HealtheConnections manages a health information exchange (HIE), governed by regulations and policies established by New York State Department of Health for the Statewide Health Information Network of New York (SHIN-NY). The regulation requires that a patient has the right to allow or deny access to their medical records in the HIE via a consent process for each participating organization of HealtheConnections. By allowing access, the patient authorizes the participating organization to view the patient’s personal health information (PHI) that has been contributed to HealtheConnections.
A patient has the option to select a consent for each of their provider organizations that participate with HealtheConnections.
I give consent is an affirmative consent that allows that provider organization’s authorized users to access and view your personal health information (PHI) that has been contributed to HealtheConnections.
I deny consent does not allow that provider organization to access and view your personal health information (PHI) that has been contributed to HealtheConnections.
I deny consent except in a medical emergency allows a hospital or other critical health care providers to only access and view your personal health information (PHI) that has been contributed to HealtheConnections when you are facing a life-threatening event.
By consenting to allow your health care professionals to access your medical information, you are giving them the ability to view your medical information quickly and efficiently that could improve the quality of your care. Access to your information can save you time and money by eliminating duplicate testing, not having to remember dates and details of previous medical tests, and helping to verify medications that you are currently taking or had previously taken.
Personal Health Information, known as PHI, requires enhanced security to ensure confidentiality and integrity of patient medical records. HealtheConnections (HeC) is governed by regulations and policies set forth by the New York State Department of Health (NYSDOH) for the Statewide Health Information Network of New York (SHIN-NY). As a Qualified Entity (QE) of the SHIN-NY, HeC must comply with all security certification requirements. These certifications include requirements such as password protection, encryption of data, virtual private networks, data transmission standards, auditing, physical premises security, training for staff and authorized users at participating organizations, and more. The policies, procedures, and implementations of all security controls by HealtheConnections has created an environment based on best practice security measures to protect patient data.
HealtheConnections (HeC) complies with all New York State and Federal regulations and policies that are applicable to healthcare information. Each of HeC’s participating organizations are required to sign agreements and to fulfill the terms and conditions that allow authorized users of that organization to access and view a patient’s medical records. Audits of the accesses are conducted on a regular frequency, depending on the type of audit but occur daily, weekly, monthly, and annually. If you have questions about HealtheConnections’ security or privacy policies, call 315.671.2241 x5 and request to be transferred to the Chief Privacy, Security, and Compliance Officer.
There are many different types of health care providers that participate with HealtheConnections—hospitals, laboratories, radiology centers, physician offices, urgent care, and other healthcare organizations. All participating organizations are encouraged to contribute data to HealtheConnections.
To view a list of HealtheConnections’ participating organizations, click here.
To view a list of data contributors to HealtheConnections, here.
Yes, you can change your consent to HealtheConnections at any time for any of your participating providers. Simply request and fill out a new consent form with your updated consent option at your participating provider.
HealtheConnections does not provide a patient portal for patients to access their data directly; however, you may obtain a report of all your data in HealtheConnections. Contact HealtheConnections to obtain a “Patient Records Request Form” by completing the information on the HealtheConnections website.
You may also request an audit of participating organizations that have accessed and viewed your records, along with a listing of consents that you have selected at each organization. Contact HealtheConnections to obtain a “Patient Audit Log Request Form”.
To contact HealtheConnections, click on this link: https://www.healtheconnections.org/who-we-serve/patients/ and scroll to the bottom of the page; include the form name in the Message box. You may also contact our Support Team at 315.671.2241 x5 to request the form.
When you visit your healthcare provider that participates with HealtheConnections, you will be presented with a consent form. You can simply select your consent choice for each participating organization where you receive care. See Consent Example for consent selection choices.
If you want to deny consent for all HealtheConnections’ participants, you may do one of the following:
- Visit HealtheConnections’ office, located at 443 North Franklin Street, Suite 001, Syracuse, NY 13204 with photo identification and complete form B-9.1 – Community-wide Deny Consent.
- Visit your provider and complete form B-9.1 - Community-wide Deny Consent. Your provider will forward the form to HealtheConnections for processing.
- Obtain form and have it notarized. Contact HealtheConnections to obtain a “Community-Wide Deny Consent form” by completing the information on the HealtheConnections website. Click here and scroll to the bottom of the page; include the form name in the Message box. You may also contact our Support Team at 315.671.2241 x5 to request the form. Follow the instructions on the form.
Yes, HealtheConnections generates daily, weekly, and quarterly audit reports that are provided to their participating organizations through a secure, on-line process. HealtheConnections’ participants are required to review and attest to their audit reports, as follows:
- Daily Audits
- Break-the-Glass (BTG) report – a Break-the-Glass event is when an Authorized User gains one-time access to patient information used by a HealtheConnections participating organization in an emergency situation when the patient has selected “Emergency Only” consent or in a life-threatening medical emergency when a patient has not yet consented to that participant. Participants who have used the BTG functionality are notified on the next business day to review and attest to these events.
- Weekly Audits
- Public Health and Organ Procurement Services – public health authorities, health oversight agencies, and federally designated organ procurement organizations are allowed to view patient records without the patient’s consent for purposes of public health activities, health oversight activities, and for facilitating organ, eye, or tissue donation and transplantation. The participants that are designated as public health or organ procurement organizations are notified at the beginning of each week to review and attest to their user accesses for the previous week.
- Quarterly Audits
- Patient Records Accessed report – this report includes the participating organization name, the participant’s authorized user who accessed a patient record, patient’s name, patient’s date of birth, the type of patient information that was accessed, and the date and time of access.
- Consent Sample report – this is a random sample of up to 40 affirmative patient consents that have been entered for a participating organization. In addition to validating the affirmative patient consents, the participating organization must return a copy of the patient-signed consent form for the first five (5) entries on the report.
- These reports are available to all participating organizations every month; however, each organization is only required to attest once per year. Audit results can be seen here..
There are penalties for inappropriate access to or use of your electronic health information. If at any time you suspect that someone who should not have seen or gotten access to information about you has done so, you may call your Provider’s office; or contact HealtheConnections at 315.671.2241; or call the NYS Department of Health at 518-474-4987; or follow the complaint process of the federal Office for Civil Rights at www.hhs.gov/ocr/privacy/hipaa/complaints.
Per New York State regulation, healthcare providers are allowed to share their patients’ medical records with HealtheConnections health information exchange (HIE). A patient does not need to consent or give permission to their healthcare providers to do this; however, a patient does control which of their healthcare providers they want to allow access to view their medical records.
Here are the types of data that may be available through HealtheConnections:
- Demographics / Profile – name, address, phone numbers, email, marital status, next of kin, insurances, advance directives, ethnicity, race, language preferences
- Lab and Radiology reports and Images
- Encounters – hospital, doctor office, emergency room, and other healthcare facility visits
- Procedures / Surgeries
- Medications / Immunizations
- Conditions / Allergies
- Family and Social History
- Vital signs – height, weight, blood pressure readings