Policy Statement: Individual Health information may be accessed only by Authorized Users through the North Dakota Health Information Network (NDHIN) for only the purposes consistent with this policy.
Compliance with Law
All disclosures and uses of health information through the NDHIN must be consistent with all Applicable Laws and the NDHIN policies, and may not be used for any unlawful or discriminatory purpose. If applicable law requires that certain documentation exist (such as an authorization) or that other conditions be met prior to using or disclosing health information for a particular purpose, the requesting Participant shall ensure that it has obtained the required documentation or met the requisite conditions and shall provide evidence of the documentation and conditions at the request of the disclosing Participant.
Participant Permitted Purposes
A Participant may request and may disclose individual health information through the NDHIN only for purposes of treatment, payment, health care operations, to comply with public health reporting requirements, and as required by law.
Each Participant shall provide or request Individually Identifiable Health Information through the NDHIN only to the extent necessary for the permitted purpose.
Any other use of Individually Identifiable Health Information data is prohibited.
NDHIN Permitted Purposes
NDHIN may use and disclose Protected Health Information (PHI) for the following purposes:
- for the proper management and administration of the Business Associate, in accordance with 45 C.F.R. § 164.504(e)(4);
- subject to the Participation Agreement, NDHIN policies and procedures, and 45 C.F.R. §§ 164.504(e)(2)(i) and 164.504(e)(2)(i)(B), provide data aggregation services related to the health care operations of the covered entities with which NDHIN has a Participation Agreement;
- manage authorized requests for, and disclosures of, PHI among Participants in the network;
- create and maintain a master patient index;
- provide a record locater or patient matching service;
- standardize data formats;
- implement business rules to assist in the automation of data exchange;
- facilitate the identification and correction of errors in health information records; and
- subject to the Participation Agreement and the NDHIN policies and procedures, aggregate data on behalf of multiple covered entities.
Except as permitted by the HIPAA Rules, Patient Data may not be used by a Participant or NDHIN for marketing, marketing related purposes, or sales without the authorization of the Individual or the Individual's designee to whom the information pertains.
Information Subject to Special Protection
Certain health information may be subject to special protection under federal, state, or local laws and regulations (e.g., substance abuse). Each Participant shall identify any information that is subject to special protection under applicable law prior to disclosing any information through the NDHIN. Each Participant is responsible for complying with all applicable laws and regulations.
Participants shall establish and enforce policies that permit disclosure and use of only the minimum amount of information reasonably necessary to achieve a particular purpose.
An Authorized User may access health information through the NDHIN only to the extent they need the information in connection with their job function or duties.
This minimum necessary policy does not apply to the disclosure of PHI to health care providers for treatment.
Treatment and Insurance Denial Prohibition
A health care practitioner may not deny a patient health care treatment and a health insurer may not deny a patient a health insurance benefit based solely on the provider’s or patient’s decision not to participate in the NDHIN.
Each Participant shall have in place and shall comply with its own internal policies and procedures regarding the disclosure of health information and the conditions that shall be met and documentation that shall be obtained, if any, prior to making any such disclosure.