Policy Statement: To protect an Individual’s health information from unauthorized use, the North Dakota Health Information Network (NDHIN) shall verify the identity of Participants and their Authorized Users before access to the NDHIN is granted. Health information available through NDHIN may be accessed only by Authorized Users who have a legitimate need to access the information.
Authentication is the process of verifying that an Authorized User who is seeking to access information through the NDHIN is the individual who the Authorized User claims to be.
The Health Information Technology (HIT) office shall review, evaluate and act upon requests submitted by organizations that want to become a Participant in the NDHIN.
Each Participant involved in NDHIN must demonstrate that it is a legitimate business by completing an application and provide the requested information and must assure that it participates in the types of health care transactions required of a Covered Entity or its Business Associate.
The Health Information Technology (HIT) Director, or designee, in collaboration with the Vendor shall determine whether an entity meets technical and operational requirements and passes the readiness assessment.
Participant identity shall be authenticated and unique user names and passwords shall be assigned by NDHIN to Authorized Users identified by Participant.
Each Participant shall designate its responsible contact person who shall be initially responsible on behalf of the Participant for compliance with these policies and to receive notice on behalf of the Participant.
The HIT Director, or designee, and each Participant shall execute a written and signed Participation Agreement prior to the Network access.
Participants shall, within five (5) working days, notify NDHIN if there is a material change in status such as a change in ownership. If the Participant ceases to engage in health care transactions, it shall notify NDHIN at least 30 days before the change.
Participants shall notify NDHIN within twenty-four hours, of termination of an Authorized User’s employment or affiliation with the Participant.
Authorized Users Authentication
Participants shall designate the Authorized Users within their organizations who will be authorized to access information through the NDHIN. Participants shall develop and implement policies to assure proper identification of each Authorized User.
Authorized Users shall be required to execute a user agreement prior to network access.
Authorized Users must maintain a current relationship with a Participant to access the NDHIN.
Access of health information shall be based on the Authorized User’s job function and relationship to the patient. Categories of Authorized Users shall be established, at a minimum, as the following:
- Provider with access to clinical information and Break the Glass authority.
- Provider with access to clinical information but no Break the Glass authority.
- Non-provider with access to clinical information.
- Non-provider with access to non-clinical information.
NDHIN Administrative Authorized Users shall be based on the job functions. Categories of NDHIN Administrative Authorized Users shall be established, at a minimum, as the following:
- Administrative Authorized User with access to non-clinical information.
- Administrative Authorized User with access to clinical information to resolve technical issues or input advance directives received from third parties.
- Administrative Authorized user with access to clinical information for audit purposes.
Each Authorized User shall be assigned a unique user name and password by the NDHIN.
Passwords shall meet the password strength requirements set forth in the ND Information Technology Access Control Policy.
Each Authorized User will be assigned an initial password that is required to be changed at the next use. Authorized Users shall be required to change their passwords at least every 60 calendar days and shall be prohibited from reusing passwords.
Authorized Users are prohibited from sharing their user names and passwords with others and from using the user names and passwords of others.
NDHIN shall encrypt user authentication data stored in the Network.
Failed Access Attempts
The NDHIN shall enforce a limit of consecutive failed access attempts by an Authorized User. Upon the 5th failed attempt, NDHIN shall disable the Authorized User’s access to the NDHIN. The Authorized User may reestablish access using appropriate identification and authentication procedures established by the Participant.
Periods of Inactivity
The NDHIN will have an automatic log-off and will terminate an electronic session after 30 minutes of inactivity. A Participant may establish a shorter automatic log-off and termination period for an electronic session on its network or for any device or class of devices used by its Authorized Users to access the Participant's network.
Participants shall provide training for all of its Authorized Users consistent with the Participant’s and NDHIN policies including privacy and security requirements.
Participant Policies/Remote Access
Each Participant shall establish and enforce policies and procedures regarding Authorized User access to Patient Data (including Remote Access), the conditions that must be met and documentation that must be obtained prior to allowing an Authorized User access to Patient Data.
Policies shall include procedures for taking disciplinary actions for its Authorized Users or members of its workforce in the event of a breach or non-compliance with the policies.
The Participant may suspend, limit, or revoke the access authority of an Authorized User on its own initiative upon a determination that the Authorized User has not complied with the Participant’s policies or the NDHIN policies. The Participant shall inform the HIT office immediately, and in any case within twenty-four hours, of any revocation or suspension.
NDHIN shall authenticate users accessing the NDHIN at each attempt the user accesses the Network.