Policies and Procedures

Polices and Procedures

Authorized User Certification and Application

The following are requirements of an Authorized User

  • Understand and agree to follow HIPAA requirements, HealtheConnections policies and his/her institution’s guidelines regarding the re-disclosure and use of protected health information available through the HealtheConnections HIE.
  • Understand that protected health information available through the HealtheConnections HIE is limited to that which has been successfully transmitted electronically by connected data sources only.
  • Read, understand and agree to follow the privacy and usage policies of HealtheConnections. These are located on our website: www.HealtheConnections.org.

HealtheConnections HIE Access Training

While Patient consent is not required for the depositing of their medical record, a Patient must authorize consent before their HIE records can be accessed, except in special cases of emergency and public health reporting requirements. To provide their consent choice, a Patient must complete and sign a HealtheConnections Consent Document. The choice selected on this form is only applicable to access by the legal entity listed at the top of the consent form. A patient’s decision not to sign a consent document shall not be construed as “denial of consent”. A patient has the right to change their consent choice for a given organization at any time by filling out a new consent document.

There are three consent choices available to Patients via the Consent Form:

  • The Patient may affirmatively give consent, allowing the Participant to access all of their health information through the HIE.
  • The Patient may deny consent, prohibiting the Participant from accessing any of their information through the HIE, even in a medical emergency.
  • The Patient may deny consent except in a medical emergency, which allows a Participant with the Break the Glass access role emergency access to information through the HIE only if the Participant attests that all of the following conditions as provided in Public Health Law Section 2504(4) are met:
    • In the Practitioners judgement, an emergency condition exists and the Patient is in immediate need of medical attention and an attempt to secure consent would result in delay of treatment which would increase the risk to the Patient’s life or health.
    • The Practitioner determines, in his or her reasonable judgment, that information that may be held by or accessible via the HealtheConnections HIE may be material to emergency treatment.
    • No denial of consent to access the Patient’s information is currently in effect with respect to the Participant with which the Practitioner is affiliated.

HIE Break the Glass Training (BTG)

It is important that you only BTG if “emergency access is medically necessary.” You many ONLY BTG if all of the following conditions are met:

An emergency situation exists whereas:

  1. The patient is in immediate need of medical attention and an attempt to secure consent would result in a delay of treatment, increasing the risk to such patient’s life or health.

  2. Information that may be held or accessible via HealtheConnections may be the material necessary for the treatment of such patient.

  3. Such patient (or his/her legally authorized representative) has not denied consent to access such patient’s information through HealtheConnections.

Once the emergency situation is resolved, the patient’s record should only be accessed if they have given their consent. All BTG access is monitored and audited to ensure that access without consent was justified. If information in the HIE is accessed or used improperly, sanctions will be implemented. Sanctions shall include, but do not necessarily have to be limited to: (i) requiring an Authorized User to undergo additional training (ii) temporarily restricting an Authorized User’s access; (iii) terminating the access of an Authorized User; (iv) suspending or terminating a Participant’s participation; and (v) the assessment of fines or other monetary penalties.


The information accessed within the HIE is covered by HIPAA regulations. Usernames and passwords are for individual Users and must not be posted publicly or shared. Users will be prompted to change their password periodically, and passwords can’t be reused. If the password is entered inaccurately too many times the User will be logged out and access will need to be reset.

The information accessed through HealtheConnections is confidential and may contain sensitive patient information. By logging in and accessing patient records in the health information exchange, you may be viewing patient records that contain HIV/AIDS information protected under Article 27-F of NY Public Health Law or patient records from facilities licensed or operated by the NYS Office of Mental Health or the NYS Office for People With Developmental Disabilities which may not be re-disclosed except as permitted by the NYS Mental Hygiene Law.

Misrepresentation, by knowingly and willfully making a false, fictitious or fraudulent representation, or submitting a document containing false or fraudulent entry can be subject to fines, imprisonment or other legal sanctions.