and the law applicable to the Participant.
20) Participants must implement disciplinary procedures with respect to their workforce members’ inappropriate use of Patient Records in the same manner as the Participant would do for inappropriate use of similar Patient or confidential information.
21) If a security vulnerability is identified that poses an immediate threat to the confidentiality, integrity, or availability of Patient Records, then Acumen may take immediate action, in its reasonable discretion, to limit or suspend access to Patient Records by Participants affected by such vulnerability. Any such action will be designed to both (i) mitigate the risk to the confidentiality, integrity, and availability of Patient data due to the security vulnerability, and (ii) permit as much Patient data sharing as possible for Treatment purposes to continue occurring while such action is in effect.
Audits and Inquiries
22) Acumen Epic Connect creates a community of Participants, all with the same goal of improving Patient care through access to Patient Records for appropriate purposes in accordance with applicable law and standards of care. It is critical that all Participants cooperate with each other regarding issues that may arise and work together to informally resolve issues regarding Patient Records.
23) Participants are responsible for monitoring the Audit Logs of all individual users and other Participants who access Patient Records that they are associated with in order to determine that such access was appropriate in accordance with these Rules. In particular, Participants monitor access by generating an “Access Report” on demand or at designated intervals selected by the Participant. Participants also may generate an “Audit Trail Report” to review certain patient information that has been updated or changed in the Patient Record. Participants also may consult Acumen staff for requests related to other types of reports.
24) If Participants have any question or concern about access, use or disclosure of information contained in a Patient Record, then Participants must communicate directly with each other and attempt to resolve any disputes in good faith and a manner consistent with their applicable law, standards of practice and Patient choice.
25) In particular, Participants must comply with any valid Patient request for access to medical records or HIPAA Authorization that is signed by a Patient or the Patient’s legally authorized personal representative and comports with federal and state law. Participants cannot refuse to allow another Participant to access, use or disclose the Patient Record in a manner that is consistent with a Patient’s or a Patient’s legally authorized personal representative’s valid written Authorization.
26) Participants must fully cooperate with each other in this process, including providing detailed information to each other as to what information was accessed or needs to be accessed from the Patient Record, by whom and for what purpose. Participants must provide the requested information (including copies of any Patient request for access or Authorization forms collected at the point of care) within five (5) business days unless mutually agreed.
27) If Participants are not able to resolve any question or concern directly with each other, they may direct a grievance to the Governing Council as described below.
Governing Council
28) Acumen is a technology vendor and services provider. As such, its role is not to act as a policing authority for disputes within the Acumen Epic Connect community. Instead, a governing council of elected representatives (the “Governing Council”), or a subset thereof, will adjudicate disputes between Participants related to these Rules of the Road.
29) The Governing Council members shall perform their duties in good faith and with a view to the overall interests of the Acumen Epic Connect community, with that degree of diligence, care, and skill that ordinarily prudent persons would exercise under similar circumstances in like positions.
30) The Governing Council shall be comprised of five (5) voting members that are members of and selected by the Acumen Medical Advisory Board (“MAB”) according to the following process:
a) Each Governing Council member shall serve a term of one (1) year.
b) Members are not paid for participation on the Governing Council.
c) When a Governing Council position is vacant or expiring within 90 days, the Recorder of the Governing Council will publish a call for nominations to all MAB members. Each MAB member may nominate only one candidate and provide relevant biographical or professional information. To be considered for election, a candidate must be a current Acumen MAB member with a membership term coinciding or exceeding the one-year term of the Governing Council.
d) The Recorder shall set dates for the opening and close of voting to ensure MAB Members have at least five (5) days to submit their vote, while also ensuring at least fifteen (15) calendar days prior to the end of the term for Governing Council Members being replaced by the voting process. The Recorder may provide additional time if the number of nominees is less than the number of positions to be filled.
e) The specific votes of each MAB member shall be kept confidential by the Recorder, who will report only the total number of votes for each candidate. If there is a tie impacting the outcome, a runoff vote, with one (1) vote per MAB member, for each affected seat will be held over the five (5) days immediately following the date the results are reported, with the results of the runoff reported to all members by the Recorder.
31) The Governing Council also will be comprised of two (2) members appointed by Acumen from among its employees or officers. These members are entitled to participate in any proceedings and deliberations of the Governing Council but will not have a vote on the Governing Council unless otherwise specified in these Rules.
32) The Governing Council members shall select one member to serve as the Chair. The Chair’s duties include convening and facilitating meetings of the Council, organizing the formation of any Grievance Panel or Appeal Panel (as described below), and organizing the formation of any other committees the Governing Council decides are necessary.
33) The Governing Council members shall select one member to serve as the Recorder. The Recorder’s duties include administering the nomination and election of Governing Council members as described in these Rules and maintaining records of all elections and actions of the Governing Council, including meeting minutes.
34) All discussions and records of the actions of the Governing Council, the Grievance Panels and the Appeals Panels will be confidential and will be disclosed only to the applicable Participants, Governing Council Members, and Acumen.
35) Any elected Governing Council members shall be removed by affirmative vote of two-thirds (2/3) of all MAB members.
36) The Governing Council will have no authority to determine compliance with the Acumen Epic Connect Master Service Agreement or any other agreements related to the Participant, allocate liability associated with violation of the Rules of the Road, or assess any monetary penalty or damages of any kind.
Grievance Resolution Procedure
37) In the event that any Participant is unable to resolve a dispute with another Participant involving a Patient Record and believes another Participant’s conduct violates the privacy, security or integrity of the Patient Record, then the Participant may submit a grievance to the Governing Council. Following the submission of a grievance to the Governing Council, the Council Chair will convene a three-member panel of voting Governing Council members to consider and adjudicate the grievance (a “Grievance Panel”). If there are less than three (3) eligible voting members, additional members of the Grievance Panel will be selected as provided in Section 43 until there are three (3) voting members selected for the Grievance Panel. Promptly upon appointment, each member of the Grievance Panel will submit a statement to the Council Chair as to whether s/he has a conflict of interest with respect to any participant to the grievance. If so, the Council Chair will appoint a replacement member.
38) In addition, during the pendency of the grievance process and notwithstanding anything contained in these Rules, if a Participant reasonably determines that the threat to privacy, security or integrity of the Patient Record still exists based on the alleged violation of the Rules of the Road, then the Participant may temporarily “opt out” the Patient Record subject to the limitations in these Rules.
39) Each Participant named in a grievance must agree to cooperate with any investigation conducted by the Grievance Panel or Appeal Panel (as applicable), as well as any decision rendered by the Grievance Panel or Appeal Panel (as applicable), to the extent permitted by applicable law and contractual agreements.
40) The Grievance Panel shall render a decision that is reasonably tailored to ensure compliance with these Rules, access to Patient information for legitimate Treatment purposes, and the privacy, security and integrity of information contained in the Patient Record. Depending on the circumstances and technical feasibility, the Grievance Panel may conclude no action is warranted, issue a warning to any Participant and individual end user regarding their obligations under these Rules, require a Participant or individual end user to undergo additional workforce training, or temporarily or permanently remove a Participant or individual end user from Acumen Epic Connect. In addition, Participants must agree to permit Acumen to modify the Acumen Epic Connect-related configuration in its system to the extent necessary to carry out the decision of the Grievance Panel.
41) Within fifteen (15) days from receipt of a final decision issued by the Grievance Panel, a participating Participant may file a written appeal with the Chair of the Governing Council. A request for an appeal shall include a complete statement of the basis on which the review is sought. Following the receipt of an appeal, the Council Chair will convene a five-member appeal panel composed of voting Governing Council members (an “Appeal Panel”). If there are less than five (5) eligible voting members, additional members of the Appeal Panel will be selected as provided in Section 43 until there are five (5) voting members selected for the Appeal Panel. Promptly upon appointment, each member of the Appeal Panel submits a statement to the Council Chair as to whether s/he has a conflict of interest with respect to any party to the grievance. If so, the Council Chair shall appoint a replacement member.
42) The Appeal Panel will issue a written decision after considering the record and render a decision consistent with these Rules. The decision of the Appeal Panel, or the Governing Council if its decision is not timely appealed, is final and binding on the Participants involved in the disputes and is not subject to judicial review.
43) Participants agree not to sue any individual member of the Governing Council, a Grievance Panel, an Appeal Panel, and Acumen and its officers, employees, contractors, and agents, with respect to any action taken by such parties related to the resolution of any grievance under these Rules. This includes, without limitation, Acumen removing any Participant from the Acumen Epic Connect community in accordance with these Rules, as well as any harm to a Patient because Participants did not have access to the Patient’s Patient Record as a result of Acumen’s action or inaction. Nothing in these Rules of the Road limits any rights of a Participant to seek indemnification from another Participant pursuant to the terms of the Master Service Agreement.
44) A Governing Council member is eligible to serve on a Grievance Panel or an Appeal Panel with respect to a specific grievance unless such member has a conflict of interest related to that grievance, which includes, but is not limited to, current or prior employment at a Participant who is party to the grievance, or the existence of a close business relationship between such Governing Council member’s current organization and a Participant who is party to the grievance. A Governing Council member with a conflict of interest will disclose the conflict and will not be eligible to serve on the Grievance Panel or Appeal Panel with respect to that grievance. If there are insufficient eligible Governing Council members to select a Grievance Panel or an Appeal Panel (whether due to conflicts of interest or otherwise), the remaining panel member(s) will be appointed by the MAB from individuals serving on the MAB that otherwise do not have a conflict of interest. Such substitute members will be considered members of the Governing Council while they are serving on the Grievance Panel or Appeal Panel.
Inappropriate Use Or Disclosure, Security Incidents and Data Breaches Involving Patient Records
45) Acumen will, to the extent known by Acumen, report inappropriate use or disclosure of information contained in Patient Records to affected Participants in accordance with the federal and state laws and contractual obligations applicable to Acumen.
46) If a Participant separately becomes aware of inappropriate use or disclosure of another Participant’s information contained in Patient Records, it must notify the affected Participant(s) in accordance with these Rules without undue delay and in no less than ten (10) days of the date from when the Participant knew of the inappropriate use or disclosure.
47) Each Participant must ensure compliance with federal and state laws applicable to that Participant with respect to its inappropriate use or disclosure of any Patient Record, as well as inappropriate use or disclosure of information contained in its Record Extract. In particular, each Participant must assess whether such unauthorized use or disclosure constitutes a privacy or security breach under HIPAA and applicable state law. Each Participant also must notify affected individuals and regulatory agencies in accordance with the Participant’s applicable law, which may vary from Participant to Participant.
Removal of Patient Information from Acumen Epic Connect
48) Information entered in a Patient Record may not be removed or deleted due to technical limitations.
49) If a Participant terminates the Master Service Agreement between Participant and Acumen, Acumen will facilitate the transfer or migration of that Participant’s Record Extracts in accordance with the terms of the applicable Master Service Agreement.
50) Acumen will not purge a Patient Record from the Acumen Epic Connect community unless it is technically feasible to do so and to the extent permitted by its contractual commitments to any affected Participants.
Amendments to Rules of the Road
51) These Rules of the Road are expected to be continually refined in order to meet the needs of Acumen and the Participant community or to ensure compliance with laws, regulations and standards of care applicable to all Participants. Accordingly, changes to the Rules may be made by Acumen or the Governing Council from time to time in accordance with this section. Participants also may submit proposed amendments to Acumen or the Governing Council for their consideration.
52) The Governing Council may, by majority vote, propose amendments to these Rules of the Road. Such amendments will be effective if agreed by a majority of Acumen MAB Members and if Acumen ratifies the amendment. Acumen, or the Governing Council, will inform each Participant’s Acumen Epic Connect Coordinator of the results of the vote, and each Acumen Epic Connect Coordinator will communicate the result and effect of the vote within the coordinator’s organization.
53) In addition, these Rules of the Road may be amended by Acumen, in its reasonable discretion, in the following circumstances:
a) when necessary to ensure the privacy, security or integrity of information contained in Acumen Epic Connect generally or Patient Records specifically;
b) if necessary due to the Acumen system architecture;
c) to conform to state or federal laws or regulations applicable to Acumen and/or one (1) or more Participants; or
d) to conform to Acumen’s obligation to adhere to Epic Community Connect Accreditation requirements.
54) The amended Rules will be posted on Acumen’s user web site and generally will be effective forty-five (45) days after the date of posting. However, a change or amendment may be implemented immediately or in less than 45 days if the change or amendment is intended to address an issue of immediate concern in Acumen’s reasonable discretion.